LINUX-L Archives
LINUX-L@LISTS.UFL.EDU
Subject: SIP Flood attacks from EC2 cloud
From: Fred Posner <[log in to unmask]>
Reply-To: Platform Independent Linux List! <[log in to unmask]>
Date: Tue, 13 Apr 2010 12:56:49 -0400

Long time listener, first time poster. ;) Actually just came back to Gainesville and am trying to get more active in the community. Anyway... there's been a tremendous amount of DDoS/SIP flood attacks from Amazon EC2 space over the last few days with an extremely disappointing response from Amazon. The overview is posted on VoIP Tech Chat at:

http://www.voiptechchat.com/voip/457/amazon-ec2-sip-brute-force-attacks-on-rise/

There's been a bunch of different discussions on ways to combat the attacks, including redirecting the attacks to a different port (and responding with a fake message), iptables, fail2ban, etc.

The redirect had mixed results... and I didn't want the fail2ban, so I put up a little Perl script for automatically blocking the traffic via a dedicated iptables chain. The script is posted on Team Forrest:

http://www.teamforrest.com/blog/171/asterisk-no-matching-peer-found-block/

If you have any other thoughts, that would be great... Generally I like to block on the router, or dedicated filtering system... Some people have discussed writing code for Asterisk, OpenSER, FreeSWITCH, etc. to handle this within the software. Personally, I don't like that method for 2 reasons (but of course, can always change my mind with a good argument). My thoughts are... (1) It's not the Linux way... i.e. get a separate program to do it and do it very well... and (2) I want the traffic blocked before it reaches the Asterisk (or other SIP) process.

Anyway... glad to be back in town.

---fred
http://qxork.com
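
The approach described in the message above (watch the Asterisk log for "No matching peer found" registration failures and drop the sources in a dedicated iptables chain), sketched in Python as an added example; it is not part of the original post and is not the Perl script the author links to. It also handles a From header crafted to make the log name an innocent address as the source. The log line format, the chain name `SIPBLOCK`, the threshold and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

CHAIN = "SIPBLOCK"  # hypothetical chain name
THRESHOLD = 3       # hypothetical: failed registrations before a source is blocked

# Assumed chan_sip NOTICE format. The From header is attacker-controlled, so the
# pattern is greedy and anchored at end of line: only the source address that
# Asterisk itself appended last is ever captured.
FAILED = re.compile(
    r"Registration from '.*' failed for '([0-9.]+)(?::\d+)?'"
    r" - No matching peer found\s*$"
)

def _line(from_hdr, src):
    """Build one constructed sample log line in the assumed format."""
    return (f"[Apr 13 12:00:01] NOTICE[2101] chan_sip.c: Registration from "
            f"'{from_hdr}' failed for '{src}' - No matching peer found")

# Constructed From header that tries to frame 192.0.2.44 as the source.
SPOOF = "\"x' failed for '192.0.2.44' - No matching peer found\" <sip:x@198.51.100.10>"
SAMPLE_LOG = "\n".join(
    [_line('"100" <sip:100@198.51.100.10>', "203.0.113.7")] * 3
    + [_line('"200" <sip:200@198.51.100.10>', "192.0.2.44")]
    + [_line(SPOOF, "203.0.113.9")] * 3
)

def offenders(log_text, threshold=THRESHOLD, allow=()):
    """Return sorted source IPs with at least `threshold` failed registrations."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.IPv4Address(m.group(1)))
        except ValueError:
            continue  # never hand unvalidated log text to iptables
        if ip not in allow:  # allow: your own trunks and phones
            counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def iptables_commands(ips, chain=CHAIN):
    """Commands that create the dedicated chain and drop each offender."""
    setup = [f"iptables -N {chain}", f"iptables -I INPUT -j {chain}"]
    return setup + [f"iptables -A {chain} -s {ip} -j DROP" for ip in ips]

if __name__ == "__main__":
    print("\n".join(iptables_commands(offenders(SAMPLE_LOG))))
```

The functions only return the command strings; review them before applying, since the source address of a UDP SIP packet can be forged.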
