LINUX-L@LISTS.UFL.EDU
Subject: Re: SIP Flood attacks from EC2 cloud
From: Jon Lewis <[log in to unmask]>
Reply-To: Platform Independent Linux List! <[log in to unmask]>
Date: Tue, 13 Apr 2010 13:18:13 -0400
Content-Type: TEXT/PLAIN

On Tue, 13 Apr 2010, Fred Posner wrote:

> http://www.voiptechchat.com/voip/457/amazon-ec2-sip-brute-force-attacks-on-rise/
>
> There's been a bunch of different discussions on ways to combat the 
> attacks, including redirecting the attacks to a different port (and 
> responding with a fake message), iptables, fail2ban, etc.
>
> The redirect had mixed results... and I didn't want the fail2ban, so I 
> put up a little perl script for automatically blocking the traffic via a 
> dedicated iptables chain. The script is posted on Team Forrest:

There's a recent NANOG mailing list thread about this.  It sounded like 
Amazon was going to do something about it...but if you're saying it's 
still going on, I guess they haven't done enough.

Out of curiosity, why did you object to fail2ban?  It would actually be 
more efficient than what you've done.  In your example, you're rereading 
and reprocessing /var/log/asterisk/messages every 2 minutes.  If you 
insist on rolling your own, I'd suggest you look at perl's File::Tail and 
recode your perl script to run as a daemon that processes log lines once 
in real time as they're written.

Also, you could save yourself some coding by replacing push(@failhost,$1); 
with $failhost{$1}++;  That way, you're building an array of IPs and the 
number of times you've seen them, both at the same time.

Another issue is, you don't expire the iptables rules.  Iptables chains 
are processed linearly.  As the chain length increases, the system has to 
spend longer and longer looking at each rule in the asterisk chain to see 
if the packet will be dropped or allowed.  Fail2ban solves that by 
expiring rules after a predetermined time.

----------------------------------------------------------------------
  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
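The design Jon sketches above (process each log line once as it is written, count failures per IP in a hash, and expire the iptables rules so the chain stays short) as an added Python example. This is not Fred's Perl script and not code from the thread. It assumes an Asterisk chan_sip style "Registration from ... failed for '<ip>'" log line (the regex and the sample lines are constructed for the example), a dedicated iptables chain named asterisk (hypothetical name), and pluggable block/unblock callbacks so the logic can be exercised without root; wiring the callbacks to subprocess.run(iptables_block_cmd(ip)) is the production version.

```python
import re
import time
from collections import defaultdict

# Assumed log format (Asterisk chan_sip failed-registration notice); the
# pattern and the sample lines in run_demo() are constructed for this example.
FAIL_RE = re.compile(r"Registration from .* failed for '(\d{1,3}(?:\.\d{1,3}){3})'")

CHAIN = "asterisk"  # hypothetical name for the dedicated chain


def iptables_block_cmd(ip, chain=CHAIN):
    """argv to insert a DROP rule for ip at the top of the chain."""
    return ["iptables", "-I", chain, "-s", ip, "-j", "DROP"]


def iptables_unblock_cmd(ip, chain=CHAIN):
    """argv to delete that rule again; this is what keeps the chain short."""
    return ["iptables", "-D", chain, "-s", ip, "-j", "DROP"]


class SipBanner:
    """Counts failed registrations per source IP, bans on threshold, expires bans."""

    def __init__(self, threshold=5, bantime=600, block=None, unblock=None,
                 clock=time.time):
        self.threshold = threshold
        self.bantime = bantime
        self.block = block
        self.unblock = unblock
        self.clock = clock
        self.failures = defaultdict(int)  # $failhost{$ip}++ equivalent
        self.banned = {}                  # ip -> absolute expiry time

    def feed(self, line):
        """Handle one log line as it arrives. Returns the IP if it got banned."""
        self.expire()
        m = FAIL_RE.search(line)
        if not m:
            return None
        ip = m.group(1)
        if ip in self.banned:
            return None  # already dropped by the firewall; nothing to count
        self.failures[ip] += 1
        if self.failures[ip] < self.threshold:
            return None
        del self.failures[ip]
        self.banned[ip] = self.clock() + self.bantime
        self.block(ip)
        return ip

    def expire(self):
        """Remove rules whose ban time has elapsed (the step the cron script lacks)."""
        now = self.clock()
        for ip, until in list(self.banned.items()):
            if until <= now:
                del self.banned[ip]
                self.unblock(ip)


def follow(path, banner, poll=0.5):
    """tail -f style loop (the File::Tail idea): each line is processed once."""
    with open(path) as f:
        f.seek(0, 2)  # start at the end; never reread the whole file
        while True:
            line = f.readline()
            if line:
                banner.feed(line)
            else:
                banner.expire()  # expiry must run even while the log is quiet
                time.sleep(poll)


def run_demo(threshold=3, bantime=600):
    """Drive the banner with constructed log lines and a fake clock."""
    now = [1000.0]
    actions = []
    banner = SipBanner(threshold, bantime,
                       block=lambda ip: actions.append(("block", ip)),
                       unblock=lambda ip: actions.append(("unblock", ip)),
                       clock=lambda: now[0])
    fail = ("[Apr 13 13:18:%02d] NOTICE[2211] chan_sip.c: Registration from "
            "'\"100\"<sip:100@%s>' failed for '%s' - Wrong password")
    lines = [
        fail % (1, "198.51.100.7", "198.51.100.7"),
        "[Apr 13 13:18:02] VERBOSE[2211] chan_sip.c: Really destroying SIP dialog",
        fail % (3, "198.51.100.7", "198.51.100.7"),
        fail % (4, "203.0.113.4", "203.0.113.4"),
        fail % (5, "198.51.100.7", "198.51.100.7"),  # third strike: banned
        fail % (6, "198.51.100.7", "198.51.100.7"),  # ignored while banned
    ]
    for line in lines:
        banner.feed(line)
    now[0] += bantime + 1
    banner.expire()  # ban has aged out: rule removed
    return actions, dict(banner.failures)


if __name__ == "__main__":
    print(run_demo())
    # ([('block', '198.51.100.7'), ('unblock', '198.51.100.7')], {'203.0.113.4': 1})
```

Run as a daemon it is `follow("/var/log/asterisk/messages", SipBanner(block=..., unblock=...))`. Two things to watch in practice: the counter for an IP is discarded when it is banned, so a host that comes back after expiry starts from zero rather than being re-banned on its first failure, and the expiry loop must also run on the idle path, otherwise an attacker that stops sending stays in the chain forever.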
