[Spce-user] Under attack :-(

Daniel Grotti dgrotti at sipwise.com
Fri Feb 15 03:52:50 EST 2013


Hi Theo,
Malicious attacks are banned by the proxy and you can see the IP
address/Users ban under the "Security Ban" section.
What you could do is change the value defining how many seconds the
system keeps the IP/Users banned.
You can find all the variables in /etc/ngcp-config/config.yml under
"kamailio -> lb -> security".

security:
      dos_ban_enable: 'yes'
      dos_ban_time: 300
      dos_reqs_density_per_unit: 50
      dos_sampling_time_unit: 5
      dos_whitelisted_ips: ~
      failed_auth_attempts: 3
      failed_auth_ban_enable: 'yes'
      failed_auth_ban_time: 3600


So, by default the IP will stay banned for 300 sec.

Daniel




On 02/15/2013 09:45 AM, Theo wrote:
> Hi
>
> ngrep-sip gives me:
>
> #
> U 2013/02/15 10:39:23.432811 173.242.123.148:5266 -> 196.41.123.113:5060
> REGISTER sip:196.41.123.113 SIP/2.0'
> Via: SIP/2.0/UDP 173.242.123.148:5266;branch=z9hG4bK-2478367181;rport'
> Content-Length: 0'
> From: "12unknown" <sip:12unknown@196.41.123.113>'
> Accept: application/sdp'
> User-Agent: friendly-scanner'
> To: "12unknown" <sip:12unknown@196.41.123.113>'
> Contact: sip:123@1.1.1.1'
> CSeq: 1 REGISTER'
> Call-ID: 4123206054'
> Max-Forwards: 70'
> '
> with a script changing the Call-ID at a massive rate. So someone is
> trying to register or doing something sinister. This box is not behind
> a firewall at this point, just a test box. The IP you see
> there 173.242.123.148 has indeed been added to the banned IPs which I
> guess means nothing is actually reaching the proxy? Do we just leave
> it like this until they give up or is there some other action I should
> take?
>
> There is no monetary risk at this point for us - this is really just
> for testing and all details such as IPs are going to change if and
> when we would start using it.

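Added example (not part of the original message, and not Sipwise or Kamailio code): a simplified fixed-window model of how dos_reqs_density_per_unit, dos_sampling_time_unit and dos_ban_time from the config above interact, run against constructed traffic. The function names, the sample IPs and the fixed-window counting are assumptions; the load balancer's real algorithm may differ.

```python
# Added illustration: simplified fixed-window model of the "security" settings
# quoted above. NOT Kamailio's actual algorithm; all names are hypothetical.
from collections import defaultdict

CONFIG = {
    "dos_ban_time": 300,               # seconds an IP stays banned
    "dos_reqs_density_per_unit": 50,   # assumed: requests tolerated per unit
    "dos_sampling_time_unit": 5,       # assumed: length of one unit, seconds
    "dos_whitelisted_ips": [],         # '~' (none) in the config above
}

def simulate_bans(events, cfg=CONFIG):
    """events: (timestamp_seconds, source_ip) tuples sorted by time.
    Returns (bans, dropped): bans maps ip -> [(start, end), ...] and
    dropped maps ip -> number of requests ignored while the ip was banned."""
    unit = cfg["dos_sampling_time_unit"]
    limit = cfg["dos_reqs_density_per_unit"]
    counts = defaultdict(int)          # (ip, window index) -> requests seen
    banned_until = {}
    bans = defaultdict(list)
    dropped = defaultdict(int)
    for ts, ip in events:
        if ip in cfg["dos_whitelisted_ips"]:
            continue                   # whitelisted sources are never counted
        if ts < banned_until.get(ip, 0):
            dropped[ip] += 1           # still banned: request is ignored
            continue
        key = (ip, int(ts // unit))
        counts[key] += 1
        if counts[key] > limit:        # density exceeded inside this window
            banned_until[ip] = ts + cfg["dos_ban_time"]
            bans[ip].append((ts, banned_until[ip]))
    return dict(bans), dict(dropped)

def constructed_traffic():
    """Constructed sample: a scanner sending 20 REGISTER/s for 10 minutes
    and a phone re-registering once a minute (documentation-range IPs)."""
    scanner = [(i / 20, "192.0.2.10") for i in range(12000)]
    phone = [(i * 60.0, "198.51.100.7") for i in range(10)]
    return sorted(scanner + phone)

if __name__ == "__main__":
    bans, dropped = simulate_bans(constructed_traffic())
    for ip, intervals in bans.items():
        print(ip, "ban intervals:", intervals, "dropped:", dropped[ip])
```

In this model the constructed scanner is banned twice within ten minutes and gets a short burst of requests through when the first 300-second ban expires, while the once-a-minute phone is never banned; a larger dos_ban_time removes the second burst.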