[Spce-user] Under attack :-(

Theo axessofficetheo at gmail.com
Fri Feb 15 04:01:17 EST 2013


Thanks for that. I have only just started with this community, but if the
speed and quality of responses is anything to go by - it's an awesome one!!!

Cheers

Theo

On Fri, Feb 15, 2013 at 10:52 AM, Daniel Grotti <dgrotti at sipwise.com> wrote:

>  Hi Theo,
> Malicious attacks are banned by the proxy and you can see the IP
> address/User bans under the "Security Ban" section.
> What you could do is change the value defining how many seconds the system
> keeps the IP/Users banned.
> You can find all the variables in /etc/ngcp-config/config.yml under
> "kamailio -> lb -> security".
>
> security:
>       dos_ban_enable: 'yes'
>       dos_ban_time: 300
>       dos_reqs_density_per_unit: 50
>       dos_sampling_time_unit: 5
>       dos_whitelisted_ips: ~
>       failed_auth_attempts: 3
>       failed_auth_ban_enable: 'yes'
>       failed_auth_ban_time: 3600
>
>
> So, by default the IP will stay banned for 300 sec.
>
> Daniel
>
>
>
>
>
> On 02/15/2013 09:45 AM, Theo wrote:
>
> Hi
>
>  ngrep-sip gives me:
>
>  #
> U 2013/02/15 10:39:23.432811 173.242.123.148:5266 -> 196.41.123.113:5060
> REGISTER sip:196.41.123.113 SIP/2.0'
> Via: SIP/2.0/UDP 173.242.123.148:5266;branch=z9hG4bK-2478367181;rport'
> Content-Length: 0'
> From: "12unknown" <sip:12unknown at 196.41.123.113>'
> Accept: application/sdp'
> User-Agent: friendly-scanner'
> To: "12unknown" <sip:12unknown at 196.41.123.113>'
> Contact: sip:123 at 1.1.1.1'
> CSeq: 1 REGISTER'
> Call-ID: 4123206054'
> Max-Forwards: 70'
> '
>  with a script changing the Call-ID at a massive rate. So someone is
> trying to register or doing something sinister. This box is not behind a
> firewall at this point, just a test box. The IP you see
> there 173.242.123.148 has indeed been added to the banned IPs which I guess
> means nothing is actually reaching the proxy? Do we just leave it like this
> until they give up or is there some other action I should take?
>
>  There is no monetary risk at this point for us - this is really just for
> testing and all details such as IPs are going to change if and when we
> would start using it.
>
>
>
>
>
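
An added example (not part of the original thread, and not Sipwise or Kamailio code): it parses ngrep-sip style output like the capture quoted above and reports sources whose request count in any sampling window exceeds the dos_reqs_density_per_unit and dos_sampling_time_unit values from the quoted config. Assumptions: counting in fixed 5-second buckets is a simplification of how the proxy measures density, and the sample capture, its 192.0.2.10, 198.51.100.7 and 203.0.113.5 addresses and the ExamplePhone/1.0 agent are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds copied from the config.yml excerpt quoted in the thread.
DOS_REQS_DENSITY_PER_UNIT = 50
DOS_SAMPLING_TIME_UNIT = 5  # seconds

# ngrep header, e.g. "U 2013/02/15 10:39:23.432811 192.0.2.10:5266 -> 203.0.113.5:5060"
HDR = re.compile(r"^U (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+) ([\d.]+):\d+ -> ")
UA = re.compile(r"^User-Agent:\s*(.*?)'?\s*$", re.IGNORECASE)
EPOCH = datetime(1970, 1, 1)

def parse_packets(text):
    """Yield (timestamp, source_ip, user_agent) for each captured packet."""
    ts = src = ua = None
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()  # tolerate mail quoting of the capture
        hdr, agent = HDR.match(line), UA.match(line)
        if hdr:
            if src:
                yield ts, src, ua
            ts = datetime.strptime(hdr.group(1), "%Y/%m/%d %H:%M:%S.%f")
            src, ua = hdr.group(2), None
        elif src and agent:
            ua = agent.group(1)
    if src:
        yield ts, src, ua

def flood_sources(packets, limit=DOS_REQS_DENSITY_PER_UNIT, unit=DOS_SAMPLING_TIME_UNIT):
    """Map each source whose peak per-window count exceeds limit to (peak, agents)."""
    counts, agents, peaks = defaultdict(int), defaultdict(set), defaultdict(int)
    for ts, src, ua in packets:
        key = (src, int((ts - EPOCH).total_seconds()) // unit)  # fixed window bucket
        counts[key] += 1
        peaks[src] = max(peaks[src], counts[key])
        agents[src].add(ua or "(none)")
    return {s: (n, sorted(agents[s])) for s, n in peaks.items() if n > limit}

def constructed_capture():
    """Constructed sample: 60 REGISTERs in under 2 s from one source, 3 from another."""
    base, out = datetime(2013, 2, 15, 10, 39, 20), []
    for src, ua, n, gap_ms in (("192.0.2.10", "friendly-scanner", 60, 30),
                               ("198.51.100.7", "ExamplePhone/1.0", 3, 1500)):
        for i in range(n):
            ts = (base + timedelta(milliseconds=gap_ms * i)).strftime("%Y/%m/%d %H:%M:%S.%f")
            out += [f"U {ts} {src}:5266 -> 203.0.113.5:5060",
                    "REGISTER sip:203.0.113.5 SIP/2.0'", f"User-Agent: {ua}'", "'"]
    return "\n".join(out)
```

Calling `flood_sources(parse_packets(constructed_capture()))` returns only the 192.0.2.10 source, with a peak of 60 requests in one window.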