[ale] SIP attack
Paul Cartwright
ale at pcartwright.com
Thu Oct 14 15:47:59 EDT 2010
justg read this on a fedora list, if anyone runs a VOIP server:
This is off topic, but I thought I should tell people.
This past weekend, I suffered a DOS attack launched against VOIP SIP
Clients. The attack came, at different times, from 3 separate IP addresses.
I blocked the IP addresses using IP Tables when I discovered it.
The attack was a bombardment of several hundred SIP REGISTER requests,
per second, with a user agent of friendly-scanner.
The attack was a sustained attack over three days.
I contacted my ISP. They told me they have taken steps.
I contacted 2 of the 3 owners of the offending IP addresses.
The third owner of the IP address was a job site address in China,
and I couldn't figure out how to contact them.
In my case, I run the VOIP SIP program, twinkle.
Twinkle started consuming vast amounts of memory, going from a normal 5
MiB usage to 500-600 MiB usage, before I realized what was happening.
Twinkle attempted to respond to each incoming packet with an outgoing
SIP error packet.
I posted a message on the yahoo group used by twinkle asking what they
could do to better handle such an attack.
If you suddenly seem to have memory problems, I suggest running
something like System Monitor to find out what applications have memory.
I also be on the lookout for unexpectedly high internet traffic.
This message is off-topic, because it is not specific to Fedora.
I thought it wouldn't hurt to let people know of this type of attack.
I hope people don't object to this off-topic post.
--
Paul Cartwright
Registered Linux user # 367800
Registered Ubuntu User #12459
http://usdebtclock.org/
More information about the Ale
mailing list