Properly stopping a SIP flood

At about 9am yesterday morning, I noticed on my server monitor that the CPU utilization of one of my servers was abnormally high, in addition to a sustained 1 Mbit/s of inbound traffic and 2 Mbit/s of outbound traffic. syslog messages from Asterisk showed it to be a SIP brute force attack, so I dropped the offending IP (an Amazon EC2 instance IP) into /etc/idiots to block it and went back to my work.

A while later, I noticed the traffic still hadn't died down, so I reported the incident to Amazon and my server's network provider. No luck on either front; Amazon just sent back a form reply stating the incident was forwarded to the EC2 instance's owner (yeah, seriously) and the network provider said they wouldn't bother adding an ACL to their border equipment unless it was needed to protect their entire network. With the IP blocked on my server, the CPU utilization had died down and it was no longer sending out reply traffic, but I was worried about the inbound garbage traffic counting towards the server's monthly bandwidth cap.


August 18th, 2007

I had to install an OpenBSD firewall at a customer's office yesterday and wanted to check that all of their VoIP phones still worked afterwards. Since everyone had left the office by the time I got there, it was a bit tricky testing all of the phones at the same time by myself.

I thought about writing a little routing snippet on the Asterisk server so I could dial a number at each phone and it would just play music until I hung up, but I wanted to make calls out to a PSTN number to double the bandwidth going out of the PBX server and make sure the voice quality was ok.
