projects | github | twitter | rss | contact
April 2010

Properly stopping a SIP flood

posted to writings on apr 11th, 2010 with tags asterisk, openbsd, ruby, security, superblock, voip, and work

At about 9am yesterday morning, I noticed on the monitor that the CPU utilization of one of my servers was abnormally high, in addition to a sustained 1mbit/sec of inbound traffic and 2mbits/sec of outbound traffic. syslog messages from Asterisk showed it to be a SIP brute force attack, so I dropped the offending IP (an Amazon EC2 instance IP) into /etc/idiots to block it and went back to my work.

A while later, I noticed the traffic still hadn't died down, so I reported the incident to Amazon and my server's network provider. No luck on either front; Amazon just sent back a form reply stating the incident was forwarded to the EC2 instance's owner (yeah, seriously) and the network provider said they wouldn't bother adding an ACL to their border equipment unless it was needed to protect their entire network. With the IP blocked on my server, the CPU utilization had died down and it was no longer sending out reply traffic, but I was worried about the inbound garbage traffic counting towards the server's monthly bandwidth cap.

Continue reading 831 words...

September 2008

don't anthropomorphize computers - they don't like it

posted to writings on sep 11th, 2008 with tags asterisk and voip

it appears that asterisk/sip servers are now a target of random (?) internet brute force scans just like ssh and smtp with authentication enabled.

i'm curious what they would have done had they found an account with an easily guessable password, though. make free long distance calls to their friends? it'd be like finding an ssh account and then using it to telnet back to your home machine, no? i'm half-tempted to create one of these simple accounts and then make asterisk record all of the calls made by it and then post the audio up on the internet.

Continue reading 764 words...