Hi,
I'm suffering from a Denial-of-Service attack on my SIP (VoIP) UDP port 5060,
getting more than 70 REGISTER requests per second since yesterday. All
coming from the Japanese IP 59.146.75.111:5088.
First I wrote this into my iptables rules:
....
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
....
/sbin/iptables -A INPUT -p udp --dport 5060 -s 59.146.75.111 -j REJECT
....
but it didn't work.
1st Question:
Why??
Then I wrote:
....
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 5060 -s 59.146.75.111 -j REJECT
/sbin/iptables -A INPUT -m state --state RELATED -j ACCEPT
....
Nothing changed, still receiving these REGISTER requests on my server.
Then I did:
....
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -p udp --dport 5060 -s 59.146.75.111 -j REJECT
/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -m state --state RELATED -j ACCEPT
....
This worked! All requests from that IP are rejected, all others reach my
server as before.
/sbin/iptables -L --line-numbers -v -n
shows me a rapidly increasing number of packets and bytes rejected by the
first rule.
Now my 2nd question:
How can these requests (UDP) be from an ESTABLISHED connection??? They passed
the firewall in the first two examples and therefore they must be
ESTABLISHED!?!
3rd question:
Is there a way to tell iptables to lock only a specific IP:PORT for a while
if this IP transmits more than 50 requests per second? If so, how?
Thanks and regards
Detlef Pilzecker
Weitlahnerstraße 8
D - 83209 Prien am Chiemsee
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
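The rate limit asked for in the 3rd question, as an added example that is not part of the original message. It assumes SIP on 5060/udp, a trip point of 50 packets per second, a lockout of 10 minutes and an iptables/kernel that understands --hashlimit-above; the port number and thresholds are taken from the post, everything else is an assumption. The per-source rules are placed ahead of the conntrack ACCEPT because Netfilter tracks UDP as well: once the SIP server has answered a REGISTER from 59.146.75.111:5088, that flow is in ESTABLISHED state and every later packet of it is accepted by the state rule before a REJECT further down is ever consulted, which is why only the third ruleset above worked. The recent match keys on the source address alone, so the lockout is per IP, not per IP:port; hashlimit can count per IP:port.

```sh
#!/bin/sh
# Added example, not code from the original post: rate-limit SIP REGISTER floods
# per source IP:port with the hashlimit match and lock offenders out for a while
# with the recent match. Assumed (not in the original post): SIP on 5060/udp, a
# trip point of 50 packets/second, a 10 minute lockout, and an iptables/kernel
# that understands --hashlimit-above.
#
#   sh sip_flood.sh          print the rules (safe, needs no root)
#   sh sip_flood.sh apply    load them into the INPUT chain (run as root)

IPTABLES=${IPTABLES:-/sbin/iptables}
SIP_PORT=${SIP_PORT:-5060}
RATE=${RATE:-50/sec}                 # more REGISTERs than this per second trips the block
BURST=${BURST:-50}                   # short bursts up to this size are tolerated
BLOCK_SECONDS=${BLOCK_SECONDS:-600}  # how long an offender stays locked out

# Emit the rules in the order they must appear in INPUT. Lines starting with '#'
# are comments when the output is piped to sh.
sip_flood_rules() {
    cat <<EOF
# Your existing rules for lo, SSH etc. go first; the policy stays DROP.
$IPTABLES -P INPUT DROP
# 1. Addresses already on the 'sipflood' list stay blocked for $BLOCK_SECONDS s.
#    --update refreshes the timer, so a flooder that keeps sending never expires.
#    DROP rather than REJECT so the box does not answer every flood packet with ICMP.
$IPTABLES -A INPUT -p udp --dport $SIP_PORT -m recent --name sipflood --rsource --update --seconds $BLOCK_SECONDS -j DROP
# 2. Count packets per source IP+port. Above $RATE (after a burst of $BURST) the
#    packet is dropped and its source address is put on the list. 'recent' keys on
#    the address only, so the lockout is per IP, not per IP:port.
$IPTABLES -A INPUT -p udp --dport $SIP_PORT -m hashlimit --hashlimit-name sipflood --hashlimit-mode srcip,srcport --hashlimit-above $RATE --hashlimit-burst $BURST -m recent --name sipflood --rsource --set -j DROP
# 3. Only now trust conntrack. A UDP flow counts as ESTABLISHED once the SIP
#    server has answered it, so a per-source rule placed below this line is
#    never reached by an ongoing flood.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p udp --dport $SIP_PORT -j ACCEPT
EOF
}

# Sanity check on the generated ruleset: every per-source rule (recent/hashlimit)
# must come before the conntrack ACCEPT. Returns 0 when the order is right.
rules_ordered_correctly() {
    rules=$(sip_flood_rules | grep -v '^#')
    state_line=$(printf '%s\n' "$rules" | grep -n -- '--state ESTABLISHED' | cut -d: -f1)
    last_filter=$(printf '%s\n' "$rules" | grep -n -e hashlimit -e recent | cut -d: -f1 | tail -n 1)
    [ -n "$state_line" ] && [ -n "$last_filter" ] && [ "$last_filter" -lt "$state_line" ]
}

# Number of iptables commands in the ruleset (comment lines excluded).
rule_count() {
    sip_flood_rules | grep -c -v '^#'
}

case "${1:-print}" in
    apply) rules_ordered_correctly || { echo "rule order broken, refusing to apply" >&2; exit 1; }
           sip_flood_rules | grep -v '^#' | sh -e ;;
    *)     sip_flood_rules ;;
esac
```

Watch the counters with `iptables -L INPUT -v -n --line-numbers` as in the post: the hashlimit rule should count the flood, and once the address is on the list the counters move to the recent rule above it. `cat /proc/net/xt_recent/sipflood` lists the locked-out addresses and their last-seen times.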