Hello,

Secure-SIP-Server wrote:
>
> I'm suffering from a Denial-of-Service attack on my SIP(VoIP) UDP port 5060,
> getting more than 70 REGISTER requests per second since yesterday. All
> coming from the Japanese IP 59.146.75.111:5088.
[...]
> Now my 2nd question:
> How can these requests (UDP) be from an ESTABLISHED connection??? They passed
> the firewall in the first two examples and therefore they must be
> ESTABLISHED!?!

UDP being connectionless by nature, the notion of "UDP connection" is rather loose. Therefore a continuous flow of packets with the same ports and addresses can be considered as one single connection even if they are actually unrelated requests.

> 3rd question:
> Is there a way to tell iptables to lock only a specific IP:PORT for a while
> if this IP transmits more than 50 requests per second? If so, how?

Check the "recent" match. Be sure you read carefully the man page about its default limits.
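One way to apply the "recent" match suggested above, as an added example that is not part of the original message. The chain names `SIP_GUARD`/`SIP_BLOCK`, the list names and the 60-second block time are assumptions; the function only prints the rules and refuses a `--hitcount` above the per-address packet limit the man page warns about.

```shell
#!/bin/sh
# Added example, not from the thread. Prints iptables commands; applies nothing.
# Chain names (SIP_GUARD, SIP_BLOCK) and list names are made up for illustration.

# The iptables-extensions man page documents the xt_recent module parameter
# ip_pkt_list_tot (packets remembered per address) with a default of 20.
# Where that limit applies, a larger --hitcount needs the module loaded with
# a bigger value, e.g.  modprobe xt_recent ip_pkt_list_tot=50
PKT_LIST_TOT_DEFAULT=20

# sip_guard_rules HITCOUNT SECONDS BLOCK_SECONDS [IP_PKT_LIST_TOT]
sip_guard_rules() {
    hit=$1; secs=$2; block=$3; tot=${4:-$PKT_LIST_TOT_DEFAULT}
    if [ "$hit" -gt "$tot" ]; then
        echo "hitcount $hit exceeds ip_pkt_list_tot=$tot:" \
             "raise the module parameter or lower the threshold" >&2
        return 1
    fi
    # Notes on the rules printed below:
    # - The jump is inserted at position 1 so it runs before any
    #   ESTABLISHED accept rule, which conntrack also applies to UDP flows.
    # - "recent" keys on the source address only, so the block covers the
    #   whole IP on UDP/5060, not a single IP:PORT pair.
    # - --rcheck does not refresh the timestamp, so the block ends
    #   BLOCK_SECONDS after the threshold was last exceeded.
    cat <<EOF
iptables -N SIP_GUARD
iptables -N SIP_BLOCK
iptables -I INPUT 1 -p udp --dport 5060 -j SIP_GUARD
iptables -A SIP_GUARD -m recent --name sip_blocked --rcheck --seconds $block -j DROP
iptables -A SIP_GUARD -m recent --name sip_rate --set
iptables -A SIP_GUARD -m recent --name sip_rate --rcheck --seconds $secs --hitcount $hit -j SIP_BLOCK
iptables -A SIP_GUARD -j RETURN
iptables -A SIP_BLOCK -m recent --name sip_blocked --set -j DROP
EOF
}
```

The 50-per-second threshold from the question needs the fourth argument, for example `sip_guard_rules 50 1 60 50`, together with the matching module parameter.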