Thanks for all your thoughts!
I found a solution for how to tell iptables not to see the continuous flow of
SIP packets as an ESTABLISHED connection. I split
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
into
# iptables -A INPUT -p ! udp -m state --state ESTABLISHED -j ACCEPT
# iptables -A INPUT -m state --state RELATED -j ACCEPT
The ESTABLISHED rule does not need to work for UDP, so I excluded it.
I don't know why iptables does not exclude it by default! Does anyone know?
Now I can put below:
# iptables -A INPUT -p udp --dport 5060 -m recent --name DENIAL_OF_SERVICE --update --seconds 1 --hitcount 20 -j REJECT --reject-with icmp-admin-prohibited
# iptables -A INPUT -p udp --dport 5060 -m recent --name DENIAL_OF_SERVICE --set -j ACCEPT
This works for me!!! < I'm happy!!! :-)) >
Now the malicious UDP packet stream
- always passes the ESTABLISHED rule
- first passes the upper DENIAL_OF_SERVICE rule
- and some packets are accepted by the second DENIAL_OF_SERVICE rule (about
4 or 5 REGISTER requests)
- but then the first DENIAL_OF_SERVICE rule rejects all following spam from
this IP (requests from other IPs are still accepted!), and it has been doing
this for hours now, having rejected several hundred MB of received traffic. All
others with normal traffic can pass to my SIP server without problems!
@ marcos: Of course I could also drop the packets instead of rejecting
them, but I prefer this for the moment with: icmp-admin-prohibited.
----
I also noticed weeks before this attack happened that someone was sending me
SIP REGISTER requests, always with the same
User-Agent: friendly-scanner
and I didn't know why. I suppose it was the one that started the attack now,
but I don't know, because I don't remember the IPs of those first requests.
In the following links I found some interesting thoughts about these attacks
and a program to do those too!
blog of SIP-vicious
http://blog.sipvicious.org/
FAQ to SIP-vicious:
http://code.google.com/p/sipvicious/wiki/FrequentlyAskedQuestions
Storming SIP Security (pdf-discussion on the problem):
http://resources.enablesecurity.com/resources/22_29_storming_sip.pdf
Programs like FAIL2BAN are a good idea to use in addition to the above
iptables rules, but fortunately I'm one of two coders writing scripts for a
SIP server in Perl (Net::SIP, available at CPAN). I think I will write a
module to check the incoming SIP messages for recurring, possibly malicious
intentions; that module should drop identified attacks not rejected before
by the firewall. I will think about the best way to do this.
Regards
Detlef Pilzecker
Weitlahnerstraße 8
D - 83209 Prien am Chiemsee
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
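The two DENIAL_OF_SERVICE rules in the post above, replayed as an added example that is not part of the original message: a small Python model of the `-m recent --update --seconds 1 --hitcount 20 -j REJECT` / `-m recent --set -j ACCEPT` pair, run over a constructed packet trace. The bookkeeping it models (one ring buffer of at most 20 timestamps per source address, `--set` always recording a hit, `--update` recording a hit only when its hitcount test matches) is the example author's reading of the xt_recent module and is an assumption, as are the addresses, timings and the `RecentList`/`sip_chain` names.

```python
"""Model of the two DENIAL_OF_SERVICE rules from the post above.

Added example, not code from the original post.  It replays a constructed
packet trace through the poster's rule pair

    -m recent --name DENIAL_OF_SERVICE --update --seconds 1 --hitcount 20 -j REJECT
    -m recent --name DENIAL_OF_SERVICE --set -j ACCEPT

using a simplified model of the xt_recent bookkeeping (assumption, from the
example author's reading of the module): one ring buffer of at most 20
timestamps per source address, ``--set`` always records a hit, and
``--update`` records a hit only when its hitcount test matches.
"""
from collections import deque


class RecentList:
    """One ``--name`` list: a per-source ring buffer of packet timestamps."""

    def __init__(self, max_stamps=20):
        # xt_recent keeps a bounded number of stamps per address (module
        # parameter ip_pkt_list_tot); 20 is assumed here as the default.
        self.max_stamps = max_stamps
        self.entries = {}  # source address -> deque of timestamps in seconds

    def _record(self, src, now):
        stamps = self.entries.setdefault(src, deque(maxlen=self.max_stamps))
        stamps.append(now)

    def set(self, src, now):
        """``--set``: record a hit for src and match unconditionally."""
        self._record(src, now)
        return True

    def update(self, src, now, seconds, hitcount):
        """``--update --seconds S --hitcount N``: match when src is already
        listed and at least N of its stamps fall within the last S seconds.
        A match also records the current packet, so a continuing flood keeps
        the address above the threshold (assumed behaviour, see module doc)."""
        stamps = self.entries.get(src)
        if stamps is None:
            return False
        hits = sum(1 for t in stamps if now - t <= seconds)
        if hits >= hitcount:
            self._record(src, now)
            return True
        return False


def sip_chain(packets, seconds=1.0, hitcount=20):
    """Run the two rules, in order, over (time, src) UDP/5060 packets.

    Returns {src: {"accepted": n, "rejected": n}}.  The ESTABLISHED/RELATED
    rules from the post are not modelled: the poster excluded UDP from
    ESTABLISHED precisely so that these packets reach the rules below.
    """
    dos = RecentList()
    verdicts = {}
    for now, src in packets:
        v = verdicts.setdefault(src, {"accepted": 0, "rejected": 0})
        # Rule 1: source already over the threshold -> REJECT
        if dos.update(src, now, seconds, hitcount):
            v["rejected"] += 1
            continue
        # Rule 2: below the threshold -> remember this packet and ACCEPT
        dos.set(src, now)
        v["accepted"] += 1
    return verdicts


def constructed_trace():
    """Constructed trace (not captured traffic): a scanner at 203.0.113.7
    sends 50 packets in half a second, pauses, and sends 50 more starting at
    t=3.0 s; a phone at 198.51.100.20 sends three packets in between."""
    flood = [(i * 0.01, "203.0.113.7") for i in range(50)]          # 0.00 .. 0.49 s
    flood += [(3.0 + i * 0.01, "203.0.113.7") for i in range(50)]   # 3.00 .. 3.49 s
    phone = [(0.2, "198.51.100.20"), (1.7, "198.51.100.20"), (3.1, "198.51.100.20")]
    return sorted(flood + phone)


if __name__ == "__main__":
    for src, v in sip_chain(constructed_trace()).items():
        print(f"{src:>15}: accepted={v['accepted']:3d} rejected={v['rejected']:3d}")
```

Under this model each burst lets the first 20 packets from a source through and rejects the remaining 30, the phone's three packets are all accepted because the list is kept per source address, and once the scanner has been quiet for longer than the `--seconds` window it gets a fresh allowance, which is the sliding-window behaviour of `--update` rather than a permanent ban. Lowering `--hitcount` or raising `--seconds` tightens the allowance; the rule order (REJECT before `--set`/ACCEPT) is what makes the threshold count only the packets that were actually let through.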