There was a lot of talk about this being the next menace after email spam. I’m not actually sure what it’s called for VoIP systems, but my Asterisk setup has started to be attacked over the last few days. Lots of entries like:
[Aug 27 19:20:30] NOTICE chan_sip.c: Registration from '"742"<sip:email@example.com>' failed for '126.96.36.199' - No matching peer found
[Aug 31 10:13:10] NOTICE chan_sip.c: Registration from '"1002" <sip:firstname.lastname@example.org>' failed for '188.8.131.52' - Wrong password
Lots of messages get logged a second and I noticed this as suddenly CPU load on my PC jumped up quite a bit.
For the moment I’ve routed these addresses via the interface lo0 so they won’t bother me any more, but I need to come up with a better solution.
First I’m curious if applications like Asterisk or FreeSwitch have any built-in anti-abuse controls to recognise bad behaviour and to disable those abusers. I’m pretty sure that I’ve not read about anything for Asterisk, and I’m currently reading the FreeSWITCH book I bought but haven’t come across this mentioned yet. Seems that applications like this may need to have these controls added at some time, just as sendmail, postfix and most mail servers have had to adjust to a hostile world.
The other option of course is to use a firewall or packet filter to limit the incoming traffic rate from a single IP to port 5060 or whereever the SIP connection is being accepted so that when going over the limit the ip will be blocked for some time. iptables can do this I think so I’m going to have to read about how to configure and set that up.
There are other applications designed to watch logs and use them to automatically add temporary blocks. fail2ban is one of these. I’ll also have to see if I can configure it for this task.
So if this has happened to you how do you protect your VoIP systems from that hostile world of the Internet?