Monday, November 15, 2010

Flooding ............... SIP :)

Hmmmmmmmmmm.....................

Last week was a tough one, so I decided to write down something interesting that happened last Thursday.

I had just got back to my seat after lunch, around 13.00 SL time. When I unlocked my screen I had 100+ email notifications from one of the Asterisk gateways that I had set up temporarily until the original server is upgraded to lenny :)


The email notifications stated that the server load average was more than 15, so I quickly logged in to the server and ran `top` :)


I saw that Asterisk was consuming 100% CPU, which it shouldn't have been.

So the next thing I did was `tail` `/var/log/asterisk/full` to see what was going on with Asterisk.

Well, I found the problem: someone had run a stress tester against our server with SIP REGISTER requests. I observed many failed registration attempts in the Asterisk log.


The guy must have used sipp or sipsak, or a similar tool, to generate this huge amount of traffic.

Asterisk couldn't cope with the request rate and hence ate the CPU at will :)

So to shut down this annoying attacker I simply added a DROP rule to the iptables filter table, as below:

`-A INPUT -j logndrop -s x.x.x.x`

and finally did `ifdown fw`, `ifup fw` to load the rule into iptables.
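The detect-and-block step above, as an added shell example that is not code from the original post: it counts failed REGISTER attempts per source address in Asterisk's full log and prints the iptables commands that send the noisy sources to a logndrop chain. The log lines are constructed, the threshold is an assumption, and so is the chain body (a rate-limited LOG followed by DROP), since the post only shows the jump to it.

```shell
#!/bin/sh
# Added example, not code from the original post. Counts failed SIP REGISTER
# attempts per source address in Asterisk's full log and prints the iptables
# commands that send the offending sources to a "logndrop" chain, as the post
# describes. The chain body, the threshold and the log samples are assumptions.

# Constructed sample of /var/log/asterisk/full lines (not real traffic).
sample_log() {
cat <<'EOF'
[Nov 11 13:02:10] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '198.51.100.7' - No matching peer found
[Nov 11 13:02:10] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@203.0.113.5>' failed for '198.51.100.7' - No matching peer found
[Nov 11 13:02:11] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@203.0.113.5>' failed for '192.0.2.9' - Wrong password
[Nov 11 13:02:11] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@203.0.113.5>' failed for '198.51.100.7' - No matching peer found
[Nov 11 13:02:12] VERBOSE[1234] chan_sip.c:     -- Registered SIP '200' at 192.0.2.9 port 5060
[Nov 11 13:02:12] NOTICE[1234] chan_sip.c: Registration from '"103" <sip:103@203.0.113.5>' failed for '198.51.100.7' - No matching peer found
EOF
}

# flood_sources THRESHOLD: reads log lines on stdin, prints "count ip" for every
# source with at least THRESHOLD failed registrations, busiest first.
flood_sources() {
  awk -v min="$1" -v q="'" '
    /Registration from .* failed for / {
      # the source address sits between single quotes after "failed for"
      split($0, after, "failed for " q)
      split(after[2], ip, q)
      fails[ip[1]]++
    }
    END { for (a in fails) if (fails[a] >= min) print fails[a], a }
  ' | sort -rn
}

# block_rules: reads "count ip" lines on stdin and prints the iptables commands.
# The logndrop chain logs a rate-limited sample and then drops, so the kernel
# log does not itself become a flood. Commands are printed, not executed.
block_rules() {
  echo 'iptables -N logndrop'
  echo 'iptables -A logndrop -m limit --limit 5/min -j LOG --log-prefix "SIP flood: "'
  echo 'iptables -A logndrop -j DROP'
  while read -r count ip; do
    echo "iptables -A INPUT -s $ip -j logndrop   # $count failed REGISTERs"
  done
}

# Stand-alone run over the sample: report sources with 3 or more failures.
sample_log | flood_sources 3 | block_rules
```

On a live box, replace `sample_log` with `tail -n 5000 /var/log/asterisk/full` and review the printed rules before applying them.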

Here we go: CPU usage dropped to 15%, and so did the load average.

So I said "Bye bye flood ........." :)

Interestingly, by coincidence we had flooding in Colombo due to heavy rains on the same day :D :D lol

Later.......... we blocked the attacker's subnet at the gateway router :)

It's really important to have a basic firewall setup which allows only the required connections to be made, especially when your server is on the internet,

because BAD people are always looking for trouble :p

4 comments:

  1. ifdown fw > ifdown Fuck the world

  2. I agree with you without any condition. The Asterisk servers must be kept behind a well-configured firewall. But most of the people expose their Asterisk servers directly to the internet. When they become a victim of an attack, they try to put their fault on others...
    But they never want to buy a firewall.
    :D
    :P
    :(

  3. ha ha lol

    I really don't think we need an SBC kinda thing to protect our boxes, since anyway the cost is not good for management health :)

    All we had to do is use iptables to rule our kingdom, and I say that's enough to provide enough security to the box.

    I'll be writing a post regarding iptables and how we could set up a basic one using the filter table.


    Thanks for the comments Macho......
