Bandwidth used by attack

maestro
Posts: 85
Joined: Sat Jan 24, 2009 5:40 pm
Location: In front of my PC

Post by maestro » Wed Apr 24, 2013 9:32 pm

Hi, I am currently experiencing a brute force attack on my VoIP system (Asterisk on a Linux box) where a single IP address in Egypt (188.138.127.199) has been trying to guess my passwords for about 5 hours.

Initially picked up by Fail2Ban, I have now manually blocked the IP address (both of these use iptables DENY). The attacker does not appear to detect that they have been blocked and their UDP packets are still being received at a rate of 0.5Mb/s.

I have tried changing the firewall to iptables REJECT (which would send an ICMP reject packet back to the attacker) but the packets are still coming in.

I normally only get 1.5Mb/s connection due to a bad line, but have exceeded my quota this month and now get 1Mb/s. The 0.5 Mb/s attack bandwidth has now halved my internet speed and it is quite noticeable.

I estimate that they have already run my quota up by an additional Gigabyte (I only have 30GB to start with).

What can I do to stop these packets from clogging up my pipe?


Thanks

Dazzled
Volunteer Site Admin
Posts: 6003
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Bandwidth used by attack

Post by Dazzled » Wed Apr 24, 2013 10:03 pm

He doesn't sound overly bright. They wouldn't be sipvicious packets (friendly-scanner) from some halfwit who has googled up a script would they? See eg http://www.onsip.com/blog/2011/11/15/do ... pt-kiddies

Post by maestro » Wed Apr 24, 2013 10:19 pm

Dazzled wrote: He doesn't sound overly bright. They wouldn't be sipvicious packets (friendly-scanner) from some halfwit who has googled up a script would they? See eg http://www.onsip.com/blog/2011/11/15/do ... pt-kiddies

Thanks for the info... It is sipvicious (the packets are from friendly-scanner), however it doesn't appear to be susceptible to this vulnerability. I have run the svcrash.py script and verified with a packet capture that the responses are actually sent, but the attack still continues. I guess there's been plenty of time for patched versions of sipvicious to have been distributed since 2011.

Post by maestro » Thu Apr 25, 2013 6:58 am

Well, the attack is still ongoing, for more than 14 hours now. Definitely a dumb script kiddie as all packets are getting dropped at the firewall, however the DOS effects are still bugging me.

So far this has used about 2.5GB on my link (almost 10% of my monthly quota).

EroshanJ
Exetel Staff
Posts: 243
Joined: Tue Jul 06, 2010 11:26 am
Location: Australia

Post by EroshanJ » Thu Apr 25, 2013 8:14 am

maestro wrote: Well, the attack is still ongoing, for more than 14 hours now. Definitely a dumb script kiddie as all packets are getting dropped at the firewall, however the DOS effects are still bugging me.

So far this has used about 2.5GB on my link (almost 10% of my monthly quota).

You can change your WAN IP from the members facility and check whether the issue persists.

Post by maestro » Thu Apr 25, 2013 4:47 pm

EroshanJ wrote: You can change your WAN IP from the members facility and check whether the issue persists.

Thank you. Good idea. I didn't think of that.

The attack ended just after midday today. I'll check periodically to see if it recurs.

Post by maestro » Sun Jan 19, 2014 10:31 pm

A belated update... I had stuffed up the command line parameters when trying to run that script. I ran it about 10 minutes later and the attack stopped.

Furthermore, about a week ago, I got home after a weekend away and found about 5.7GB more of my quota was used than I had expected (my quota is 30GB per month, so this hurts!). There was another sipvicious attack underway which that script also stopped.

So thank you Dazzled, for the link.

Post by Dazzled » Mon Jan 20, 2014 9:19 am

Thanks for the feedback.

Marvellous isn't it - that stunt was defeated years ago and the kiddies are still at it. I wonder if they know why their sipvicious crashed?

Do you have scapy (http://www.secdev.org/projects/scapy/) to monitor, and to allow svcrash.py to run in auto mode, if this nuisance gets more frequent?
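
Added example, not part of the thread and not code from any poster or from the tools named in it: Python (standard library only) that tallies SIP requests per source from captured UDP payloads, flags a source by the `friendly-scanner` User-Agent or by request volume, and converts a sustained inbound rate into quota consumed. The sample datagrams, the documentation-range addresses, `pbx.example` and the threshold of 20 requests are constructed assumptions.

```python
import re
from collections import defaultdict

SCANNER_UA = re.compile(r"friendly-scanner", re.I)  # User-Agent named in the thread
REQUEST_LINE = re.compile(r"^([A-Z]+) sips?:\S+ SIP/2\.0$")

def parse_sip(payload: bytes):
    """Return (method, user_agent) for a SIP request, or None if it is not one."""
    text = payload.decode("utf-8", errors="replace")
    head = text.split("\r\n\r\n", 1)[0].split("\r\n")
    m = REQUEST_LINE.match(head[0])
    if not m:
        return None
    ua = ""
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "user-agent":  # header names are case-insensitive
            ua = value.strip()
    return m.group(1), ua

def summarize(packets, window_s, max_requests=20):
    """Tally requests and bytes per source; flag by User-Agent or by request volume."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "scanner_ua": False})
    for src, payload in packets:
        parsed = parse_sip(payload)
        if parsed is None:  # not a SIP request: ignore
            continue
        s = stats[src]
        s["requests"] += 1
        s["bytes"] += len(payload)
        s["scanner_ua"] |= bool(SCANNER_UA.search(parsed[1]))
    for s in stats.values():
        s["mbps"] = s["bytes"] * 8 / window_s / 1e6
        s["flagged"] = s["scanner_ua"] or s["requests"] > max_requests
    return dict(stats)

def quota_gb(mbps, hours):
    """Data volume in GB consumed by a sustained inbound rate."""
    return mbps * 1e6 / 8 * hours * 3600 / 1e9

def sip(method, user, ua):  # builds one constructed sample datagram
    return (f"{method} sip:{user}@pbx.example SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.1\r\n"
            f"User-Agent: {ua}\r\nContent-Length: 0\r\n\r\n").encode()

# Constructed capture over a 10-second window; not traffic from the thread.
SAMPLE = ([("198.51.100.7", sip("REGISTER", str(100 + i), "friendly-scanner")) for i in range(50)]
          + [("198.51.100.9", sip("REGISTER", str(i), "Acme Phone 1.0")) for i in range(30)]
          + [("192.0.2.10", sip("OPTIONS", "100", "Acme Phone 1.0")), ("192.0.2.10", b"\x00\x01junk")])
```

The User-Agent string is trivial to change, which is why the request-count check runs alongside it; `quota_gb(0.5, 5)` gives 1.125, in line with the roughly one gigabyte estimated in the first post.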
