Bandwidth used by attack

Posted: Wed Apr 24, 2013 9:32 pm
by maestro
Hi, I am currently experiencing a brute force attack on my VoIP system (Asterisk on a Linux box) where a single IP address in Egypt (188.138.127.199) has been trying to guess my passwords for about 5 hours.

Initially picked up by Fail2Ban, I have now manually blocked the IP address (both of these use iptables DENY). The attacker does not appear to detect that they have been blocked and their UDP packets are still being received at a rate of 0.5Mb/s.

I have tried changing the firewall to iptables REJECT (which would send an ICMP reject packet back to the attacker) but the packets are still coming in.

I normally only get 1.5Mb/s connection due to a bad line, but have exceeded my quota this month and now get 1Mb/s. The 0.5 Mb/s attack bandwidth has now halved my internet speed and it is quite noticeable.

I estimate that they have already run my quota up by an additional Gigabyte (I only have 30GB to start with).

What can I do to stop these packets from clogging up my pipe?


Thanks

Re: Bandwidth used by attack

Posted: Wed Apr 24, 2013 10:03 pm
by Dazzled
He doesn't sound overly bright. They wouldn't be sipvicious packets (friendly-scanner) from some halfwit who has googled up a script would they? See eg http://www.onsip.com/blog/2011/11/15/do ... pt-kiddies

Re: Bandwidth used by attack

Posted: Wed Apr 24, 2013 10:19 pm
by maestro
Dazzled wrote:He doesn't sound overly bright. They wouldn't be sipvicious packets (friendly-scanner) from some halfwit who has googled up a script would they? See eg http://www.onsip.com/blog/2011/11/15/do ... pt-kiddies
Thanks for the info... It is sipvicious (the packets are from friendly-scanner), however it doesn't appear to be susceptible to this vulnerability. I have run the svcrash.py script and verified with a packet capture that the responses are actually sent, but the attack still continues. I guess there's been plenty of time for patched versions of sipvicious to have been distributed since 2011.
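The thread identifies the traffic by the "friendly-scanner" User-Agent that sipvicious puts in its SIP requests and then estimates the quota it burns. The following is an added example (not code from this thread or from the sipvicious project) that does both over a small set of constructed SIP messages: it flags scanner requests per source address, estimates their bandwidth over an observation window, and converts a sustained rate to gigabytes consumed. The sample addresses, the 42-byte Ethernet/IPv4/UDP header overhead and the sample messages are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample traffic: (timestamp in seconds, source IP, raw SIP message).
# The addresses and messages are made up for this example.
SAMPLE_PACKETS = [
    (0.00, "203.0.113.7", "REGISTER sip:100@pbx.example SIP/2.0\r\n"
                          "User-Agent: friendly-scanner\r\nContent-Length: 0\r\n\r\n"),
    (0.01, "203.0.113.7", "REGISTER sip:101@pbx.example SIP/2.0\r\n"
                          "User-Agent: friendly-scanner\r\nContent-Length: 0\r\n\r\n"),
    (0.02, "198.51.100.4", "REGISTER sip:200@pbx.example SIP/2.0\r\n"
                           "User-Agent: Grandstream GXP1400\r\nContent-Length: 0\r\n\r\n"),
]

# sipvicious announces itself with this User-Agent header (as noted in the thread).
SCANNER_UA = re.compile(r"^User-Agent:\s*friendly-scanner", re.IGNORECASE | re.MULTILINE)

# Assumed link-layer overhead per packet: Ethernet 14 + IPv4 20 + UDP 8 bytes.
HEADER_OVERHEAD = 42


def is_sipvicious(message: str) -> bool:
    """True if the SIP message carries the friendly-scanner User-Agent."""
    return bool(SCANNER_UA.search(message))


def summarize(packets, window_seconds):
    """Per-source packet count, byte count and Mb/s estimate for scanner traffic
    seen during an observation window of window_seconds."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for _ts, src, msg in packets:
        if is_sipvicious(msg):
            stats[src]["packets"] += 1
            stats[src]["bytes"] += len(msg.encode()) + HEADER_OVERHEAD
    for s in stats.values():
        s["mbit_per_s"] = s["bytes"] * 8 / window_seconds / 1e6
    return dict(stats)


def gigabytes_over(mbit_per_s, hours):
    """Data volume in GB that a sustained rate of mbit_per_s consumes in `hours`
    (Mb/s -> MB/s -> MB over the period -> GB)."""
    return mbit_per_s / 8 * 3600 * hours / 1e3


if __name__ == "__main__":
    print(summarize(SAMPLE_PACKETS, window_seconds=1.0))
    # A 0.5 Mb/s flood for 5 hours, as in the opening post, is about 1.1 GB.
    print(round(gigabytes_over(0.5, 5), 3))
```

Feeding real captures into summarize() (for example, SIP payloads pulled from a pcap) gives the per-source view needed to decide whether the flood is worth escalating to the ISP, since dropping packets at the local firewall cannot reduce what the link itself receives.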

Re: Bandwidth used by attack

Posted: Thu Apr 25, 2013 6:58 am
by maestro
Well, the attack is still ongoing, for more than 14 hours now. Definitely a dumb script kiddie as all packets are getting dropped at the firewall, however the DOS effects are still bugging me.

So far this has used about 2.5GB on my link (almost 10% of my monthly quota).

Re: Bandwidth used by attack

Posted: Thu Apr 25, 2013 8:14 am
by EroshanJ
maestro wrote:Well, the attack is still ongoing, for more than 14 hours now. Definitely a dumb script kiddie as all packets are getting dropped at the firewall, however the DOS effects are still bugging me.

So far this has used about 2.5GB on my link (almost 10% of my monthly quota).
You can change your WAN IP from the members facility and check whether the issue persists.

Re: Bandwidth used by attack

Posted: Thu Apr 25, 2013 4:47 pm
by maestro
EroshanJ wrote:You can change your WAN IP from the members facility and check whether the issue persists.
Thank you. Good idea. I didn't think of that.

The attack ended just after midday today. I'll check periodically to see if it recurs.

Re: Bandwidth used by attack

Posted: Sun Jan 19, 2014 10:31 pm
by maestro
A belated update... I had stuffed up the command line parameters when trying to run that script. I ran it about 10 minutes later and the attack stopped.

Furthermore, about a week ago, I got home after a weekend away and found about 5.7GB more of my quota was used than I had expected (my quota is 30GB per month, so this hurts!). There was another sipvicious attack underway which that script also stopped.

So thank you Dazzled, for the link.

Re: Bandwidth used by attack

Posted: Mon Jan 20, 2014 9:19 am
by Dazzled
Thanks for the feedback.

Marvellous isn't it - that stunt was defeated years ago and the kiddies are still at it. I wonder if they know why their sipvicious crashed?

Do you have scapy (http://www.secdev.org/projects/scapy/) to monitor, and to allow svcrash.py to run in auto mode, if this nuisance gets more frequent?