Hello Jeff,
You can't stop them from sending packets, but usually if you drop them in the firewall (as you have done) they'll stop sending when they realize that they're not getting anything back. If it really is a DOS attack then the packets are going to come anyway. Your only recourse then I think is to contact the ISP concerned.
A: Done this, was hilarious. Ended up with a Mr Chen who asked me for the IP and could not understand numbers in English. I wrote to him 3-4 times, no action to date, so I moved the server onto another IP address earlier tonight. I do not think it's a DOS attack, it's just a very stubborn script kiddy wanting to make a name for himself. The trouble is, he's got plenty of bandwidth.
You can't hide Asterisk in the sense that if you want to have Internet calls arriving and departing then the good guys have to be able to find you and that means that the bad guys can also find you. You could move Asterisk off port 5060 to some other port but you'd have to check with your VoIP carriers to see if they can handle it and you will have to reset your phones to use the new port. Might be an option though.
A: Yes. I still wonder if we could not block access to 5060 to all except one or more IP addresses (we need to cater for multiple trunks - right?). Problem is I do not know how to do this....
This way, they may not "see" an Asterisk server? When scanning, the first thing they see using sipvicious is:
[chris@canopus sipvicious-0.2.4]$ ./svmap.py <IP range>
| SIP Device | User Agent | Fingerprint |
----------------------------------------------------------------------------
| 60.242.xxx.xxx:5060 | Asterisk PBX | Asterisk / Linksys/PAP2T-3.1.15(LS) |
Bingo, they know an Asterisk box is there, and can start serious scanning. If 5060 was blocked to all except my ISP, they may not see the signature above, and go away?
-------------------------------------------------------------------------------
Did you set the alwaysauthreject=yes field we discussed? It seems to work OK and it confuses the "tame" attack robot we have here (we use it internally for testing Asterisk).
A: Yes, the version of 2.5 I installed a while back has this by default.
We've also been playing with OSSEC and it works well (at least for us) in catching SIP attacks early. It automatically updates the firewall to drop packets from the offender (it also reports it so you have the option to permanently block the IP manually in the same way you've done it). You might want to give it a try. It won't stop a true DOS attack but I'm not sure what will, other than contacting the ISP.
OK, I would like to find out more about this, where do I go? Is this included in the latest software for 2.5?
I think that deploying an Asterisk server is becoming more problematic given the availability of cracking tools (sipvicious et al, there are a few now...)
Thanks for your time Jeff.
Best
chris
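The question above about allowing port 5060 only from the trunk providers is the kind of thing a host firewall rule set answers. The following is an added example, not something posted in this thread or shipped with Asterisk or OSSEC: a small POSIX shell script that builds an iptables allowlist for UDP SIP signalling. The trunk addresses (203.0.113.10, 198.51.100.0/24) are constructed placeholders; the SIP_IN chain name, the SIP_PORT and TRUNKS variables and the APPLY switch are this example's own choices. By default it only prints the rules (dry run); with APPLY=1 it pipes them to sh, which must run as root.

```shell
#!/bin/sh
# Added example, not from the original thread: limit UDP SIP signalling to the
# trunk/carrier addresses and silently drop everyone else, so a scanner probing
# the port gets no reply (and therefore no "Asterisk PBX" banner to fingerprint).
# Trunk addresses below are constructed placeholders; replace with your carriers'
# real signalling hosts and, if phones register from the LAN, your LAN subnet.
SIP_PORT="${SIP_PORT:-5060}"          # change if Asterisk is moved off 5060 (bindport)

# Print the iptables commands for a space-separated list of trusted sources.
# Usage: sip_allowlist_rules "203.0.113.10 198.51.100.0/24"
sip_allowlist_rules() {
    trusted="$1"
    # Dedicated chain: it can be flushed and rebuilt without touching the rest of INPUT.
    echo "iptables -N SIP_IN 2>/dev/null || iptables -F SIP_IN"
    # Remove any earlier jump to the chain, then insert a fresh one at the top of INPUT.
    echo "iptables -D INPUT -p udp --dport $SIP_PORT -j SIP_IN 2>/dev/null"
    echo "iptables -I INPUT -p udp --dport $SIP_PORT -j SIP_IN"
    for src in $trusted; do
        echo "iptables -A SIP_IN -s $src -j ACCEPT"
    done
    # Log a rate-limited sample of what is dropped so scans remain visible in syslog.
    echo "iptables -A SIP_IN -m limit --limit 5/min -j LOG --log-prefix 'SIP-DROP: '"
    # DROP rather than REJECT: no ICMP or SIP error goes back to the scanner.
    echo "iptables -A SIP_IN -j DROP"
}

# Helpers for sanity-checking the generated rule set before applying it.
accept_count() { sip_allowlist_rules "$1" | grep -c -- '-j ACCEPT'; }
drop_count()   { sip_allowlist_rules "$1" | grep -c -- '-j DROP$'; }

TRUNKS="${TRUNKS:-203.0.113.10 198.51.100.0/24}"   # constructed placeholder addresses
if [ "${APPLY:-0}" = "1" ]; then
    sip_allowlist_rules "$TRUNKS" | sh                # apply (run as root)
else
    sip_allowlist_rules "$TRUNKS"                     # dry run: show what would be applied
fi
```

The rules only touch UDP on the signalling port, so the RTP media range is unaffected, but SIP over TCP (if enabled) would need a matching rule, and every host a carrier registers or sends INVITEs from has to be in TRUNKS or calls from that trunk will stop. Because the chain is rebuilt from scratch on each run, adding a trunk is a matter of extending the list and re-running with APPLY=1. This complements rather than replaces alwaysauthreject=yes and OSSEC: a host that is on the allowlist can still be challenged and, if abusive, blocked by those mechanisms.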