Asterisk runs at 100% CPU


Dear asterisk users,

A few weeks ago I was attacked by a DoS on REGISTER, which I
solved with a fail2ban script.
Now, for the past few hours, my Asterisk 1.4.21.2 has been running at 100% CPU again.

I’ve checked the log and it shows nothing related to failed registers
or anything similar. It just tells me that some of my peers are lagged, even
with a verbosity of 10000.

I ran “SIP SHOW CHANNELS” and saw a very strange thing: I have
between 4000 and 5000 active channels from peer 127.0.0.1. I have no
SIP phone on localhost. Here is an excerpt of the command output:

Peer       User/ANR  Call ID     Seq (Tx/Rx)  Format         Hold  Last Message
127.0.0.1  (None)    385677377   00101/00001  0x0 (nothing)  No    Rx: REGISTER
127.0.0.1  (None)    1623666249  00101/00001  0x0 (nothing)  No    Rx: REGISTER
127.0.0.1  (None)    1478349241  00101/00001  0x0 (nothing)  No    Rx: REGISTER
127.0.0.1  (None)    1830524844  00101/00001  0x0 (nothing)  No    Rx: REGISTER
127.0.0.1  (None)    1688182896  00101/00001  0x0 (nothing)  No    Rx: REGISTER
127.0.0.1  (None)    1391124899  00101/00001  0x0 (nothing)  No    Rx: REGISTER
127.0.0.1  (None)    2692644729  00101/00001  0x0 (nothing)  No    Rx: REGISTER
127.0.0.1  (None)    2043438815  00101/00001  0x0 (nothing)  No    Rx: REGISTER
127.0.0.1  (None)    3226298375  00101/00001  0x0 (nothing)  No    Rx: REGISTER
127.0.0.1  (None)    170429466   00101/00001  0x0 (nothing)  No    Rx: REGISTER

It is not a configuration issue causing loops, because my config has
not changed in months.

Any help is appreciated.

Best regards,
Patrick

3 thoughts on - Asterisk runs at 100% CPU

  • I also forgot to add that my bandwidth has been heavily used (mostly
    outbound traffic) since I detected the “attack”.

  • Sounds like your box has been compromised. Check the running processes and lock down remote ssh access to your server.

    Thanks,

  • Patrick,

    I observed this same behavior on a system a few weeks ago. If Asterisk
    was not running, the CPU load would be normal. There were no ‘failed’
    attempts in any of the logs. There was a relatively large amount of
    bandwidth coming from a specific IP address. (I used iftop to determine
    the offending address).

    You probably should upgrade to a newer version of Asterisk. 1.4.21 is
    pretty old and likely has several security holes which were fixed in
    newer releases.

    Darrick
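
An added example (not from the thread or the Asterisk project): a tally of "sip show channels" rows per peer that flags loopback sources and peers holding many unauthenticated REGISTER dialogs, the pattern in the excerpt in the original post. The sample rows, the 192.0.2.10 peer, the threshold and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the column layout of the excerpt in the original post
# (one row per line); the 192.0.2.10 row is invented for contrast.
SAMPLE = """\
Peer       User/ANR  Call ID     Seq (Tx/Rx)  Format         Hold  Last Message
127.0.0.1  (None)    385677377   00101/00001  0x0 (nothing)  No    Rx: REGISTER
127.0.0.1  (None)    1623666249  00101/00001  0x0 (nothing)  No    Rx: REGISTER
127.0.0.1  (None)    1478349241  00101/00001  0x0 (nothing)  No    Rx: REGISTER
192.0.2.10 alice     5f3a9c1e    00102/00001  0x4 (ulaw)     No    Rx: ACK
"""

ROW = re.compile(
    r"^(?P<peer>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<user>\S+)\s+(?P<callid>\S+)\s+"
    r"(?P<seq>\d+/\d+)\s+(?P<fmt>0x[0-9a-fA-F]+ \([^)]*\))\s+(?P<hold>\S+)\s+"
    r"(?P<last>.+?)\s*$"
)

def parse_channels(text):
    """Yield one dict per dialog row; header and summary lines are skipped."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield m.groupdict()

def suspicious_peers(text, threshold=100, expect_loopback=False):
    """Return {peer: reason} for peers that look like a REGISTER flood source."""
    rows = list(parse_channels(text))
    total = Counter(r["peer"] for r in rows)
    # Dialogs with no matched user whose last message is a REGISTER.
    unauth_reg = Counter(
        r["peer"] for r in rows
        if r["user"] == "(None)" and r["last"].endswith("REGISTER")
    )
    findings = {}
    for peer, n in total.items():
        if peer.startswith("127.") and not expect_loopback:
            findings[peer] = f"{n} dialogs from loopback, none expected"
        elif unauth_reg[peer] >= threshold:
            findings[peer] = f"{unauth_reg[peer]} unauthenticated REGISTER dialogs"
    return findings

if __name__ == "__main__":
    # Threshold lowered to fit the tiny constructed sample.
    for peer, why in suspicious_peers(SAMPLE, threshold=3).items():
        print(peer, "->", why)
```

On a live system the input would be the captured text of the same CLI command, with the threshold set well above the normal number of concurrent dialogs per peer.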