Detecting DoS Attacks Via SIP

Hi all,

Lately, I’ve seen an increase in the number of attacks against my system from the so-called “Friendly Scanner.” When one of these script kiddies targets my server, all I see for symptoms is a few of my trunks become lagged due to server load and a stream of messages on the console that resemble this:

[Aug 2 20:27:50] == Using SIP VIDEO CoS mark 6
[Aug 2 20:27:50] == Using SIP RTP TOS bits 24
[Aug 2 20:27:50] == Using SIP RTP CoS mark 5
[Aug 2 20:32:47] == Using SIP VIDEO TOS bits 24
[Aug 2 20:32:47] == Using SIP VIDEO CoS mark 6
[Aug 2 20:32:47] == Using SIP RTP TOS bits 24
[Aug 2 20:32:47] == Using SIP RTP CoS mark 5
[Aug 2 20:34:26] == Using SIP VIDEO TOS bits 24
[Aug 2 20:34:26] == Using SIP VIDEO CoS mark 6

I have to turn on sip debugging to find out who’s hitting me. However, I can’t just leave it on because it would kill my logging system.

So, how are other people handling this? Is there an AMI event I want to watch for? I watch for PeerStatus, but since there’s no actual peer in the attack, I don’t seem to get an event from AMI.

Any ideas?

Mike Diehl.

10 thoughts on - Detecting DoS Attacks Via SIP