Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

DOS attack UDP flood

Posted on 2011-02-11
7
1,967 Views
1 Endorsement
Last Modified: 2012-05-11
Hi, I've got a SIP Server running behind a firewall/router connected up to an ISP via ADSL2+.

All works fine normally and phones behind the router can make calls in and out.

Problem is that a particular ip address is currently trying to access the SIP server's 5060 port, sending authentication packets in UDP and flooding the bandwidth.

Though the flooding is small like 500-600KB/sec, because of this, legit calls using RTP streams and even DNS (which uses UDP) cannot be used. Calls get one way traffic (obviously) and DNS don't work (sometimes it works ...)...

The attack is blocked at my firewall level.

It's been going on for more than a day. I've called up the ISP and was on the phone to a useless tech and then another one for 4 hours and somehow they said they could help but it's just taking too long.

Based on everyone's experience, what is the best way to get around this the fastest way .. less involvement on the ISP is better as they are completely useless.

They explained that the process is to lodge it with their abuse team and then they will escalate it blah blah blah ... it'll take like 20 centuries....

I'm asking them to give me a new IP address but that's not going to happen overnight with them.

Any help here is much appreciated!
1
Comment
Question by:binele
  • 4
  • 3
7 Comments
 
LVL 15

Expert Comment

by:dave4dl
ID: 34875590
the attack is blocked at your firewall?  So the packets are never reaching your SIP server right?  It sounds like your firewall isn't handling this well.  Is the firewall dropping the legitimate packets?  Is it getting overwhelmed?

If it is dropping legit packets then maybe your rule to block it at the firewall is too broad.

If it is getting overwhelmed, could you set up a simpler rule on the firewall that it could process more efficiently (e.g. drop everything from this certain IP)?  If it is already simple you may just want to buy a better firewall (you may want to do this anyway).
0
 

Author Comment

by:binele
ID: 34875615
The firewall/router is a draytek 2820.
The rule is specific and blocking only that particular IP address. However, there's a constant stream from the attacker.

The DNS services time out.... and calls relying on VOIP are not being able to get it timely. Thus everything is stuffed.

0
 
LVL 15

Expert Comment

by:dave4dl
ID: 34875891
It sounds like your firewall is getting overwhelmed.  I would recommend a more industrial strength one like the Cisco ASA 5500 series.

Or you could hire a service to protect you (like http://www.blockdos.net/).
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 

Author Comment

by:binele
ID: 34875926
Thanks for your reply. Would the ASA 5500 series do well here? Wouldn't it be the same if the bandwidth is used up by the DOS attack anyways?
0
 
LVL 15

Accepted Solution

by:
dave4dl earned 500 total points
ID: 34876014
You said you are only getting 500KBps of incoming requests which I assume is much less than your available download bandwidth.  If it is in fact less, then one of the firewalls in the ASA 5500 series should do the trick.  There is a huge range in this series based on your size up to appliances like this: http://www.amazon.com/Cisco-ASA-5580-40-Firewall-rack-mountable/dp/B002A1MZVY/ref=sr_1_1?s=electronics&ie=UTF8&qid=1297466071&sr=1-1 (only costs a little over $91,000, you save almost $39,000! :).  From what you are using now I am guessing something more like http://www.amazon.com/Cisco-5505-Security-Appliance-Networks/dp/B000JVTTPW/ref=sr_1_3?s=electronics&ie=UTF8&qid=1297467072&sr=1-3 or http://www.amazon.com/Cisco-ASA-5510-Appliance-ASA5510-BUN-K9/dp/B0009PRC84/ref=sr_1_2?s=electronics&ie=UTF8&qid=1297467072&sr=1-2 would be sufficient.

If your total incoming bandwidth is saturated then you have to talk to your ISP and/or a DOS/DDOS protection service because there isn't really anything you can do about that from your end (you have to stop the packets closer to the backbone where it is not saturating the entire pipe).
0
 
LVL 15

Expert Comment

by:dave4dl
ID: 34876067
if it is really just coming from a single IP, you could try contacting their ISP (assuming it is coming from a country for which you speak the language).  Use something like http://www.ip2location.com/free.asp
0
 

Author Closing Comment

by:binele
ID: 34877264
OK,thanks for the advice. I've got the ISP to change my IP address in the end. After 6 hours of back and forth with them on the phone. It's a new record for me.

I'll be evaluating the ASA device for future implementations.

Thanks
0

Featured Post

Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question