Solved

DOS attack UDP flood

Posted on 2011-02-11
7
1,965 Views
1 Endorsement
Last Modified: 2012-05-11
Hi, I've got a SIP Server running behind a firewall/router connected up to an ISP via ADSL2+.

All works fine normally and phones behind the router can make calls in and out.

Problem is that a particular ip address is currently trying to access the SIP server's 5060 port, sending authentication packets in UDP and flooding the bandwidth.

Though the flooding is small like 500-600KB/sec, because of this, legit calls using RTP streams and even DNS (which uses UDP) cannot be used. Calls get one way traffic (obviously) and DNS don't work (sometimes it works ...)...

The attack is blocked at my firewall level.

It's been going on for more than a day. I've called up the ISP and was on the phone to a useless tech and then another one for 4 hours and somehow they said they could help but it's just taking too long.

Based on everyone's experience, what is the best way to get around this the fastest way .. less involvement on the ISP is better as they are completely useless.

They explained that the process is to lodge it with their abuse team and then they will escalate it blah blah blah ... it'll take like 20 centuries....

I'm asking them to give me a new IP address but that's not going to happen overnight with them.

Any help here is much appreciated!
1
Comment
Question by:binele
  • 4
  • 3
7 Comments
 
LVL 15

Expert Comment

by:dave4dl
ID: 34875590
the attack is blocked at your firewall?  So the packets are never reaching your SIP server right?  It sounds like your firewall isn't handling this well.  Is the firewall dropping the legitimate packets?  Is it getting overwhelmed?

If it is dropping legit packets then maybe your rule to block it at the firewall is too broad.

If it is getting overwhelmed, could you set up a simpler rule on the firewall that it could process more efficiently (e.g. drop everything from this certain IP)?  If it is already simple you may just want to buy a better firewall (you may want to do this anyway).
0
 

Author Comment

by:binele
ID: 34875615
The firewall/router is a draytek 2820.
The rule is specific and blocking only that particular IP address. However, there's a constant stream from the attacker.

The DNS services time out.... and calls relying on VOIP are not being able to get it timely. Thus everything is stuffed.

0
 
LVL 15

Expert Comment

by:dave4dl
ID: 34875891
It sounds like your firewall is getting overwhelmed.  I would recommend a more industrial strength one like the Cisco ASA 5500 series.

Or you could hire a service to protect you (like http://www.blockdos.net/).
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:binele
ID: 34875926
Thanks for your reply. Would the ASA 5500 series do well here? Wouldn't it be the same if the bandwidth is used up by the DOS attack anyways?
0
 
LVL 15

Accepted Solution

by:
dave4dl earned 500 total points
ID: 34876014
You said you are only getting 500KBps of incoming requests which I assume is much less than your available download bandwidth.  If it is in fact less, then one of the firewalls in the ASA 5500 series should do the trick.  There is a huge range in this series based on your size up to appliances like this: http://www.amazon.com/Cisco-ASA-5580-40-Firewall-rack-mountable/dp/B002A1MZVY/ref=sr_1_1?s=electronics&ie=UTF8&qid=1297466071&sr=1-1 (only costs a little over $91,000, you save almost $39,000! :).  From what you are using now I am guessing something more like http://www.amazon.com/Cisco-5505-Security-Appliance-Networks/dp/B000JVTTPW/ref=sr_1_3?s=electronics&ie=UTF8&qid=1297467072&sr=1-3 or http://www.amazon.com/Cisco-ASA-5510-Appliance-ASA5510-BUN-K9/dp/B0009PRC84/ref=sr_1_2?s=electronics&ie=UTF8&qid=1297467072&sr=1-2 would be sufficient.

If your total incoming bandwidth is saturated then you have to talk to your ISP and/or a DOS/DDOS protection service because there isn't really anything you can do about that from your end (you have to stop the packets closer to the backbone where it is not saturating the entire pipe).
0
 
LVL 15

Expert Comment

by:dave4dl
ID: 34876067
if it is really just coming from a single IP, you could try contacting their ISP (assuming it is coming from a country for which you speak the language).  Use something like http://www.ip2location.com/free.asp
0
 

Author Closing Comment

by:binele
ID: 34877264
OK,thanks for the advice. I've got the ISP to change my IP address in the end. After 6 hours of back and forth with them on the phone. It's a new record for me.

I'll be evaluating the ASA device for future implementations.

Thanks
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Network ports are the threads that hold network communication together. They are an essential part of networking that can be easily ignore or misunderstood, my goals is to show those who don't have a strong network foundation how network ports opera…
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question