Solved

DOS attack UDP flood

Posted on 2011-02-11
Last Modified: 2012-05-11
Hi, I've got a SIP Server running behind a firewall/router connected up to an ISP via ADSL2+.

All works fine normally and phones behind the router can make calls in and out.

Problem is that a particular IP address is currently trying to access the SIP server's 5060 port, sending authentication packets in UDP and flooding the bandwidth.

Though the flooding is small, around 500-600KB/sec, because of this, legit calls using RTP streams and even DNS (which uses UDP) cannot be used. Calls get one-way traffic (obviously) and DNS doesn't work (sometimes it works ...).

The attack is blocked at my firewall level.

It's been going on for more than a day. I've called up the ISP and was on the phone to a useless tech and then another one for 4 hours and somehow they said they could help but it's just taking too long.

Based on everyone's experience, what is the best way to get around this the fastest way? Less involvement from the ISP is better, as they are completely useless.

They explained that the process is to lodge it with their abuse team and then they will escalate it blah blah blah ... it'll take like 20 centuries....

I'm asking them to give me a new IP address but that's not going to happen overnight with them.

Any help here is much appreciated!
Question by:binele
7 Comments
 
LVL 15

Expert Comment

by:dave4dl
ID: 34875590
The attack is blocked at your firewall?  So the packets are never reaching your SIP server, right?  It sounds like your firewall isn't handling this well.  Is the firewall dropping the legitimate packets?  Is it getting overwhelmed?

If it is dropping legit packets then maybe your rule to block it at the firewall is too broad.

If it is getting overwhelmed, could you set up a simpler rule on the firewall that it could process more efficiently (e.g. drop everything from this certain IP)?  If it is already simple you may just want to buy a better firewall (you may want to do this anyway).
 

Author Comment

by:binele
ID: 34875615
The firewall/router is a Draytek 2820.
The rule is specific and blocks only that particular IP address. However, there's a constant stream from the attacker.

The DNS services time out, and calls relying on VoIP are not able to get through in a timely manner. Thus everything is stuffed.

 
LVL 15

Expert Comment

by:dave4dl
ID: 34875891
It sounds like your firewall is getting overwhelmed.  I would recommend a more industrial strength one like the Cisco ASA 5500 series.

Or you could hire a service to protect you (like http://www.blockdos.net/).

Author Comment

by:binele
ID: 34875926
Thanks for your reply. Would the ASA 5500 series do well here? Wouldn't it be the same if the bandwidth is used up by the DoS attack anyway?
 
LVL 15

Accepted Solution

by: dave4dl (earned 500 total points)
ID: 34876014
You said you are only getting 500KBps of incoming requests which I assume is much less than your available download bandwidth.  If it is in fact less, then one of the firewalls in the ASA 5500 series should do the trick.  There is a huge range in this series based on your size up to appliances like this: http://www.amazon.com/Cisco-ASA-5580-40-Firewall-rack-mountable/dp/B002A1MZVY/ref=sr_1_1?s=electronics&ie=UTF8&qid=1297466071&sr=1-1 (only costs a little over $91,000, you save almost $39,000! :).  From what you are using now I am guessing something more like http://www.amazon.com/Cisco-5505-Security-Appliance-Networks/dp/B000JVTTPW/ref=sr_1_3?s=electronics&ie=UTF8&qid=1297467072&sr=1-3 or http://www.amazon.com/Cisco-ASA-5510-Appliance-ASA5510-BUN-K9/dp/B0009PRC84/ref=sr_1_2?s=electronics&ie=UTF8&qid=1297467072&sr=1-2 would be sufficient.

If your total incoming bandwidth is saturated then you have to talk to your ISP and/or a DOS/DDOS protection service because there isn't really anything you can do about that from your end (you have to stop the packets closer to the backbone where it is not saturating the entire pipe).
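The accepted solution above, together with dave4dl's earlier comment about the firewall rule being too broad or the box being overwhelmed, boils down to a triage decision: measure what is actually arriving, check whether it is below the link's capacity, and see whether one source dominates. The following Python script is an added example (not code from the thread or from Draytek/Cisco) that runs that triage over constructed firewall log lines in a hypothetical generic format; the ADSL2+ downstream rate and the 80% "single-source dominance" threshold are assumptions chosen for illustration.

```python
"""Triage helper for a UDP flood toward SIP/5060: is it absorbable at the
firewall, or is the link itself saturated so only the ISP can help?

Added example. The log format below is hypothetical (not Draytek's); the
sample traffic is constructed to resemble the question: one source sending
roughly 500 KB/s of UDP to port 5060 plus a trickle of legitimate SIP/DNS.
"""
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical log line: "<ts> <ACTION> <PROTO> src:sport -> dst:dport len=N"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) len=(?P<len>\d+)$"
)

# Assumed ADSL2+ downstream capacity (20 Mbit/s expressed in bytes/sec).
ASSUMED_LINK_BYTES_PER_SEC = 2_500_000


def parse_line(line):
    """Parse one log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
        "action": d["action"], "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "len": int(d["len"]),
    }


def build_sample_log(seconds=10, flood_pps=1000, flood_len=540):
    """Constructed sample: one source hammering UDP/5060 at ~540 KB/s,
    plus one legitimate SIP packet and one DNS reply per second."""
    lines = []
    for s in range(seconds):
        ts = f"2011-02-11 10:00:{s:02d}"
        for _ in range(flood_pps):
            lines.append(f"{ts} DROP UDP 203.0.113.7:40001 -> 192.0.2.10:5060 len={flood_len}")
        lines.append(f"{ts} ACCEPT UDP 198.51.100.5:5060 -> 192.0.2.10:5060 len=620")
        lines.append(f"{ts} ACCEPT UDP 198.51.100.53:53 -> 192.0.2.10:51234 len=120")
    return lines


def summarize(lines):
    """Aggregate inbound UDP bytes per source over the log's time window."""
    per_src = defaultdict(int)
    first = last = None
    total = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP":
            continue
        per_src[rec["src"]] += rec["len"]
        total += rec["len"]
        first = rec["ts"] if first is None else min(first, rec["ts"])
        last = rec["ts"] if last is None else max(last, rec["ts"])
    # Timestamps have 1 s resolution, so the window spans last - first + 1 seconds.
    window = (last - first).total_seconds() + 1 if first is not None else 0
    top_src, top_bytes = max(per_src.items(), key=lambda kv: kv[1]) if per_src else (None, 0)
    return {
        "window_seconds": window,
        "total_bytes": total,
        "bytes_per_sec": total / window if window else 0,
        "top_source": top_src,
        "top_share": top_bytes / total if total else 0,
    }


def classify(summary, link_bytes_per_sec, dominance=0.8):
    """Decide where the flood can be stopped, following the thread's reasoning:
    if inbound volume already fills the pipe, only upstream filtering helps;
    otherwise a per-source drop (one dominant source) or a rate limit suffices."""
    if summary["bytes_per_sec"] >= link_bytes_per_sec:
        return "ESCALATE_UPSTREAM"        # ISP abuse desk or scrubbing service
    if summary["top_share"] >= dominance:
        return "DROP_SOURCE_AT_FIREWALL"  # narrow rule on the single source
    return "RATE_LIMIT_AT_FIREWALL"       # spread out but below capacity


if __name__ == "__main__":
    s = summarize(build_sample_log())
    print(f"{s['bytes_per_sec']:.0f} B/s inbound UDP over {s['window_seconds']:.0f} s; "
          f"top source {s['top_source']} carries {s['top_share']:.1%}")
    print("20 Mbit/s link:", classify(s, ASSUMED_LINK_BYTES_PER_SEC))
    print(" 2 Mbit/s link:", classify(s, 250_000))
```

Run against the constructed sample, the flood measures about 540 KB/s from one address: well under an assumed 20 Mbit/s downstream (so a narrow per-source drop rule should hold, provided the router can keep up), but above a 2 Mbit/s link, where the verdict flips to escalating upstream because nothing at the customer end can un-saturate the pipe.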
 
LVL 15

Expert Comment

by:dave4dl
ID: 34876067
If it is really just coming from a single IP, you could try contacting their ISP (assuming it is coming from a country for which you speak the language).  Use something like http://www.ip2location.com/free.asp
 

Author Closing Comment

by:binele
ID: 34877264
OK, thanks for the advice. I've got the ISP to change my IP address in the end, after 6 hours of back and forth with them on the phone. It's a new record for me.

I'll be evaluating the ASA device for future implementations.

Thanks
Question has a verified solution.