DOS attack UDP flood
Posted on 2011-02-11
Hi, I've got a SIP Server running behind a firewall/router connected up to an ISP via ADSL2+.
All works fine normally and phones behind the router can make calls in and out.
Problem is that a particular ip address is currently trying to access the SIP server's 5060 port, sending authentication packets in UDP and flooding the bandwidth.
Though the flooding is small like 500-600KB/sec, because of this, legit calls using RTP streams and even DNS (which uses UDP) cannot be used. Calls get one way traffic (obviously) and DNS don't work (sometimes it works ...)...
The attack is blocked at my firewall level.
It's been going on for more than a day. I've called up the ISP and was on the phone to a useless tech and then another one for 4 hours and somehow they said they could help but it's just taking too long.
Based on everyone's experience, what is the best way to get around this the fastest way .. less involvement on the ISP is better as they are completely useless.
They explained that the process is to lodge it with their abuse team and then they will escalate it blah blah blah ... it'll take like 20 centuries....
I'm asking them to give me a new IP address but that's not going to happen overnight with them.
Any help here is much appreciated!