Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

DOS attack UDP flood

Posted on 2011-02-11
7
Medium Priority
?
1,990 Views
1 Endorsement
Last Modified: 2012-05-11
Hi, I've got a SIP Server running behind a firewall/router connected up to an ISP via ADSL2+.

All works fine normally and phones behind the router can make calls in and out.

Problem is that a particular ip address is currently trying to access the SIP server's 5060 port, sending authentication packets in UDP and flooding the bandwidth.

Though the flooding is small like 500-600KB/sec, because of this, legit calls using RTP streams and even DNS (which uses UDP) cannot be used. Calls get one way traffic (obviously) and DNS don't work (sometimes it works ...)...

The attack is blocked at my firewall level.

It's been going on for more than a day. I've called up the ISP and was on the phone to a useless tech and then another one for 4 hours and somehow they said they could help but it's just taking too long.

Based on everyone's experience, what is the best way to get around this the fastest way .. less involvement on the ISP is better as they are completely useless.

They explained that the process is to lodge it with their abuse team and then they will escalate it blah blah blah ... it'll take like 20 centuries....

I'm asking them to give me a new IP address but that's not going to happen overnight with them.

Any help here is much appreciated!
1
Comment
Question by:binele
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 15

Expert Comment

by:dave4dl
ID: 34875590
the attack is blocked at your firewall?  So the packets are never reaching your SIP server right?  It sounds like your firewall isn't handling this well.  Is the firewall dropping the legitimate packets?  Is it getting overwhelmed?

If it is dropping legit packets then maybe your rule to block it at the firewall is too broad.

If it is getting overwhelmed, could you set up a simpler rule on the firewall that it could process more efficiently (e.g. drop everything from this certain IP)?  If it is already simple you may just want to buy a better firewall (you may want to do this anyway).
0
 

Author Comment

by:binele
ID: 34875615
The firewall/router is a draytek 2820.
The rule is specific and blocking only that particular IP address. However, there's a constant stream from the attacker.

The DNS services time out.... and calls relying on VOIP are not being able to get it timely. Thus everything is stuffed.

0
 
LVL 15

Expert Comment

by:dave4dl
ID: 34875891
It sounds like your firewall is getting overwhelmed.  I would recommend a more industrial strength one like the Cisco ASA 5500 series.

Or you could hire a service to protect you (like http://www.blockdos.net/).
0
Survive A High-Traffic Event with Percona

Your application or website rely on your database to deliver information about products and services to your customers. You can’t afford to have your database lose performance, lose availability or become unresponsive – even for just a few minutes.

 

Author Comment

by:binele
ID: 34875926
Thanks for your reply. Would the ASA 5500 series do well here? Wouldn't it be the same if the bandwidth is used up by the DOS attack anyways?
0
 
LVL 15

Accepted Solution

by:
dave4dl earned 2000 total points
ID: 34876014
You said you are only getting 500KBps of incoming requests which I assume is much less than your available download bandwidth.  If it is in fact less, then one of the firewalls in the ASA 5500 series should do the trick.  There is a huge range in this series based on your size up to appliances like this: http://www.amazon.com/Cisco-ASA-5580-40-Firewall-rack-mountable/dp/B002A1MZVY/ref=sr_1_1?s=electronics&ie=UTF8&qid=1297466071&sr=1-1 (only costs a little over $91,000, you save almost $39,000! :).  From what you are using now I am guessing something more like http://www.amazon.com/Cisco-5505-Security-Appliance-Networks/dp/B000JVTTPW/ref=sr_1_3?s=electronics&ie=UTF8&qid=1297467072&sr=1-3 or http://www.amazon.com/Cisco-ASA-5510-Appliance-ASA5510-BUN-K9/dp/B0009PRC84/ref=sr_1_2?s=electronics&ie=UTF8&qid=1297467072&sr=1-2 would be sufficient.

If your total incoming bandwidth is saturated then you have to talk to your ISP and/or a DOS/DDOS protection service because there isn't really anything you can do about that from your end (you have to stop the packets closer to the backbone where it is not saturating the entire pipe).
0
 
LVL 15

Expert Comment

by:dave4dl
ID: 34876067
if it is really just coming from a single IP, you could try contacting their ISP (assuming it is coming from a country for which you speak the language).  Use something like http://www.ip2location.com/free.asp
0
 

Author Closing Comment

by:binele
ID: 34877264
OK,thanks for the advice. I've got the ISP to change my IP address in the end. After 6 hours of back and forth with them on the phone. It's a new record for me.

I'll be evaluating the ASA device for future implementations.

Thanks
0

Featured Post

Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question