Solved

DOS attack UDP flood

Posted on 2011-02-11
7
1,976 Views
1 Endorsement
Last Modified: 2012-05-11
Hi, I've got a SIP Server running behind a firewall/router connected up to an ISP via ADSL2+.

All works fine normally and phones behind the router can make calls in and out.

Problem is that a particular ip address is currently trying to access the SIP server's 5060 port, sending authentication packets in UDP and flooding the bandwidth.

Though the flooding is small like 500-600KB/sec, because of this, legit calls using RTP streams and even DNS (which uses UDP) cannot be used. Calls get one way traffic (obviously) and DNS don't work (sometimes it works ...)...

The attack is blocked at my firewall level.

It's been going on for more than a day. I've called up the ISP and was on the phone to a useless tech and then another one for 4 hours and somehow they said they could help but it's just taking too long.

Based on everyone's experience, what is the best way to get around this the fastest way .. less involvement on the ISP is better as they are completely useless.

They explained that the process is to lodge it with their abuse team and then they will escalate it blah blah blah ... it'll take like 20 centuries....

I'm asking them to give me a new IP address but that's not going to happen overnight with them.

Any help here is much appreciated!
1
Comment
Question by:binele
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 15

Expert Comment

by:dave4dl
ID: 34875590
the attack is blocked at your firewall?  So the packets are never reaching your SIP server right?  It sounds like your firewall isn't handling this well.  Is the firewall dropping the legitimate packets?  Is it getting overwhelmed?

If it is dropping legit packets then maybe your rule to block it at the firewall is too broad.

If it is getting overwhelmed, could you set up a simpler rule on the firewall that it could process more efficiently (e.g. drop everything from this certain IP)?  If it is already simple you may just want to buy a better firewall (you may want to do this anyway).
0
 

Author Comment

by:binele
ID: 34875615
The firewall/router is a draytek 2820.
The rule is specific and blocking only that particular IP address. However, there's a constant stream from the attacker.

The DNS services time out.... and calls relying on VOIP are not being able to get it timely. Thus everything is stuffed.

0
 
LVL 15

Expert Comment

by:dave4dl
ID: 34875891
It sounds like your firewall is getting overwhelmed.  I would recommend a more industrial strength one like the Cisco ASA 5500 series.

Or you could hire a service to protect you (like http://www.blockdos.net/).
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:binele
ID: 34875926
Thanks for your reply. Would the ASA 5500 series do well here? Wouldn't it be the same if the bandwidth is used up by the DOS attack anyways?
0
 
LVL 15

Accepted Solution

by:
dave4dl earned 500 total points
ID: 34876014
You said you are only getting 500KBps of incoming requests which I assume is much less than your available download bandwidth.  If it is in fact less, then one of the firewalls in the ASA 5500 series should do the trick.  There is a huge range in this series based on your size up to appliances like this: http://www.amazon.com/Cisco-ASA-5580-40-Firewall-rack-mountable/dp/B002A1MZVY/ref=sr_1_1?s=electronics&ie=UTF8&qid=1297466071&sr=1-1 (only costs a little over $91,000, you save almost $39,000! :).  From what you are using now I am guessing something more like http://www.amazon.com/Cisco-5505-Security-Appliance-Networks/dp/B000JVTTPW/ref=sr_1_3?s=electronics&ie=UTF8&qid=1297467072&sr=1-3 or http://www.amazon.com/Cisco-ASA-5510-Appliance-ASA5510-BUN-K9/dp/B0009PRC84/ref=sr_1_2?s=electronics&ie=UTF8&qid=1297467072&sr=1-2 would be sufficient.

If your total incoming bandwidth is saturated then you have to talk to your ISP and/or a DOS/DDOS protection service because there isn't really anything you can do about that from your end (you have to stop the packets closer to the backbone where it is not saturating the entire pipe).
0
 
LVL 15

Expert Comment

by:dave4dl
ID: 34876067
if it is really just coming from a single IP, you could try contacting their ISP (assuming it is coming from a country for which you speak the language).  Use something like http://www.ip2location.com/free.asp
0
 

Author Closing Comment

by:binele
ID: 34877264
OK,thanks for the advice. I've got the ISP to change my IP address in the end. After 6 hours of back and forth with them on the phone. It's a new record for me.

I'll be evaluating the ASA device for future implementations.

Thanks
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

One of the biggest threats facing all high-value targets are APT's.  These threats include sophisticated tactics that "often starts with mapping human organization and collecting intelligence on employees, who are nowadays a weaker link than network…
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question