binele
asked on
DoS attack UDP flood
Hi, I've got a SIP Server running behind a firewall/router connected up to an ISP via ADSL2+.
All works fine normally and phones behind the router can make calls in and out.
Problem is that a particular IP address is currently trying to access the SIP server's 5060 port, sending authentication packets in UDP and flooding the bandwidth.
Though the flooding is small, like 500-600KB/sec, because of this, legit calls using RTP streams and even DNS (which uses UDP) cannot be used. Calls get one-way traffic (obviously) and DNS doesn't work (sometimes it works ...)...
The attack is blocked at my firewall level.
It's been going on for more than a day. I've called up the ISP and was on the phone to a useless tech and then another one for 4 hours and somehow they said they could help but it's just taking too long.
Based on everyone's experience, what is the fastest way to get around this? Less involvement from the ISP is better as they are completely useless.
They explained that the process is to lodge it with their abuse team and then they will escalate it blah blah blah ... it'll take like 20 centuries....
I'm asking them to give me a new IP address but that's not going to happen overnight with them.
Any help here is much appreciated!
ASKER
The firewall/router is a DrayTek 2820.
The rule is specific and blocking only that particular IP address. However, there's a constant stream from the attacker.
The DNS services time out.... and calls relying on VoIP are not able to get it in time. Thus everything is stuffed.
It sounds like your firewall is getting overwhelmed. I would recommend a more industrial strength one like the Cisco ASA 5500 series.
Or you could hire a service to protect you (like http://www.blockdos.net/).
ASKER
Thanks for your reply. Would the ASA 5500 series do well here? Wouldn't it be the same if the bandwidth is used up by the DoS attack anyway?
ASKER CERTIFIED SOLUTION
If it is really just coming from a single IP, you could try contacting their ISP (assuming it is coming from a country whose language you speak). Use something like http://www.ip2location.com/free.asp
ASKER
OK, thanks for the advice. I've got the ISP to change my IP address in the end, after 6 hours of back and forth with them on the phone. It's a new record for me.
I'll be evaluating the ASA device for future implementations.
Thanks
If it is dropping legit packets then maybe your rule to block it at the firewall is too broad.
If it is getting overwhelmed, could you set up a simpler rule on the firewall that it could process more efficiently (e.g. drop everything from this certain IP)? If it is already simple you may just want to buy a better firewall (you may want to do this anyway).
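As an added example, not from this thread, the script below aggregates inbound UDP/5060 bytes per source from a constructed firewall log to show why a per-IP drop rule on the DrayTek cannot restore RTP or DNS once the flood alone consumes most of the ADSL downlink: the bytes are discarded only after they have already crossed the line. The log format, the addresses and the assumed 8 Mbit/s downlink are all made up for the demonstration; a real DrayTek 2820 log looks different.

```python
import re
from collections import defaultdict

# Constructed, generic syslog-like firewall log (NOT DrayTek's real format):
# "<epoch> UDP <src>:<sport> -> <dst>:<dport> len=<bytes> <ACTION>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) UDP (?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+) "
    r"len=(?P<len>\d+) (?P<action>\w+)$"
)

def build_sample_log(seconds=3, flood_pps=900, flood_len=620, call_pps=50, call_len=200):
    """Constructed sample: one source flooding UDP/5060 at ~558 KB/s (already
    DROPped by a per-IP rule) plus one legitimate phone whose packets are ACCEPTed."""
    lines = []
    for t in range(1000, 1000 + seconds):
        lines += [f"{t} UDP 198.51.100.7:5060 -> 203.0.113.10:5060 len={flood_len} DROP"] * flood_pps
        lines += [f"{t} UDP 192.0.2.33:41000 -> 203.0.113.10:5060 len={call_len} ACCEPT"] * call_pps
    return "\n".join(lines)

def bytes_per_source(log_text, dport=5060):
    """Average inbound bytes/sec per source toward dport over the log's time span.
    DROPped packets are counted too: the firewall discards them only after they
    have crossed the ADSL downlink, so they still consume link capacity."""
    totals = defaultdict(int)
    stamps = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) != dport:
            continue
        stamps.add(int(m["ts"]))
        totals[m["src"]] += int(m["len"])
    span = (max(stamps) - min(stamps) + 1) if stamps else 1
    return {src: b / span for src, b in totals.items()}

def link_hogs(rates, link_bytes_per_sec, fraction=0.5):
    """Sources whose inbound rate alone exceeds `fraction` of the downlink.
    A local block cannot relieve these; filtering has to happen upstream (ISP)."""
    return sorted(src for src, r in rates.items() if r >= fraction * link_bytes_per_sec)

if __name__ == "__main__":
    LINK = 1_000_000  # assumed ADSL2+ downlink of ~8 Mbit/s, expressed in bytes/sec
    rates = bytes_per_source(build_sample_log())
    for src, r in rates.items():
        print(f"{src:>15}: {r / 1000:.0f} KB/s ({100 * r / LINK:.0f}% of downlink)")
    print("needs upstream filtering:", link_hogs(rates, LINK))
```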