Hi Marios

On 25/06/12 18:50, Marios Makassikis wrote:
>>> I would consider having PF rate-limit connections to your SIP PBX, and add any host
>>> that goes over the limit to your badguys table.
>>> An example is described here: http://home.nuug.no/~peter/pf/en/bruteforce.html
>>
>> I saw this. But the problem is, the attacker always comes with the same IP/Port combo,
>> so there is always the same session for pf. So this method does not work!
>
> My understanding of this is that PF creates a state and uses it for the other
> communications with the attacker. Considering there is no other state created, it will never
> reach the limit to be added to the table.

Exactly, that's the case.

> If that is the case, the question remains: how do you detect the attack? Is the PBX rendered
> unusable for other clients?

Yes, it becomes more or less unusable...

> I think a more accurate description of the attack would be helpful to find a solution to the problem.

I now have a script which watches the PBX for unsuccessful authentication and adds the IP, if there are 10 unsuccessful tries in 5 seconds, via ssh to the table on the OpenBSD box. That solves all my problems greatly.

>> Is there a way to do something similar by packets per second?
>
> packets per second sounds like a unit for bandwidth, which would suggest using something
> like ALTQ to throttle traffic. The problem remains though, since you may end up throttling all
> connections to your PBX, including legitimate clients.

I considered ALTQ, but that is in my opinion not a very nice way to solve this problem.

Regards

Matthias

--
Matthias Cramer, Erachfeldstrasse 1b, CH-8180 Bülach, Switzerland
http://www.freestone.net
GnuPG 1024D/2D208250 = DBC6 65B6 7083 1029 781E 3959 B62F DF1C 2D20 8250
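The log-based detection the poster describes (10 failed authentications from one source within 5 seconds, then add the source IP to the PF table) as an added example; this is not the poster's script. The PBX log format and the `auth-fail` sample lines are constructed assumptions, and the `badguys` table name comes from the quoted advice; the example only builds the `pfctl` commands rather than running them over ssh.

```python
import re
from collections import defaultdict, deque

# Assumed PBX log format (constructed, not from the thread):
# "<epoch seconds> auth-fail <source IP>"
LINE_RE = re.compile(r"^(\d+(?:\.\d+)?) auth-fail (\S+)$")

THRESHOLD = 10   # failures needed to flag a source
WINDOW = 5.0     # seconds the failures must fall within

# Constructed sample log: one source fails 10 times in 3.6 s (brute force),
# another fails 10 times spread over 6.3 s (never 10 inside a 5 s window).
SAMPLE_LOG = (
    [f"{1000 + i * 0.4:.1f} auth-fail 203.0.113.7" for i in range(10)]
    + [f"{2000 + i * 0.7:.1f} auth-fail 198.51.100.5" for i in range(10)]
)


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return source IPs that reached `threshold` failures inside `window` seconds.

    The count is taken from the PBX's own auth failures, so it does not depend
    on PF seeing new states; a single reused IP:port pair is still detected.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                       # ignore lines that are not auth failures
        ts, ip = float(m.group(1)), m.group(2)
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:    # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged.append(ip)
    return flagged


def pfctl_commands(ips, table="badguys"):
    """Commands to run on the OpenBSD box (e.g. over ssh) for each flagged IP."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


if __name__ == "__main__":
    for cmd in pfctl_commands(detect_bruteforce(SAMPLE_LOG)):
        print(cmd)
```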