On 25 June 2012 19:06, Matthias Cramer <cra...@freestone.net> wrote:
> Hi Marios
>
> On 25/06/12 18:50, Marios Makassikis wrote:
>>>> I would consider having PF rate-limit connections to your SIP PBX, and
>>>> add any host that goes over the limit to your badguys table.
>>>> An example is described here:
>>>> http://home.nuug.no/~peter/pf/en/bruteforce.html
>>>
>>> I saw this. But the problem is, the attacker always comes with the same
>>> IP/port combo, so there is always the same session for pf. So this method does not work!
>>
>> My understanding of this is that PF creates a state and uses it for the
>> other communications with the attacker. Considering there is no other state
>> created, it will never reach the limit to be added to the table.
>
> Exactly, that's the case.
>
>> If that is the case, the question remains: how do you detect the
>> attack? Is the PBX rendered unusable for other clients?
>
> Yes, it becomes more or less unusable...
>
In that case, the ALTQ trick is pointless.

>> I think a more accurate description of the attack would be helpful to
>> find a solution to the problem.
>
> I now have a script which watches the PBX for unsuccessful authentication
> and adds the IP, if there are 10 unsuccessful tries in 5 seconds, via ssh to the
> table on the OpenBSD box. That solves all my problems greatly.
>

Seeing your solution (glad you solved your problem, by the way :) ), it looks like someone is bruteforcing your server, which implies that the first step prior to attempting to authenticate is to establish a connection.
I'm surprised PF doesn't catch it though. Even if the attacker is using the exact same packets, I recall reading that PF tracks connections by looking at source and destination transport addresses, but also ISNs. (Of course, you shouldn't take my word for it, as I couldn't find any source that backs this up.)
In that case, it would mean your server is using weak ISNs, and using modulate state instead of keep state would help mitigate the issue, as new states would be created for each connection and you can effectively do some rate limiting.
There's also the possibility that your software keeps the connection open upon a failed auth, instead of closing after a predefined number of attempts. If that's the case, I'd send a bug report to the developers.

>>> Is there a way to do something similar by packets per second?
>>>
>> Packets per second sounds like a unit for bandwidth, which would
>> suggest using something like ALTQ to throttle traffic. The problem remains though, since you
>> may end up throttling all connections to your PBX, including legitimate clients.
>
> I considered ALTQ, but that is in my opinion not a very nice way to solve this
> problem.
>
> Regards
>
> Matthias
>
> --
> Matthias Cramer, Erachfeldstrasse 1b, CH-8180 Bülach, Switzerland
> http://www.freestone.net
> GnuPG 1024D/2D208250 = DBC6 65B6 7083 1029 781E 3959 B62F DF1C 2D20 8250
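The log-watching approach Matthias describes above (count failed SIP authentications per source address, and push the address into the PF table on the OpenBSD box when 10 failures fall within 5 seconds) can be written as a small sliding-window detector. The following is an added example for this thread, not Matthias's script or anything from the original posts. The log format it parses is constructed for the example and is not any real PBX's format; the table name `badguys` comes from the thread, the firewall host `fw.example.net` and the `192.0.2.0/24` trusted range are assumptions. It emits the `pfctl -t badguys -T add <ip>` command (optionally prefixed with `ssh <host>`) rather than running it, so it can be tried offline; it also shows the checks a practitioner would want that the thread does not spell out: a whitelist so a misconfigured trusted phone can never lock itself out, at most one block per address, and silent skipping of malformed or unrelated lines.

```python
"""Sliding-window detector for SIP auth-failure floods (added example).

Counts authentication failures per source address and, once an address
has `threshold` failures inside `window_seconds` (10 in 5 s, the numbers
from the thread), emits the pfctl command that adds it to a PF table.
The log format below is constructed for this example, not a real PBX's.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed format: "<ISO8601 UTC> auth-failed user=<x> from=<ip>:<port>"
LINE_RE = re.compile(r'^(?P<ts>\S+) auth-failed user=(?P<user>\S+) from=(?P<ip>\S+):(?P<port>\d+)$')


def parse_line(line):
    """Return (timestamp, ip_address) for an auth-failure line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None                      # unrelated or malformed line: ignore
    try:
        ts = datetime.strptime(m.group('ts'), '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)
        ip = ipaddress.ip_address(m.group('ip'))   # validates, so it is safe to pass to pfctl
    except ValueError:
        return None
    return ts, ip


class BruteForceDetector:
    def __init__(self, threshold=10, window_seconds=5, whitelist=()):
        self.threshold = threshold
        self.window = window_seconds
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked = set()

    def observe(self, ts, ip):
        """Record one failure; return True only when ip first crosses the threshold."""
        if ip in self.blocked or any(ip in net for net in self.whitelist):
            return False
        q = self.failures[ip]
        q.append(ts)
        cutoff = ts.timestamp() - self.window
        while q and q[0].timestamp() < cutoff:   # drop failures older than the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked.add(ip)
            del self.failures[ip]
            return True
        return False


def pfctl_add_command(ip, table='badguys', ssh_host=None):
    """Build `pfctl -t <table> -T add <ip>`, run via ssh when the firewall is a separate box."""
    cmd = ['pfctl', '-t', table, '-T', 'add', str(ip)]
    return ['ssh', ssh_host] + cmd if ssh_host else cmd


def scan_log(lines, detector, ssh_host=None):
    """Feed log lines through the detector; return one pfctl command per newly blocked address."""
    cmds = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if detector.observe(ts, ip):
            cmds.append(pfctl_add_command(ip, ssh_host=ssh_host))
    return cmds


def _line(ts, user, ip, port=5060):
    return f'{ts} auth-failed user={user} from={ip}:{port}'


# Constructed sample log: an attacker (12 failures in 3 s), a user mistyping a
# password (4 failures over 30 s), 10 failures from a trusted host, and one
# unrelated line.
SAMPLE_LOG = (
    [_line(f'2012-06-25T19:06:0{s}Z', 1000 + i, '203.0.113.7') for s in range(3) for i in range(4)]
    + [_line(f'2012-06-25T19:06:{5 + 10 * k:02d}Z', 1001, '198.51.100.9') for k in range(4)]
    + [_line('2012-06-25T19:06:40Z', 1000 + i, '192.0.2.10') for i in range(10)]
    + ['2012-06-25T19:06:41Z registration ok user=1003 from=198.51.100.9:5060']
)

if __name__ == '__main__':
    detector = BruteForceDetector(whitelist=['192.0.2.0/24'])   # assumed trusted range
    for cmd in scan_log(SAMPLE_LOG, detector, ssh_host='fw.example.net'):
        print(' '.join(cmd))   # dry run; subprocess.run(cmd, check=True) would apply it
```

Run against the sample, only `203.0.113.7` is reported, once, at its tenth failure; the slow mistyper never accumulates 10 failures inside any 5-second window, and the whitelisted host is skipped entirely. In production the script would read the PBX log as it grows and execute the command instead of printing it; the PF rule on the OpenBSD box then only needs to block `<badguys>`, and `pfctl -t badguys -T expire <seconds>` run periodically can age out old entries.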