FYI from unknown Attack, how to block?

turalo

Hi guys, for the last few months I have been getting too many attacks on my server that come from unknown.
Hereunder is an example of an attack that's going on right now. If I try to tail -f the log file, it's full of it
and it's not stopping. Normally I also see the IP, but here I cannot see the IP of the attacker.
Can anybody advise how to block this?


[2014-07-25 15:13:59] VERBOSE[13780] logger.c: -- Executing [45660@from-sip-external:2] Set("SIP/xxx.xxx.xxx.xxx-c512e100", "DID=45660") in new stack
[2014-07-25 15:13:59] VERBOSE[13780] logger.c: -- Executing [45660@from-sip-external:3] Goto("SIP/xxx.xxx.xxx.xxx-c512e100", "s|1") in new stack
[2014-07-25 15:13:59] VERBOSE[13780] logger.c: -- Goto (from-sip-external,s,1)
[2014-07-25 15:13:59] VERBOSE[13780] logger.c: -- Executing [s@from-sip-external:1] GotoIf("SIP/xxx.xxx.xxx.xxx-c512e100", "0?checklang:noanonymous") in new stack
[2014-07-25 15:13:59] VERBOSE[13780] logger.c: -- Goto (from-sip-external,s,5)
[2014-07-25 15:13:59] VERBOSE[13780] logger.c: -- Executing [s@from-sip-external:5] Set("SIP/xxx.xxx.xxx.xxx-c512e100", "TIMEOUT(absolute)=15") in new stack
[2014-07-25 15:13:59] VERBOSE[13780] logger.c: -- Channel will hangup at 2014-07-25 13:14:14 UTC.
[2014-07-25 15:13:59] VERBOSE[13599] logger.c: -- Executing [s@from-sip-external:9] PlayTones("SIP/xxx.xxx.xxx.xxx-c4b404a0", "congestion") in new stack
[2014-07-25 15:13:59] VERBOSE[13599] logger.c: -- Executing [s@from-sip-external:10] Congestion("SIP/xxx.xxx.xxx.xxx-c4b404a0", "5") in new stack
[2014-07-25 15:13:59] VERBOSE[13780] logger.c: -- Executing [s@from-sip-external:6] Answer("SIP/xxx.xxx.xxx.xxx-c512e100", "") in new stack
[2014-07-25 15:13:59] VERBOSE[13780] logger.c: -- Executing [s@from-sip-external:7] Wait("SIP/xxx.xxx.xxx.xxx-c512e100", "2") in new stack
[2014-07-25 15:13:59] VERBOSE[13741] logger.c: -- Executing [s@from-sip-external:8] Playback("SIP/xxx.xxx.xxx.xxx-c42fbe60", "ss-noservice") in new stack
[2014-07-25 15:13:59] VERBOSE[13741] logger.c: -- <SIP/xxx.xxx.xxx.xxx-c42fbe60> Playing 'ss-noservice' (language 'en')
[2014-07-25 15:13:59] VERBOSE[13742] logger.c: -- Executing [s@from-sip-external:8] Playback("SIP/xxx.xxx.xxx.xxx-c49c72f0", "ss-noservice") in new stack
[2014-07-25 15:13:59] VERBOSE[13742] logger.c: -- <SIP/xxx.xxx.xxx.xxx-c49c72f0> Playing 'ss-noservice' (language 'en')
[2014-07-25 15:13:59] VERBOSE[13443] logger.c: == Spawn extension (from-sip-external, s, 10) exited non-zero on 'SIP/xxx.xxx.xxx.xxx-c4f3d720'
[2014-07-25 15:13:59] VERBOSE[13443] logger.c: -- Executing [h@from-sip-external:1] Hangup("SIP/xxx.xxx.xxx.xxx-c4f3d720", "") in new stack
[2014-07-25 15:13:59] VERBOSE[13443] logger.c: == Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/xxx.xxx.xxx.xxx-c4f3d720'
[2014-07-25 15:13:59] VERBOSE[13743] logger.c: -- Executing [s@from-sip-external:8] Playback("SIP/xxx.xxx.xxx.xxx-c40e6fa0", "ss-noservice") in new stack
[2014-07-25 15:13:59] VERBOSE[13743] logger.c: -- <SIP/xxx.xxx.xxx.xxx-c40e6fa0> Playing 'ss-noservice' (language 'en')
[2014-07-25 15:13:59] WARNING[10377] chan_sip.c: Maximum retries exceeded on transmission 3168642181 for seqno 1 (Critical Response)
[2014-07-25 15:13:59] VERBOSE[13744] logger.c: -- Executing [s@from-sip-external:8] Playback("SIP/xxx.xxx.xxx.xxx-c49b1d10", "ss-noservice") in new stack
[2014-07-25 15:13:59] VERBOSE[13744] logger.c: -- <SIP/xxx.xxx.xxx.xxx-c49b1d10> Playing 'ss-noservice' (language 'en')
[2014-07-25 15:13:59] VERBOSE[13745] logger.c: -- Executing [s@from-sip-external:8] Playback("SIP/xxx.xxx.xxx.xxx-c4fba410", "ss-noservice") in new stack
[2014-07-25 15:13:59] VERBOSE[13745] logger.c: -- <SIP/xxx.xxx.xxx.xxx-c4fba410> Playing 'ss-noservice' (language 'en')
[2014-07-25 15:13:59] VERBOSE[13781] logger.c: -- Executing [45661@from-sip-external:1] NoOp("SIP/xxx.xxx.xxx.xxx-c4ab61b0", "Received incoming SIP connection from unknown peer to 45661") in new stack
[2014-07-25 15:13:59] VERBOSE[13781] logger.c: -- Executing [45661@from-sip-external:2] Set("SIP/xxx.xxx.xxx.xxx-c4ab61b0", "DID=45661") in new stack
[2014-07-25 15:13:59] VERBOSE[13781] logger.c: -- Executing [45661@from-sip-external:3] Goto("SIP/xxx.xxx.xxx.xxx-c4ab61b0", "s|1") in new stack
[2014-07-25 15:13:59] VERBOSE[13781] logger.c: -- Goto (from-sip-external,s,1)
[2014-07-25 15:13:59] VERBOSE[13781] logger.c: -- Executing [s@from-sip-external:1] GotoIf("SIP/xxx.xxx.xxx.xxx-c4ab61b0", "0?checklang:noanonymous") in new stack
[2014-07-25 15:13:59] VERBOSE[13781] logger.c: -- Goto (from-sip-external,s,5)
[2014-07-25 15:13:59] VERBOSE[13781] logger.c: -- Executing [s@from-sip-external:5] Set("SIP/xxx.xxx.xxx.xxx-c4ab61b0", "TIMEOUT(absolute)=15") in new stack
[2014-07-25 15:13:59] VERBOSE[13781] logger.c: -- Channel will hangup at 2014-07-25 13:14:14 UTC.
[2014-07-25 15:13:59] VERBOSE[13781] logger.c: -- Executing [s@from-sip-external:6] Answer("SIP/xxx.xxx.xxx.xxx-c4ab61b0", "") in new stack
[2014-07-25 15:13:59] VERBOSE[13781] logger.c: -- Executing [s@from-sip-external:7] Wait("SIP/xxx.xxx.xxx.xxx-c4ab61b0", "2") in new stack
[2014-07-25 15:13:59] VERBOSE[13444] logger.c: == Spawn extension (from-sip-external, s, 10) exited non-zero on 'SIP/xxx.xxx.xxx.xxx-c4f41a60'
[2014-07-25 15:13:59] VERBOSE[13444] logger.c: -- Executing [h@from-sip-external:1] Hangup("SIP/xxx.xxx.xxx.xxx-c4f41a60", "") in new stack
[2014-07-25 15:13:59] VERBOSE[13444] logger.c: == Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/xxx.xxx.xxx.xxx-c4f41a60'
[2014-07-25 15:13:59] VERBOSE[13746] logger.c: -- Executing [s@from-sip-external:8] Playback("SIP/xxx.xxx.xxx.xxx-c4384ff0", "ss-noservice") in new stack
[2014-07-25 15:13:59] VERBOSE[13746] logger.c: -- <SIP/xxx.xxx.xxx.xxx-c4384ff0> Playing 'ss-noservice' (language 'en')
[2014-07-25 15:13:59] WARNING[10377] chan_sip.c: Maximum retries exceeded on transmission 398353129 for seqno 1 (Critical Response)
[2014-07-25 15:13:59] VERBOSE[13600] logger.c: -- Executing [s@from-sip-external:9] PlayTones("SIP/xxx.xxx.xxx.xxx-c514d280", "congestion") in new stack
[2014-07-25 15:13:59] VERBOSE[13600] logger.c: -- Executing [s@from-sip-external:10] Congestion("SIP/xxx.xxx.xxx.xxx-c514d280", "5") in new stack
[2014-07-25 15:13:59] WARNING[10377] chan_sip.c: Maximum retries exceeded on transmission 2237589783 for seqno 1 (Critical Response)
[2014-07-25 15:13:59] VERBOSE[13601] logger.c: -- Executing [s@from-sip-external:9] PlayTones("SIP/xxx.xxx.xxx.xxx-c4a873c0", "congestion") in new stack
[2014-07-25 15:13:59] VERBOSE[13601] logger.c: -- Executing [s@from-sip-external:10] Congestion("SIP/xxx.xxx.xxx.xxx-c4a873c0", "5") in new stack
[2014-07-25 15:13:59] VERBOSE[13747] logger.c: -- Executing [s@from-sip-external:8] Playback("SIP/xxx.xxx.xxx.xxx-c4c20220", "ss-noservice") in new stack
[2014-07-25 15:13:59] VERBOSE[13747] logger.c: -- <SIP/xxx.xxx.xxx.xxx-c4c20220> Playing 'ss-noservice' (language 'en')
[2014-07-25 15:13:59] WARNING[10377] chan_sip.c: Maximum retries exceeded on transmission 3456329643 for seqno 1 (Critical Response)
[2014-07-25 15:13:59] VERBOSE[13602] logger.c: -- Executing [s@from-sip-external:9] PlayTones("SIP/xxx.xxx.xxx.xxx-c43b0ec0", "congestion") in new stack
[2014-07-25 15:13:59] VERBOSE[13602] logger.c: -- Executing [s@from-sip-external:10] Congestion("SIP/xxx.xxx.xxx.xxx-c43b0ec0", "5") in new stack
 

billsimon

Your dialplan is blocking the calls, as the log shows. There is nothing you need to do.

If you really want to block the IP with a firewall, enable SIP debug as described in this thread and after you determine the nuisance IP, block it with iptables.
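
The step suggested above (read the source address out of SIP debug output, then block it), sketched as an added example that is not part of the original thread. The debug excerpt is constructed, the `<--- SIP read from [UDP:]IP:port --->` header format is an assumption about chan_sip debug output, and the function names and the `trusted` set (for example your own trunk provider) are hypothetical:

```python
import ipaddress
import re
from collections import Counter

# Constructed chan_sip debug excerpt (not from the thread); documentation IPs.
# Assumed header format: "<--- SIP read from [UDP:]IP:port --->".
SAMPLE_SIP_DEBUG = """\
<--- SIP read from UDP:203.0.113.45:5071 --->
INVITE sip:45660@192.0.2.10 SIP/2.0
<--- SIP read from UDP:203.0.113.45:5071 --->
INVITE sip:45661@192.0.2.10 SIP/2.0
<--- SIP read from 203.0.113.45:5071 --->
INVITE sip:45662@192.0.2.10 SIP/2.0
<--- SIP read from UDP:198.51.100.7:5060 --->
INVITE sip:15551230000@192.0.2.10 SIP/2.0
<--- SIP read from UDP:198.51.100.7:5060 --->
OPTIONS sip:192.0.2.10 SIP/2.0
"""

READ_FROM = re.compile(r"<--- SIP read from (?:[A-Z]+:)?([0-9.]+):\d+ --->")
INVITE = re.compile(r"INVITE sip:([^@\s]+)@")


def invites_by_source(debug_text):
    """Count INVITE requests per source IP, pairing each header with its request line."""
    counts = Counter()
    source = None
    for raw in debug_text.splitlines():
        line = raw.strip()
        header = READ_FROM.match(line)
        if header:
            source = header.group(1)
        elif source and line:
            # First non-empty line after the header is the SIP request line.
            if INVITE.match(line):
                counts[source] += 1
            source = None
    return counts


def block_candidates(debug_text, trusted=(), min_invites=3):
    """Source IPs with at least min_invites INVITEs that are not trusted peers."""
    found = []
    for ip, n in invites_by_source(debug_text).items():
        try:
            ipaddress.ip_address(ip)  # never build a rule from a malformed address
        except ValueError:
            continue
        if n >= min_invites and ip not in trusted:
            found.append(ip)
    return sorted(found)


def iptables_rules(ips):
    """Render (not execute) one DROP rule per address, for review before applying."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]
```

The rules are only rendered as text; review them against your trunk and remote-phone addresses before applying any of them.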
 

turalo

OK, I was also thinking in that direction, because otherwise I would not see the IP.

Thanks.
 
