My network was attacked

mea2214
Posts: 9
Member Since:
2010-04-01

I'm posting this here because I can't find where the freeswitch forums are but even though this is kind of interesting, it's also pretty scary and my subnet that hosts my little VOIP telephone network is currently out of service. I'm running a Linux server with a lot of memory that runs VMWare Workstation. All my trixboxes and other PBXs run in their own virtual machine making it easy for me to network lots of them in all kinds of configurations. I'm still learning this. I started with trixbox and that's my main PBX and one of my trixboxes is even trunked into an ITSP so I can call into the outside world and the outside world can call into me. Over the past months I've gotten very familiar with asterisk and how trixbox does things. I have also tried out other PBXes like Digium and SIPfoundry just to see how they work.

Freeswitch has been on my radar for quite a while and I had it compiled in a couple of VMs and on the Linux host that runs the VMWare which supports all the VMs. Since I had the Freeswitch already compiled on the host I decided to fire it up into the default configuration. The default config worked and I even trunked it into a local trixbox serving as a VOIP provider and that worked. The XML config is kind of complicated so I'm far from figuring it out yet.

I then installed FreePBX to see how that works with the FreeSwitch compared to how it works with trixbox and AsteriskNOW. The install went OK -- there were some issues with FreePBX that I really didn't like but I digress. After getting FreePBX almost working I went to take the dog for a walk and came back and saw the lights on my router were blinking furiously which is never a good sign. I usually have wireshark running all the time. I went to check wireshark and there were so many messages so fast it crashed and my Linux server was sluggish.

I was getting SIP Register requests to the FreeSwitch from the same IP address in the 58.20.0.0 network which is from Beijing China. I have absolutely no idea how they found out about this installation. I run my own DNS server for all the PBXs and I constantly make sure no errant DNS requests ever make it to a public DNS server. The FreeSwitch was in its default config but after I loaded FreePBX it changed the configuration (which I really didn't like) and I'm not sure what it did. Something had to have sent out a notification to the Chinese in order for them to know my stupid unconfigured freeswitch even existed. Ironically, they were probably looking for free phone calls and they should have hit the trixbox that was actually configured to the outside world.

I have two IPs on my DSL line and the IP that's hooked to the subnet with the VOIP network is currently down but my other IP is working which is why I can post this. Apparently my ISP saw that traffic and cut it off and put that IP out of service. I'm going to work with them today to get back up and running but I'm a little worried about this. Had I been a consultant on a real VOIP install and this happened it would have been a disaster. Not only did a goofball in China take down my phone network, they could have taken down my entire network and Internet access.

I'm posting this story here in the hopes that someone has some insights into what I might have done wrong and how I can avoid something like this happening again.



antidelldude
Posts: 287
Member Since:
2009-05-18
This happens all the time.

This happens all the time. You are lucky you didn't have any trunks on the server for the bot to take advantage of. There are bot nets CONSTANTLY scanning the internet looking for servers to take advantage of. Nothing you installed "notified the Chinese" in a direct way. You need to have a hardened server before you place it on the internet. There are plenty of guides floating around the internet that show how to harden linux and trixbox/any freepbx distro. You need to change all the management passwords, change port ranges, don't open ANYTHING to the internet if you don't have to (no web interfaces!), install fail2ban, install bfd, etc....

--

Regards,
Jon
Please respond if your problem was ever solved, and how you solved it. It'll help the next guy.



mea2214
Posts: 9
Member Since:
2010-04-01
Re: This happens all the time

I should add that everything sits behind an el cheapo consumer grade Linksys router so the server is assigned to a private IP on the 192.168.1.0 subnet. How would a bot scan this server? The SIP port 5060 was actually forwarded to the trixbox that supports the external trunks which is on its own static private IP. Somehow the hackers changed the port forwarding to send all the Register requests on port 5060 to the FreeSwitch instead of the trixbox. I find it curious that this happened right after installing FreePBX. I think the coincidence behind this is rather curious. I've been running my own mail and web servers since I got DSL in 2001 and have seen some attacks but nothing to this scale. I regularly check the router bounce logs and see the bots but nothing ever gets through the D-Link router. Ever since I started this VOIP project I've been continuously monitoring this network and I've never seen a bot get through to scan anything in the network (although I only look at samples of traffic).

Granted I have UPnP turned on the Linksys router (the router on the other subnet that has the mail and web server has UPnP off) but I would assume that something inside my network changed the port forwarding. Since I was working on the FreePBX installation, and then this happened, when nothing like this has happened in the last 3 months working with trixboxes and other pbxs, and nothing like this bad in the last 9 years of running my own network, I can only assume that FreePBX actively did something but I don't know what since wireshark crashed losing all the traffic data.

I also realized how crappy a router Linksys is since it wouldn't even block IP ranges that would have perhaps helped out a lot. I'm going to be looking for a much better router for this subnet -- that is if I ever get it up and running again. I'm glad I didn't put the VOIP network on the same subnet with the web and mail servers.



efx456
Posts: 132
Member Since:
2009-09-01
deleted

deleted



tuaris
Posts: 12
Member Since:
2008-01-04
Same thing is happening to me at this moment

I'm getting thousands of UDP packets per second from a single IP address (75.101.244.9). They look like SIP registration requests.

The IP belongs to Amazon's EC2 cloud computing services. It's impossible to tell if this is maliciousness or a fluke. I tried calling up Amazon's abuse department, but apparently one does not exist. I got customer support instead, and they were unhelpful. My ISP can't do anything other than shut off the T1 circuit (which I don't want). At one time my PBX had about 6600+ channels open. All of them REGISTER messages.

I have my firewall dropping the packets, but this UDP flood is using up 90% of my downstream bandwidth.

--

President/CEO
Pacy World
http://www.pacyworld.com



Obzorg
Posts: 55
Member Since:
2009-06-23
Amazon EC2

I had the same problem a few weeks ago. A host in Amazon's EC2 cloud was sending 200 registration attempts per second. Nothing was successful but it was effectively a Denial of Service attack. I blocked 5060 on the firewall and tried notifying Amazon via their abuse email address but got an automated reply saying that I should fill out a form on their site to report abuse. I filled out the form with all of the details they asked for only to get an error when I tried submitting it. I tried multiple times but it looked like their abuse reporting system is broken.

I ended up installing fail2ban and opened 5060 again.



stonet
Posts: 103
Member Since:
2008-02-28
I have had attacks three

I have had attacks three times from the Amazon cloud, the latest was yesterday from IP 204.236.211.33. I have reported it to Amazon abuse:

RAbuseName: Amazon EC2 Abuse
RAbusePhone: +1-206-266-4064
RAbuseEmail: ec2-abuse@amazon.com

hopefully they will do something about it!

It really is essential to have fail2ban active, that catches these attacks and bans the IP address after the first attempts.

Installing Fail2ban is simple:

Follow the instructions at http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk exactly and once done add the following line to /etc/fail2ban/filter.d/asterisk.conf under the failregex section:

NOTICE.* .*: Registration from '.*' failed for '' - Peer is not supposed to register

Hope this helps
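To make the fail2ban advice in this thread (Jon's "install fail2ban" and the asterisk.conf failregex above) concrete, here is an added example that is not part of the thread or of fail2ban itself. It applies the quoted failregex to a few constructed Asterisk log lines the way fail2ban's filter does and reports which source addresses would be banned. One caveat worth knowing: fail2ban only learns the address to ban from a `<HOST>` tag in the failregex, and the copy of the line quoted above shows `''` at that spot (forum software commonly strips `<HOST>` as if it were an HTML tag), so the pattern below is written with `<HOST>` spelled out. The sample log lines, the source addresses in them and the jail settings (maxretry, findtime) are all constructed for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# The failregex quoted in the post, written with fail2ban's <HOST> tag where
# the source address appears (the page's copy shows '' there; fail2ban needs
# <HOST> to know which part of the line is the address to ban).
FAILREGEX = (r"NOTICE.* .*: Registration from '.*' failed for '<HOST>'"
             r" - Peer is not supposed to register")

# fail2ban expands <HOST> to this named group before compiling the pattern.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Asterisk "full" log timestamps look like "[Apr 13 10:00:01]" (no year).
TIMESTAMP_RE = re.compile(r"^\[(\w{3} \d{2} \d{2}:\d{2}:\d{2})\]")

# Constructed sample log (not real traffic): one remote host hammering
# REGISTER, one LAN phone that is merely misconfigured, a line this regex is
# not meant to catch, and an unrelated VERBOSE line.
SAMPLE_LOG = [
    "[Apr 13 10:00:01] NOTICE[2345] chan_sip.c: Registration from '\"1001\" <sip:1001@10.0.0.5>' failed for '58.20.61.56' - Peer is not supposed to register",
    "[Apr 13 10:00:02] NOTICE[2345] chan_sip.c: Registration from '\"1002\" <sip:1002@10.0.0.5>' failed for '58.20.61.56' - Peer is not supposed to register",
    "[Apr 13 10:00:02] NOTICE[2345] chan_sip.c: Registration from '\"1003\" <sip:1003@10.0.0.5>' failed for '58.20.61.56' - Peer is not supposed to register",
    "[Apr 13 10:00:03] NOTICE[2345] chan_sip.c: Registration from '\"1004\" <sip:1004@10.0.0.5>' failed for '58.20.61.56' - Peer is not supposed to register",
    "[Apr 13 10:00:03] NOTICE[2345] chan_sip.c: Registration from '\"1005\" <sip:1005@10.0.0.5>' failed for '58.20.61.56' - Peer is not supposed to register",
    "[Apr 13 08:15:10] NOTICE[2345] chan_sip.c: Registration from '\"201\" <sip:201@10.0.0.5>' failed for '192.168.1.77' - Peer is not supposed to register",
    "[Apr 13 11:42:55] NOTICE[2345] chan_sip.c: Registration from '\"201\" <sip:201@10.0.0.5>' failed for '192.168.1.77' - Peer is not supposed to register",
    "[Apr 13 10:00:04] NOTICE[2345] chan_sip.c: Registration from '\"1001\" <sip:1001@10.0.0.5>' failed for '58.20.61.56' - Wrong password",
    "[Apr 13 10:00:05] VERBOSE[2345] logger.c:     -- Registered SIP '200' at 192.168.1.20 port 5060",
]


def compile_failregex(failregex=FAILREGEX):
    """Expand <HOST> the way fail2ban does and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def parse_failure(line, pattern):
    """Return (timestamp, host) for a line the filter matches, else None."""
    m = pattern.search(line)
    if m is None:
        return None
    ts = TIMESTAMP_RE.match(line)
    if ts is None:
        return None
    return datetime.strptime(ts.group(1), "%b %d %H:%M:%S"), m.group("host")


def find_offenders(lines, maxretry=5, findtime=600):
    """Hosts with at least maxretry matching failures inside any window of
    findtime seconds, which is the rule a fail2ban jail applies."""
    pattern = compile_failregex()
    seen = defaultdict(list)
    for line in lines:
        hit = parse_failure(line, pattern)
        if hit:
            seen[hit[1]].append(hit[0])
    offenders = []
    for host, times in seen.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                offenders.append(host)
                break
    return sorted(offenders)


def ban_commands(hosts):
    """The iptables rule fail2ban's default iptables action inserts per host."""
    return [f"iptables -I INPUT -s {h} -j DROP" for h in hosts]


if __name__ == "__main__":
    for cmd in ban_commands(find_offenders(SAMPLE_LOG)):
        print(cmd)
```

Two things the run makes visible that the post alone does not: the misconfigured LAN phone at 192.168.1.77 fails twice hours apart and is never banned under the default maxretry/findtime, while the remote host crosses the threshold within two seconds; and the "Wrong password" line is not caught by this one pattern at all, so a real jail needs a failregex per failure message Asterisk emits. Banning at the PBX also only stops the registration attempts from being processed; as tuaris notes further down, a UDP flood still consumes the inbound link until it is filtered upstream.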



mea2214
Posts: 9
Member Since:
2010-04-01
Update

It looks like I need to buy a new router that does proper firewalling and keeps timestamped logs. Since my attacker uses the same IP, once I get a proper firewall I can drop my DOS attacker into a black hole and be done with them. They're still out there pounding away at my router but port 5060 is blocked. Luckily, for me, this is just an experimental network so I can do without the external trunks for a while. Now whenever I open 5060 up the attacker slams the trixbox relentlessly. The tech people at my ISP said to send them a snippet of my router logs (with 5060 blocked) and they'll look into it but since my current router doesn't keep proper logs, I have to wait until I get a new router. I'm not sure what they can do since my attacker is from China. Once I do get proper logging it will be fascinating to see who's doing what on the other side of that router. It appears these VOIP PBXs are magnets to hackers and ne'er-do-wells.

Thanks for the info on fail2ban. That sounds like a useful thing to have. What I can't understand is the motivation behind these DOS attacks. If someone wanted to break into a box wouldn't it be better to be a little sneaky and send register attempts say once every five seconds or so that would probably go unnoticed? By slamming the box with a DOS they expose themselves fairly quickly and for what purpose? I have ports 25 and 80 open all the time and if they want to DOS me it would be fairly simple using them as well. If they're trying to exploit a buffer overflow, is there a vulnerability to this with the trixbox or any other open sourced VOIP PBX?

Now that I have my attacker cordoned off on the other side of the router I might play with him/her for a while by setting up a trixbox for him/her to exploit. When the DOSer tried to hit my freeswitch they didn't get anywhere because I didn't even get to the point of opening up that port in the firewall. Which still puzzles me. Why when they knew that port was blocked didn't they employ some patience and wait for it to eventually open?

BTW: Not that it matters but, after a little investigation, I think freeswitch changed my port forwarding using UPnP. I saw that it does check UPnP upon boot up so I assume that it must have made the change (something other than me did). Since I hard coded the port forwarding in the router I never thought that UPnP could change that port. In the end I guess it turned out to be a good thing but I disabled UPnP regardless.




gianthobbit
Posts: 39
Member Since:
2007-03-19
58.20.0.0 seems to be from

58.20.0.0 seems to be from AU. Australia?



mea2214
Posts: 9
Member Since:
2010-04-01
You're right

This is very weird. I'm getting different results depending upon which host I do the whois. The host where I originally did whois returned (and still does return) the following:

[mea@soyoserver ~]$ whois 58.20.61.56
[Querying whois.apnic.net]
[whois.apnic.net]
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 58.20.0.0 - 58.20.127.255
netname: changshacnc
country: CN
descr: CNC Group HuNan ChangSha network
descr: NO.376 , YouYi Street,
descr: ChangSha 410004
admin-c: CH444-AP
tech-c: CH444-AP
status: ASSIGNED NON-PORTABLE
changed: zoulei@chinaunicom.cn 20090104
mnt-by: MAINT-CNCGROUP-HN
source: APNIC

route: 58.20.0.0/16
descr: CNCGroup HuNan province network
country: CN
origin: AS9929
mnt-by: MAINT-CNCGROUP-RR
changed: hm-changed@apnic.net 20050427
source: APNIC

route: 58.20.0.0/16
descr: CNC Group CHINA169 Hunan Province Network
country: CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
changed: abuse@cnc-noc.net 20060601
source: APNIC

person: CNCGroup Hostmaster
nic-hdl: CH444-AP
e-mail: abuse@cnc-noc.net
address: No.156,Fu-Xing-Men-Nei Street,
address: Beijing,100031,P.R.China
phone: +86-10-82993155
fax-no: +86-10-82993144
country: CN
changed: abuse@cnc-noc.net 20041220
mnt-by: MAINT-CNCGROUP
source: APNIC

When I do a whois from brandylion, my web and mail server I get:

[mea@brandylion mea]$ whois 58.20.61.56
[Querying whois.arin.net]
[whois.arin.net]

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
ReferralServer: whois://whois.apnic.net

NetRange: 58.0.0.0 - 58.255.255.255
CIDR: 58.0.0.0/8
NetName: APNIC-58
NetHandle: NET-58-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS2.LACNIC.NET
NameServer: NS-SEC.RIPE.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://wq.apnic.net/apnic-bin/whois.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/apnic-info/whois_search2/abuse-and-spamming
RegDate: 2004-05-04
Updated: 2009-10-08

OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3188
OrgTechEmail: search-apnic-not-arin@apnic.net

# ARIN WHOIS database, last updated 2010-04-13 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at https://www.arin.net/whois_tou.html

If it matters, the brandylion server is using a different DNS server than soyo. They have their main and backups reversed but both DNS servers are my ISP's.


