said by pquesinb:
Fail2Ban is a good way of mitigating such attacks w/FS
Not if you use FS on Windows platform (like e.g. I do).
Of course one must also keep in mind that these are volunteers and we're not paying them to work on the free software they're providing. Still, decent documentation doesn't really seem like too much to ask if they're truly serious about the project... especially if they don't want to answer questions about it.
I've seen many, many free projects that don't exhibit that problem. This case is a big exception in my experience though... And I completely agree with you. Any common sense dictates that if you don't want to answer simple questions coming again and again form different people (many could be new to this project) - make simple answers in help pages and don't be rude, when you see someone try to ask it nevertheless... We all are people, you know...
Getting back to the issue of DDoS attacks, when the scanners like SipVicious or botnets, etc. are making registration attempts, do most of the SIP servers like FS close the network connection on an unsuccessful attempt (send an RST, etc.), forcing the scanner to open a new connection with each attempt or are they able to just keep scanning without re-opening the connection each time?
Usually SIP communications are made using UTP (connectionless protocol). But in any case, it's obvious if the same host tries to register many different users during a limited time, it should signal an attack. Stop responding for a couple of minutes. If then it tries do to the same - just block it and log the offending host for further investigation... It's very simple, but nevertheless extremely effective approach.
If the servers dump the connection on each failed attempt, that would make it much easier to deal with the attack from the firewall side, by implementing rate limiting and blacklisting after so many failed attempts per second, minute, etc.
Agree with you. The only problem here, developers should realize that it is security problem and not point on users - "it's your problem, not ours..." and ignore it all.--
Keep it simple, it'll become complex by itself...