Finding a SIP DoS attack via flow analysis

I’m leaving my getting hit in the head lesson when the boss calls.  Some unmentionable orifice is firing DoS attacks at a couple of our SIP servers.  My mission, should I choose to accept it, is to find and block the attackers.  (Should I choose not to accept it, then my mission will be to listen to Fearless Leader whine about it.  I can’t stand whining.)  Fortunately, I have flow data for one of the servers under attack.

What do I know that I can use to find the attacker?

  • The time the attack started (just after 8PM)
  • The server under attack (192.0.2.199)
  • The protocol used in the attack (UDP)

That’s enough to start with.  I grab all the flow files for the 8PM hour, filter them down to UDP flows involving the victim, and report on the addresses in those flows sorted by flow count, looking for hosts that have no business talking to a SIP server.

# flow-cat ft-v05.2010-08-23.20* | flow-nfilter -F ip-addr -v ADDR=192.0.2.199 | flow-nfilter -F udp | flow-report -v TYPE=ip-address -v SORT=+flows
#  --- ---- ---- Report Information --- --- ---
# build-version:        flow-tools 0.68.4.3
# name:                 default
# type:                 ip-address
# options:              +header,+xheader,+totals
# ip-src-addr-type:     address
# ip-dst-addr-type:     address
# sort_field:           +flows
# fields:               +key,+flows,+octets,+packets,+duration,+other
# records:              8
# first-flow:           1282608021 Mon Aug 23 20:00:21 2010
# last-flow:            1282611590 Mon Aug 23 20:59:50 2010
# now:                  1282842486 Thu Aug 26 13:08:06 2010
#
# mode:                 streaming
# compress:             off
# byte order:           little
# stream version:       3
# export version:       5
#
#  ['/usr/local/bin/flow-rptfmt', '-f', 'ascii']
ip-address      flows octets    packets duration
192.0.2.199     419   618683608 1524833 14124064
62.193.229.69   162   197187940 486751  6886912
10.0.1.8        125   27891     154     60332
72.249.76.164   118   421460896 1037910 7176284
172.16.8.9      8     608       8       0
192.0.2.130     2     2547      4       272
172.18.9.1      2     2519      4       264
10.5.8.9        2     1207      2       0

The first row is the victim itself: the ip-address report keys on both source and destination address, so after filtering on 192.0.2.199 that row is simply the total of the other seven (419 flows, 1,524,833 packets).  All of the hosts in private IP space are hosts that should be talking to this machine.  The two outside hosts, 62.193.229.69 and 72.249.76.164, shouldn’t be talking to my SIP servers.  The number of flows they generate doesn’t seem sufficient for a DoS attack, but many poorly-written attack tools use a single source port over and over again.  Remember, a NetFlow flow is identified by the combination of protocol, source and destination address, and source and destination port (v5 also keys on ToS and input interface).  If your attack tool fires 500 requests from a single UDP port at the SIP port 5060, you’ll see those 500 requests as a single flow, or as a handful of flows if the exporter’s active timeout splits a long-running stream into several records.  Judging from the packet counts rather than the flow counts, though, and knowing that a SIP request fits in one small UDP datagram, these two hosts have sent roughly 1.5 million packets, at about 400 bytes apiece, to this server in a single hour.  Flows are the wrong unit for spotting a UDP flood; packets per flow is the number to sort on.
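To redo that reasoning on the report above, here is an added example; it is my code, not the post’s and not part of flow-tools.  It parses the ip-address table exactly as flow-rptfmt prints it, checks that the victim’s row is the sum of the other rows (which is what a correct two-direction filter produces), ranks hosts outside known-good space by packets per flow, and models the NetFlow 5-tuple key with a constructed 500-datagram burst from 203.0.113.7 (a made-up attacker address).  The helper names (HostStats, parse_report, victim_row_is_total, suspicious_sources, flow_keys, sip_burst), the 100-packets-per-flow threshold and the choice of RFC 1918 space as known-good are all my assumptions, not anything from the post.

```python
"""Re-checking the flow-report numbers from the post.

Added example for this post; not the author's code and not part of
flow-tools.  REPORT is the ip-address table printed above with its
comment header trimmed.  sip_burst() produces constructed traffic.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

REPORT = """\
ip-address      flows octets    packets duration
192.0.2.199     419   618683608 1524833 14124064
62.193.229.69   162   197187940 486751  6886912
10.0.1.8        125   27891     154     60332
72.249.76.164   118   421460896 1037910 7176284
172.16.8.9      8     608       8       0
192.0.2.130     2     2547      4       272
172.18.9.1      2     2519      4       264
10.5.8.9        2     1207      2       0
"""

# Address space expected to talk to the SIP server.  The post treats
# RFC 1918 space as known-good; that is an assumption carried over here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class HostStats:
    ip: str
    flows: int
    octets: int
    packets: int
    duration_ms: int  # flow-tools reports duration in milliseconds

    @property
    def packets_per_flow(self) -> float:
        return self.packets / self.flows

    @property
    def bytes_per_packet(self) -> float:
        return self.octets / self.packets


def parse_report(text: str) -> list[HostStats]:
    """Parse the ascii table flow-rptfmt prints for a TYPE=ip-address report."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or fields[0] == "ip-address":
            continue  # blank line, report header, or column header
        ip, flows, octets, packets, duration = fields
        rows.append(HostStats(ip, int(flows), int(octets), int(packets), int(duration)))
    return rows


def victim_row_is_total(rows, victim):
    """The ip-address report keys on both source and destination address, so
    after filtering on the victim its own row must equal the sum of every
    other row.  If it does not, the filter let unrelated flows through."""
    v = next(r for r in rows if r.ip == victim)
    others = [r for r in rows if r.ip != victim]
    return (v.flows, v.packets, v.octets) == (
        sum(r.flows for r in others),
        sum(r.packets for r in others),
        sum(r.octets for r in others),
    )


def suspicious_sources(rows, victim, min_packets_per_flow=100, known_good=RFC1918):
    """Hosts outside known-good space whose flows carry far more packets than
    a legitimate SIP exchange would: the fingerprint of a flood from a fixed
    source port.  Returned worst first."""
    hits = []
    for r in rows:
        if r.ip == victim:
            continue
        addr = ipaddress.ip_address(r.ip)
        if any(addr in net for net in known_good):
            continue
        if r.packets_per_flow >= min_packets_per_flow:
            hits.append(r)
    return sorted(hits, key=lambda r: r.packets_per_flow, reverse=True)


def flow_keys(packets):
    """Distinct NetFlow v5 flow keys in a packet list: the exporter merges
    every packet sharing (protocol, src, sport, dst, dport) into one flow
    record.  (v5 also keys on ToS and input interface, held constant here.)"""
    return Counter((p["proto"], p["src"], p["sport"], p["dst"], p["dport"]) for p in packets)


def sip_burst(src, n, fixed_sport=None):
    """Constructed flood: n UDP datagrams to port 5060, either all from one
    source port or from a fresh ephemeral port each time."""
    return [{"proto": 17, "src": src,
             "sport": fixed_sport if fixed_sport is not None else 40000 + i,
             "dst": "192.0.2.199", "dport": 5060} for i in range(n)]


if __name__ == "__main__":
    rows = parse_report(REPORT)
    print("victim row is the total:", victim_row_is_total(rows, "192.0.2.199"))
    for r in suspicious_sources(rows, "192.0.2.199"):
        print(f"{r.ip:16} {r.packets_per_flow:8.0f} pkts/flow {r.bytes_per_packet:5.0f} B/pkt")
    print("flows from 500 requests, one source port:",
          len(flow_keys(sip_burst("203.0.113.7", 500, 5060))))
    print("flows from 500 requests, rotating ports: ",
          len(flow_keys(sip_burst("203.0.113.7", 500))))
```

Sorting on packets per flow puts 72.249.76.164 (about 8,800 packets per flow) and 62.193.229.69 (about 3,000) at the top, while every host that belongs on the network sits at one or two packets per flow; flow count alone, as the post notes, would have ranked 10.0.1.8 above one of the attackers.  The same table could be fed straight from `flow-report` into the script over a pipe, since it only needs the ascii rows.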

I block these IPs, and the /24 ranges they’re in, at the border, the problems stop, and I get to bed on time, which is what’s really important after a couple hours of martial arts practice.