Our multi-tenant PBX recently came under a dictionary attack. Somebody was trying to brute-force SIP registrations in order to gain access to our system for calls. This is something that happens from time to time when you have your Asterisk server sitting on the Internet. We have a large number of devices that may have to register from unknown locations, so our firewall has to be fairly permissive as far as ports go. To compensate, we have had good results with Fail2ban, which watches for unsuccessful registration attempts and blocks the source IP after a certain number of failures.
We were surprised to see that fail2ban was not actually killing the dictionary attack in this case. We did see the required number of failed registration attempts, but the attack continued. Rather than wait until we had found the problem with fail2ban, we simply blocked the source IP in our firewall, expecting that to resolve the issue. It did not.
Most firewall rule sets accept packets that belong to an established connection before any later rules are evaluated. Even though UDP is connectionless and we only use SIP over UDP, the kernel's connection tracking had already recorded the attacker's traffic as an established flow, so the attack continued over that tracked flow and our new block rule never got a chance to match it. Our sysadmin turned to the utility “conntrack”. It lets you look at the connections the Linux kernel is tracking and, among other things, delete them. We deleted the attacker's entries. Once we did so, the firewall rules applied and the attack ended.
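To make the mechanism concrete, here is an added example of the check and the fix. It is not the post's own script: it assumes iptables with the usual ESTABLISHED,RELATED accept rule, conntrack-tools on the PBX host, SIP on UDP/5060, a placeholder attacker address in the documentation range (203.0.113.45), and a constructed sample of conntrack output so it can run without root.

```sh
#!/bin/sh
# Added example, not from the original post. Assumptions: iptables, conntrack-tools,
# SIP on UDP/5060, attacker 203.0.113.45 (placeholder), and a constructed sample of
# `conntrack -L -p udp --dport 5060` output below (not a real capture).

# Each conntrack line carries the original-direction tuple first (src=/dst= of the
# packet that created the flow) and then the reply tuple. Two flows here come from
# the attacker, one from a legitimate phone at 192.0.2.77; our PBX is 198.51.100.10.
SAMPLE_CONNTRACK='udp      17 29 src=203.0.113.45 dst=198.51.100.10 sport=5060 dport=5060 src=198.51.100.10 dst=203.0.113.45 sport=5060 dport=5060 mark=0 use=1
udp      17 179 src=192.0.2.77 dst=198.51.100.10 sport=5060 dport=5060 [ASSURED] src=198.51.100.10 dst=192.0.2.77 sport=5060 dport=5060 mark=0 use=1
udp      17 12 src=203.0.113.45 dst=198.51.100.10 sport=41022 dport=5060 src=198.51.100.10 dst=203.0.113.45 sport=5060 dport=41022 mark=0 use=1'

# flows_from IP: read conntrack -L output on stdin and count the UDP flows whose
# original-direction source is IP. Only the first src= field on a line is that
# source; the second src= belongs to the reply tuple (our own PBX address).
flows_from() {
  awk -v ip="$1" '
    BEGIN { want = "src=" ip; n = 0 }
    $1 == "udp" {
      for (i = 1; i <= NF; i++)
        if (substr($i, 1, 4) == "src=") { if ($i == want) n++; break }
    }
    END { print n }'
}

# block_cmds IP: print the two commands that actually stop the attacker.
# Inserting the DROP at position 1 puts it ahead of the usual
#   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# rule, and deleting the tracked entries (what the post did) removes the flow the
# firewall had already classified as established. An empty address is refused:
# `conntrack -D` with no filter would delete every tracked entry on the box.
block_cmds() {
  [ -n "$1" ] || return 1
  printf '%s\n' \
    "iptables -I INPUT 1 -s $1 -j DROP" \
    "conntrack -D -s $1"
}

# verify_blocked IP: succeed only when no tracked flow from IP remains. Feed it
# live output (`conntrack -L -p udp --dport 5060 | verify_blocked IP`) after the
# block to confirm the fix took, instead of watching the log and hoping.
verify_blocked() {
  [ "$(flows_from "$1")" = 0 ]
}

# Stand-alone demo against the constructed sample (no root needed).
printf '%s\n' "$SAMPLE_CONNTRACK" | flows_from 203.0.113.45   # 2 flows still tracked
block_cmds 203.0.113.45 | sed 's/^/would run: /'
```

On a live host you would replace the sample with real `conntrack -L` output and run the two printed commands as root, then pipe a fresh listing through verify_blocked. The post does not say why fail2ban's own ban was ineffective, but a ban rule that lands after the ESTABLISHED accept would fail for exactly the reason described above, which is worth checking with `iptables -L INPUT --line-numbers` before trusting any automated blocking on a SIP host.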
Another description of the attack and resolution can be found here.