Good evening to all,
I'm just thinking about how to deal with the following task:
I have a big PBX that also uses SIP for outgoing and incoming connections (outgoing to use cheaper VoIP providers for international calls; incoming, e.g., when I'm on a business trip and connecting from outside).
I had an issue some months ago where a hacked server from Hong Kong "tried" to get onto my SIP (which is not the big deal, as it would need to find out the username AND the password), but it came in at more than 2 Mbit/s, bringing down my poor PBX with several hundred tries per second. I was here, so I was able to block this IP in my DD-WRT, which I was using at the time.
Now I'm thinking about ways to prevent this in the future in an automated way. With Tomato, I would be able to throttle an incoming connection down to an incredibly low priority after a transfer of 1 megabyte. A normally used SIP will not produce that much traffic on the command connection. However, if I stay connected from outside for a day, the (wanted) traffic will add up over time.
So, is there any time limit for the trigger "KB transferred" in Tomato? Will it count the bytes on a connection (but how should this work on UDP in that case?) or from/to an IP address? Is there a time period after which the count is reset?
What about adding the ability to check for a configurable "bytes per time period", which could protect such service ports from incoming DDoS attacks?
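As an added illustration of the "bytes per time period" idea raised in the post (example code written for this page, not Tomato's own QoS or firewall code, and it makes no claim about how Tomato's "KB transferred" trigger is implemented internally): the counter below is keyed on the source IP address, because UDP has no connection to count on, and it compares a plain cumulative count against a sliding-window count. The sample traffic is constructed: one legitimate remote phone re-registering every 30 seconds for a day, and one flood source sending several hundred datagrams per second for a few seconds. The cumulative counter eventually flags the legitimate phone as well (its traffic adds up over the day, exactly the concern in the post), while the windowed counter flags only the flood.

```python
from collections import defaultdict, deque

# Constructed sample traffic on the SIP signalling port, as (timestamp_s, src_ip, bytes).
# LEGIT_IP: a legitimate remote phone re-registering every 30 s with a 600-byte
#   datagram for 24 hours (about 1.7 MB in total, but never more than 1.2 KB per minute).
# FLOOD_IP: a flood of 400 datagrams/s of 600 bytes for 5 s (about 1.2 MB in 5 s).
# Both addresses are documentation ranges, chosen for the example.
LEGIT_IP = "198.51.100.10"
FLOOD_IP = "203.0.113.77"


def build_sample():
    pkts = [(i * 30.0, LEGIT_IP, 600) for i in range(2880)]
    pkts += [(1000.0 + i / 400.0, FLOOD_IP, 600) for i in range(2000)]
    pkts.sort()
    return pkts


class ByteCounter:
    """Per-source byte counter keyed on source IP (UDP has no connection to count on).

    window_s=None counts forever, like a plain "KB transferred" trigger.
    window_s=N counts only bytes seen in the last N seconds, so the count of a
    long-lived legitimate session drains as time passes instead of adding up.
    """

    def __init__(self, limit_bytes, window_s=None):
        self.limit = limit_bytes
        self.window = window_s
        self.recent = defaultdict(deque)   # ip -> deque of (ts, size) still inside the window
        self.total = defaultdict(int)      # ip -> bytes currently counted against it
        self.first_over = {}               # ip -> timestamp of its first violation

    def observe(self, ts, ip, size):
        """Account one datagram; return True if this source is over the limit."""
        self.total[ip] += size
        if self.window is not None:
            q = self.recent[ip]
            q.append((ts, size))
            # drop datagrams that have aged out of the window
            while q and q[0][0] <= ts - self.window:
                _, old = q.popleft()
                self.total[ip] -= old
        over = self.total[ip] > self.limit
        if over and ip not in self.first_over:
            self.first_over[ip] = ts
        return over


def offenders(pkts, limit_bytes=1_000_000, window_s=None):
    """Replay pkts through a ByteCounter; return {ip: timestamp of first violation}."""
    counter = ByteCounter(limit_bytes, window_s)
    for ts, ip, size in pkts:
        counter.observe(ts, ip, size)
    return counter.first_over


if __name__ == "__main__":
    sample = build_sample()
    # cumulative: flags the flood after ~4 s and the legitimate phone after ~14 h
    print("cumulative  :", offenders(sample))
    # 60 s window: flags only the flood
    print("60 s window :", offenders(sample, window_s=60.0))
```

The window length and byte limit are the two knobs a "bytes per time period" rule would expose; with a 1 MB limit and a 60 s window, the legitimate phone never gets past 1.2 KB in any window, while the flood crosses the limit within about four seconds of starting, which is early enough to deprioritise or block that source before the PBX is saturated.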