
Self Hosting VOIP server getting SIP attack

Hi Guys,

 

I have already opened a few cases with support, but not much help was provided, which is why I am here. Here are the infra details of our customer.

They have a self hosting VOIP in their infra. Right now they are experiencing SIP call attacks.

 

On the outgoing side, the customer requests the VOIP to go out through a specific IP, hence the outbound address.


Same here for incoming.

 

I am not sure if traffic shaping will help or not, but the current situation that we are facing is that SIP calls would be attacked.

SIP ALG has been unloaded as well. Would anyone have any tips or suggestions?



  • Hi  

    As per my understanding, you have a LAN to WAN firewall rule for the outbound SIP connection and a WAN to LAN rule for the inbound connection, and as you have opened the connection for ANY for the WAN zone, the firewall will allow the traffic. If you have specific IPs detected, you can ask your ISP to block them.

    For complete security, you have applied recommended settings in the SIP server as well or host-based security, IPS policy on LAN to WAN and WAN to LAN firewall rule in the firewall. You have to restrict the incoming traffic by specifying networks for WAN.

    Apply DOS setting for UDP flood based on your SIP traffic.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
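
Added example, not part of the reply above and not Sophos code: one way to derive a per-source UDP flood limit "based on your SIP traffic" from a packet sample, and to see which unknown sources a rate limit alone would miss. The capture, the trusted trunk address, the headroom factor and all function names are assumptions made for illustration.

```python
from collections import Counter

# Hypothetical allow-list: the SIP trunk provider's address (documentation range).
TRUSTED = {"198.51.100.10"}

def build_sample():
    """Constructed capture: (second, source_ip) per UDP/5060 packet on the WAN side."""
    pkts = []
    for sec in range(60):                      # trunk: steady 20 packets/s
        pkts += [(sec, "198.51.100.10")] * 20
    for sec in range(20, 30):                  # unknown source: 400 packets/s burst
        pkts += [(sec, "203.0.113.77")] * 400
    for sec in range(0, 60, 5):                # unknown source: low-rate traffic
        pkts += [(sec, "203.0.113.5")] * 2
    return pkts

def peak_rates(packets):
    """Return {source: highest packet count seen in any one-second bucket}."""
    peaks = {}
    for (_sec, src), count in Counter(packets).items():
        peaks[src] = max(peaks.get(src, 0), count)
    return peaks

def suggest_limit(peaks, trusted, headroom=3):
    """Per-source packets/s limit: busiest trusted peer times a safety margin."""
    baseline = max(rate for src, rate in peaks.items() if src in trusted)
    return baseline * headroom

def over_limit(peaks, limit, trusted):
    """Untrusted sources a per-source flood limit of `limit` would throttle."""
    return sorted(s for s, r in peaks.items() if s not in trusted and r > limit)

def under_limit_unknown(peaks, limit, trusted):
    """Untrusted sources below the limit: only a source restriction stops these."""
    return sorted(s for s, r in peaks.items() if s not in trusted and r <= limit)

if __name__ == "__main__":
    peaks = peak_rates(build_sample())
    limit = suggest_limit(peaks, TRUSTED)
    print("peak packets/s per source:", peaks)
    print("suggested per-source limit:", limit)
    print("throttled by flood limit:", over_limit(peaks, limit, TRUSTED))
    print("needs source restriction:", under_limit_unknown(peaks, limit, TRUSTED))
```

The low-rate source stays under any sensible flood limit, which is why the reply also says to restrict the WAN source networks on the inbound rule.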

  • Hi Keyur,

     

    Sorry for the late reply. So far we are just dropping the attacker's IP from the firewall.

     

    Keyur said:
    Apply DOS setting for UDP flood based on your SIP traffic.

    Are you referring to the IPS side?