DOS Attacks

RichE · November 23, 2014, 12:05pm

For the last week my router has been getting a lot of DOS attacks, My FreePBX has a lot of repeated enteries in the log. Nothing in the CDR list but the logs show a entry for

[2014-11-23 11:47:02] NOTICE[31347] pbx_spool.c: Call completed to Local/[email protected]

Which is odd as it says call completed but nobody was in at the time.

[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [[email protected]:6] Set(“Local/[email protected];2”, “DEVICE_STATE(Custom:TC2)=INUSE”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [[email protected]:7] ExecIf(“Local/[email protected];2”, “0?Set(NOT_INUSE)”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [[email protected]:8] GotoIf(“Local/[email protected];2”, “0?timeconditions,3,1”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [[email protected]:9] Set(“Local/[email protected];2”, “TCSTATE=false”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [[email protected]:10] Return(“Local/[email protected];2”, “”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [[email protected]:5] Gosub(“Local/[email protected];2”, “timeconditions,3,1()”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [[email protected]:1] Set(“Local/[email protected];2”, “DB(TC/3/INUSESTATE)=INUSE”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [[email protected]:2] Set(“Local/[email protected];2”, “DB(TC/3/NOT_INUSESTATE)=NOT_INUSE”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [[email protected]:3] GotoIfTime(“Local/[email protected];2”, “08:30-12:00,sat,,?truestate”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [[email protected]:4] GotoIf(“Local/[email protected];2”, “0?truegoto”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [[email protected]:5] ExecIf(“Local/[email protected];2”, “0?Set(DB(TC/3)=)”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [[email protected]:6] Set(“Local/[email protected];2”, “DEVICE_STATE(Custom:TC3)=INUSE”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [[email protected]:7] ExecIf(“Local/[email protected];2”, “0?Set(NOT_INUSE)”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [[email protected]:8] GotoIf(“Local/[email protected];2”, “0?ivr-1,s,1”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [[email protected]:9] Set(“Local/[email protected];2”, “TCSTATE=false”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [[email protected]:10] Return(“Local/[email protected];2”, “”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [[email protected]:6] System(“Local/[email protected];2”, “/var/lib/asterisk/bin/schedtc.php 60 /var/spool/asterisk/outgoing 1”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [[email protected]:7] Answer(“Local/[email protected];2”, “”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: == Spawn extension (tc-maint, s, 7) exited non-zero on ‘Local/[email protected];2’
[2014-11-23 11:47:02] NOTICE[31347] pbx_spool.c: Call completed to Local/[email protected]

tonyclewis · November 23, 2014, 2:03pm

tc-maint is not a actual call. Its the application that keeps time condition BLFs in sync.

RichE · November 23, 2014, 2:24pm

Thanks Tony

How often would you expect to see this in the logs, as its filling up with the same repeated pattern every minute

lgaetz · November 23, 2014, 4:27pm

You can enable/disable as well as set the frequency under Settings, Advanced Settings, Time Condition Module:

Enable Maintenance Polling
Maintenance Polling Interval

RichE · November 23, 2014, 10:01pm

lgaetz

Thanks, is it recommended as every minute ? will leave if for now as i now know what causing the log event.

alan · November 23, 2014, 11:19pm

If you decrease the interval at which tc-maint runs it will increase the time it takes for the time condition BLF to reflect the status of the time conditions.I supose if you were not using the feature to could set a high interval of disable it.