DOS Attacks

RichE · November 23, 2014, 12:05pm

For the last week my router has been getting a lot of DOS attacks, My FreePBX has a lot of repeated enteries in the log. Nothing in the CDR list but the logs show a entry for

[2014-11-23 11:47:02] NOTICE[31347] pbx_spool.c: Call completed to Local/s@tc-maint

Which is odd as it says call completed but nobody was in at the time.

[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [2@timeconditions:6] Set(“Local/s@tc-maint-00001bd3;2”, “DEVICE_STATE(Custom:TC2)=INUSE”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [2@timeconditions:7] ExecIf(“Local/s@tc-maint-00001bd3;2”, “0?Set(NOT_INUSE)”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [2@timeconditions:8] GotoIf(“Local/s@tc-maint-00001bd3;2”, “0?timeconditions,3,1”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [2@timeconditions:9] Set(“Local/s@tc-maint-00001bd3;2”, “TCSTATE=false”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [2@timeconditions:10] Return(“Local/s@tc-maint-00001bd3;2”, “”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [s@tc-maint:5] Gosub(“Local/s@tc-maint-00001bd3;2”, “timeconditions,3,1()”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [3@timeconditions:1] Set(“Local/s@tc-maint-00001bd3;2”, “DB(TC/3/INUSESTATE)=INUSE”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [3@timeconditions:2] Set(“Local/s@tc-maint-00001bd3;2”, “DB(TC/3/NOT_INUSESTATE)=NOT_INUSE”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [3@timeconditions:3] GotoIfTime(“Local/s@tc-maint-00001bd3;2”, “08:30-12:00,sat,,?truestate”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [3@timeconditions:4] GotoIf(“Local/s@tc-maint-00001bd3;2”, “0?truegoto”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [3@timeconditions:5] ExecIf(“Local/s@tc-maint-00001bd3;2”, “0?Set(DB(TC/3)=)”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [3@timeconditions:6] Set(“Local/s@tc-maint-00001bd3;2”, “DEVICE_STATE(Custom:TC3)=INUSE”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [3@timeconditions:7] ExecIf(“Local/s@tc-maint-00001bd3;2”, “0?Set(NOT_INUSE)”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [3@timeconditions:8] GotoIf(“Local/s@tc-maint-00001bd3;2”, “0?ivr-1,s,1”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [3@timeconditions:9] Set(“Local/s@tc-maint-00001bd3;2”, “TCSTATE=false”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [3@timeconditions:10] Return(“Local/s@tc-maint-00001bd3;2”, “”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [s@tc-maint:6] System(“Local/s@tc-maint-00001bd3;2”, “/var/lib/asterisk/bin/schedtc.php 60 /var/spool/asterisk/outgoing 1”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: – Executing [s@tc-maint:7] Answer(“Local/s@tc-maint-00001bd3;2”, “”) in new stack
[2014-11-23 11:47:02] VERBOSE[31348][C-00001c01] pbx.c: == Spawn extension (tc-maint, s, 7) exited non-zero on ‘Local/s@tc-maint-00001bd3;2’
[2014-11-23 11:47:02] NOTICE[31347] pbx_spool.c: Call completed to Local/s@tc-maint

tonyclewis · November 23, 2014, 2:03pm

tc-maint is not a actual call. Its the application that keeps time condition BLFs in sync.

RichE · November 23, 2014, 2:24pm

Thanks Tony

How often would you expect to see this in the logs, as its filling up with the same repeated pattern every minute

lgaetz · November 23, 2014, 4:27pm

You can enable/disable as well as set the frequency under Settings, Advanced Settings, Time Condition Module:

Enable Maintenance Polling
Maintenance Polling Interval

RichE · November 23, 2014, 10:01pm

lgaetz

Thanks, is it recommended as every minute ? will leave if for now as i now know what causing the log event.

alan · November 23, 2014, 11:19pm

If you decrease the interval at which tc-maint runs it will increase the time it takes for the time condition BLF to reflect the status of the time conditions.I supose if you were not using the feature to could set a high interval of disable it.