If I’m not mistaken, flooding rules only limit packets from individual IP addresses. So, if I impose a 5 packet per second rule and I’m hit with a DDoS attack from a million IP addresses, that’s still 5 million packets per second. So my machine gets disabled?? Can’t run my business that way. Wouldn’t a whitelist be a better solution?
That’s certainly true. You could limit by port or protocol. But, if you write a rule to deny or limit by either of these, iptables doesn’t discriminate between the DDoS attackers and your legitimate users. So the DDoS attack would bring down your SIP ports, which means your users would be dead in the water along with the attackers. That, of course, is exactly the result the attackers want. So, I repeat, the only way to protect against DDoS attackers using iptables without also bringing down your system for legit users is to use a whitelist of IP addresses. The only other approach that might work is to block IP address access to your server by everyone and only accept access via an obscure FQDN. Wouldn’t work for VoIP.ms, but it would be fine in most corporate PBX environments.
Your SIP server will legitimately get a few connects a minute from each endpoint, max. Look at the CSF rules for how to build such a set of limiting filters (you are not limited to one) that accepts friends but notices DDoSes. But that is just a start...
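Putting the two posts above together (a whitelist of trusted endpoints, then a per-endpoint limit applied only to those friends), here is an added example that is not from this thread, from CSF or from any PBX project: a POSIX shell function that emits an iptables-restore fragment from a whitelist file. The chain names, the port and the 5/second ceiling are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an iptables-restore fragment that
# accepts UDP/5060 only from a whitelist of trusted endpoints, and rate-limits
# those trusted sources with hashlimit so that one misbehaving or compromised
# friend is throttled. Anything not on the list is dropped before it reaches
# the hashlimit table, so a flood from many addresses costs no tracking state.
# Chain names, the port and the 5/second ceiling are illustrative placeholders.

SIP_PORT=5060
PER_SRC_RATE="5/second"    # hypothetical per-endpoint ceiling
PER_SRC_BURST=10

# gen_sip_rules WHITELIST_FILE
# WHITELIST_FILE: one IPv4 address or CIDR per line; '#' starts a comment.
# Prints the ruleset on stdout; returns 1 if the file cannot be read.
gen_sip_rules() {
    wl="$1"
    [ -r "$wl" ] || { echo "whitelist not readable: $wl" >&2; return 1; }
    printf '%s\n' '*filter' ':SIP_IN - [0:0]' ':SIP_TRUSTED - [0:0]'
    printf '%s\n' "-A INPUT -p udp --dport $SIP_PORT -j SIP_IN"
    # Only listed sources get as far as the per-source limiter.
    grep -v '^[[:space:]]*#' "$wl" | grep -v '^[[:space:]]*$' |
    while read -r cidr _; do
        printf '%s\n' "-A SIP_IN -s $cidr -j SIP_TRUSTED"
    done
    printf '%s\n' "-A SIP_IN -j DROP"
    # Trusted sources are keyed by address: exceeding the rate drops the excess
    # for that one endpoint without affecting the other friends.
    printf '%s\n' "-A SIP_TRUSTED -m hashlimit --hashlimit-name sipflood --hashlimit-mode srcip --hashlimit-above $PER_SRC_RATE --hashlimit-burst $PER_SRC_BURST -j DROP"
    printf '%s\n' "-A SIP_TRUSTED -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# Demo with a constructed whitelist using RFC 5737 documentation addresses.
demo_wl=$(mktemp)
printf '%s\n' '# SIP provider' '203.0.113.10' '' '198.51.100.0/24   # remote office' > "$demo_wl"
gen_sip_rules "$demo_wl"
rm -f "$demo_wl"
```

Review the output before loading it with iptables-restore --noflush; the fragment is not idempotent, so loading it twice duplicates the INPUT jump.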
As to your other ‘open’ services, which are likely the greater target of these latest exploits, you can certainly ‘pin-hole’ your SIP providers if they insist on UDP/5060, deny TCP/5038 on your WAN side, and indeed use obscure but certified domains and ports above the ‘low hanging ones’ for phone calls (SIP) and provisioning. I do that and rarely see untoward connections.
Personally, I like to keep my main 443 site open to all for UCP users, and I also allow FOP2, but I only allow trusted users to the FPBX GUI. Using a proxy (HAProxy in my case) you can drop IP-based connections before they leak anything by setting a strict SNI policy (and it makes your cert management much easier, as that is handled by the proxy; only HTTP is passed to the servers).