Too many 127.0.0. register being attacked?

When using “sip show channels”, it displays this. Am I being attacked? How do I resolve it?

127.0.0.1 (None) 474453026 00101/00001 0x0 (nothing) No Rx: REGISTER
127.0.0.1 (None) 1949722020 00101/00001 0x0 (nothing) No Rx: REGISTER
127.0.0.1 (None) 873574725 00101/00001 0x0 (nothing) No Rx: REGISTER
127.0.0.1 (None) 2855066952 00101/00001 0x0 (nothing) No Rx: REGISTER
127.0.0.1 (None) 87128933 00101/00001 0x0 (nothing) No Rx: REGISTER
127.0.0.1 (None) 3444681057 00101/00001 0x0 (nothing) No Rx: REGISTER
127.0.0.1 (None) 4004343825 00101/00001 0x0 (nothing) No Rx: REGISTER
127.0.0.1 (None) 4197649599 00101/00001 0x0 (nothing) No Rx: REGISTER
127.0.0.1 (None) 271647012 00101/00001 0x0 (nothing) No Rx: REGISTER
127.0.0.1 (None) 499313700 00101/00001 0x0 (nothing) No Rx: REGISTER
127.0.0.1 (None) 131825891 00101/00001 0x0 (nothing) No Rx: REGISTER
127.0.0.1 (None) 2935022192 00101/00001 0x0 (nothing) No Rx: REGISTER
127.0.0.1 (None) 802100661 00101/00001 0x0 (nothing) No Rx: REGISTER
127.0.0.1 (None) 162301051 00101/00001 0x0 (nothing) No Rx: REGISTER
127.0.0.1 (None) 3154924486 00101/00001 0x0 (nothing) No Rx: REGISTER
127.0.0.1 (None) 574732516 00101/00001 0x0 (nothing) No Rx: REGISTER
127.0.0.1 (None) 4280501391 00101/00001 0x0 (nothing) No Rx: REGISTER
127.0.0.1 (None) 808389896 00101/00001 0x0 (nothing) No Rx: REGISTER
127.0.0.1 (None) 3705261333 00101/00001 0x0 (nothing) No Rx: REGISTER
5726 active SIP channels

If you are being attacked with a source address of 127.0.0.1 and the attacker isn’t on your machine, you have a basic configuration error in your firewall. The firewall should have blocks on source addresses of 127/8, 10/8, 192.168/16 and at least one more that I forget, for packets arriving from the internet.

Of course, an attack on register will fail if you only use peers with static addresses, or if you have strongly random names and passwords.

I’m not sure where the Peer field is actually taken from, so it might not be the IP source address, in which case its value is conveying no real information, and is just there to slightly obfuscate the source.

Thanks! Resolved. Use fail2ban to ban it.

fail2ban will rate limit but not stop attacks.

If the attacks are purporting to come from an IP address of 127.0.0.1, fail2ban is useless, because you need to include that address in its exclusions as it is always one of your own addresses, and whilst Asterisk might not break, a lot of things will break.

If the real contact address appears in the logs, it might be effective, but I’d need more research.
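
A triage sketch for the situation discussed in this thread, added here as an example and not code posted by any participant: it counts received REGISTER channels per peer in `sip show channels` output and separates sources that call for a firewall fix (loopback and private ranges) from routable ones that fail2ban could ban. It assumes the Peer column holds the source address, which one reply above questions; the sample rows and the `ACTION` labels are constructed.

```python
import ipaddress
from collections import Counter

# Constructed rows in the layout shown in the thread (not real traffic).
SAMPLE = """\
127.0.0.1 (None) 474453026 00101/00001 0x0 (nothing) No Rx: REGISTER
127.0.0.1 (None) 1949722020 00101/00001 0x0 (nothing) No Rx: REGISTER
127.0.0.1 (None) 873574725 00101/00001 0x0 (nothing) No Rx: REGISTER
203.0.113.9 (None) 11111 00101/00001 0x0 (nothing) No Rx: REGISTER
203.0.113.9 (None) 22222 00101/00001 0x0 (nothing) No Rx: REGISTER
192.168.1.20 1001 33333 00102/00002 0x4 (ulaw) No Tx: ACK
6 active SIP channels
"""

# 127/8, 10/8 and 192.168/16 are named in the thread; 172.16/12 is the
# remaining RFC 1918 private block.
BLOCKS = {
    "loopback": ["127.0.0.0/8"],
    "private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}
# Hypothetical labels: only a routable source is a sensible ban target.
ACTION = {"loopback": "fix-filter", "private": "fix-filter", "public": "ban"}

def classify(addr):
    """Return 'loopback', 'private' or 'public' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    for kind, nets in BLOCKS.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return kind
    return "public"

def register_sources(text):
    """Count received REGISTER channels per Peer column value."""
    counts = Counter()
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or f[-2:] != ["Rx:", "REGISTER"]:
            continue  # header, footer, or another SIP method
        try:
            ipaddress.ip_address(f[0])  # assumes Peer holds an address
        except ValueError:
            continue
        counts[f[0]] += 1
    return counts

def triage(text, threshold=2):
    """Map each noisy peer to (count, kind, action)."""
    return {p: (n, classify(p), ACTION[classify(p)])
            for p, n in register_sources(text).items() if n >= threshold}
```
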