Kevin P. Fleming wrote:
Here is the final program and scripts for your guys to test. It started as something targeted towards SIP in general not solely Asterisk.I'm sorry it took me so long to get back to this thread... there have been many good points raised and I'm happy to see that the general sense in the community is along the same lines as my original thinking :-)The issue that started this discussion is NOT an extreme volume of proper/valid signaling; instead, it is properly-formatted but otherwise bogus signaling that Asterisk has to respond to because the RFCs require it (in general). There is some evidence that if you send enough of this stuff at Asterisk, it will start to drop calls and otherwise behave badly. While we can do some work to try to make this have less drastic side effects, there are always going to be limits to how much traffic we can handle before falling over. If we can improve the code to handle 100 packets per second, is that really an improvement since the attacker can just send 200 packets per second instead? It seems that maybe the best proposal at this time is to just provide a method for counting the number of improper/bogus signaling packets received in a given time frame (per second, per minute, etc.) and then dropping (without response) any signaling that is not known to be valid beyond that limit.
http://www.infiltrated.net/5e5135b617a29d14f034614d24378cc9.tarCisco has a PSIRT case opened since they are testing it against CCM/CME. Avaya opened one, CERT has one as well. I will hold off for a while before I post anything. One thing to take note of is, I use an nCite SBC and it does little to deter this. If I set things to block out based on address, if the program goes on long enough to find a match on say IP address, let's say my address is 22.22.22.22, it will block legitimate calls. I set it to send bad IP info but didn't bother doing a "true IP spoofing" function. Right now I see 6 DoS attacks when it is run:
1) ICMP DoS gets returned from Asterisk (Asterisk replies to bogus requests) 2) Channels fill up (bogus calls) 3) Space fills up (logs) 4) Kills all versions of Asterisk 5) Will not allow valid callers through since resources are locked up6) Soundfiles open till the machine starts to choke (depending on the amount sent to server)
Take note I didn't send this to the list in hopes no idiots play with this thing. I'd hope some remedy comes out since I run * servers as a VoIP business.
-- ==================================================== J. Oquendo http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743sil . infiltrated @ net http://www.infiltrated.net
The happiness of society is the end of government. John Adams
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ --Bandwidth and Colocation provided by Easynews.com -- asterisk-dev mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-dev
