... using it as a tool and understanding what it does...

So one part of its toolset identifies valid SIP accounts - and I was under 
the impression that alwaysauthreject=yes was supposed to stop this...

However, it sends a request for a highly probably non-existent account, 
then sends requests for probably existing accounts and I guess compares 
the results - account not found vs. bad username or password... It thus 
trivially, and very quickly finds valid accounts when fed with a list of 
accounts to try in the first place (e.g. 100-999, or 1000-9999, etc.)

I wonder if it's time to introduce yet another parameter to it - which 
will cause asterisk to return the same error code for all 3 conditions - 
and return the "not found" error, even on bad username or password.

It breaks the RFC even more, but might it be worth it?

(I've just had 30GB of sipvicious traffic sent to my hosted servers in a 
12-hour period - it came from what looked like a VPS host in France - 
trivially firewalled out, but even dropping the packets didn't stop the 
flood! It's so badly written it appears to just ignore any return codes 
that it doesn't want, or even no returns at all!)

Gordon

asterisk-users mailing list
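An added example, not part of Gordon's message and not Asterisk's own code: a small Python model of the three REGISTER outcomes the message describes (unknown account, wrong password, success), beside the uniform-reply policy it proposes, plus a check over constructed log lines for the pattern such a scan leaves behind (many distinct usernames tried from one source). The account table, the log format, the "401 Unauthorized" chosen as the single failure reply and the hypothetical `_DUMMY_SECRET` are all assumptions made for the example.

```python
"""Model of a SIP registrar's REGISTER handling: a response policy that
leaks whether an account exists, a uniform policy that does not, and a
log check for the scan pattern described in the message.

Everything here is constructed for illustration (account table, log
lines, status codes); nothing is taken from a real system."""
import hmac
import re
from collections import defaultdict
from typing import Callable, Dict, Iterable, Set

# Constructed account table: extension -> password (assumption, not real data).
ACCOUNTS: Dict[str, str] = {"1001": "s3cret", "1002": "hunter2"}

# Hypothetical placeholder compared against when the user is unknown, so the
# comparison is performed on the same code path for both failure classes.
_DUMMY_SECRET = "no-such-user-placeholder"


def respond_leaky(user: str, password: str) -> str:
    """Distinguishes all three cases; the difference between the two
    failure replies is exactly what lets a scanner tell real accounts apart."""
    if user not in ACCOUNTS:
        return "404 Not Found"
    if ACCOUNTS[user] != password:
        return "403 Forbidden"
    return "200 OK"


def respond_uniform(user: str, password: str) -> str:
    """Same reply for an unknown account and for a wrong password.

    The constant-time comparison is always run, even for an unknown user,
    so neither the status code nor (roughly) the response time reveals
    whether the account exists."""
    stored = ACCOUNTS.get(user, _DUMMY_SECRET)
    matched = hmac.compare_digest(stored.encode(), password.encode())
    if matched and user in ACCOUNTS:
        return "200 OK"
    return "401 Unauthorized"


def leaks_account_existence(responder: Callable[[str, str], str],
                            known_user: str, unknown_user: str) -> bool:
    """Apply the comparison the message describes: does the reply for a
    surely-absent account differ from the reply for a real account with a
    wrong password? True means the policy leaks account existence."""
    wrong = "definitely-wrong-password"
    return responder(unknown_user, wrong) != responder(known_user, wrong)


# Constructed log lines in an assumed one-line-per-REGISTER format.
LOG_LINES = [
    "2024-05-01T10:00:00 REGISTER src=203.0.113.5 user=1000 result=401",
    "2024-05-01T10:00:00 REGISTER src=203.0.113.5 user=1001 result=401",
    "2024-05-01T10:00:00 REGISTER src=203.0.113.5 user=1002 result=401",
    "2024-05-01T10:00:01 REGISTER src=203.0.113.5 user=1003 result=401",
    "2024-05-01T10:00:01 REGISTER src=203.0.113.5 user=1004 result=401",
    "2024-05-01T10:00:01 REGISTER src=203.0.113.5 user=1005 result=401",
    "2024-05-01T10:00:05 REGISTER src=198.51.100.7 user=1001 result=401",
    "2024-05-01T10:00:09 REGISTER src=198.51.100.7 user=1001 result=200",
]

_LOG_RE = re.compile(
    r"REGISTER src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<code>\d+)"
)


def flag_enumeration_sources(lines: Iterable[str],
                             min_distinct_users: int = 5) -> Set[str]:
    """Return source addresses that failed REGISTER for at least
    `min_distinct_users` different usernames. A legitimate phone retries
    one username; a list-driven scan walks through many."""
    users_by_src: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        m = _LOG_RE.search(line)
        if m and m.group("code") != "200":
            users_by_src[m.group("src")].add(m.group("user"))
    return {src for src, users in users_by_src.items()
            if len(users) >= min_distinct_users}


if __name__ == "__main__":
    print("leaky policy leaks:", leaks_account_existence(respond_leaky, "1001", "9999"))
    print("uniform policy leaks:", leaks_account_existence(respond_uniform, "1001", "9999"))
    print("sources walking a username list:", flag_enumeration_sources(LOG_LINES))
```

The uniform reply closes the status-code channel, but as the message notes the scanner keeps sending regardless of what comes back, so the log check (or a rate limit keyed on distinct usernames per source) is what actually surfaces the scan; the two measures are complementary.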