On 07/26/2011 02:14 PM, Alex Balashov wrote:
On 07/26/2011 02:09 PM, CDR wrote:

Only way to cope with hackers would be that Digium comes to its
senses and agrees to disable any response to a REGISTER whose
username is unknown. I cannot think of a good reason why Digium
finds this proposal unacceptable, given the onslaught of hacking
that we are seeing in the industry. It may take a single line of
code and it would save millions of $$$. Not only because the
hackers will never get in, but because we would save a huge CPU
impact responding to hundreds of REGISTER attempts per minute. It
is a NO brainer. Can the Powers that Be please reconsider and add
this option to sip.conf? Please?

No, because that's absolutely ridiculous. The proper, RFC-compliant
behaviour is to return an authentication failure in response to invalid
credentials. This mechanism is relied upon for legitimate functionality,
such as letting the UAs of intended users know that they are sending
incorrect credentials.

As was pointed out before, Asterisk is a mostly application-level
construct. Applications usually have some rudimentary means of
self-defense such as ACLs, but applications are often conceptually
distinct from the most appropriate means of securing them. That's what
firewalls, SBCs, intrusion detection systems, etc. are for.

Your position is equivalent to saying that stock SSH should not return
authentication errors for invalid passwords. The proper solution to
dictionary attacks is to firewall the SSH service, use RSA keys, VPNs,
etc., not to tell the maintainers of the OpenSSH project to come to its
senses.

Two additional points to the ones Alex already made:

* We *must* behave identically for any REGISTER request, regardless of whether the requested URI represents a 'known' or an 'unknown' address of record (user). If that is not done, then it's easy for an attacker to learn which usernames *are* valid, and focus their dictionary attack efforts on those usernames.

* The processing workload in Asterisk for a REGISTER request is to parse, validate and process it, *not* to send the failure (or 'authentication required') response. Making Asterisk not send the response would *not* cause hackers to stop sending masses of REGISTER requests; once they have *any* reason to suspect that a particular IP address/port combination has a SIP registrar listening on it, they'll attack it.

--
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: [email protected] | SIP: [email protected] | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com & www.asterisk.org
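Kevin's first point, as an added example that is not code from Asterisk or from anyone in this thread: a constructed Python registrar stub whose leaky_challenge does what the proposal asks for (silence for unknown users) and whose uniform_challenge follows the behave-identically rule. The realm, usernames, secrets, addresses and Call-ID are made up, and the nonce is passed in as a parameter so the two replies can be compared byte for byte.

```python
# Constructed sample registrar state; the names and secrets are made up.
REALM = "example.invalid"
KNOWN_USERS = {"alice": "s3cret-alice"}

def parse_register(msg: str) -> dict:
    """Minimal parser: request line plus headers of a SIP REGISTER."""
    lines = msg.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers}

def aor_user(req: dict) -> str:
    """Username of the address of record being registered (To header)."""
    to = req["headers"].get("to", "")
    return to.split("sip:", 1)[1].split("@", 1)[0] if "sip:" in to else ""

def challenge(req: dict, nonce: str) -> str:
    """401 with a Digest challenge, echoing the dialog headers as usual."""
    h = req["headers"]
    return ("SIP/2.0 401 Unauthorized\r\n"
            f"Via: {h.get('via', '')}\r\nFrom: {h.get('from', '')}\r\n"
            f"To: {h.get('to', '')}\r\nCall-ID: {h.get('call-id', '')}\r\n"
            f"CSeq: {h.get('cseq', '')}\r\n"
            f'WWW-Authenticate: Digest realm="{REALM}", nonce="{nonce}"\r\n'
            "Content-Length: 0\r\n\r\n")

def leaky_challenge(req: dict, nonce: str):
    """What the proposal asks for: silence for unknown users. Silence
    versus a 401 tells the sender exactly which usernames exist."""
    if aor_user(req) not in KNOWN_USERS:
        return None
    return challenge(req, nonce)

def uniform_challenge(req: dict, nonce: str) -> str:
    """Kevin's rule: the same reply whether or not the AoR is known.
    The lookup still runs (that is the real cost) but never shapes the reply."""
    _known = aor_user(req) in KNOWN_USERS  # looked up, deliberately unused
    return challenge(req, nonce)

def register_for(user: str) -> str:
    """Constructed REGISTER for `user`; only the username varies."""
    return ("REGISTER sip:example.invalid SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-1\r\n"
            f"From: <sip:{user}@example.invalid>;tag=1\r\nTo: <sip:{user}@example.invalid>\r\n"
            "Call-ID: c1@192.0.2.10\r\nCSeq: 1 REGISTER\r\nContent-Length: 0\r\n\r\n")
```

In Asterisk itself the corresponding sip.conf setting for uniform rejection of unknown and known-but-wrong credentials is alwaysauthreject=yes.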

asterisk-users mailing list