Ian Darwin wrote:
> In case anybody didn't notice, there is a significant denial-of-service
> attack that is fixed in 1.2.16. Basically, if you run SIP and can be
> reached from the Internet, your * server can be crashed in under a
> second by any script kiddy, anywhere in the world.  There is an exploit
> available and I tested it on my backup * server, which crashed before I
> got my finger off the return key.

While it's unlikely to be the same thing, I found something much, much worse that
could be VERY VERY abused, and I don't know of many ways to prevent it.

When I was building scripts to test SIP routes, I accidentally managed to
DoS someone who was helping me test, just by opening a bunch of SIP calls,
having the RTP hit his IP, and then failing to tear down the calls.

The funny thing is you don't even have to be running anything to be hit
by this.

-- 

Best regards,
 Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Because e164.arpa is a tax on VoIP

"In the long run the pessimist may be proved right,
    but the optimist has a better time on the trip."
