On Thu, 2009-08-06 at 13:47 +0100, Keith Gearty wrote:
> Scott Lawrence wrote:
>
> > As long as any call to the PSTN requires some permission, an attacker
> > needs to be able to guess the password of a user with that permission.
>
> Out of interest, is there any brute-force detection & lock-out in SipXecs?

No - the basic problem with such things is that they are a built-in denial of service attack.

Peter Selc adds:

> A mechanism where sipxecs can detect that extension XYZ tries to
> register 1000x in 1 minute -> it can be a brute-force attack -> I
> will block this IP and this XYZ extension for 1 hour even if credentials
> are OK.

So all I need to kill your account is your phone number - I don't need your password, I just need to deliberately fail to register by using a known bad password (very easy to guess :-) ). In a few seconds, I can disable your account so that _you_ can't register.

As a point of interest - we see these streams of very fast registration attempts pretty frequently when someone connects a buggy phone to the network, so the tool to implement those DoS attacks already exists.

_______________________________________________
sipx-users mailing list
[email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-users
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-users
sipXecs IP PBX -- http://www.sipfoundry.org/
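The lock-out-as-DoS argument above can be shown with a small simulation. This is an added example, not sipXecs code and not from anyone on the thread: a toy registrar with the threshold/lock-out policy Peter describes, run once keyed on the extension alone (the quoted scheme) and once keyed on the (extension, source IP) pair. The extension, password and IP addresses are constructed for the demo.

```python
from collections import defaultdict, deque

# Constructed credential store for the demo (hypothetical extension 201).
CREDENTIALS = {"201": "correct-horse"}


class Registrar:
    """Toy SIP registrar with a lock-out after repeated failed REGISTERs.

    key_by_extension=True  -> lock the extension itself (the scheme quoted above)
    key_by_extension=False -> lock only the (extension, source IP) pair
    """

    def __init__(self, key_by_extension, threshold=5, window=60, lockout=3600):
        self.key_by_extension = key_by_extension
        self.threshold = threshold      # failures within `window` seconds that trip the lock
        self.window = window
        self.lockout = lockout          # seconds the lock stays in force
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked_until = {}               # key -> time at which the lock expires

    def _key(self, ext, src_ip):
        return ext if self.key_by_extension else (ext, src_ip)

    def register(self, ext, password, src_ip, now):
        """Return 'ok', 'forbidden' or 'locked' for one REGISTER attempt."""
        key = self._key(ext, src_ip)
        if self.locked_until.get(key, 0) > now:
            return "locked"             # refused even when the credentials are right
        if CREDENTIALS.get(ext) == password:
            return "ok"
        # Record the failure and discard failures that fell out of the window.
        recent = self.failures[key]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()
        if len(recent) >= self.threshold:
            self.locked_until[key] = now + self.lockout
            recent.clear()
            return "locked"
        return "forbidden"


def lockout_attack(key_by_extension):
    """Attacker knows only the extension and sends a burst of bad passwords;
    the legitimate phone then registers with the right password from its own
    address. Returns (attacker_results, victim_result)."""
    reg = Registrar(key_by_extension=key_by_extension)
    attacker_ip, victim_ip = "198.51.100.7", "192.0.2.10"   # constructed addresses
    attacker = [reg.register("201", "wrong", attacker_ip, now=t) for t in range(10)]
    victim = reg.register("201", "correct-horse", victim_ip, now=11)
    return attacker, victim


if __name__ == "__main__":
    for mode in (True, False):
        _, victim = lockout_attack(key_by_extension=mode)
        print(f"key_by_extension={mode}: victim's own REGISTER -> {victim}")
```

With the extension as the lock key, the attacker's fifth bad password locks extension 201 for an hour and the owner's correct REGISTER is refused, which is exactly the account-kill described above. Keying on the source address as well lets the victim register, but it is a trade-off rather than a fix: SIP over UDP carries a spoofable source address, and many phones share one NAT address, so an attacker behind the same NAT still locks out everyone there.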
