[asterisk-biz] IAX Channels limit on Asterisk 1.4.17

Wed Jan 16 18:18:26 CST 2008

On Jan 16, 2008 6:47 PM, Trixter aka Bret McDanel <trixter at 0xdecafbad.com>
wrote:

>
> On Thu, 2008-01-17 at 10:33 +1100, Craig Lawrence wrote:
> > I was simply asking whether any other service provider had found a
> > workaround for the issue. To ask a tech question on a biz list is simply
> > not kosha / Halal / Vegan or whatever.
> >
> Yeah, although this did have a tie into the business case for iax, or
> lack there of, and why it just doesnt make business sense to me to do
> it.
>
> So as it stands now only one person said they did but they think it may
> have been before some of the more recent changes, so its a 'maybe' with
> current code as originally asked.
>
> To bring this back to a biz sitaution, do you enable any type of DDoS
> mitigation techniques with iax?  If so what products do you use?
>
> Given that media and signalling are on the same port, and generally
> sender port/ip will be the same for multiple calls, simple rate limiting
> isnt really a good option.  This means that you can run the risk of
> either having that port open to the world for flooding or have some
> controls that degrade customer call quality.  Either is bad.
>
> If there is a reasonable solution for that, even if commercial, I would
> like to know since there isnt a good business case for that much
> exposure in my mind.
>
>
> > BTW - to use the term "Telco Grade Asterisk" is possibly premature.
> >
> never have :)
>

A server behind a firewall with OpenVPN and a single port open, customers
setup to connect over VPN.
An appliance before the asterisk box with ACLs or a PIX that is updated to
let specific inbound traffic by IP.
At what level do accept and deny either in IPtables or iax.conf work?  I
suppose they wouldn't really stop a true DDoS attack.
There are certainly appliances that can detect DoS attacks and block them.
http://www.radware.com/Products/ApplicationNetworkSecurity/default.aspx?source=google&gclid=CKyq0s7--5ACFQNzHgod7GcIrA

I am a huge fan of OpenVPN.

Thanks,
Steve Totaro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.digium.com/pipermail/asterisk-biz/attachments/20080116/4962cf2a/attachment.htm 