[asterisk-biz] IAX Channels limit on Asterisk 1.4.17

Matt Riddell matt at venturevoip.com
Thu Jan 17 00:23:09 CST 2008


Trixter aka Bret McDanel wrote:
> On Thu, 2008-01-17 at 15:47 +1300, Matt Riddell wrote:
>> You can't really block a DDoS attack - if you have 10Mbit of bandwidth
>> it takes 10Mbit of traffic to DDoS you.  If you have 100Mbit then it
>> will take 100Mbit.  The only way to avoid it is to get someone upstream
>> with more bandwidth to block it.
> 
> no but iax makes it harder to do mitigation techniques.  This is because
> media and signalling are on the same port.  Why I was asking about that
> specifically.  
> 
> You can't rate limit packets very well since 10 calls from a given
> endpoint will look the same on an IP level as 1 call, just a larger
> volume, so if you do rate limit the audio quality, and potentially
> signalling information will be impaired.

I agree if you're talking about DDoS via amplification attack or
resource exhaustion, but anyone who seriously wants to take you out will
just increase the rate.

I guess if you're not doing any VoIP and yet have remote logins
permitted on the machine that rate limiting packets might solve it, but
most people who have SIP/IAX2 accessible from the Internet will be doing
so for a reason.

I suppose if you're trying to protect against someone who has a megabit
or two at their disposal then rate limiting them at ingress may help.

But surely you could do this on packets from an address for an IAX2
destination.  Unless it's someone doing something "bad" from inside a
company you normally consider "good".

Also, if your only place you can drop packets is closer in to the
PBX/Switch then maybe you don't know the source address and again in
this case it may be easier to limit SIP than IAX2.

--
Kind Regards,

Matt Riddell
Director
_______________________________________________

http://www.venturevoip.com (Great new VoIP end to end solution)
http://www.venturevoip.com/news.php (Daily Asterisk News - html)
http://www.venturevoip.com/newrssfeed.php (Daily Asterisk News - rss)
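
Added example (not part of the original message): a small simulation of the per-source rate limiting discussed in this thread, showing that a limiter keyed on source address for IAX2 traffic (UDP port 4569) cannot tell one call from ten, and what happens when the limit is raised to fit the busy peer. The 50 packets per second per call, the addresses and the limits are assumptions constructed for illustration.

```python
from collections import defaultdict

IAX2_PORT = 4569      # IAX2 carries signalling and media on this single UDP port
PPS_PER_CALL = 50     # assumption: one audio frame every 20 ms per call

class TokenBucket:
    """Classic token bucket: 'rate' tokens per second, at most 'burst' stored."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def simulate(sources, limit_pps, burst=20, seconds=10):
    """sources maps source IP -> packets/second sent to IAX2_PORT.
    Returns {ip: (fraction dropped, packets/second that still get through)}."""
    events = sorted((i / pps, ip) for ip, pps in sources.items()
                    for i in range(pps * seconds))
    buckets = {ip: TokenBucket(limit_pps, burst) for ip in sources}
    sent, passed = defaultdict(int), defaultdict(int)
    for t, ip in events:
        sent[ip] += 1
        # The limiter sees only (source IP, port 4569): it cannot separate
        # call setup frames from audio, or one call from another.
        if buckets[ip].allow(t):
            passed[ip] += 1
    return {ip: (1 - passed[ip] / sent[ip], passed[ip] / seconds) for ip in sources}

# Constructed sample traffic (documentation address ranges).
SOURCES = {
    "192.0.2.10": 1 * PPS_PER_CALL,     # peer with one call up
    "192.0.2.20": 10 * PPS_PER_CALL,    # peer with ten calls up
    "198.51.100.7": 5000,               # flooding source
}

if __name__ == "__main__":
    for limit in (100, 600):            # sized for ~2 calls, then for ~12 calls
        print(f"limit {limit} pps per source")
        for ip, (drop, pps) in simulate(SOURCES, limit).items():
            print(f"  {ip:<14} dropped {drop:6.1%}  passes {pps:6.1f} pps")
```

At 100 pps the ten-call peer loses most of its packets across every call; at 600 pps it is untouched, but the flooding source is still allowed roughly 600 pps toward the PBX.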
