[asterisk-bugs] [Asterisk 0010078]: IAX2 protocol flaw in IC_NEW could cause reflective amplification DoS

noreply at bugs.digium.com noreply at bugs.digium.com
Tue Apr 22 18:17:36 CDT 2008


The following issue has been UPDATED. 
====================================================================== 
http://bugs.digium.com/view.php?id=10078 
====================================================================== 
Reported By:                javantea
Assigned To:                russell
====================================================================== 
Project:                    Asterisk
Issue ID:                   10078
Category:                   Channels/chan_iax2
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     closed
Asterisk Version:           1.6.0-beta7.1 
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Disclaimer on File?:        No 
Request Review:              
Resolution:                 fixed
Fixed in Version:           
====================================================================== 
Date Submitted:             06-27-2007 16:52 CDT
Last Modified:              04-22-2008 18:17 CDT
====================================================================== 
Summary:                    IAX2 protocol flaw in IC_NEW could cause reflective amplification DoS
Description: 
The IAX2 protocol allows an IC_NEW packet to start a call. This is a UDP
packet that is only 18 bytes long. A call can be quite long and contains a
lot of data. Specifically, my simple answering machine sends 26307 bytes in
723 packets in 32.0032 seconds. That is 6576.75 bits per second. Using uLaw
or another higher bitrate codec, this rate can be increased.

Since UDP can be spoofed, it seems possible that an Asterisk server can be
tricked into sending megabits per second (until it chokes) at a target with
a very low cost to the attacker (18 byte UDP packet). I have not tested
spoofing an address, but I suspect that it will work.

Since this is a protocol flaw and there are hardware implementations that
would be broken by changing the protocol, this does not seem to be fixable.
If someone with knowledge of these types of issues could discuss this with
me, I would be much more confident in this.

I wrote a Python implementation of the IAX2 protocol to fuzz the IAX2 protocol
and I found this by accident in my first test.

======================================================================
Relationships       ID      Summary
----------------------------------------------------------------------
has duplicate       0012478 IC_NEW + IC_ACK recreates reflective am...
====================================================================== 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
04-22-08 18:17  russell        Asterisk Version         1.2.13 => 1.6.0-beta7.1
04-22-08 18:17  russell        SVN Branch (only for SVN checkou N/A => N/A
04-22-08 18:17  russell        Category                 Core/General => Channels/chan_iax2
04-22-08 18:17  russell        View Status              private => public
======================================================================
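
Added example (not part of the bug report and not Asterisk code): a defender-side check over flow records that flags IAX2 peers to which the server sent far more than it received, which is the traffic shape the report describes. The flow tuple layout, the thresholds and the sample records are assumptions constructed for illustration; the 18-byte request and the 26307 bytes in 723 packets are the report's own figures.

```python
from collections import defaultdict

IAX2_PORT = 4569  # IANA-registered UDP port for IAX2

# Constructed flow records: (direction, remote_ip, local_port, packets, bytes).
# "in" = received by the Asterisk host, "out" = sent by it.
SAMPLE_FLOWS = [
    ("in",  "198.51.100.7", 4569, 1, 18),        # single NEW, size from the report
    ("out", "198.51.100.7", 4569, 723, 26307),   # reply stream, figures from the report
    ("in",  "203.0.113.20", 4569, 700, 25000),   # ordinary two-way call
    ("out", "203.0.113.20", 4569, 710, 25900),
    ("in",  "192.0.2.9", 5060, 1, 18),           # not IAX2, ignored
    ("out", "192.0.2.9", 5060, 500, 20000),
]

def summarize(flows, port=IAX2_PORT):
    """Aggregate packets and bytes per remote peer for one local UDP port."""
    stats = defaultdict(lambda: {"in_pkts": 0, "in_bytes": 0,
                                 "out_pkts": 0, "out_bytes": 0})
    for direction, remote, local_port, pkts, nbytes in flows:
        if local_port != port or direction not in ("in", "out"):
            continue
        peer = stats[remote]
        peer[direction + "_pkts"] += pkts
        peer[direction + "_bytes"] += nbytes
    return dict(stats)

def flag_reflection(flows, min_ratio=20.0, max_in_pkts=3, min_out_bytes=2000):
    """Return {remote: amplification} for peers that sent almost nothing yet
    were sent a large stream, i.e. a possible spoofed-source target."""
    flagged = {}
    for remote, s in summarize(flows).items():
        # A real caller keeps sending (media, ACKs); a spoofed source does not.
        if s["in_pkts"] > max_in_pkts or s["out_bytes"] < min_out_bytes:
            continue
        ratio = s["out_bytes"] / max(s["in_bytes"], 1)
        if ratio >= min_ratio:
            flagged[remote] = round(ratio, 1)
    return flagged

if __name__ == "__main__":
    for peer, ratio in flag_reflection(SAMPLE_FLOWS).items():
        print(f"{peer}: server sent {ratio}x the bytes it received")
```

With the report's figures the flagged peer shows an amplification of about 1461x, while the two-way call and the non-IAX2 traffic are not flagged.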