[asterisk-bugs] [Asterisk 0015611]: Frequent SIP registrations cause firewall packet drop cycle

Asterisk Bug Tracker noreply at bugs.digium.com
Mon Aug 31 08:59:41 CDT 2009


The following issue has been CLOSED 
====================================================================== 
https://issues.asterisk.org/view.php?id=15611 
====================================================================== 
Reported By:                davidstrauss
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   15611
Category:                   Channels/chan_sip/Registration
Reproducibility:            always
Severity:                   major
Priority:                   normal
Status:                     closed
Asterisk Version:           1.4.21.2 
Regression:                 No 
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
Resolution:                 open
Fixed in Version:           
====================================================================== 
Date Submitted:             2009-07-29 18:39 CDT
Last Modified:              2009-08-31 08:59 CDT
====================================================================== 
Summary:                    Frequent SIP registrations cause firewall packet
drop cycle
Description: 
There is often a firewall between an Asterisk box and a SIP peer. When
registrations occur through a firewall, an Asterisk box can fall into a
cycle of contacting the SIP peer very regularly and very quickly. This can
cause registration packets from the Asterisk box to be dropped by the
firewall. (The firewall may see it as a low-grade DOS attack.) Because the
Asterisk box responds by continuing to spam the firewall with packets, it
continues to be blacklisted.

The current solution is to increase the re-registration delay, but finding
this number requires guesswork. When the guess is too low, administrators
have to give the box a manual registration "cool down" period. When the
guess is too high, the system may not stay registered or may not register
quickly after an IP change.

I suggest an ethernet/SMS-style solution to this problem. In short, when
there is an ethernet packet collision, the two NICs involved each randomly
wait an increasingly long time with each contiguous collision. SMS delivery
works a similar way when message delivery fails by increasing delays
between delivery attempts.

Asterisk ought to increase the delay between each re-registration attempt
so it doesn't end up in a retry/blacklist loop. Like ethernet and SMS, the
delay time should go up exponentially, possibly with an upper threshold.
This could all be configurable, but even a hard-coded solution is
preferable to the current behavior.
====================================================================== 
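The backoff proposed in the description above, as an added example (not Asterisk code and not from the reporter): the retry ceiling doubles with each consecutive failed registration, stops at an upper threshold, and the actual wait is drawn at random from the upper half of that ceiling. The struct, the function names, and the 20 s base and 600 s cap are hypothetical values chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical per-registration backoff state (not an Asterisk structure). */
struct reg_backoff {
    unsigned base_secs;  /* ceiling after the first failure */
    unsigned max_secs;   /* upper threshold for the ceiling */
    unsigned failures;   /* consecutive failed attempts so far */
};

/* Ceiling for the current failure count: base * 2^(failures-1), capped. */
unsigned reg_backoff_ceiling(const struct reg_backoff *b)
{
    unsigned long long d = b->base_secs;
    unsigned i;

    if (b->failures == 0)
        return 0;
    for (i = 1; i < b->failures && d < b->max_secs; i++)
        d *= 2;                      /* stops doubling once past the cap */
    return d > b->max_secs ? b->max_secs : (unsigned)d;
}

/* Record one more failure and return the wait before the next attempt:
 * a value in [ceiling/2, ceiling], picked with caller-supplied randomness
 * so hosts that failed together do not all retry at the same instant. */
unsigned reg_backoff_next(struct reg_backoff *b, unsigned rnd)
{
    unsigned ceiling, half;

    if (b->failures < 32)            /* saturate so the counter cannot wrap */
        b->failures++;
    ceiling = reg_backoff_ceiling(b);
    half = ceiling / 2;
    return half + rnd % (ceiling - half + 1);
}

/* Call after a successful registration so the next failure starts small. */
void reg_backoff_reset(struct reg_backoff *b) { b->failures = 0; }

int main(void)
{
    struct reg_backoff b = { 20, 600, 0 };   /* constructed values */
    int i;

    for (i = 1; i <= 8; i++)
        printf("failure %d: wait %us\n", i, reg_backoff_next(&b, (unsigned)rand()));
    return 0;
}
```

Keeping the lower bound at half the ceiling guarantees the wait keeps growing between attempts, which is what lets a firewall's rate-limit or blacklist window expire instead of being refreshed by each retry.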

---------------------------------------------------------------------- 
 (0109841) lmadsen (administrator) - 2009-08-31 08:59
 https://issues.asterisk.org/view.php?id=15611#c109841 
---------------------------------------------------------------------- 
While this seems like a good idea, it is a feature request without a patch
provided. In order to keep this issue open we would need a patch to be
provided that creates this functionality. If you are able to do that, then
please reopen the issue and add the patch for review. Thanks! 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2009-08-31 08:59 lmadsen        Note Added: 0109841                          
2009-08-31 08:59 lmadsen        Status                   new => closed       
======================================================================



