[asterisk-bugs] [Asterisk 0015611]: Frequent SIP registrations cause firewall packet drop cycle
Asterisk Bug Tracker
noreply at bugs.digium.com
Mon Aug 31 08:59:41 CDT 2009
The following issue has been CLOSED
======================================================================
https://issues.asterisk.org/view.php?id=15611
======================================================================
Reported By: davidstrauss
Assigned To:
======================================================================
Project: Asterisk
Issue ID: 15611
Category: Channels/chan_sip/Registration
Reproducibility: always
Severity: major
Priority: normal
Status: closed
Asterisk Version: 1.4.21.2
Regression: No
SVN Branch (only for SVN checkouts, not tarball releases): N/A
SVN Revision (number only!):
Request Review:
Resolution: open
Fixed in Version:
======================================================================
Date Submitted: 2009-07-29 18:39 CDT
Last Modified: 2009-08-31 08:59 CDT
======================================================================
Summary: Frequent SIP registrations cause firewall packet
drop cycle
Description:
There is often a firewall between an Asterisk box and a SIP peer. When
registrations occur through a firewall, an Asterisk box can fall into a
cycle of contacting the SIP peer very regularly and very quickly. This can
cause registration packets from the Asterisk box to be dropped by the
firewall. (The firewall may see it as a low-grade DOS attack.) Because the
Asterisk box responds by continuing to spam the firewall with packets, it
continues to be blacklisted.
The current solution is to increase the re-registration delay, but finding
this number requires guesswork. When the guess is too low, administrators
have to give the box a manual registration "cool down" period. When the
guess is too high, the system may not stay registered or may not register
quickly after an IP change.
I suggest an ethernet/SMS-style solution to this problem. In short, when
there is an ethernet packet collision, the two NICs involved each randomly
wait an increasingly long time with each contiguous collision. SMS delivery
works a similar way when message delivery fails by increasing delays
between delivery attempts.
Asterisk ought to increase the delay between each re-registration attempt
so it doesn't end up in a retry/blacklist loop. Like ethernet and SMS, the
delay time should go up exponentially, possibly with an upper threshold.
This could all be configurable, but even a hard-coded solution is
preferable to the current behavior.
======================================================================
----------------------------------------------------------------------
(0109841) lmadsen (administrator) - 2009-08-31 08:59
https://issues.asterisk.org/view.php?id=15611#c109841
----------------------------------------------------------------------
While this seems like a good idea, it is a feature request without a patch
provided. In order to keep this issue open we would need a patch to be
provided that creates this functionality. If you are able to do that, then
please reopen the issue and add the patch for review. Thanks!
Issue History
Date Modified Username Field Change
======================================================================
2009-08-31 08:59 lmadsen Note Added: 0109841
2009-08-31 08:59 lmadsen Status new => closed
======================================================================
More information about the asterisk-bugs
mailing list