[asterisk-bugs] [Asterisk 0015611]: Frequent SIP registrations cause firewall packet drop cycle

Asterisk Bug Tracker noreply at bugs.digium.com
Wed Jul 29 18:39:11 CDT 2009


The following issue has been SUBMITTED. 
====================================================================== 
https://issues.asterisk.org/view.php?id=15611 
====================================================================== 
Reported By:                davidstrauss
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   15611
Category:                   Channels/chan_sip/Registration
Reproducibility:            always
Severity:                   major
Priority:                   normal
Status:                     new
Asterisk Version:           1.4.21.2 
Regression:                 No 
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
====================================================================== 
Date Submitted:             2009-07-29 18:39 CDT
Last Modified:              2009-07-29 18:39 CDT
====================================================================== 
Summary:                    Frequent SIP registrations cause firewall packet drop cycle
Description: 
There is often a firewall between an Asterisk box and a SIP peer. When
registrations occur through a firewall, an Asterisk box can fall into a
cycle of contacting the SIP peer very regularly and very quickly. This can
cause registration packets from the Asterisk box to be dropped by the
firewall. (The firewall may see it as a low-grade DoS attack.) Because the
Asterisk box responds by continuing to spam the firewall with packets, it
continues to be blacklisted.

The current solution is to increase the re-registration delay, but finding
this number requires guesswork. When the guess is too low, administrators
have to give the box a manual registration "cool down" period. When the
guess is too high, the system may not stay registered or may not register
quickly after an IP change.

I suggest an Ethernet/SMS-style solution to this problem. In short, when
there is an Ethernet packet collision, the two NICs involved each randomly
wait an increasingly long time with each contiguous collision. SMS delivery
works a similar way when message delivery fails by increasing delays
between delivery attempts.

Asterisk ought to increase the delay between each re-registration attempt
so it doesn't end up in a retry/blacklist loop. Like Ethernet and SMS, the
delay time should go up exponentially, possibly with an upper threshold.
This could all be configurable, but even a hard-coded solution is
preferable to the current behavior.
====================================================================== 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2009-07-29 18:39 davidstrauss   New Issue                                    
2009-07-29 18:39 davidstrauss   Asterisk Version          => 1.4.21.2        
2009-07-29 18:39 davidstrauss   Regression                => No              
2009-07-29 18:39 davidstrauss   SVN Branch (only for SVN checkouts, not tarball releases) => N/A
======================================================================
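
The exponentially growing, capped and randomized retry delay proposed in the description, sketched as an added example; it is not Asterisk code and not part of the original report. The struct and function names, the xorshift32 generator and the sample values are hypothetical.

```c
#include <stdint.h>

/* Hypothetical per-registration retry state; not an Asterisk structure. */
struct reg_backoff {
    unsigned base_s;    /* delay ceiling after the first failure, seconds */
    unsigned max_s;     /* upper threshold for the ceiling, seconds */
    unsigned failures;  /* consecutive failed registration attempts */
    uint32_t rng;       /* xorshift32 state, must be nonzero */
};

/* Small deterministic PRNG so the example is reproducible. */
static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *s = x;
}

/* Ceiling for the current failure count: base * 2^(failures-1), capped
 * at max_s. The doubling is guarded so it cannot overflow. */
unsigned backoff_ceiling(const struct reg_backoff *b)
{
    unsigned c = b->base_s, i;
    if (b->failures == 0)
        return 0;
    for (i = 1; i < b->failures && c < b->max_s; i++)
        c = (c > b->max_s / 2) ? b->max_s : c * 2;
    return c < b->max_s ? c : b->max_s;
}

/* Record a failed attempt and return the seconds to wait before the next.
 * The wait is drawn from [ceiling/2, ceiling]: random like the Ethernet
 * scheme, but never so short that retries look like a flood again. */
unsigned backoff_on_failure(struct reg_backoff *b)
{
    unsigned c, half;
    if (b->failures < 32)
        b->failures++;
    c = backoff_ceiling(b);
    half = c / 2;
    return half + xorshift32(&b->rng) % (c - half + 1);
}

/* A successful registration resets the schedule. */
void backoff_on_success(struct reg_backoff *b) { b->failures = 0; }
```

With a 20-second base and a 600-second cap (constructed values), the ceiling runs 20, 40, 80, 160, 320, 600 and then stays at 600 until a registration succeeds.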



