[asterisk-bugs] [Asterisk 0018051]: SIP brute force attempts having a DoS effect
Asterisk Bug Tracker
noreply at bugs.digium.com
Thu Dec 9 16:19:59 CST 2010
A NOTE has been added to this issue.
======================================================================
https://issues.asterisk.org/view.php?id=18051
======================================================================
Reported By: eeman
Assigned To: twilson
======================================================================
Project: Asterisk
Issue ID: 18051
Category: Channels/chan_sip/General
Reproducibility: have not tried
Severity: major
Priority: normal
Status: closed
Asterisk Version: SVN
JIRA: SWP-2343
Regression: No
Reviewboard Link:
SVN Branch (only for SVN checkouts, not tarball releases): N/A
SVN Revision (number only!):
Request Review:
Resolution: fixed
Fixed in Version:
======================================================================
Date Submitted: 2010-09-24 19:00 CDT
Last Modified: 2010-12-09 16:19 CST
======================================================================
Summary: SIP brute force attempts having a DoS effect
Description:
We've all seen the brute force attempts where a script blasts Asterisk with
thousands of attempts to learn valid accounts.
Example:
[Sep 24 15:46:51] NOTICE[19686] chan_sip.c: Registration from '"9941"<sip:9941@1.2.3.4>' failed for '81.31.148.109' - No matching peer found
[Sep 24 15:46:51] NOTICE[19686] chan_sip.c: Registration from '"9942"<sip:9942@1.2.3.4>' failed for '81.31.148.109' - No matching peer found
[Sep 24 15:46:51] NOTICE[19686] chan_sip.c: Registration from '"9943"<sip:9943@1.2.3.4>' failed for '81.31.148.109' - No matching peer found
[Sep 24 15:46:51] NOTICE[19686] chan_sip.c: Registration from '"9944"<sip:9944@1.2.3.4>' failed for '81.31.148.109' - No matching peer found
This seems to be having a second effect of creating a DoS attack on
inbound calls. It seems that the instigating attacker's IP finds its way
into legitimate SIP messages as the Contact: URL. The result is the ACK
messages to the corresponding 200 messages are sent instead to this IP.
Observe the Contact header in this simple ACK message (I sanitized the IP
addresses except for the script running ass; he can get his own DoS from
this post for all I care):
SIP/2.0 200 OK
Via: SIP/2.0/UDP 4.3.2.1:5060;branch=z9hG4bK78126bc7;received=4.3.2.1;rport=5060
From: "BLUEGRASSNET" <sip:+18598064913@4.3.2.1>;tag=as684e24f7
To: <sip:+18129442733@1.2.3.4>;tag=as52fe0a2e
Call-ID: 4544269969f074577549d403673538de@4.3.2.1
CSeq: 103 INVITE
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
Supported: replaces
Contact: <sip:+18129442733@81.31.148.109>
Content-Type: application/sdp
Content-Length: 211

v=0
o=root 19653 19653 IN IP4 1.2.3.4
s=session
c=IN IP4 1.2.3.4
t=0 0
m=audio 14936 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=sendrecv
As a result the ACK messages and BYE messages get sent to an IP
81.31.148.109 in the RIPE number space.
======================================================================
----------------------------------------------------------------------
(0129520) svnbot (reporter) - 2010-12-09 16:19
https://issues.asterisk.org/view.php?id=18051#c129520
----------------------------------------------------------------------
Repository: asterisk
Revision: 297972
_U trunk/
U trunk/channels/chan_sip.c
------------------------------------------------------------------------
r297972 | twilson | 2010-12-09 16:19:58 -0600 (Thu, 09 Dec 2010) | 35 lines
Merged revisions 297965 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.8
................
r297965 | twilson | 2010-12-09 16:18:19 -0600 (Thu, 09 Dec 2010) | 28 lines
Merged revisions 297960 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.6.2
................
r297960 | twilson | 2010-12-09 16:10:31 -0600 (Thu, 09 Dec 2010) | 21 lines
Merged revisions 297959 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4
........
r297959 | twilson | 2010-12-09 16:00:30 -0600 (Thu, 09 Dec 2010) | 14 lines
Ignore spurious REGISTER requests

If a REGISTER request with a Call-ID matching an existing transaction is
received, it was possible that the REGISTER request would overwrite the
initreq of the private structure. This info is used to generate messages
for other responses in the transaction. This patch ignores REGISTER
requests that match non-REGISTER transactions.

(closes issue https://issues.asterisk.org/view.php?id=18051)
Reported by: eeman
Tested by: twilson
Review: https://reviewboard.asterisk.org/r/1050/
........
................
................
------------------------------------------------------------------------
http://svn.digium.com/view/asterisk?view=rev&revision=297972
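
The rule stated in the commit message, shown as an added example: this is a simplified model written for this page, not code from chan_sip.c or from the patch. The struct and function names, the Call-ID and the 192.0.2.66 address are hypothetical or constructed; only the idea of an initreq that later messages are built from comes from the commit message.

```c
/* Added illustration: a simplified model, not code from chan_sip.c.
 * All names and sample values here are hypothetical/constructed. */
#include <stdio.h>
#include <string.h>

enum sip_method { M_INVITE, M_REGISTER };
struct request {                 /* only the fields this model needs */
    enum sip_method method;
    char call_id[64];
    char src_ip[16];             /* address the packet arrived from */
};

struct dialog {                  /* stands in for the private structure */
    enum sip_method method;      /* method that opened the transaction */
    char call_id[64];
    struct request initreq;      /* later messages are generated from this */
};

/* Process a request against dlg. guard=0 models the behaviour before the
 * fix, guard=1 the rule from the commit message. Returns 1 if processed. */
static int handle_request(struct dialog *dlg, const struct request *req, int guard)
{
    if (strcmp(dlg->call_id, req->call_id) != 0)
        return 0;                /* belongs to another transaction */
    if (guard && req->method == M_REGISTER && dlg->method != M_REGISTER)
        return 0;                /* spurious REGISTER: ignore it */
    if (req->method == M_REGISTER)
        dlg->initreq = *req;     /* REGISTER handling replaces initreq */
    return 1;
}

/* An INVITE transaction exists; a REGISTER reusing its Call-ID arrives from
 * another host. Returns 1 if initreq still names the original peer. */
static int peer_survives(int guard)
{
    struct request invite = { M_INVITE, "constructed-id@4.3.2.1", "4.3.2.1" };
    struct request reg = { M_REGISTER, "constructed-id@4.3.2.1", "192.0.2.66" };
    struct dialog dlg = { M_INVITE, "constructed-id@4.3.2.1", { M_INVITE, "", "" } };
    dlg.initreq = invite;
    handle_request(&dlg, &reg, guard);
    return strcmp(dlg.initreq.src_ip, "4.3.2.1") == 0;
}

int main(void)
{
    printf("before fix: original peer kept = %d\n", peer_survives(0));
    printf("after fix:  original peer kept = %d\n", peer_survives(1));
    return 0;
}
```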
Issue History
Date Modified Username Field Change
======================================================================
2010-12-09 16:19 svnbot Checkin
2010-12-09 16:19 svnbot Note Added: 0129520
======================================================================