[asterisk-bugs] [Asterisk 0017386]: Proposed method of avoiding registration probing bots
Asterisk Bug Tracker
noreply at bugs.digium.com
Fri Jun 25 09:12:32 CDT 2010
The following issue has been UPDATED.
======================================================================
https://issues.asterisk.org/view.php?id=17386
======================================================================
Reported By: jcovert
Assigned To:
======================================================================
Project: Asterisk
Issue ID: 17386
Category: Channels/chan_sip/Registration
Reproducibility: always
Severity: major
Priority: normal
Status: closed
Asterisk Version: 1.6.2.8-rc1
JIRA:
Regression: No
Reviewboard Link:
SVN Branch (only for SVN checkouts, not tarball releases): N/A
SVN Revision (number only!):
Request Review:
Resolution: suspended
Fixed in Version:
======================================================================
Date Submitted: 2010-05-24 12:39 CDT
Last Modified: 2010-06-25 09:12 CDT
======================================================================
Summary: Proposed method of avoiding registration probing
bots
Description:
As every Unix hacker knows, you can enter bogus usernames at the login:
prompt and you'll still get a password prompt (except for an account which
deliberately has no password). This is so that someone cannot feed a
dictionary of possible usernames at a system looking for valid usernames to
crack.
SIP registration, however, immediately returns "404 not found" for bogus
usernames, allowing just such an attack, and these attacks are now
happening ALL THE TIME from bots located all over the internet.
I propose (and plan to implement, if no one else has) a modification to
SIP registration which, when presented with a bad username, will treat it
as though it were good, challenging for authentication, which will, of
course, fail. My client (who was just hacked to the tune of many thousands
of dollars in calls [which I am certain did not transfer information; they
just ran up the bill] to Sierra Leone) wishes to have this working this
week, and I plan to implement it this Wednesday.
======================================================================
----------------------------------------------------------------------
(0123876) pabelanger (manager) - 2010-06-25 09:12
https://issues.asterisk.org/view.php?id=17386#c123876
----------------------------------------------------------------------
Suspending for now. As mentioned before this should be discussed on
asterisk-dev mailing list or #asterisk-dev on IRC.
Any patches are welcome.
---
Suspended due to lack of activity. Please request a bug marshal in
#asterisk-bugs on the IRC network irc.freenode.net to reopen the issue
should you have the additional information requested.
Further information can be found at
http://www.asterisk.org/developers/bug-guidelines
Issue History
Date Modified Username Field Change
======================================================================
2010-06-25 09:12 pabelanger Note Added: 0123876
2010-06-25 09:12 pabelanger Status feedback => closed
2010-06-25 09:12 pabelanger Resolution open => suspended
======================================================================
More information about the asterisk-bugs
mailing list