[asterisk-bugs] [Asterisk 0017386]: Proposed method of avoiding registration probing bots

Asterisk Bug Tracker noreply at bugs.digium.com
Mon May 24 13:06:34 CDT 2010 

A NOTE has been added to this issue. 
====================================================================== 
https://issues.asterisk.org/view.php?id=17386 
====================================================================== 
Reported By:                jcovert
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   17386
Category:                   Channels/chan_sip/Registration
Reproducibility:            always
Severity:                   major
Priority:                   normal
Status:                     feedback
Asterisk Version:           1.6.2.8-rc1 
JIRA:                        
Regression:                 No 
Reviewboard Link:            
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
====================================================================== 
Date Submitted:             2010-05-24 12:39 CDT
Last Modified:              2010-05-24 13:06 CDT
====================================================================== 
Summary:                    Proposed method of avoiding registration probing
bots
Description: 
As every Unix hacker knows, you can enter bogus usernames at the login:
prompt and you'll still get a password prompt (except for an account which
deliberately has no password).  This is so that someone cannot feed a
dictionary of possible usernames at a system looking for valid usernames to
crack.

SIP registration, however, immediately returns "404 not found" for bogus
usernames, allowing just such an attack, and these attacks are now
happening ALL THE TIME from bots located all over the internet.

I propose (and plan to implement, if no one else has) a modification to
SIP registration which, when presented with a bad username, will treat it
as though it were good, challenging for authentication, which will, of
course, fail.  My client (who was just hacked to the tune of many thousands
of dollars in calls [which I am certain did not transfer information; they
just ran up the bill] to Sierra Leone) wishes to have this working this
week, and I plan to implement it this Wednesday.
====================================================================== 

---------------------------------------------------------------------- 
 (0122306) jcovert (reporter) - 2010-05-24 13:06
 https://issues.asterisk.org/view.php?id=17386#c122306 
---------------------------------------------------------------------- 
good.

Then I propose making it the default.  I strongly believe that it is
important to do so. 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2010-05-24 13:06 jcovert        Note Added: 0122306                          
======================================================================

More information about the asterisk-bugs mailing list