[asterisk-bugs] [JIRA] (ASTERISK-23673) Security: DOS by consuming the number of allowed HTTP connections.
Richard Mudgett (JIRA)
noreply at issues.asterisk.org
Fri Jun 13 00:44:57 CDT 2014
[ https://issues.asterisk.org/jira/browse/ASTERISK-23673?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Richard Mudgett closed ASTERISK-23673.
--------------------------------------
> Security: DOS by consuming the number of allowed HTTP connections.
> ------------------------------------------------------------------
>
> Key: ASTERISK-23673
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-23673
> Project: Asterisk
> Issue Type: Bug
> Components: Core/HTTP
> Affects Versions: 1.8.27.0, 11.9.0, 12.2.0
> Reporter: Richard Mudgett
> Assignee: Richard Mudgett
> Severity: Critical
> Labels: Security
> Target Release: 1.8.28.1, 11.10.1, 12.3.1
>
>
> Simply establishing a TCP connection and never sending anything to the configured HTTP port in http.conf will tie up a HTTP connection. Since there is a maximum number of open HTTP sessions allowed at a time you can block legitimate connections.
> A similar problem exists if a HTTP request is started but never finished.
> A timeout needs to be implemented to mitigate this kind of attack.
> I'm fairly certain that this has always existed in Asterisk's HTTP implementation. It has just become more serious with the addition of ARI.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
More information about the asterisk-bugs
mailing list