[asterisk-bugs] [JIRA] (ASTERISK-23673) Security: DOS by consuming the number of allowed HTTP connections.

Matt Jordan (JIRA) noreply at issues.asterisk.org
Fri Jun 13 01:43:56 CDT 2014


     [ https://issues.asterisk.org/jira/browse/ASTERISK-23673?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matt Jordan updated ASTERISK-23673:
-----------------------------------

    Target Release Version/s:     (was: 12.3.1)
                                  (was: 11.10.1)
                                  (was: 1.8.28.1)
                              1.8.28.2
                              11.10.2
                              12.3.2

> Security: DOS by consuming the number of allowed HTTP connections.
> ------------------------------------------------------------------
>
>                 Key: ASTERISK-23673
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-23673
>             Project: Asterisk
>          Issue Type: Bug
>          Components: Core/HTTP
>    Affects Versions: 1.8.27.0, 11.9.0, 12.2.0
>            Reporter: Richard Mudgett
>            Assignee: Richard Mudgett
>            Severity: Critical
>              Labels: Security
>      Target Release: 1.8.28.2, 11.10.2, 12.3.2
>
>
> Simply establishing a TCP connection and never sending anything to the configured HTTP port in http.conf will tie up an HTTP connection.  Since there is a maximum number of open HTTP sessions allowed at a time, you can block legitimate connections.
> A similar problem exists if an HTTP request is started but never finished.
> A timeout needs to be implemented to mitigate this kind of attack.
> I'm fairly certain that this has always existed in Asterisk's HTTP implementation.  It has just become more serious with the addition of ARI.
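The mitigation the report calls for, as an added example that is not Asterisk's own code (its HTTP server is C; Python is used here so the behaviour fits in a short, runnable block): a single deadline for receiving the request head, so a client that connects and stays silent, or that starts a request and never finishes it, is dropped and its session slot returned to the pool rather than held indefinitely. HEADER_TIMEOUT, MAX_CONNECTIONS, SessionSlots and simulate are assumed names, and the client traffic is constructed.

```python
import socket
import threading
import time

HEADER_TIMEOUT = 2.0   # seconds a silent or half-finished client may hold a slot (assumed)
MAX_CONNECTIONS = 4    # stands in for the cap on concurrent HTTP sessions (assumed)

def read_request_head(conn, timeout=HEADER_TIMEOUT):
    """Read until the end of the header block (CRLFCRLF) or the deadline. Returns
    ("ok", head), ("timeout", partial) if silent/unfinished, ("closed", partial)."""
    deadline = time.monotonic() + timeout
    buf = b""
    while b"\r\n\r\n" not in buf:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return "timeout", buf
        conn.settimeout(remaining)  # one deadline for the whole head, not per recv()
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            return "timeout", buf
        if not chunk:
            return "closed", buf
        buf += chunk
    return "ok", buf

class SessionSlots:
    """Bounded pool of HTTP sessions; a slot is released whatever the outcome."""
    def __init__(self, limit=MAX_CONNECTIONS):
        self._sem = threading.BoundedSemaphore(limit)

    def handle(self, conn, timeout=HEADER_TIMEOUT):
        if not self._sem.acquire(blocking=False):
            conn.close()               # pool full: refuse instead of queueing forever
            return "rejected"
        try:
            return read_request_head(conn, timeout)[0]
        finally:
            conn.close()
            self._sem.release()        # a timed-out client gives its slot back

def simulate(client_data, timeout=0.2, pool=None, hang_up=False):
    """Drive one connection over a socketpair: the constructed client sends
    client_data (possibly nothing), then stays silent or hangs up."""
    server_side, client_side = socket.socketpair()
    if client_data:
        client_side.sendall(client_data)
    if hang_up:
        client_side.close()
    return (pool or SessionSlots()).handle(server_side, timeout)
```

With a one-slot pool, a silent client is timed out and the very next well-formed request succeeds, which is exactly the property the missing timeout denied.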
