[asterisk-bugs] [JIRA] (ASTERISK-24506) 403 Forbidden Fix for Big Loaded systems

Michael L. Young (JIRA) noreply at issues.asterisk.org
Fri Nov 7 10:26:29 CST 2014


    [ https://issues.asterisk.org/jira/browse/ASTERISK-24506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=223402#comment-223402 ] 

Michael L. Young edited comment on ASTERISK-24506 at 11/7/14 10:26 AM:
-----------------------------------------------------------------------

I am not seeing why this patch is necessary.  In fact, it looks like the patch would create a security issue in that it would leak out whether they have a valid username or not.

What you should be using is the security log.  The security log will give you the necessary information to determine if someone is attempting to scan for usernames.  The security log together with another tool such as fail2ban should be sufficient to block these kinds of attacks / scans.



was (Author: elguero):
I am not see why this patch is necessary.  In fact, it looks like it would create a security issue in that it would leak out whether they have a valid username or not.

What you should be using is the security log.  The security log will give you the necessary information to determine if someone is attempting to scan for usernames.  The security log together with another tool such as fail2ban should be sufficient to block these kind of attacks / scans.


> 403 Forbidden Fix for Big Loaded systems 
> -----------------------------------------
>
>                 Key: ASTERISK-24506
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24506
>             Project: Asterisk
>          Issue Type: Improvement
>      Security Level: None
>          Components: Channels/chan_sip/General
>    Affects Versions: 13.0.0-beta2, 13.0.0-beta3, 13.0.0
>            Reporter: HZMI8gkCvPpom0tM
>         Attachments: chan_sip403.patch, new.patch
>
>
> On big loaded systems with more than 40k subscribers, 403 Forbidden (Bad auth) is the only way to detect and block username scans, which can create a REALTIME database denial of service. As practice shows, for fraudsters it absolutely does not matter whether it is 403 Forbidden or 403 Forbidden (Bad auth); they continue to send hundreds of thousands of registrations and invites with different credentials until they finish their list. Using 403 Forbidden (Bad auth) is the best way to detect such attacks and stop them on the firewall side instead of passing them through the whole infrastructure to the database. I included a patch which brings back 403 Forbidden (Bad auth) in chan_sip.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
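
The security-log approach recommended in the comment above, shown as an added example (not part of the original message and not Asterisk or fail2ban code): it flags source addresses that fail authentication against many distinct account IDs, without changing the SIP response. It assumes security log lines carry key="value" fields with RemoteAddress in the form IPV4/UDP/host/port; the sample lines are constructed and carry only a subset of fields, and the threshold is an arbitrary assumption.

```python
import re
from collections import defaultdict

# Security event types that indicate a failed SIP authentication attempt.
FAILED_EVENTS = {"InvalidAccountID", "InvalidPassword", "ChallengeResponseFailed"}
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line):
    """Return the key="value" fields of a SECURITY log line, or None."""
    if "SECURITY[" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    return fields if "SecurityEvent" in fields else None

def remote_ip(fields):
    """Extract the host from RemoteAddress="IPV4/UDP/<host>/<port>"."""
    parts = fields.get("RemoteAddress", "").split("/")
    return parts[2] if len(parts) >= 4 else None

def find_scanners(lines, max_accounts=3):
    """Map each source IP that failed against more than max_accounts
    distinct AccountIDs to the sorted list of IDs it tried."""
    tried = defaultdict(set)
    for line in lines:
        fields = parse_event(line)
        if not fields or fields["SecurityEvent"] not in FAILED_EVENTS:
            continue
        ip = remote_ip(fields)
        if ip:
            tried[ip].add(fields.get("AccountID", ""))
    return {ip: sorted(ids) for ip, ids in tried.items() if len(ids) > max_accounts}

# Constructed sample lines (documentation addresses, made-up account IDs).
def _line(event, account, ip):
    return ('[2014-11-07 10:26:29] SECURITY[4242] res_security_log.c: '
            f'SecurityEvent="{event}",Service="SIP",AccountID="{account}",'
            f'LocalAddress="IPV4/UDP/192.0.2.10/5060",'
            f'RemoteAddress="IPV4/UDP/{ip}/5060"')

SAMPLE = (
    [_line("InvalidAccountID", str(1000 + n), "198.51.100.7") for n in range(5)]
    + [_line("InvalidPassword", "2001", "203.0.113.9")] * 2
    + [_line("SuccessfulAuth", "2001", "203.0.113.9")]
)

if __name__ == "__main__":
    for ip, ids in find_scanners(SAMPLE).items():
        print(f"{ip}: {len(ids)} distinct accounts tried: {', '.join(ids)}")
```

Counting distinct account IDs per source separates a scan from a single subscriber mistyping a password; the flagged addresses can then be handed to the firewall.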


