[asterisk-bugs] [JIRA] (ASTERISK-29013) res_pjsip: Asterisk doesn't stop sending invites (with auth) on 407 replies

Sebastian Damm (JIRA) noreply@issues.asterisk.org
Tue Jul 28 04:30:25 CDT 2020


Sebastian Damm created ASTERISK-29013:
-----------------------------------------

             Summary: res_pjsip: Asterisk doesn't stop sending invites (with auth) on 407 replies
                 Key: ASTERISK-29013
                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-29013
             Project: Asterisk
          Issue Type: Bug
      Security Level: None
          Components: Resources/res_pjsip, Resources/res_pjsip_authenticator_digest
    Affects Versions: 17.6.0
         Environment: Debian Buster, Asterisk Package built from sources
            Reporter: Sebastian Damm


We have the following setup. (From our pjsip.conf)

[domain.de](generic_endpoint)
auth=domain_internal_auth
outbound_auth=domain_internal_auth
from_domain=domain.de
outbound_proxy=sip:sip.domain.net\;lr
aors=domain.de_aor

[domain.de_aor]
type=aor
contact=sip:domain.de
outbound_proxy=sip:sip.domain.net\;lr

[domain_internal_auth]
type=auth
auth_type=userpass
username=happyuser
password=reallysecret

This endpoint is used to reach our registered customer devices, with a Kamailio proxy in between. Now when we send out a call through this endpoint, the proxy server asks for Auth. Asterisk responds to the challenge, and normally the call goes through. But we have a client device (an Asterisk server) behind the proxy server asking for authentication, too. (Of course, we don't know any password for this client device.)

In that scenario, Asterisk 17 does not stop sending INVITEs toward the proxy. When the first 407 is received, a Proxy-Authorization header for authenticating against the proxy server gets created, and when the second 407 is received, Asterisk sends out the next INVITE with two Proxy-Authorization headers.

{{Proxy-Authorization: Digest username="happyuser", realm="domain.de", nonce="Xxl+ZF8ZfTg2/dTjNjcsTCYGI3Z+f85d", uri="sip:004926439482507@domain.de", response="cc3cdb70fa0451b51aa8cbf9ccfb6426"}}
{{Proxy-Authorization: Digest username="happyuser", realm="asterisk", nonce="545e619d", uri="sip:004926439482507@domain.de", response="66400b176d5c9d2c3f0aad26d3683391", algorithm=MD5}}

After 30 seconds, the caller cancels the call and Asterisk sends out a CANCEL request, which, again, gets rejected with a 407 by the end user device. Asterisk does not re-send the CANCEL message, but it does not stop sending out the INVITE requests either. And this goes on forever.

We only noticed this behavior because we saw a massive amount of memory being used by the Asterisk process. Even though we didn't send any new traffic to Asterisk and {{core show channels}} didn't show any calls anymore, the INVITEs to this device kept going.

This could result in a DoS if you know the setup, can set up a scenario like this, and send a lot of calls through it. Multiple calls result in Asterisk using all of the available memory twice as fast.

In my opinion, Asterisk should stop sending out INVITEs after receiving a maximum of three 407 responses. Our old Asterisk 11 boxes behave that way when handling calls to the same customer device.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
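As an added illustration of the failure mode described in the report (this is example code written for this page, not Asterisk's code and not the reporter's), the following Python script parses a SIP trace and flags, per Call-ID, the three symptoms an operator would look for in a capture: an INVITE carrying more than one Proxy-Authorization header, a 407 challenge from a realm the endpoint holds no credentials for (so retrying cannot succeed), and more 407-triggered INVITE retries than a cap of three allows. The trace, Call-IDs, nonces and digest values are constructed for the example; `known_realms` stands in for the realms the endpoint's configured auth objects can answer.

```python
"""Detect a runaway SIP digest-auth retry loop in a text trace of SIP messages.

Messages are separated by blank lines: a start line followed by headers.
Only Call-ID, Proxy-Authorization and Proxy-Authenticate are inspected.
"""
import re
from collections import defaultdict

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) (.*)$")
REALM = re.compile(r'realm="([^"]*)"')


def parse_trace(text):
    """Return a list of messages; each is a dict with 'kind' ('request' or
    'response'), 'method' or 'status', and 'headers' mapping lower-cased
    header names to the list of values seen (SIP allows repeated headers)."""
    messages = []
    for raw in re.split(r"\n\s*\n", text.strip()):
        lines = raw.strip().splitlines()
        first, header_lines = lines[0], lines[1:]
        msg = {"headers": defaultdict(list)}
        m = REQUEST_LINE.match(first)
        if m:
            msg.update(kind="request", method=m.group(1))
        else:
            m = STATUS_LINE.match(first)
            if not m:
                raise ValueError(f"not a SIP start line: {first!r}")
            msg.update(kind="response", status=int(m.group(1)))
        for line in header_lines:
            name, _, value = line.partition(":")  # split at the first colon only
            msg["headers"][name.strip().lower()].append(value.strip())
        messages.append(msg)
    return messages


def analyze(text, known_realms, max_auth_retries=3):
    """Return {call_id: stats} where stats carries counters and a 'findings' list."""
    calls = defaultdict(lambda: {"invites": 0, "challenges": 0,
                                 "max_stacked_auth": 0, "unknown_realms": set()})
    for msg in parse_trace(text):
        c = calls[msg["headers"].get("call-id", ["<missing>"])[0]]
        if msg["kind"] == "request" and msg["method"] == "INVITE":
            c["invites"] += 1
            stacked = len(msg["headers"].get("proxy-authorization", []))
            c["max_stacked_auth"] = max(c["max_stacked_auth"], stacked)
        elif msg["kind"] == "response" and msg["status"] == 407:
            c["challenges"] += 1
            for value in msg["headers"].get("proxy-authenticate", []):
                m = REALM.search(value)
                if m and m.group(1) not in known_realms:
                    c["unknown_realms"].add(m.group(1))
    for c in calls.values():
        findings = []
        if c["max_stacked_auth"] > 1:
            findings.append("stacked_proxy_authorization")
        if c["unknown_realms"]:
            findings.append("challenge_from_realm_without_credentials")
        if c["invites"] - 1 > max_auth_retries:  # every INVITE after the first answers a 407
            findings.append("auth_retries_exceed_cap")
        c["findings"] = findings
    return dict(calls)


def sample_trace():
    """Constructed trace (not from the report): call 'good' succeeds after one
    challenge; call 'loop' is challenged again by a second hop in realm
    'asterisk', for which the UAC has no password, and keeps retrying."""
    def invite(call_id, cseq, auth_realms):
        lines = ["INVITE sip:2507@domain.de SIP/2.0", f"Call-ID: {call_id}", f"CSeq: {cseq} INVITE"]
        for realm in auth_realms:  # one Proxy-Authorization per challenge answered so far
            lines.append(f'Proxy-Authorization: Digest username="happyuser", realm="{realm}", '
                         f'nonce="n-{realm}", uri="sip:2507@domain.de", response="0"')
        return "\n".join(lines)

    def challenge(call_id, cseq, realm):
        return "\n".join(["SIP/2.0 407 Proxy Authentication Required", f"Call-ID: {call_id}",
                          f"CSeq: {cseq} INVITE", f'Proxy-Authenticate: Digest realm="{realm}", nonce="n-{realm}"'])

    msgs = [invite("good", 1, []), challenge("good", 1, "domain.de"),
            invite("good", 2, ["domain.de"]), "SIP/2.0 200 OK\nCall-ID: good\nCSeq: 2 INVITE",
            invite("loop", 1, []), challenge("loop", 1, "domain.de")]
    for cseq in range(2, 8):  # six retries, each answered by another 407 from the far end
        msgs.append(invite("loop", cseq, ["domain.de"] if cseq == 2 else ["domain.de", "asterisk"]))
        msgs.append(challenge("loop", cseq, "asterisk"))
    return "\n\n".join(msgs)


if __name__ == "__main__":
    for call_id, stats in analyze(sample_trace(), {"domain.de"}).items():
        print(call_id, stats["invites"], "INVITEs,", stats["challenges"], "x 407,", stats["findings"])
```

Run against a real capture, the same checks apply to whatever is exported from the trace: the first finding is the direct fingerprint of the stacked headers quoted in the report, and the second explains why the retries can never converge, which is the condition the suggested retry cap is meant to bound.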


