[asterisk-bugs] [JIRA] (ASTERISK-29013) res_pjsip: Asterisk doesn't stop sending invites (with auth) on 407 replies

Asterisk Team (JIRA) noreply at issues.asterisk.org
Tue Jul 28 05:00:25 CDT 2020


     [ https://issues.asterisk.org/jira/browse/ASTERISK-29013?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Asterisk Team updated ASTERISK-29013:
-------------------------------------

    Assignee: Asterisk Team  (was: Sebastian Damm)
      Status: Triage  (was: Waiting for Feedback)

> res_pjsip: Asterisk doesn't stop sending invites (with auth) on 407 replies
> ---------------------------------------------------------------------------
>
>                 Key: ASTERISK-29013
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-29013
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_pjsip, Resources/res_pjsip_authenticator_digest
>    Affects Versions: 17.6.0
>         Environment: Debian Buster, Asterisk Package built from sources
>            Reporter: Sebastian Damm
>            Assignee: Asterisk Team
>
> We have the following setup. (From our pjsip.conf)
> [domain.de](generic_endpoint)
> auth=domain_internal_auth
> outbound_auth=domain_internal_auth
> from_domain=domain.de
> outbound_proxy=sip:sip.domain.net\;lr
> aors=domain.de_aor
> [domain.de_aor]
> type=aor
> contact=sip:domain.de
> outbound_proxy=sip:sip.domain.net\;lr
> [domain_internal_auth]
> type=auth
> auth_type=userpass
> username=happyuser
> password=reallysecret
> This endpoint is used to reach our registered customer devices, with a Kamailio proxy in between. Now when we send out a call through this endpoint, the proxy server asks for Auth. Asterisk responds to the challenge, and normally the call goes through. But we have a client device (an Asterisk server) behind the proxy server asking for authentication, too. (Of course, we don't know any password for this client device.)
> In that scenario, Asterisk17 does not stop sending INVITEs toward the proxy. When the first 407 is received, an Proxy-Authorizationheader for authenticating against the proxy server gets created, and when the second 407 is received, Asterisk sends out the next INVITE with two Proxy-Authorization headers.
> {{Proxy-Authorization: Digest username="happyuser", realm="domain.de", nonce="Xxl+ZF8ZfTg2/dTjNjcsTCYGI3Z+f85d", uri="sip:004926439482507 at domain.de", response="cc3cdb70fa0451b51aa8cbf9ccfb6426"}}
> {{Proxy-Authorization: Digest username="happyuser", realm="asterisk", nonce="545e619d", uri="sip:004926439482507 at domain.de", response="66400b176d5c9d2c3f0aad26d3683391", algorithm=MD5}}
> After 30 seconds, the caller cancels the call, Asterisk sends out a CANCEL request, which - again - gets rejected with a 407 by the end user device. Asterisk does not re-send the CANCEL message, but does not stop sending out the INVITE requests. And this goes on forever. 
> We have only noticed this behavior, because we saw a massive amount of memory getting used by the Asterisk process. And we didn't send any new traffic to Asterisk and {{core show channels}} didn't show any calls anymore, the INVITEs to this device kept on going.
> This could result in a DOS, if you know the setup and can setup a scenario like this and send a lot of calls through this setup. Multiple calls result in Asterisk using all of the available memory twice as fast.
> In my opinion, Asterisk should stop sending out INVITEs after receiving a maximum of 3 407 responses. Our old Asterisk11 boxes behave that way, when handling calls to the same customer device. 



--
This message was sent by Atlassian JIRA
(v6.2#6252)



More information about the asterisk-bugs mailing list