[asterisk-bugs] [JIRA] (ASTERISK-29013) res_pjsip: Asterisk doesn't stop sending invites (with auth) on 407 replies
Joshua C. Colp (JIRA)
noreply at issues.asterisk.org
Wed Nov 4 03:38:15 CST 2020
[ https://issues.asterisk.org/jira/browse/ASTERISK-29013?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=252640#comment-252640 ]
Joshua C. Colp edited comment on ASTERISK-29013 at 11/4/20 3:38 AM:
--------------------------------------------------------------------
We'll take being a VoIP service provider into consideration next time for determining if something is a security issue, as that is actually a different perspective than has been taken in the past generally. Issues like this are always difficult to decide on.
Thank you for your feedback.
was (Author: jcolp):
We'll take being a VoIP service provider into consideration next time for determining if something is a security issue. Issues like this are always difficult to decide on.
> res_pjsip: Asterisk doesn't stop sending invites (with auth) on 407 replies
> ---------------------------------------------------------------------------
>
> Key: ASTERISK-29013
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-29013
> Project: Asterisk
> Issue Type: Bug
> Components: Resources/res_pjsip, Resources/res_pjsip_authenticator_digest
> Affects Versions: 17.6.0
> Environment: Debian Buster, Asterisk Package built from sources
> Reporter: Sebastian Damm
> Assignee: Unassigned
> Severity: Minor
> Attachments: asterisk407.tar.gz
>
>
> We have the following setup. (From our pjsip.conf)
> [domain.de](generic_endpoint)
> auth=domain_internal_auth
> outbound_auth=domain_internal_auth
> from_domain=domain.de
> outbound_proxy=sip:sip.domain.net\;lr
> aors=domain.de_aor
> [domain.de_aor]
> type=aor
> contact=sip:domain.de
> outbound_proxy=sip:sip.domain.net\;lr
> [domain_internal_auth]
> type=auth
> auth_type=userpass
> username=happyuser
> password=reallysecret
> This endpoint is used to reach our registered customer devices, with a Kamailio proxy in between. Now when we send out a call through this endpoint, the proxy server asks for Auth. Asterisk responds to the challenge, and normally the call goes through. But we have a client device (an Asterisk server) behind the proxy server asking for authentication, too. (Of course, we don't know any password for this client device.)
> In that scenario, Asterisk 17 does not stop sending INVITEs toward the proxy. When the first 407 is received, a Proxy-Authorization header for authenticating against the proxy server gets created, and when the second 407 is received, Asterisk sends out the next INVITE with two Proxy-Authorization headers.
> {{Proxy-Authorization: Digest username="happyuser", realm="domain.de", nonce="Xxl+ZF8ZfTg2/dTjNjcsTCYGI3Z+f85d", uri="sip:004926439482507 at domain.de", response="cc3cdb70fa0451b51aa8cbf9ccfb6426"}}
> {{Proxy-Authorization: Digest username="happyuser", realm="asterisk", nonce="545e619d", uri="sip:004926439482507 at domain.de", response="66400b176d5c9d2c3f0aad26d3683391", algorithm=MD5}}
> After 30 seconds the caller cancels the call and Asterisk sends out a CANCEL request, which, again, gets rejected with a 407 by the end user device. Asterisk does not re-send the CANCEL message, but does not stop sending out the INVITE requests. And this goes on forever.
> We only noticed this behavior because we saw a massive amount of memory getting used by the Asterisk process. Although we didn't send any new traffic to Asterisk and {{core show channels}} didn't show any calls anymore, the INVITEs to this device kept on going.
> This could result in a DoS, if you know the setup and can set up a scenario like this and send a lot of calls through it. Multiple calls result in Asterisk using all of the available memory twice as fast.
> In my opinion, Asterisk should stop sending out INVITEs after receiving a maximum of 3 407 responses. Our old Asterisk11 boxes behave that way, when handling calls to the same customer device.
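The bounded challenge handling the reporter asks for, as an added example that is not Asterisk's own code: a small Python model of the client side of the 407 exchange, using constructed credentials and challenge headers shaped like the ones quoted above. With bounded=False it reproduces the reported header accumulation; by default it stops when a realm it has no credentials for challenges, when a realm rejects credentials it already sent, or after MAX_CHALLENGES answers.

```python
import hashlib
import re

# Constructed inputs modelled on the report: credentials only for the proxy's realm,
# none for the "asterisk" realm of the customer device behind it.
CREDENTIALS = {"domain.de": ("happyuser", "reallysecret")}
MAX_CHALLENGES = 3  # the bound the reporter proposes

def parse_challenge(header):
    """Split a Digest Proxy-Authenticate value into its key=value parameters."""
    return dict(re.findall(r'(\w+)="?([^",]*)"?', header))

def digest_response(user, password, realm, nonce, method, uri):
    """RFC 2617 MD5 digest without qop, the form quoted in the report's headers."""
    md5 = lambda s: hashlib.md5(s.encode()).hexdigest()
    return md5(f"{md5(f'{user}:{realm}:{password}')}:{nonce}:{md5(f'{method}:{uri}')}")

def run_transaction(challenges, method="INVITE", uri="sip:004926439482507@domain.de",
                    bounded=True):
    """Walk through the 407 responses a client receives for one outbound INVITE.
    Returns (invites_sent, proxy_authorization_values, stop_reason)."""
    sent, headers, answered = 1, [], {}
    for hdr in challenges:
        ch = parse_challenge(hdr)
        realm, nonce = ch["realm"], ch["nonce"]
        if bounded:
            if len(headers) >= MAX_CHALLENGES:
                return sent, headers, "challenge limit reached"
            if realm not in CREDENTIALS:
                return sent, headers, f"no credentials for realm {realm!r}"
            if realm in answered and ch.get("stale", "false").lower() != "true":
                return sent, headers, f"credentials for realm {realm!r} rejected"
        # Answer the challenge. With bounded=False this is the reported behaviour: any
        # realm gets the endpoint's only credential and every earlier header is kept.
        user, pw = CREDENTIALS.get(realm) or next(iter(CREDENTIALS.values()))
        resp = digest_response(user, pw, realm, nonce, method, uri)
        headers.append(f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
                       f'uri="{uri}", response="{resp}"')
        answered[realm] = nonce
        sent += 1  # re-send the INVITE carrying every header collected so far
    return sent, headers, "no further challenge"

# Constructed 407 challenges in the report's order: proxy first, then the device's realm.
CHALLENGES = [
    'Digest realm="domain.de", nonce="Xxl+ZF8ZfTg2/dTjNjcsTCYGI3Z+f85d"',
    'Digest realm="asterisk", nonce="545e619d", algorithm=MD5',
    'Digest realm="asterisk", nonce="545e619e", algorithm=MD5',
]
```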