[asterisk-bugs] [JIRA] (ASTERISK-29013) res_pjsip: Asterisk doesn't stop sending invites (with auth) on 407 replies
Asterisk Team (JIRA)
noreply at issues.asterisk.org
Thu Nov 12 06:54:18 CST 2020
[ https://issues.asterisk.org/jira/browse/ASTERISK-29013?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Asterisk Team updated ASTERISK-29013:
-------------------------------------
Target Release Version/s: 16.15.0
> res_pjsip: Asterisk doesn't stop sending invites (with auth) on 407 replies
> ---------------------------------------------------------------------------
>
> Key: ASTERISK-29013
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-29013
> Project: Asterisk
> Issue Type: Bug
> Components: Resources/res_pjsip, Resources/res_pjsip_authenticator_digest
> Affects Versions: 17.6.0
> Environment: Debian Buster, Asterisk Package built from sources
> Reporter: Sebastian Damm
> Assignee: Unassigned
> Severity: Minor
> Target Release: 13.37.1, 16.14.1, 17.8.1, 18.0.1, 13.38.0, 16.15.0
>
> Attachments: asterisk407.tar.gz
>
>
> We have the following setup. (From our pjsip.conf)
> [domain.de](generic_endpoint)
> auth=domain_internal_auth
> outbound_auth=domain_internal_auth
> from_domain=domain.de
> outbound_proxy=sip:sip.domain.net\;lr
> aors=domain.de_aor
> [domain.de_aor]
> type=aor
> contact=sip:domain.de
> outbound_proxy=sip:sip.domain.net\;lr
> [domain_internal_auth]
> type=auth
> auth_type=userpass
> username=happyuser
> password=reallysecret
> This endpoint is used to reach our registered customer devices, with a Kamailio proxy in between. Now when we send out a call through this endpoint, the proxy server asks for Auth. Asterisk responds to the challenge, and normally the call goes through. But we have a client device (an Asterisk server) behind the proxy server asking for authentication, too. (Of course, we don't know any password for this client device.)
> In that scenario, Asterisk17 does not stop sending INVITEs toward the proxy. When the first 407 is received, a Proxy-Authorization header for authenticating against the proxy server gets created, and when the second 407 is received, Asterisk sends out the next INVITE with two Proxy-Authorization headers.
> {{Proxy-Authorization: Digest username="happyuser", realm="domain.de", nonce="Xxl+ZF8ZfTg2/dTjNjcsTCYGI3Z+f85d", uri="sip:004926439482507 at domain.de", response="cc3cdb70fa0451b51aa8cbf9ccfb6426"}}
> {{Proxy-Authorization: Digest username="happyuser", realm="asterisk", nonce="545e619d", uri="sip:004926439482507 at domain.de", response="66400b176d5c9d2c3f0aad26d3683391", algorithm=MD5}}
> After 30 seconds, the caller cancels the call, Asterisk sends out a CANCEL request, which - again - gets rejected with a 407 by the end user device. Asterisk does not re-send the CANCEL message, but does not stop sending out the INVITE requests. And this goes on forever.
> We have only noticed this behavior because we saw a massive amount of memory getting used by the Asterisk process. Although we didn't send any new traffic to Asterisk and {{core show channels}} didn't show any calls anymore, the INVITEs to this device kept on going.
> This could result in a DoS, if you know the setup and can set up a scenario like this and send a lot of calls through this setup. Multiple calls result in Asterisk using all of the available memory twice as fast.
> In my opinion, Asterisk should stop sending out INVITEs after receiving a maximum of 3 407 responses. Our old Asterisk11 boxes behave that way, when handling calls to the same customer device.
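A defender-side check for the pattern in this report, added here as an example (not Asterisk code and not the reporter's attachment): it scans a constructed SIP trace, counts 407 challenges per Call-ID against the three-challenge limit the reporter proposes, and flags any INVITE that carries Proxy-Authorization headers for more than one realm, which is the symptom shown by the two quoted headers. The trace layout, Call-IDs, nonces and response values are assumptions.

```python
import re
from collections import defaultdict

# Constructed trace (not the report's attachment); blank lines separate messages.
TRACE = """\
INVITE sip:004926439482507@domain.de SIP/2.0
Call-ID: c1@pbx

SIP/2.0 407 Proxy Authentication Required
Call-ID: c1@pbx

INVITE sip:004926439482507@domain.de SIP/2.0
Call-ID: c1@pbx
Proxy-Authorization: Digest username="happyuser", realm="domain.de", nonce="n1", response="00"
Proxy-Authorization: Digest username="happyuser", realm="asterisk", nonce="n2", response="11"

SIP/2.0 407 Proxy Authentication Required
Call-ID: c1@pbx

SIP/2.0 407 Proxy Authentication Required
Call-ID: c1@pbx

SIP/2.0 407 Proxy Authentication Required
Call-ID: c1@pbx
"""
REALM_RE = re.compile(r'realm="([^"]*)"')


def find_auth_loops(trace, max_challenges=3):
    """Map Call-ID -> reasons for dialogs showing the runaway-407 pattern."""
    challenges = defaultdict(int)  # 407 responses seen per Call-ID
    multi_realm = {}               # Call-ID -> realms carried by one INVITE
    for block in trace.strip().split("\n\n"):
        first, *header_lines = block.splitlines()
        hdrs = defaultdict(list)   # SIP header names are case-insensitive
        for line in header_lines:
            name, _, value = line.partition(":")
            hdrs[name.strip().lower()].append(value.strip())
        cid = hdrs["call-id"][0]
        if first.startswith("SIP/2.0 407"):
            challenges[cid] += 1
        elif first.startswith("INVITE"):
            realms = set(REALM_RE.findall(" ".join(hdrs["proxy-authorization"])))
            if len(realms) > 1:  # one INVITE answering two different challengers
                multi_realm[cid] = sorted(realms)
    findings = defaultdict(list)
    for cid, n in challenges.items():
        if n > max_challenges:
            findings[cid].append(f"{n} x 407 (limit {max_challenges})")
    for cid, realms in multi_realm.items():
        findings[cid].append("Proxy-Authorization for realms " + ", ".join(realms))
    return dict(findings)
```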