[Asterisk-Dev] Denial of service attack.

Derek Smithies derek at indranet.co.nz
Tue Apr 13 15:09:52 MST 2004


Hi,
 I have made a few calls with firefly and other iax clients.
Then, I examined packet dumps of the calls, and Frank Miller's
documentation.
I have been through a packet dump supplied by Ben Lear, which is
from recent cvs code (thanks Ben)

I had a bit of help from ethereal - the absolute latest version has an 
iax2 parser in it.

It seems there is a reasonably simple denial of service attack.
Suppose A is talking with B.

C is listening, and hears the conversation.

C builds a hangup packet, and sends it to B
C has to spoof the ip address of A
C has to know the source call number, dest call number, iseqno and 
   oseqno. To get the correct values, C has to wait until a full frame 
   goes past. Once C has the full frame, it can build a valid hangup 
   packet.

Alternatively,
   C does not have to wait for a full frame.
   C can listen, and see the mini frames with voice, and deduce the source 
      call number and dest call number.
   C can say, the iseqno and oseqno is typically between 1..5
   C then sends off 16 hangup packets, each with different iseqno/oseqno.
      One of them will kill the call....

=============================================

I did look at the authentication issue. The calls I looked at had no 
authentication on the last frame. Further, I did not see evidence of
checking authentication in the cvs code.
The packet parser code at the receiving end is:

    case IAX_COMMAND_HANGUP:
        iaxs[fr.callno]->alreadygone = 1;
        ast_log(LOG_DEBUG, "Immediately destroying %d, having received hangup\n", fr.callno);
        /* Send ack immediately, before we destroy */
        send_command_immediate(iaxs[fr.callno], AST_FRAME_IAX, IAX_COMMAND_ACK, fr.ts, NULL, 0, fr.iseqno);
        iax2_destroy_nolock(fr.callno);
        break;



Derek.
===============================



-- 
Derek Smithies Ph.D.                           This PC runs pine on linux for email
IndraNet Technologies Ltd.                     If you find a virus apparently from me, it has
Email: derek at indranet.co.nz                    forged  the e-mail headers on someone else's machine
ph +64 3 365 6485                              Please do not notify me when (apparently) receiving a
Web: http://www.indranet-technologies.com/     windows virus from me......
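
A receiving-side check for the sequence-number guessing variant described in the message, as an added example that is not part of the original post or of Asterisk. It parses the 12-byte IAX2 full-frame header (layout and the type/subclass values 6 and 5 as in RFC 5456) and flags calls that receive HANGUP frames carrying several different oseqno/iseqno pairs; the function names, the threshold and the sample capture are constructed for illustration.

```python
import struct
from collections import defaultdict

AST_FRAME_IAX = 6        # full-frame type "IAX" (RFC 5456)
IAX_COMMAND_HANGUP = 5   # IAX subclass HANGUP (RFC 5456)

def parse_full_frame(payload):
    """Return the 12-byte full-frame header as a dict, or None for a mini frame."""
    if len(payload) < 12:
        return None
    scall, dcall, ts, oseqno, iseqno, ftype, sub = struct.unpack("!HHIBBBB", payload[:12])
    if not scall & 0x8000:           # F bit clear: mini frame, carries no seqnos
        return None
    return {"scall": scall & 0x7FFF, "dcall": dcall & 0x7FFF,
            "retrans": bool(dcall & 0x8000), "ts": ts,
            "oseqno": oseqno, "iseqno": iseqno, "type": ftype, "subclass": sub & 0x7F}

def suspicious_hangups(packets, max_pairs=1):
    """packets: iterable of (src_ip, udp_payload) as seen by the receiving host.
    Flags calls that received HANGUP with more than max_pairs distinct
    (oseqno, iseqno) pairs; a genuine retransmission repeats the same pair."""
    seen = defaultdict(set)
    for src_ip, payload in packets:
        f = parse_full_frame(payload)
        if f and f["type"] == AST_FRAME_IAX and f["subclass"] == IAX_COMMAND_HANGUP:
            seen[(src_ip, f["scall"], f["dcall"])].add((f["oseqno"], f["iseqno"]))
    return {k: sorted(v) for k, v in seen.items() if len(v) > max_pairs}

# Constructed sample capture (hex of UDP payloads), not taken from a real trace.
SAMPLE = [(ip, bytes.fromhex(h)) for ip, h in [
    ("192.0.2.10", "8001 0002 000003e8 03 04 06 05"),   # one HANGUP
    ("192.0.2.10", "8001 8002 000003e8 03 04 06 05"),   # same frame retransmitted (R bit)
    ("192.0.2.20", "0007 07d0 a1a2a3a4a5a6a7a8a9aa"),   # mini frame (voice)
    ("192.0.2.20", "8007 0009 000007d0 01 01 06 04"),   # ACK, not a HANGUP
    ("192.0.2.20", "8007 0009 000007d0 01 01 06 05"),   # HANGUPs with varying seqnos
    ("192.0.2.20", "8007 0009 000007d0 01 02 06 05"),
    ("192.0.2.20", "8007 0009 000007d0 02 01 06 05"),
    ("192.0.2.20", "8007 0009 000007d0 02 02 06 05"),
]]

if __name__ == "__main__":
    for call, pairs in suspicious_hangups(SAMPLE).items():
        print(call, pairs)
```

Because the source address on these frames can be forged, the key identifies the call being torn down rather than the sender.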




