[Asterisk-Dev] Denial of service attack.

Stephen J. Wilcox steve at telecomplete.co.uk
Tue Apr 13 15:15:32 MST 2004


Hi Derek,
 so in either scenario you need access to the network medium to sniff packets? 
Probably bad by the time this is possible and your network is compromised.

Not saying you can't stick some challenges in there for security but your DoS 
does require the network be open..

Steve

On Wed, 14 Apr 2004, Derek Smithies wrote:

> Hi,
>  I have made a few calls with firefly and other iax clients.
> Then, I examined packet dumps of the calls, and Frank Miller's
> documentation.
> I have been through a packet dump supplied by Ben Lear, which is
> from recent cvs code (thanks Ben)
> 
> I had a bit of help from ethereal - the absolute latest version has an 
> iax2 parser in it.
> 
> It seems there is a reasonably simple denial of service attack.
> Suppose A is talking with B.
> 
> C is listening, and hears the conversation.
> 
> C builds a hangup packet, and sends it to B
> C has to spoof the ip address of A
> C has to know the source call number, dest call number, iseqno and 
>    oseqno. To get the correct values, C has to wait until a full frame 
>    goes past. Once C has the full frame, it can build a valid hangup 
>    packet.
> 
> Alternatively,
>    C does not have to wait for a full frame.
>    C can listen, and see the mini frames with voice, and deduce the source 
>       call number and dest call number.
>    C can say, the iseqno and oseqno is typically between 1..5
>    C then sends off 16 hangup packets, each with different iseqno/oseqno.
>       One of them will kill the call....
> 
> =============================================
> 
> I did look at the authentication issue. The calls I looked at had no 
> authentication on the last frame. Further, I did not see evidence of
> checking authentication in the cvs code.
> The packet parser code at the receiving end is::
> 
>     case IAX_COMMAND_HANGUP:
>         iaxs[fr.callno]->alreadygone = 1;
>         ast_log(LOG_DEBUG, "Immediately destroying %d, having received hangup\n", fr.callno);
>         /* Send ack immediately, before we destroy */
>         send_command_immediate(iaxs[fr.callno], AST_FRAME_IAX, IAX_COMMAND_ACK, fr.ts, NULL, 0, fr.iseqno);
>         iax2_destroy_nolock(fr.callno);
>         break;
> 
> 
> 
> Derek.
> ===============================
> 
> 
> 
> 
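
A detection-side sketch of the pattern described in the quoted message (several hangup frames for one call, each with different sequence numbers), added here as an example; it is not code from the original posts or from Asterisk. The header layout and the constants 6 (IAX frame type) and 5 (HANGUP subclass) follow the IAX2 specification (RFC 5456); the function names, the sample bytes, and the heuristic that a genuine hangup keeps one oseqno across retransmits are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define FT_IAX    6  /* full-frame type "IAX control" (RFC 5456) */
#define SC_HANGUP 5  /* IAX subclass HANGUP (RFC 5456) */
struct iax_full { uint16_t scall, dcall; uint8_t oseq, iseq, type, sub; };

/* Parse the 12-byte full-frame header; -1 on short input or a mini frame (F bit clear). */
int parse_full(const uint8_t *p, size_t n, struct iax_full *f)
{
    if (n < 12 || !(p[0] & 0x80)) return -1;
    f->scall = (uint16_t)(((p[0] & 0x7f) << 8) | p[1]);
    f->dcall = (uint16_t)(((p[2] & 0x7f) << 8) | p[3]); /* top bit = retransmit flag */
    f->oseq = p[8];  f->iseq = p[9];
    f->type = p[10]; f->sub  = p[11] & 0x7f;
    return 0;
}

/* Count distinct oseqno values among HANGUP frames for one call pair (hypothetical
 * helper). More than one in a short capture window matches the guessing pattern. */
int hangup_oseq_spread(const uint8_t (*pk)[12], size_t n, uint16_t sc, uint16_t dc)
{
    uint8_t seen[256] = {0};
    struct iax_full f;
    int distinct = 0;
    for (size_t i = 0; i < n; i++) {
        if (parse_full(pk[i], 12, &f) || f.type != FT_IAX || f.sub != SC_HANGUP) continue;
        if (f.scall != sc || f.dcall != dc || seen[f.oseq]) continue;
        seen[f.oseq] = 1;
        distinct++;
    }
    return distinct;
}

/* Constructed sample headers (not from a real capture): call 5 -> 9. */
static const uint8_t SAMPLE[][12] = {
    {0x80,5, 0x00,9, 0,0,0,1, 1,1, 6,5},  /* HANGUP, oseqno 1 */
    {0x80,5, 0x80,9, 0,0,0,1, 1,1, 6,5},  /* same frame with retransmit bit set */
    {0x80,5, 0x00,9, 0,0,0,1, 2,1, 6,5},  /* HANGUP, oseqno 2 */
    {0x80,5, 0x00,9, 0,0,0,1, 3,2, 6,5},  /* HANGUP, oseqno 3 */
    {0x80,5, 0x00,9, 0,0,0,1, 4,2, 6,4},  /* ACK, ignored */
    {0x00,5, 0,0, 0,0,0,0, 0,0, 0,0},     /* mini frame, ignored */
};

int main(void)
{
    printf("distinct oseqno: %d\n", hangup_oseq_spread(SAMPLE, 6, 5, 9));
    return 0;
}
```

On the constructed sample the count is 3; a monitor would alert when the count for a live call exceeds 1.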



