[asterisk-dev] Asterisk servers as UDP amplifier

Edwin Groothuis edwin at mavetju.org
Sat Apr 15 05:45:30 MST 2006


Greetings,

Recently the DNS protocol came under attack again, when people
started to abuse open recursive DNS servers for DDoS attacks. My
personal DNS server was involved too, see
http://weblog.barnet.com.au/edwin/000122.html for more details.

A discussion on several DNS related mailinglists came up, and although
a lot of water has flown to the sea since, there is still no
solution for this problem. Well, if ISPs got their act together and
blocked traffic from their user LANs with wrong IP addresses, but
euhms... this might take a while. If ever.

The DNS attack has an amplification of 100 times: for every forty
bytes sent, 4000 bytes were sent out.


Now back to Asterisk, or SIP in general.  Also UDP based, and thus
prone to the same kind of attack. The shortest packet I could
create to which Asterisk replied was 15 bytes, giving me 223 bytes
in answer:

22:20:41.429219 IP 10.10.12.2.62487 > 10.10.99.1.5060: SIP, length: 15
22:20:41.462792 IP 10.10.99.1.5060 > 10.10.12.2.62487: SIP, length: 223

U 10.10.12.2:62487 -> 10.10.99.1.5060
OPTIONS
CSeq: 1

U 10.10.99.1.5060 -> 10.10.12.2:62487
SIP/2.0 404 Not Found.
To: ;tag=as72710291.
CSeq: 1.
User-Agent: Asterisk PBX.
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY.
Contact: <sip:10.10.99.1>.
Accept: application/sdp.
Content-Length: 0.
.


That's nearly a 15 times amplification. But what is worse... While
I was able to disable it on the DNS server, there is no way I can
disable this on Asterisk.


I'm not going to predict the downfall of SIP and Asterisk and VoIP
with this: DNS servers are still much easier to abuse. But there
should be a configurable limitation on who should be able to send
OPTIONS:

- SIP peers

- Answers only to valid requests
  (chan_sip.c:6535 get_destination: Huh?  Not a SIP header ()?)
  (chan_sip.c:3773 copy_header: No field 'From' present to copy)
  (chan_sip.c:3773 copy_header: No field 'Call-ID' present to copy)
  (chan_sip.c:3853 copy_via_headers: No header field 'Via' present to copy)
  Doing this, my smallest packet was 85 bytes, giving me an
  answer of 289 bytes and thus an amplification of less than 4.


Edwin

-- 
Edwin Groothuis      |            Personal website: http://www.mavetju.org
edwin at mavetju.org    |          Weblog: http://weblog.barnet.com.au/edwin/
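The "answer only valid requests" rule proposed in the message above, as an added example (Python, not Asterisk's own code and not part of the original post): a minimal parser that accepts a datagram only when it has a proper SIP request line and carries the Via, From, Call-ID and CSeq header fields that Asterisk's quoted log lines complain about, plus a helper for the byte ratios the post measures. The sample datagrams are constructed; the required-header set is taken from the post and the RFC 3261 compact header forms are a stated fact, while the exact set Asterisk itself checks before replying is an assumption.

```python
import re

# Header fields Asterisk complained about in the log lines quoted in the post
# (From, Call-ID, Via) plus CSeq; a reply cannot be built without them.
# RFC 3261 section 8.1.1 requires To, From, CSeq, Call-ID, Max-Forwards and
# Via in every request; using that stricter set is a one-line change here.
REQUIRED_HEADERS = ("via", "from", "call-id", "cseq")

# RFC 3261 compact header forms, so "v:" is recognised as "Via" and so on.
COMPACT_FORMS = {"v": "via", "f": "from", "i": "call-id", "t": "to",
                 "m": "contact", "l": "content-length"}

# Request-Line: Method SP Request-URI SP SIP-Version
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")


def parse_request(datagram: bytes):
    """Parse the start line and header section of a SIP request.

    Returns (method, headers) with lower-cased header names mapped to lists
    of values, or None when the datagram is not a well-formed request.
    Both CRLF and bare LF line endings are accepted, as Asterisk does.
    """
    try:
        text = datagram.decode("ascii")
    except UnicodeDecodeError:
        return None
    text = text.replace("\r\n", "\n")
    head, _sep, _body = text.partition("\n\n")  # the body is ignored here
    lines = head.split("\n")
    match = REQUEST_LINE.match(lines[0])
    if match is None:
        return None          # e.g. a bare "OPTIONS" line without a Request-URI
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            return None      # a header line without a colon is malformed
        name = name.strip().lower()
        if len(name) == 1:
            name = COMPACT_FORMS.get(name, name)
        headers.setdefault(name, []).append(value.strip())
    return match.group(1), headers


def should_answer(datagram: bytes) -> bool:
    """Return True only if the request carries every header needed for a reply.

    This is the 'answer only valid requests' rule from the post: anything else
    is dropped silently, so a spoofed source address receives no bytes at all.
    """
    parsed = parse_request(datagram)
    if parsed is None:
        return False
    _method, headers = parsed
    return all(name in headers for name in REQUIRED_HEADERS)


def amplification(request_bytes: int, response_bytes: int) -> float:
    """Bytes sent back per byte received; anything above 1 amplifies."""
    return response_bytes / request_bytes


# Constructed sample datagrams (not captures taken from the post).
BARE_OPTIONS = b"OPTIONS\nCSeq: 1\n"   # same shape as the post's 15-byte probe
NO_VIA = (b"OPTIONS sip:10.10.99.1 SIP/2.0\r\n"
          b"From: <sip:probe@10.10.12.2>;tag=1\r\n"
          b"Call-ID: constructed-1@10.10.12.2\r\n"
          b"CSeq: 1 OPTIONS\r\n\r\n")
FULL_OPTIONS = (b"OPTIONS sip:10.10.99.1 SIP/2.0\r\n"
                b"Via: SIP/2.0/UDP 10.10.12.2:62487;branch=z9hG4bKconstructed\r\n"
                b"From: <sip:probe@10.10.12.2>;tag=1\r\n"
                b"To: <sip:10.10.99.1>\r\n"
                b"Call-ID: constructed-1@10.10.12.2\r\n"
                b"CSeq: 1 OPTIONS\r\n"
                b"Max-Forwards: 70\r\n"
                b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, pkt in (("bare", BARE_OPTIONS), ("no Via", NO_VIA), ("full", FULL_OPTIONS)):
        print(f"{label:7s} {len(pkt):3d} bytes -> answer: {should_answer(pkt)}")
    # Byte counts quoted in the post: 15 -> 223 and 85 -> 289.
    print(f"bare probe amplification:    {amplification(15, 223):.1f}x")
    print(f"valid request amplification: {amplification(85, 289):.1f}x")
```

Dropping malformed requests removes the 15x case, but as the post's own numbers show a syntactically valid request from a spoofed address is still answered at roughly 3.4x, which is why the first bullet (only answering known SIP peers) is the stronger control.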


