[asterisk-dev] Asterisk servers as UDP amplifier

John Todd jtodd at loligo.com
Sat Apr 15 17:29:31 MST 2006


At 10:20 AM +1000 4/16/06, Edwin Groothuis wrote:
>Hello Denis,
>
>On Sat, Apr 15, 2006 at 09:22:46PM +0400, Denis Smirnov wrote:
>>  On Sat, Apr 15, 2006 at 10:45:30PM +1000, Edwin Groothuis wrote:
>>  EG>   Doing this, my smallest packet was 85 bytes, giving me an
>>  EG>   answer of 289 bytes and thus an amplification of less than 4.
>>
>>  Can you post your patch to bugtracker?
>
>At this moment I'm still in the discussion phase (until last night,
>did you consider this an issue). People will complain that not
>answering packets without a proper SIP header will break specs,
>people will complain that it will interfere with operational issues
>etc etc etc. For what it is worth, I don't even know right now what
>other people's opinion about it is, so no, I don't have patches yet.
>First discuss things which break things, then implement. Otherwise
>I'll be wasting time on making them and then The Powers That Be
>reject them because they don't understand the issue.
>
>Happy easter-eggs, Edwin
>--
>Edwin Groothuis      |            Personal website: http://www.mavetju.org
>edwin at mavetju.org    |          Weblog: http://weblog.barnet.com.au/edwin/


I would suggest that the patch then include a small bit of code that 
allows the non-RFC-compliant (or "secure", depending on your 
preference) responses to be selected on a global basis in sip.conf. 
This will remove the ability for anyone to complain about mandatory 
modifications that they disagree with.  I think this is a worthwhile
patch, though perhaps it would be more useful if it was larger in 
scope.

Next: How do you eliminate amplification attacks via INVITE, or SUBSCRIBE?

JT



