[asterisk-dev] Asterisk servers as UDP amplifier
John Todd
jtodd at loligo.com
Sat Apr 15 17:29:31 MST 2006
At 10:20 AM +1000 4/16/06, Edwin Groothuis wrote:
>Hello Denis,
>
>On Sat, Apr 15, 2006 at 09:22:46PM +0400, Denis Smirnov wrote:
>> On Sat, Apr 15, 2006 at 10:45:30PM +1000, Edwin Groothuis wrote:
>> EG> Doing this, my smallest packet was 85 bytes, giving me an
>> EG> answer of 289 bytes and thus an amplification of less than 4.
>>
>> Can you post your patch to bugtracker?
>
>At this moment I'm still in the discussion phase (until last night,
>did you consider this an issue). People will complain that not
>answering packets without a proper SIP header will break specs,
>people will complain that it will interfere with operational issues
>etc etc etc. For what it is worth, I don't even know right now what
>others people opinion about it is, so no, I don't have patches yet.
>First discuss things which break things, then implement. Otherwise
>I'll be wasting time on making them and then The Powers That Be
>reject them because they don't understand the issue.
>
>Happy easter-eggs, Edwin
>--
>Edwin Groothuis | Personal website: http://www.mavetju.org
>edwin at mavetju.org | Weblog: http://weblog.barnet.com.au/edwin/
I would suggest that the patch then include a small bit of code that
allows the non-RFC-compliant (or "secure", depending on your
preference) responses to be selected on a global basis in sip.conf.
This will remove the ability for anyone to complain about mandatory
modifications that they disagree with. I think this a worthwhile
patch, though perhaps it would be more useful if it was larger in
scope.
Next: How do you eliminate amplification attacks via INVITE, or SUBSCRIBE?
JT
More information about the asterisk-dev
mailing list