[asterisk-dev] Asterisk security components...

J. Oquendo sil at infiltrated.net
Fri Dec 8 18:28:47 MST 2006


Hey all,

For the past couple of weeks, I've been trying to put
together an "Asterisk Intrusion Detection/Prevention"
program for Asterisk. So far I am able to mitigate
subscribe attacks and bogus caller ID attacks, and am
working on others. Would any other engineer be willing
to dissect what I have (I'm doing these as modules) and
offer advice or modifications?

So far the parameters I am using for registration
spoofing are something like this. This is a spoofed
message I created:

SIP/2.0 404 Not found
Via: SIP/2.0/UDP 192.168.1.128:5060;received=192.168.1.128
From: "1586" <sip:1586@192.168.1.128>
To: "1586" <sip:1586@192.168.1.128>;tag=as7fd2ecda
Call-ID: 1586@192.168.1.128
CSeq: 101 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Content-Length: 0


I can tell based on the Call-ID alone that this should be
blocked... But for legitimate registrations, what I
decided on was this: if someone is registering more
than one number _X_ times in a given interval, say 10+ per
second, then this user indeed needs to be blocked.

So I've been thinking about this, and it brings to
mind, what if someone is doing some funky PAT/NAT,
say a company? I wouldn't want to autoblock them
but I would want to know what is going on, on the
network...

This is how I'm flow charting this portion... I've
worked on, and am working on the messages piece-meal...
Registers, Subscribes, Options, Notifies, etc...
Any input is greatly appreciated.



-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743

"How a man plays the game shows something of his
character - how he loses shows all" - Mr. Luckey 
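The two checks sketched in the post (a Call-ID sanity check on the crafted message, and a per-source "more than one number, X times per second" registration limiter that only alerts on known NAT gateways instead of blocking them) written out as a small, runnable example. This is an added example, not the poster's code nor anything shipped with Asterisk; the "Call-ID equals user@host of the From URI" heuristic, the `nat_gateways` allowlist, and the sample REGISTER messages are all assumptions made for illustration.

```python
"""Added example: Call-ID heuristic + sliding-window REGISTER rate limiter.
Not the poster's code; the checks and sample messages are constructed here."""
import re
from collections import defaultdict, deque


def parse_sip(raw):
    """Split a SIP message into (start_line, headers). Header names are
    lower-cased; a repeated header (e.g. Via) keeps only its first value."""
    lines = raw.strip().splitlines()
    start = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                     # blank line ends the headers; body ignored
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return start, headers


URI_RE = re.compile(r"sip:(?P<user>[^@>;]+)@(?P<host>[^>;:]+)")


def uri_parts(header_value):
    """Return (user, host) from the first sip: URI in a From/To header value."""
    m = URI_RE.search(header_value or "")
    return (m.group("user"), m.group("host")) if m else (None, None)


def suspicious_call_id(headers):
    """Heuristic (assumption, not an RFC rule): a real user agent generates a
    random Call-ID, so a Call-ID that is simply <user>@<host> copied from the
    From URI, as in the crafted 404 in the post, marks a hand-built message."""
    user, host = uri_parts(headers.get("from"))
    if user is None:
        return False
    return headers.get("call-id", "").strip() == f"{user}@{host}"


class RegisterRateTracker:
    """Count distinct To-users registering from one source address inside a
    sliding window. A source in nat_gateways (assumed list of known PAT/NAT
    addresses, e.g. a company's firewall) is reported but never blocked."""

    def __init__(self, limit=10, window=1.0, nat_gateways=()):
        self.limit, self.window = limit, window
        self.nat = set(nat_gateways)
        self.events = defaultdict(deque)   # src_ip -> deque of (timestamp, user)

    def observe(self, src_ip, headers, now):
        q = self.events[src_ip]
        user, _ = uri_parts(headers.get("to"))
        q.append((now, user))
        while q and now - q[0][0] > self.window:
            q.popleft()                    # drop events older than the window
        distinct = len({u for _, u in q})
        if distinct <= self.limit:         # one phone retrying stays "allow"
            return "allow"
        return "alert" if src_ip in self.nat else "block"


# Constructed sample input: the crafted 404 from the post, '@' restored.
SPOOFED = """SIP/2.0 404 Not found
Via: SIP/2.0/UDP 192.168.1.128:5060;received=192.168.1.128
From: "1586" <sip:1586@192.168.1.128>
To: "1586" <sip:1586@192.168.1.128>;tag=as7fd2ecda
Call-ID: 1586@192.168.1.128
CSeq: 101 REGISTER
User-Agent: Asterisk PBX
Content-Length: 0
"""


def register_msg(user, host, call_id):
    """Constructed minimal REGISTER request used as sample input."""
    return (f"REGISTER sip:{host} SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {host}:5060\r\n"
            f"From: <sip:{user}@{host}>;tag=1\r\n"
            f"To: <sip:{user}@{host}>\r\n"
            f"Call-ID: {call_id}\r\n"
            f"CSeq: 1 REGISTER\r\n"
            f"Content-Length: 0\r\n\r\n")


def simulate_flood(src_ip, tracker, n, start=0.0, step=0.05):
    """Feed n REGISTERs for n different extensions from src_ip, spaced `step`
    seconds apart, and return the tracker's verdict on the last one."""
    verdict = "allow"
    for i in range(n):
        _, h = parse_sip(register_msg(str(1000 + i), "192.168.1.1", f"cid{i}@x"))
        verdict = tracker.observe(src_ip, h, start + i * step)
    return verdict


if __name__ == "__main__":
    _, hdrs = parse_sip(SPOOFED)
    print("spoofed Call-ID:", suspicious_call_id(hdrs))
    t = RegisterRateTracker(limit=10, window=1.0, nat_gateways=("203.0.113.7",))
    print("11 numbers in 0.5s from 10.0.0.5:", simulate_flood("10.0.0.5", t, 11))
    print("same from NAT gateway:", simulate_flood("203.0.113.7", t, 11))
```

In a real deployment the `src_ip` key should be the source address of the UDP datagram as seen by the PBX, not anything copied from the Via header, since Via is attacker-controlled; the distinct-user count (rather than a raw message count) is what keeps a single phone that retries its REGISTER from tripping the limit.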

