[asterisk-dev] Asterisk security components...

Andrew Swerdlow swerdlow at gmail.com
Sat Dec 9 08:17:31 MST 2006


Do you have any other docs on asterisk security?  Have there been any
other pen tests?

Thanx

Andrew

On 12/8/06, J. Oquendo <sil at infiltrated.net> wrote:
> Hey all,
>
> For the past couple of weeks, I've been trying to put
> together an "Asterisk Intrusion Detection/Prevention"
> program for Asterisk. So far I am able to mitigate
> subscribe attacks, bogus caller ID attacks, and am
> working on others. Would any other engineer be willing
> to dissect what I have (doing these in modules) and
> offer advice or modifications?
>
> So far the parameters I am using for the registration
> spoofing are something like this. This is a spoofed
> message I created:
>
> SIP/2.0 404 Not found
> Via: SIP/2.0/UDP 192.168.1.128:5060;received=192.168.1.128
> From: "1586" <sip:1586@192.168.1.128>
> To: "1586" <sip:1586@192.168.1.128>;tag=as7fd2ecda
> Call-ID: 1586@192.168.1.128
> CSeq: 101 REGISTER
> User-Agent: Asterisk PBX
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
> Content-Length: 0
>
>
> I can tell based on Call-ID alone this should be
> blocked... But for legitimate registrations, what I
> decided for this was, if someone is registering more
> than one number in _X_ amount of times, say, +10 per
> second, indeed this user needs to be blocked.
>
> So I've been thinking about this, and it brings to
> mind, what if someone is doing some funky PAT/NAT,
> say a company? I wouldn't want to autoblock them
> but I would want to know what is going on, on the
> network...
>
> This is how I'm flow charting this portion... I've
> worked on, and am working on the messages piecemeal...
> Registers, Subscribes, Options, Notifies, etc...
> Any input is greatly appreciated.
>
>
>
> --
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
>
> "How a man plays the game shows something of his
> character - how he loses shows all" - Mr. Luckey


-- 
Andrew Swerdlow
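
The registration-rate rule described in the quoted message, as an added example that is not part of the original thread or of Asterisk: it counts distinct numbers registered per source address in a sliding window, blocks above the threshold, and only alerts for addresses listed as known NAT/PAT gateways. The one-second window, the reading of "+10 per second" as more than 10 distinct numbers, the gateway list and all function names are assumptions; the source address is taken to be the packet's transport address, supplied by the caller.

```python
import re
from collections import defaultdict, deque

WINDOW = 1.0     # seconds; the post leaves the window as "_X_" (assumed value)
THRESHOLD = 10   # distinct numbers per window, read from "+10 per second"
ALERT_ONLY = {"203.0.113.7"}  # constructed: known NAT/PAT gateways, alert instead of block

REQ_RE = re.compile(r"^REGISTER\s+sip:", re.I)
TO_RE = re.compile(r"^To:.*<sip:([^@>;]+)@", re.I | re.M)

def registered_user(msg):
    """Return the user part of the To URI for a REGISTER request, else None."""
    if not REQ_RE.match(msg):
        return None          # responses (e.g. "SIP/2.0 404") and other methods
    m = TO_RE.search(msg)
    return m.group(1) if m else None

class RegisterMonitor:
    def __init__(self, window=WINDOW, threshold=THRESHOLD, alert_only=ALERT_ONLY):
        self.window, self.threshold, self.alert_only = window, threshold, alert_only
        self.seen = defaultdict(deque)   # source IP -> (timestamp, user) pairs

    def observe(self, ts, src_ip, msg):
        """Return 'ignore', 'allow', 'alert' or 'block' for one received message."""
        user = registered_user(msg)
        if user is None:
            return "ignore"
        q = self.seen[src_ip]
        q.append((ts, user))
        while ts - q[0][0] > self.window:   # drop entries older than the window
            q.popleft()
        distinct = {u for _, u in q}        # re-registering one number counts once
        if len(distinct) <= self.threshold:
            return "allow"
        return "alert" if src_ip in self.alert_only else "block"

def make_register(user, host="192.168.1.128"):
    """Constructed sample REGISTER request (not captured traffic)."""
    return (f"REGISTER sip:{host} SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {host}:5060\r\n"
            f'From: "{user}" <sip:{user}@{host}>\r\n'
            f'To: "{user}" <sip:{user}@{host}>\r\n'
            f"Call-ID: {user}@{host}\r\nCSeq: 101 REGISTER\r\nContent-Length: 0\r\n\r\n")

def replay(src_ip, users, step=0.05):
    """Feed one REGISTER per user from src_ip, spaced `step` seconds apart."""
    mon = RegisterMonitor()
    return [mon.observe(i * step, src_ip, make_register(u)) for i, u in enumerate(users)]

if __name__ == "__main__":
    print(replay("198.51.100.9", range(1586, 1597)))   # 11 numbers in 0.5 s
    print(replay("203.0.113.7", range(1586, 1597)))    # same burst via a listed gateway
```

Counting distinct numbers rather than raw REGISTER messages keeps a single phone that refreshes its registration often from tripping the rule.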