[asterisk-dev] Rate limiting traffic to address potential DoS issues?

Kevin P. Fleming kpfleming at digium.com
Fri Oct 6 09:50:24 MST 2006


----- John Lange <j.lange at epic.ca> wrote:
> This particular suggestion was in response to one specific type of
> attack. At the moment Asterisk has a limit on the number of
> authentication requests it can handle at one time. An attacker simply
> has to flood the server with a number of 1/2 open authentication
> requests and Asterisk's authentication table will fill and stop
> responding.

There is no 'authentication table'. There is a linked list of structures for open calls, and that list can grow very large and cause SIP channel processing to get very slow, but it can never get full (except for a server getting completely memory starved).

In IAX2 there is a hard limit on the number of outstanding connections, so when this issue was raised we added a 'maxauthreq' parameter to IAX2 users to limit the number of half-open connections a single user could have. It would certainly make some sense to add the same sort of limiting for SIP users.

-- 
Kevin P. Fleming
Senior Software Engineer
Digium, Inc.
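
The per-user cap on half-open authentication requests described in the message above, as an added example that is not part of the original post and is not Asterisk's code. Only the name `maxauthreq` comes from the post; the struct, the function names and the sample users are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#define MAX_USERS 8

/* Hypothetical per-user record; names are illustrative, not Asterisk's. */
struct user_limit {
    char name[32];
    int maxauthreq;  /* cap on half-open authentication requests */
    int curauthreq;  /* requests challenged but not yet completed */
};
static struct user_limit users[MAX_USERS];
static int nusers;

static struct user_limit *find_user(const char *name) {
    for (int i = 0; i < nusers; i++)
        if (strcmp(users[i].name, name) == 0)
            return &users[i];
    return NULL;
}

/* Register a user and its cap; 0 on success, -1 if the table is full. */
int add_user(const char *name, int maxauthreq) {
    if (nusers >= MAX_USERS)
        return -1;
    struct user_limit *u = &users[nusers++];
    snprintf(u->name, sizeof(u->name), "%s", name);
    u->maxauthreq = maxauthreq;
    u->curauthreq = 0;
    return 0;
}

/* New request needing a challenge: 1 = accepted, 0 = refused.
 * Unknown names are refused in this sketch (an assumption). */
int auth_request_begin(const char *name) {
    struct user_limit *u = find_user(name);
    if (!u || u->curauthreq >= u->maxauthreq)
        return 0;
    u->curauthreq++;
    return 1;
}

/* Challenge answered, failed, or timed out: release the slot. */
void auth_request_end(const char *name) {
    struct user_limit *u = find_user(name);
    if (u && u->curauthreq > 0)
        u->curauthreq--;
}

int main(void) {
    add_user("alice", 3);
    add_user("bob", 3);
    int accepted = 0;
    for (int i = 0; i < 10; i++)  /* constructed burst: 10 unanswered requests */
        accepted += auth_request_begin("alice");
    printf("alice: %d of 10 accepted; bob: %d\n", accepted, auth_request_begin("bob"));
    return 0;
}
```

The slot must also be released on timeout, otherwise abandoned requests would hold a user at the cap permanently.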


