[asterisk-dev] Rate limiting traffic to address potential DoS issues?

Kevin P. Fleming kpfleming at digium.com
Fri Oct 6 09:56:03 MST 2006


I'm sorry it took me so long to get back to this thread... there have been many good points raised and I'm happy to see that the general sense in the community is along the same lines as my original thinking :-)

The issue that started this discussion is NOT an extreme volume of proper/valid signaling; instead, it is properly-formatted but otherwise bogus signaling that Asterisk has to respond to because the RFCs require it (in general). There is some evidence that if you send enough of this stuff at Asterisk, it will start to drop calls and otherwise behave badly.

While we can do some work to try to make this have less drastic side effects, there are always going to be limits to how much traffic we can handle before falling over. If we can improve the code to handle 100 packets per second, is that really an improvement since the attacker can just send 200 packets per second instead?

It seems that maybe the best proposal at this time is to just provide a method for counting the number of improper/bogus signaling packets received in a given time frame (per second, per minute, etc.) and then dropping (without response) any signaling that is not known to be valid beyond that limit.

-- 
Kevin P. Fleming
Senior Software Engineer
Digium, Inc.



More information about the asterisk-dev mailing list