[asterisk-dev] Rate limiting traffic to address potential DoS issues?

J. Oquendo sil at infiltrated.net
Fri Oct 6 11:07:28 MST 2006


Kevin P. Fleming wrote:
> I'm sorry it took me so long to get back to this thread... there have been many good points raised and I'm happy to see that the general sense in the community is along the same lines as my original thinking :-)
>
> The issue that started this discussion is NOT an extreme volume of proper/valid signaling; instead, it is properly-formatted but otherwise bogus signaling that Asterisk has to respond to because the RFCs require it (in general). There is some evidence that if you send enough of this stuff at Asterisk, it will start to drop calls and otherwise behave badly.
>
> While we can do some work to try to make this have less drastic side effects, there are always going to be limits to how much traffic we can handle before falling over. If we can improve the code to handle 100 packets per second, is that really an improvement since the attacker can just send 200 packets per second instead?
>
> It seems that maybe the best proposal at this time is to just provide a method for counting the number of improper/bogus signaling packets received in a given time frame (per second, per minute, etc.) and then dropping (without response) any signaling that is not known to be valid beyond that limit.
>
>   
Here is the final program and scripts for you guys to test. It started 
as something targeted towards SIP in general, not solely Asterisk.

http://www.infiltrated.net/5e5135b617a29d14f034614d24378cc9.tar

Cisco has a PSIRT case opened since they are testing it against CCM/CME. 
Avaya opened one, CERT has one as well. I will hold off for a while 
before I post anything. One thing to take note of is, I use an nCite SBC 
and it does little to deter this. If I set things to block out based on 
address, if the program goes on long enough to find a match on say IP 
address, let's say my address is 22.22.22.22, it will block legitimate 
calls. I set it to send bad IP info but didn't bother doing a "true IP 
spoofing" function. Right now I see 6 DoS attacks when it is run:

1) ICMP DoS gets returned from Asterisk (Asterisk replies to bogus requests)
2) Channels fill up (bogus calls)
3) Space fills up (logs)
4) Kills all versions of Asterisk
5) Will not allow valid callers through since resources are locked up
6) Soundfiles open till the machine starts to choke (depending on the 
amount sent to server)

Take note I didn't send this to the list in hopes no idiots play with 
this thing. I'd hope some remedy comes out since I run * servers as a 
VoIP business.

-- 
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 

The happiness of society is the end of government.
John Adams
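The counting approach Kevin describes above (tally bogus signaling per source within a time window, keep replying as the RFCs require while under the limit, and silently drop anything not known to be valid once the limit is exceeded), as an added example that is not part of this thread, Asterisk's code, or J. Oquendo's tool. The method list, the minimal structural check standing in for "known to be valid", the 203.0.113.9 source and the sample messages are all constructed for this example.

```python
import re
import time
from collections import defaultdict, deque

# Methods treated as "known" signaling; anything else counts as bogus.
# Constructed for this example, not Asterisk's own list.
KNOWN_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
MANDATORY_HEADERS = ("via", "from", "to", "call-id", "cseq")


def is_known_valid(raw: str) -> bool:
    """Structural check: well-formed request line with a known method and
    all mandatory headers present. Anything failing is 'not known to be valid'."""
    lines = raw.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m or m.group(1) not in KNOWN_METHODS:
        return False
    headers = {}
    for line in lines[1:]:
        if line == "":            # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if not sep:
            return False          # header line without a colon
        headers[name.strip().lower()] = value.strip()
    return all(h in headers for h in MANDATORY_HEADERS)


class BogusSignalingLimiter:
    """Sliding-window counter of bogus packets per source address.

    Decisions: "process" for valid signaling (never counted, never blocked),
    "reject" for bogus signaling under the limit (send the RFC-mandated error
    reply), "drop" for bogus signaling over the limit (no response at all).
    """

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self._bogus = defaultdict(deque)   # src -> timestamps of bogus packets

    def decide(self, src: str, raw: str, now=None) -> str:
        if now is None:
            now = time.monotonic()
        if is_known_valid(raw):
            return "process"
        q = self._bogus[src]
        while q and now - q[0] > self.window:   # expire entries outside the window
            q.popleft()
        q.append(now)
        return "drop" if len(q) > self.limit else "reject"


# Constructed sample traffic (not captured from a real system).
VALID_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.9;branch=z9hG4bK1\r\n"
    "From: <sip:alice@example.com>;tag=1\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: c1@203.0.113.9\r\n"
    "CSeq: 1 INVITE\r\n\r\n"
)
BOGUS_REQUEST = "FLOOD sip:x SIP/2.0\r\nVia: SIP/2.0/UDP 203.0.113.9\r\n\r\n"


def simulate():
    """One source sends a valid INVITE, five bogus requests within half a
    second, another valid INVITE, then a bogus request after the window."""
    lim = BogusSignalingLimiter(limit=3, window_seconds=1.0)
    src = "203.0.113.9"
    events = [(0.0, VALID_INVITE)]
    events += [(0.1 * i, BOGUS_REQUEST) for i in range(1, 6)]
    events += [(0.6, VALID_INVITE), (2.0, BOGUS_REQUEST)]
    return [lim.decide(src, raw, now=t) for t, raw in events]


if __name__ == "__main__":
    print(simulate())
```

Because only the bogus packets are counted and dropped, a well-formed INVITE from the same address keeps getting processed even while that address is over the limit; this is the difference from the address-based blocking Oquendo describes on the SBC, where a spoofed source can end up blocking legitimate calls. In a real deployment the "known valid" test would also consult peer registration state rather than just message structure.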
