[asterisk-dev] Rate limiting traffic to address potential DoS issues?
Steven
critch at basesys.com
Tue Sep 26 14:26:23 MST 2006
On Tue, 2006-09-26 at 14:30 -0500, Kevin P. Fleming wrote:
> A community member has communicated to me a couple of issues where if
> he sends large volumes of correctly-formatted (but otherwise invalid)
> packets at Asterisk channel drivers, Asterisk behaves quite poorly. In
> general it does not crash, but it will lose calls, respond very
> slowly, etc.
>
> I have been loath to start trying to build remediation for this into
> Asterisk itself, since that's a very slippery slope and we could end
> up spending the next six months trying to come up with new attack
> vectors and then coding to deal with them. In addition, at least in my
> opinion, there are good, free tools already to do this sort of thing
> (rate limiting of incoming traffic), as well as solid commercial
> products.
>
> However, I'd like to get the opinions of our developer community... do
> you think this is something we should attempt to address within
> Asterisk itself, or we are better off to post some 'best practices'
> documents that demonstrate ways that existing tools can be used to
> combat these attacks?
Heading off all attacks is not going to be worth the effort. But some
attacks should be handled. My not necessarily well educated opinion is
that we steer for a middle ground. I think we have already been
following this course. It is to document best practices and patch for poor
behaviour when we find it.

I am of the opinion that Asterisk shouldn't start losing calls just
because it is getting loaded. But I know call quality will be affected
as the load goes up.

Without knowing more about the proposed attack and the variations that
could be applied, I don't know what could be done. But then again, I
don't work with VoIP enough nor the protocols to know how to defend
against it to give any further meaningful advice.
--
Steven <critch at basesys.com>