[asterisk-dev] Rate limiting traffic to address potential DoS issues?
Kristian Kielhofner
kris at krisk.org
Tue Sep 26 15:04:42 MST 2006
Kevin P. Fleming wrote:
> A community member has communicated to me a couple of issues where if
> he sends large volumes of correctly-formatted (but otherwise invalid)
> packets at Asterisk channel drivers, Asterisk behaves quite poorly.
> In general it does not crash, but it will lose calls, respond very
> slowly, etc.
>
> I have been loath to start trying to build remediation for this into
> Asterisk itself, since that's a very slippery slope and we could end
> up spending the next six months trying to come up with new attack
> vectors and then coding to deal with them. In addition, at least in
> my opinion, there are good, free tools already to do this sort of
> thing (rate limiting of incoming traffic), as well as solid
> commercial products.
>
> However, I'd like to get the opinions of our developer community...
> do you think this is something we should attempt to address within
> Asterisk itself, or we are better off to post some 'best practices'
> documents that demonstrate ways that existing tools can be used to
> combat these attacks?
>
Kevin,

I envision something like the pike module from OpenSER/SER:

http://www.openser.org/docs/modules/1.1.x/pike.html

Something like this in SER/OpenSER would help:

    if (!allow_trusted) && (!pike_check_req()) {
        sl_send_reply(403, "You are DOSing me\n");
        exit;
    };

While that isn't totally syntactically correct, it gives the general
idea. Basically, if your host isn't in the trusted DB table and it
fails the conditions for the pike module, bounce the call. Some could
argue that you shouldn't send a reply at all (a good way to amplify the
DOS) and just drop it: exit;.

This doesn't completely solve the problems you've outlined, but it is
certainly a step in the right direction.

I hate to say it, but has your guy considered putting SER up in front
of Asterisk to try to enforce some sanity? I don't know if it would do
any better than Asterisk, or if it would even result in a net gain, but
it would sure be interesting to see... Either way, I'd like to see
something like pike in Asterisk.

--
Kristian Kielhofner