[asterisk-dev] Rate limiting traffic to address potential DoS issues?

Brian Candler B.Candler at pobox.com
Wed Sep 27 01:03:36 MST 2006


On Tue, Sep 26, 2006 at 05:02:56PM -0500, Jason Parker wrote:
> Let's look at other apps (say, apache) for an example of something
> similar.  What happens if you throw thousands of requests at apache per
> second?  It's going to die.  And why shouldn't it?  Stuff like this, in my
> opinion, is best handled at the firewall level, or perhaps with a load
> balancer of sorts.

I think you may be comparing apples and oranges there.

HTTP runs over TCP. There are well-known denial of service attacks against
TCP (e.g. half-open connections from spoofed source IP addresses) and
well-known defences which can be implemented in the kernel or in firewalls
(e.g. syn cookies). Therefore by the time Apache sees an incoming TCP
request, these have been filtered out.

SIP generally runs over UDP, and so you don't get this protection. In fact
there's very little generic protection that the kernel could offer.

In both Apache and Asterisk, as you say, if you overload the system with a
large number of *valid* requests then they may fall over. I suspect that's
not actually the problem under discussion; rather, that there are specific
denial-of-service attacks of the spoofed IP variety against SIP.

However, without disclosure of what the actual attacks under consideration
are, it's very difficult to be specific about how they could be
handled.

Equally, it's clear that any sort of attack can be managed by a firewall if
it is sophisticated enough. But how many firewalls have full
application-layer stateful support for SIP? And if there are any, which ones
have been tested with Asterisk and certified by Digium?

Regards,

Brian.
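The distinction drawn above (the kernel absorbs TCP floods before Apache sees them, nothing similar shields SIP over UDP, and spoofed sources undermine per-address limiting) in runnable form, as an added example that belongs neither to this thread nor to Asterisk. The two-bucket design, the bucket sizes, and the 192.0.2.x / 198.51.100.x sample addresses are assumptions made for the demonstration.

```python
from collections import defaultdict

class TokenBucket:
    """Integer token bucket: 1000 millitokens buy one datagram (no float drift)."""
    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec       # tokens/s == millitokens per millisecond
        self.cap = burst * 1000
        self.tokens = self.cap
        self.last_ms = None
    def allow(self, now_ms):
        if self.last_ms is not None:
            self.tokens = min(self.cap, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False

class SipIngressLimiter:
    """Per-source bucket plus one global bucket in front of the SIP stack."""
    def __init__(self, src_rate, src_burst, global_rate, global_burst):
        # A spoofed flood creates one bucket per fake address: a real deployment
        # must bound this table (expiry/LRU) or the table itself becomes the DoS.
        self.per_src = defaultdict(lambda: TokenBucket(src_rate, src_burst))
        self.global_bucket = TokenBucket(global_rate, global_burst)
    def admit(self, now_ms, src_ip, datagram):
        # Cheap syntax check: "METHOD sip:... SIP/2.0" or "SIP/2.0 code reason".
        parts = datagram.split(b"\r\n", 1)[0].split(b" ")
        if len(parts) != 3 or b"SIP/2.0" not in (parts[0], parts[2]):
            return False
        if not self.per_src[src_ip].allow(now_ms):
            return False
        return self.global_bucket.allow(now_ms)

def run_flood(limiter, packets):
    """packets: iterable of (ms, src_ip, datagram). Returns how many were admitted."""
    return sum(limiter.admit(ms, ip, d) for ms, ip, d in packets)

# Constructed sample INVITE (not a capture).
INVITE = (b"INVITE sip:100@pbx.example SIP/2.0\r\n"
          b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK1\r\n\r\n")

def single_source_flood(n=30):
    """One host sending an INVITE every millisecond: the per-source bucket bites."""
    return run_flood(SipIngressLimiter(10, 5, 50, 20),
                     [(ms, "192.0.2.10", INVITE) for ms in range(n)])

def spoofed_source_flood(n=30):
    """Every datagram claims a new source: only the global bucket still bounds load."""
    return run_flood(SipIngressLimiter(10, 5, 50, 20),
                     [(ms, f"198.51.100.{ms + 1}", INVITE) for ms in range(n)])
```

With these settings the single-source flood admits 5 of 30 datagrams, while the spoofed flood sails through every per-source bucket and is only cut to 21 by the global budget, which is the point Brian makes: per-address limiting is no defence against spoofed UDP, only an aggregate cap is.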

