[asterisk-dev] Rate limiting traffic to address potential DoS issues?

John Lange j.lange at epic.ca
Wed Sep 27 07:54:56 MST 2006


On the surface it's actually pretty easy to draw a line between what
Asterisk should handle and what should be left for firewalls or the OS
to handle.

Simply, if it's an application layer issue then the application
(Asterisk) should handle it; if it's a lower layer then the OS or routers
should handle it.

How much should Asterisk do to mitigate attacks? I'm on the same page as
what others have suggested; Asterisk should have some parameters with
the ability to rate limit connections similar to Apache.

An Asterisk administrator should be able to tune his installation so
that attacks would not drop existing calls.

I know it's a lot easier said than done, but having nothing in place
leaves the system frail because mitigating application layer attacks
with only firewall rules is very, very difficult.

A while back I posted a suggestion for limiting the impact of half-open
SIP authentication attacks based on the principle of syncookies:

http://lists.digium.com/pipermail/asterisk-dev/2006-July/021709.html

It didn't seem to generate any interest, but I still think it's a good
idea, so it might be worth some people having a second look at, and it's
on-topic for this conversation.

John

On Tue, 2006-09-26 at 14:30 -0500, Kevin P. Fleming wrote:
> A community member has communicated to me a couple of issues where if he sends large volumes of correctly-formatted (but otherwise invalid) packets at Asterisk channel drivers, Asterisk behaves quite poorly. In general it does not crash, but it will lose calls, respond very slowly, etc.
> 
> I have been loath to start trying to build remediation for this into Asterisk itself, since that's a very slippery slope and we could end up spending the next six months trying to come up with new attack vectors and then coding to deal with them. In addition, at least in my opinion, there are good, free tools already to do this sort of thing (rate limiting of incoming traffic), as well as solid commercial products.
> 
> However, I'd like to get the opinions of our developer community... do you think this is something we should attempt to address within Asterisk itself, or we are better off to post some 'best practices' documents that demonstrate ways that existing tools can be used to combat these attacks?
> 
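The two mitigations discussed in this thread, an Apache-style per-source rate limit and a syncookie-style stateless challenge for half-open SIP authentication, can be sketched together in a few dozen lines. The following is an added example written for this page; it is not Asterisk code and not the proposal linked above. It assumes a SIP server that answers an unauthenticated REGISTER with a 401 carrying a nonce: instead of storing a pending transaction per challenge (the state a flood exhausts), the nonce is an HMAC over the source address, Call-ID and a coarse timestamp, so the server keeps nothing until a client echoes a valid nonce back. The secret, rate and burst values, the class and function names, and the flood simulation are all constructed for illustration.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed values: rotate the secret in any real deployment.
SECRET = b"constructed-demo-secret"
NONCE_WINDOW = 60  # seconds; a nonce is accepted in its own window and the previous one


def _mac(src_ip, call_id, window, secret):
    msg = f"{src_ip}|{call_id}|{window}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def make_nonce(src_ip, call_id, now, secret=SECRET):
    """Syncookie-style nonce: derived from the request, so no per-challenge
    state is stored. Only a client that received it can echo it."""
    window = int(now) // NONCE_WINDOW
    return f"{window:x}.{_mac(src_ip, call_id, window, secret)}"


def nonce_valid(nonce, src_ip, call_id, now, secret=SECRET):
    """Recompute the MAC from the echoed nonce; reject stale or foreign nonces."""
    try:
        window_hex, mac = nonce.split(".", 1)
        window = int(window_hex, 16)
    except ValueError:
        return False
    current = int(now) // NONCE_WINDOW
    if window not in (current, current - 1):
        return False
    return hmac.compare_digest(mac, _mac(src_ip, call_id, window, secret))


class TokenBucket:
    """Classic token bucket: `rate` tokens/second, at most `burst` banked."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def allow(self, now):
        if self.last is None:
            self.last = now
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class SipGuard:
    """Per-source rate limit applied before any authentication work.
    The only state kept is one small bucket per source address; challenges
    themselves are stateless thanks to make_nonce()."""

    def __init__(self, rate=5.0, burst=10):
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))

    def handle(self, now, src_ip, call_id, nonce=None):
        if not self.buckets[src_ip].allow(now):
            return "DROP"  # over the per-source limit: discard cheaply
        if nonce is None:
            return ("401", make_nonce(src_ip, call_id, now))  # challenge
        if nonce_valid(nonce, src_ip, call_id, now):
            return "AUTH_OK"  # a real server checks the digest credentials here
        return "403"


def legit_exchange(now=1000.0, src_ip="198.51.100.10", call_id="call-legit"):
    """A well-behaved client: gets challenged, echoes the nonce, is accepted."""
    guard = SipGuard()
    status, nonce = guard.handle(now, src_ip, call_id)
    return status, guard.handle(now + 1.0, src_ip, call_id, nonce)


def simulate_flood(n=100, src_ip="203.0.113.7"):
    """Constructed flood: n half-open REGISTERs from one source within one
    second. Returns (challenged, dropped); no challenge state accumulates."""
    guard = SipGuard(rate=5.0, burst=10)
    results = [guard.handle(1000.0 + i / n, src_ip, f"call-{i}") for i in range(n)]
    challenged = sum(1 for r in results if isinstance(r, tuple))
    dropped = sum(1 for r in results if r == "DROP")
    return challenged, dropped


if __name__ == "__main__":
    print("legitimate client:", legit_exchange())
    print("flood (challenged, dropped):", simulate_flood())
```

With a burst of 10 and a refill of 5 per second, the flood simulation challenges only the first handful of requests in the second and drops the rest before any parsing or credential lookup, while the legitimate exchange still completes; a nonce replayed from a different source address or after two windows fails `nonce_valid` and never creates state.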



