[asterisk-dev] Rate limiting traffic to address potential DoS issues?

Martin Vít vit at lam.cz
Wed Sep 27 15:38:36 MST 2006


Kevin P. Fleming wrote:
> A community member has communicated to me a couple of issues where if he sends large volumes of correctly-formatted (but otherwise invalid) packets at Asterisk channel drivers, Asterisk behaves quite poorly. In general it does not crash, but it will lose calls, respond very slowly, etc.
>
> I have been loath to start trying to build remediation for this into Asterisk itself, since that's a very slippery slope and we could end up spending the next six months trying to come up with new attack vectors and then coding to deal with them. In addition, at least in my opinion, there are good, free tools already to do this sort of thing (rate limiting of incoming traffic), as well as solid commercial products.
>
> However, I'd like to get the opinions of our developer community... do you think this is something we should attempt to address within Asterisk itself, or we are better off to post some 'best practices' documents that demonstrate ways that existing tools can be used to combat these attacks?
>
>   
There is an option with one IPTABLES rule and the dstlimit match extension.
This rule can limit packets per second and per source IP address. However,
it is not a defense against all possible DoS attacks, but it can eliminate
and log every attempt.
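A concrete rule set for the approach Martin describes, added here as an example and not part of the original thread. It uses the in-tree hashlimit match (the successor to the dstlimit patch-o-matic extension) rather than dstlimit itself; the ports (SIP 5060/udp, IAX2 4569/udp), the rates and the chain name are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: per-source-IP rate limiting of Asterisk signalling ports
# with iptables hashlimit. Ports, rates and chain name are assumptions.
set -eu

SIP_PORT=5060      # SIP over UDP (assumed default port)
IAX_PORT=4569      # IAX2 over UDP (assumed default port)
CHAIN=ASTERISK_RL  # dedicated chain so the rules are easy to audit and flush

# Emit (not run) the three rules for one port.
# $1 = UDP port, $2 = sustained packets/second per source IP,
# $3 = burst allowance, $4 = hashlimit table name.
ratelimit_rules() {
    port=$1; rate=$2; burst=$3; name=$4
    # Packets within the per-source budget leave the chain and continue
    # through INPUT as usual.
    echo "iptables -A $CHAIN -p udp --dport $port -m hashlimit" \
         "--hashlimit-upto ${rate}/sec --hashlimit-burst $burst" \
         "--hashlimit-mode srcip --hashlimit-name $name -j RETURN"
    # Excess packets are logged, with a limit of their own so that the
    # logging path cannot itself be flooded ...
    echo "iptables -A $CHAIN -p udp --dport $port -m limit --limit 5/min" \
         "-j LOG --log-prefix \"ast-ratelimit $name: \""
    # ... and then dropped.
    echo "iptables -A $CHAIN -p udp --dport $port -j DROP"
}

# Full rule set: create the chain, hook it into INPUT, add per-port rules.
all_rules() {
    echo "iptables -N $CHAIN"
    echo "iptables -A INPUT -p udp -j $CHAIN"
    ratelimit_rules "$SIP_PORT" 20 40 sip
    ratelimit_rules "$IAX_PORT" 20 40 iax2
}

# With --apply the rules are executed (needs root); otherwise they are
# printed for review first.
case "${1:-}" in
    --apply) all_rules | sh -x ;;
    *)       all_rules ;;
esac
```

Legitimate peers that send more than the budget from a single address (a PBX trunk behind NAT, for example) need a higher rate or an explicit ACCEPT rule placed before the chain is entered.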

