[asterisk-dev] Rate limiting traffic to address potential DoS issues?

John Lange j.lange at epic.ca
Thu Sep 28 09:13:02 MST 2006


On Thu, 2006-09-28 at 12:05 +0100, Brian Candler wrote:
> John Lange wrote:
> > A while back I posted a suggestion for limiting the impact of 1/2 open
> > SIP authentication attacks based on the principle of syncookies:
> > 
> > http://lists.digium.com/pipermail/asterisk-dev/2006-July/021709.html
> > 
> > It didn't seem to generate any interest but I still think it's a good
> > idea so it might be worth some people having a second look at, and it's
> > on-topic for this conversation.
> 
> I think that it's definitely worth exploring.
> 
> However in the form proposed, it seems only to apply to connections which
> must be authenticated. It would not help with an INVITE flood to a SIP proxy
> which accepts incoming calls from the public Internet.

This particular suggestion was in response to one specific type of
attack. At the moment Asterisk has a limit on the number of
authentication requests it can handle at one time. An attacker simply
has to flood the server with a number of 1/2 open authentication
requests and Asterisk's authentication table will fill and stop
responding.

This technique eliminates that possibility but is only one small
improvement that deals with one specific case.

Other techniques would have to be utilized for the other cases.

John
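
Added example, not part of the original message and not Asterisk code: a sketch of the syncookie principle applied to SIP digest challenges, where the server keeps no entry for a challenge it has issued until the client returns it. The linked proposal's details are not reproduced on this page, so the nonce layout (timestamp, source IP, Call-ID), the 30-second lifetime and all function names are assumptions.

```python
import hashlib
import hmac
import os
import time

SECRET = os.urandom(32)  # per-server key (assumption: rotated periodically)
NONCE_LIFETIME = 30      # seconds a challenge stays valid (assumed value)


def _mac(ts, src_ip, call_id):
    msg = f"{ts}|{src_ip}|{call_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


def make_nonce(src_ip, call_id, now=None):
    """Build a nonce that carries its own proof of origin; nothing is stored."""
    ts = int(time.time() if now is None else now)
    return f"{ts:x}.{_mac(ts, src_ip, call_id)}"


def check_nonce(nonce, src_ip, call_id, now=None):
    """Recompute the MAC from the returning request; accept fresh matches only."""
    now = int(time.time() if now is None else now)
    try:
        ts_hex, mac = nonce.split(".", 1)
        ts = int(ts_hex, 16)
    except ValueError:
        return False
    if not 0 <= now - ts <= NONCE_LIFETIME:
        return False
    expected = _mac(ts, src_ip, call_id)
    return hmac.compare_digest(mac.encode(), expected.encode())


def handle_request(sessions, src_ip, call_id, nonce=None, now=None):
    """Challenge without state; allocate a session only for a verified nonce."""
    if nonce is None or not check_nonce(nonce, src_ip, call_id, now):
        return "challenge", make_nonce(src_ip, call_id, now)
    # Only now does the server spend memory; the digest response check follows.
    sessions[call_id] = src_ip
    return "verify", None
```

A flood of requests that never answer the challenge leaves `sessions` empty, so there is no half-open table to fill. As the message says, this covers only the authentication case.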
