[asterisk-dev] Another IAX2 problem with the latest security fix ...
Nic Bellamy
nicb-lists at vadacom.co.nz
Thu May 29 17:22:32 CDT 2008
Russell Bryant wrote:
> My proposed fix is to change the logic for enforcing accurate destination call
> numbers. Since this was done to combat traffic amplification, I propose that
> this enforcement is only done on frames that are responsible for completing the
> handshake to start a call. Essentially, that means _only_ doing this
> enforcement on an ACK, and no other full frames.
>
> The benefit to this is that we prevent traffic amplification from hosts that
> have no way to figure out the destination call number, while doing so in such a
> way that doesn't introduce problems with older Asterisk versions.
>
> --- Conclusion
>
> I plan on implementing and committing the proposed fix. However, I wanted to
> explain my logic and give everyone a chance to review all of the information and
> disagree, in case I am missing something.
>
This approach sounds sane to me.
If you're quick off the mark with a patch, there's a long weekend coming
up here that'd be perfect for some production environment testing :-)
Cheers,
Nic.
--
Nic Bellamy,
Head Of Engineering, Vadacom Ltd - http://www.vadacom.co.nz/