[asterisk-dev] [Code Review] IAX REGAUTH loop

Matt Riddell lists at venturevoip.com
Tue May 5 18:06:13 CDT 2009


On 6/05/2009 6:52 a.m., David Vossel wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> http://reviewboard.digium.com/r/245/
> -----------------------------------------------------------
>
> Review request for Asterisk Developers and Tilghman Lesher.
>
>
> Summary
> -------
>
> If an IAX2 device attempts to register with an invalid username (one that does not exist in iax.conf), then Asterisk sends a REGAUTH containing a random MD5 or RSA challenge in response.  If the device answers the fake challenge request then Asterisk sends another REGAUTH rather than terminating the registration.  This starts a loop.
>
> REGREQ -->
>                                            <-- REGAUTH (with challenge)
> REGREQ (with challenge response) -->
>                                            <-- REGAUTH (with challenge)
> REGREQ (with challenge response) -->
> ...etc
>
> A side effect of this is that it spams the cli with notices that no registration was found for the peer.
> [Apr 9 01:22:20] NOTICE[24066]: chan_iax2.c:5686 register_verify: No registration for peer 'friend' (from x.x.x.x)
>
> Solution:  If the username does not exist in iax.conf go ahead and send the random challenge.  If the device using the nonexistent username responds to the challenge, send an AUTHREJ to terminate the registration.

Am I right in assuming that this is the same response that would be 
provided if the password was wrong but username correct?  Just thinking 
about account harvesting.

-- 
Kind Regards,

Matt Riddell
Director
_______________________________________________

http://www.venturevoip.com (Great new VoIP end to end solution)
http://www.venturevoip.com/news.php (Daily Asterisk News - html)
http://www.venturevoip.com/newrssfeed.php (Daily Asterisk News - rss)
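The exchange described in the review request, as an added model written for this page (it is not code from the review, from Asterisk's chan_iax2, or from either poster): a toy registrar that reproduces the REGAUTH loop for an unknown username, then the fixed behaviour that answers the second REGREQ with AUTHREJ. The peer table, the `Registrar` and `exchange` helpers, and the decision to answer an unknown username and a wrong password identically (the property the account-harvesting question asks about) are all assumptions of the model, not a statement of what Asterisk actually sends.

```python
import hashlib
import os

# Constructed stand-in for the peers defined in iax.conf (assumption).
PEERS = {"alice": "s3cret"}


def md5_response(challenge, secret):
    # IAX2 MD5 authentication: response = MD5(challenge || secret).
    return hashlib.md5((challenge + secret).encode()).hexdigest()


class Registrar:
    """Toy model of register_verify(); `fixed` selects pre- or post-fix behaviour."""

    def __init__(self, fixed):
        self.fixed = fixed
        self.challenges = {}  # outstanding challenge per username

    def handle_regreq(self, username, response=None):
        challenge = self.challenges.get(username)
        if challenge is None:
            # First REGREQ: always challenge, so a nonexistent name gets the
            # same first reply as a real one and cannot be told apart here.
            self.challenges[username] = challenge = os.urandom(8).hex()
            return ("REGAUTH", challenge)
        secret = PEERS.get(username)
        if secret is not None and response == md5_response(challenge, secret):
            del self.challenges[username]
            return ("REGACK", None)
        if secret is None and not self.fixed:
            # Pre-fix: the unknown peer is simply challenged again, which is
            # the REGAUTH loop (and one CLI notice per round trip).
            self.challenges[username] = challenge = os.urandom(8).hex()
            return ("REGAUTH", challenge)
        # Post-fix: unknown peer and wrong password both end in one AUTHREJ,
        # so the message sequence alone does not reveal which it was.
        del self.challenges[username]
        return ("AUTHREJ", None)


def exchange(registrar, username, secret, rounds=3):
    """Drive a device through up to `rounds` REGREQs; return the replies seen."""
    replies, response = [], None
    for _ in range(rounds):
        kind, challenge = registrar.handle_regreq(username, response)
        replies.append(kind)
        if kind != "REGAUTH":
            break
        response = md5_response(challenge, secret)
    return replies
```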
