[asterisk-dev] Fwd: Asterisk Sip Registration Hooks
Mike Myhre
digium at aeisecure.com
Fri Jul 29 14:17:31 CDT 2011

I have been looking at writing a security module for asterisk that will
provide much better defense against BFD attacks. Currently it appears
the best method (if you need to leave your server open to registrations
from any IP) is to scan the log files on a regular basis. Even scanning
once a minute, that can give the attacker thousands of attempts to find
a valid peer. My add-on module will add to the iptables and block within
just a few attempts since the signature of the BFD attacks is to
register multiple peers that are invalid from the same IP in under a
second. Legitimate peers that are registering may be invalid if someone
mistyped the info, but even if they happen in a short time, they will be
the same information. There are more qualifications to ban a registering
peer so as not to get a false positive, but that is an easy thing for my
module to do very well; much better than a log scanner.

There are other needs to hook into the registrations as they come into
asterisk like when you are setting up a new phone, the first thing you
want to know is did it register. These things can be done in other ways
(like a monitor interface), but having the ability to create a module
(or several) that will take action when a SIP registration happens
(successful or not), is desperately needed and will create a much more
secure environment.

I have modified the chan_sip.c file on my 1.6.2.19.1 version of asterisk
to provide two functions that register and unregister a handler function.
What are the chances of being able to include this code in the next
release of the current branches (1.6, 1.8 and 10)?

I am sure other developers can take advantage of this option, and it is
very low risk (modeled after the logger.h verboser methods).

Thanks,
Mike Myhre
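
Added example, not part of the original post and not Asterisk code: the heuristic the message describes (several different invalid peers from one IP in under a second, while repeats of the same peer are tolerated), written as a stand-alone C function. The names `on_reg_failure` and `struct track`, the threshold of three distinct peers, the table sizes and the sample addresses are assumptions; acting on a positive result, for example by adding an iptables rule, is left to the caller.

```c
#include <stdio.h>
#include <string.h>

#define WINDOW_MS 1000  /* "under a second", from the post */
#define BAN_AFTER 3     /* assumed threshold: distinct invalid peers per window */
#define MAX_IPS   16    /* assumed table sizes */
#define MAX_NAMES 8

struct track {          /* per-source-IP state */
    char ip[46];
    long long start_ms; /* start of the current (tumbling) window */
    int n;              /* distinct failed peer names seen in the window */
    char names[MAX_NAMES][32];
};
static struct track table[MAX_IPS];
static int n_ips;

/* Hypothetical handler for one failed REGISTER.
 * Returns 1 if the source IP should be blocked, else 0. */
int on_reg_failure(const char *ip, const char *peer, long long now_ms)
{
    struct track *t = NULL;
    int i;
    for (i = 0; i < n_ips; i++)
        if (strcmp(table[i].ip, ip) == 0) { t = &table[i]; break; }
    if (!t) {
        if (n_ips == MAX_IPS) return 0;       /* table full: source not tracked */
        t = &table[n_ips++];
        snprintf(t->ip, sizeof(t->ip), "%s", ip);
        t->start_ms = now_ms;
    }
    if (now_ms - t->start_ms >= WINDOW_MS) {  /* window expired: start over */
        t->start_ms = now_ms;
        t->n = 0;
    }
    for (i = 0; i < t->n; i++)                /* same peer retried: not a new name */
        if (strncmp(t->names[i], peer, sizeof(t->names[i]) - 1) == 0)
            return t->n >= BAN_AFTER;
    if (t->n < MAX_NAMES)
        snprintf(t->names[t->n++], sizeof(t->names[0]), "%s", peer);
    return t->n >= BAN_AFTER;
}

int main(void)
{   /* Constructed events: one source trying three different peers in 300 ms. */
    int a = on_reg_failure("192.0.2.10", "100", 0);
    int b = on_reg_failure("192.0.2.10", "101", 150);
    printf("%d %d %d\n", a, b, on_reg_failure("192.0.2.10", "102", 300));
    return 0;
}
```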