[asterisk-dev] chan_iax2: Change delayreject default to on

Mark Michelson mmichelson at digium.com
Mon Nov 11 15:49:51 CST 2013


On 11/09/2013 05:59 AM, Eugene Varnavsky wrote:
> Hello!
>
> The delayreject option means that, if auth is unsuccessful, the reject 
> answer is delayed by 1000 ms.
> It's off by default.
>
> I see no reason to have it off. Only if we want to help bruteforcers.
>
> I think the default value should be changed to 'on' and I see no drawbacks 
> in this.

I've been giving this a look, and I don't like this idea. Someone with 
more IAX2 knowledge can feel free to correct me about specifics, but in 
general it feels wrong to treat auth rejection replies differently than 
other rejection replies.

If I'm attacking an Asterisk system with a variety of IAX2 messages and 
I start noticing that rejection replies start having a one second delay 
on them, I know that I am triggering chan_iax2's code to check 
authentication, and that is where my attempt is failing. I know now that 
I am not in violation of anything that may have prevented my call from 
even reaching authentication code. Similarly, if my attack attempts 
initially start by receiving rejections with a one second delay, but 
then they all of a sudden don't, that's even worse. It means I have 
successfully cracked an account and password and that there is something 
much milder that is preventing me from making my malicious calls. In 
either case, if the option is not in use, then there is no easy way for 
me to know why my attacks are failing.

In all, this option feels more like a "security through obscurity" 
option anyway. Good encryption and password selection are better than 
delaying rejection attempts by an extra second.

Just my two cents.
Mark Michelson


