[asterisk-dev] chan_iax2: Change delayreject default to on
Mark Michelson
mmichelson at digium.com
Mon Nov 11 15:49:51 CST 2013
On 11/09/2013 05:59 AM, Eugene Varnavsky wrote:
> Hello!
>
> The delayreject option means that, if auth is unsuccessful, the reject
> answer is delayed by 1000 ms.
> It's off by default.
>
> I see no reason to have it off. Only if we want to help bruteforcers.
>
> I think the default value should be changed to 'on' and I see no drawbacks
> in this.
I've been giving this a look, and I don't like this idea. Someone with
more IAX2 knowledge can feel free to correct me about specifics, but in
general it feels wrong to treat auth rejection replies differently than
other rejection replies.
If I'm attacking an Asterisk system with a variety of IAX2 messages and
I start noticing that rejection replies start having a one second delay
on them, I know that I am triggering chan_iax2's code to check
authentication, and that is where my attempt is failing. I know now that
I am not in violation of anything that may have prevented my call from
even reaching authentication code. Similarly, if my attack attempts
initially start by receiving rejections with a one second delay, but
then they all of a sudden don't, that's even worse. It means I have
successfully cracked an account and password and that there is something
much milder that is preventing me from making my malicious calls. In
either case, if the option is not in use, then there is no easy way for
me to know why my attacks are failing.
In all, this option feels more like a "security through obscurity"
option anyway. Good encryption and password selection are better than
delaying rejection replies by an extra second.
Just my two cents.
Mark Michelson