[asterisk-dev] chan_iax2: Change delayreject default to on
Eugene Varnavsky
varnavruz at gmail.com
Tue Nov 12 00:40:56 CST 2013
A very simple test.

nmap -sU -p 4569 --script iax2-brute 192.168.1.19

With delayreject=no:

| iax2-brute:
| Accounts
| No valid accounts found
| Statistics
| Performed 1964 guesses in 7 seconds, average tps: 280
|
|_ ERROR: Too many retries, aborted ...

With delayreject=yes:

| iax2-brute:
| Accounts
| No valid accounts found
| Statistics
| Performed 10 guesses in 1 seconds, average tps: 10
|
|_ ERROR: Too many retries, aborted ...

So, in short, delayreject=yes DOES help to protect against brute force
attacks.

2013/11/12 Scott Griepentrog <sgriepentrog at digium.com>
> Does the delayed reply also delay the next auth request from being
> processed? I'm not familiar enough with the protocol to know if
> overlapping requests are prevented. If not, then an attacker simply
> ignores all negative responses regardless of delay and looks for a positive
> response, negating any benefit by using delayreject.