[asterisk-dev] chan_iax2: Change delayreject default to on

Scott Griepentrog sgriepentrog at digium.com
Tue Nov 12 09:13:25 CST 2013


But is the brute force speed limit enforced as a limitation of the
protocol, or by the implementation of iax2-brute waiting for the failure of
one request before starting another?

In other words, is it possible to have multiple simultaneous authorization
requests pending (i.e. performed in parallel) without breaking the ability
to receive a positive response for a valid password, even if that requires
rewriting iax2-brute to achieve it? Or even breaking the protocol spec, so
long as a positive response to a valid password is still received.



On Tue, Nov 12, 2013 at 12:40 AM, Eugene Varnavsky <varnavruz at gmail.com> wrote:

> A very simple test.
>
> nmap -sU -p 4569 --script iax2-brute 192.168.1.19
>
> With delayreject=no:
>
> | iax2-brute:
> |   Accounts
> |     No valid accounts found
> |   Statistics
> |     Performed 1964 guesses in 7 seconds, average tps: 280
> |
> |_ ERROR: Too many retries, aborted ...
>
> With delayreject=yes:
>
> | iax2-brute:
> |   Accounts
> |     No valid accounts found
> |   Statistics
> |     Performed 10 guesses in 1 seconds, average tps: 10
> |
> |_ ERROR: Too many retries, aborted ...
>
> So, in short, delayreject=yes DOES help to protect against brute force
> attacks.
>
> 2013/11/12 Scott Griepentrog <sgriepentrog at digium.com>
>
>> Does the delayed reply also delay the next auth request from being
>> processed?  I'm not familiar enough with the protocol to know if
>> overlapping requests are prevented.  If not, then an attacker simply
>> ignores all negative responses regardless of delay and looks for a positive
>> response, negating any benefit by using delayreject.
>>
>>
>>



-- 
*Scott Griepentrog*
Digium, Inc · Software Developer
445 Jan Davis Drive NW · Huntsville, AL 35806 · US
direct/fax: +1 256 428 6239 · mobile: +1 317 507 4029
Check us out at: http://digium.com · http://asterisk.org
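The question above (does a delayed reject bound the guess rate by itself, or only when the server refuses to evaluate overlapping requests from one source?) can be made concrete with a small event-driven model. This is an added illustration, not code from the thread, from Asterisk or from chan_iax2; the two policy names, the millisecond timings and the client's retry behaviour are all assumptions chosen for the demonstration.

```python
"""Model of the thread's question: does a delayed reject by itself bound how
fast an authentication endpoint can be guessed against, or only when the
server also refuses to evaluate overlapping requests from one source?

Constructed discrete-event simulation, not Asterisk or chan_iax2 code.  The
policy names and every timing constant are assumptions for illustration.
"""
import heapq

# Assumed timings, in milliseconds, so all arithmetic stays exact.
RTT_MS = 10              # client <-> server round trip
REJECT_DELAY_MS = 1000   # how long a negative reply is held back
RETRY_TIMEOUT_MS = 2000  # client stops waiting for a reply and moves on

POLICIES = ("delay_only", "serialize_pending")


def simulate(policy: str, in_flight: int, duration_ms: int) -> int:
    """Return how many guesses the server actually evaluated in duration_ms.

    policy:
      "delay_only"        every request is evaluated on arrival; a wrong
                          password just gets its reply REJECT_DELAY_MS later.
      "serialize_pending" while a delayed reject is still pending for this
                          source, further requests are discarded unevaluated.
    in_flight: guesses the client keeps outstanding at once (1 models a
               guesser that waits for each answer before sending the next).
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    evaluated = 0
    busy_until_ms = 0  # server side: a reject for this source is pending until
    # Every slot sends its first guess at t=0; heap of (send_time_ms, slot).
    events = [(0, slot) for slot in range(in_flight)]
    while events:
        sent_at, slot = heapq.heappop(events)
        if sent_at >= duration_ms:
            break
        arrives = sent_at + RTT_MS // 2
        if policy == "serialize_pending" and arrives < busy_until_ms:
            # Dropped unevaluated: the slot only moves on after its timeout.
            heapq.heappush(events, (sent_at + RETRY_TIMEOUT_MS, slot))
            continue
        evaluated += 1
        busy_until_ms = arrives + REJECT_DELAY_MS
        # The delayed reject reaches the client, which then sends its next guess.
        heapq.heappush(events, (arrives + REJECT_DELAY_MS + RTT_MS // 2, slot))
    return evaluated


def rate_table(duration_ms: int = 10_000):
    """Evaluated guesses per second for each policy and client concurrency."""
    rows = {}
    for policy in POLICIES:
        for in_flight in (1, 20):
            n = simulate(policy, in_flight, duration_ms)
            rows[(policy, in_flight)] = n * 1000 / duration_ms
    return rows


if __name__ == "__main__":
    for (policy, in_flight), tps in rate_table().items():
        print(f"{policy:18s} in_flight={in_flight:2d}  evaluated/s = {tps:.1f}")
```

With a single outstanding request the two policies are indistinguishable, which is what a serial guesser such as the one in the quoted test would observe. With 20 outstanding requests the delay-only server evaluates 20 times as many guesses, because each slot merely waits out its own reject; the serialize-pending server still evaluates one guess per reject delay regardless of concurrency. Dropping the overlapping request rather than queueing it is a modelling choice; a server that queued them behind the pending reject would still cap the rate at one evaluation per REJECT_DELAY_MS.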

