[Asterisk-Security] Day early and a dollar short? (IAX2 and SIP problems)
Kevin P. Fleming
kpfleming at digium.com
Tue Jul 18 09:34:26 MST 2006
----- John Todd <jtodd at loligo.com> wrote:
> Are we just as vulnerable with SIP from a
> similar threat?
In a way, yes. The real problem with IAX2 is the inherent limit in the number of calls that a single IAX2 implementation can be involved in (due to the 15-bit call number limit). However, a SIP server is vulnerable as well; if a peer sends INVITEs for a username that requires authentication but never responds to the 401/407 messages that are returned, the server will have to hold the dialog info state for those INVITEs in memory until the session timers expire. Even without a built-in limitation in the protocol, it's still ridiculously easy to consume large amounts of memory/CPU on the target server.
--
Kevin P. Fleming
Senior Software Engineer
Digium, Inc.
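The SIP failure mode Kevin describes (INVITEs that are challenged with 401/407 but never re-sent with credentials, leaving the server holding dialog state until its timers fire) is a memory-exhaustion problem that is usually contained by bounding the pending-challenge state. The following is an added illustration, not part of the original post and not Asterisk's chan_sip code: a small Python model of a server-side pending-challenge table with a per-source cap, a global cap and a TTL, fed by constructed INVITE messages from a single peer that never answers its challenges. The limits, host addresses and message text are assumptions chosen for the demonstration.

```python
"""Bounded pending-challenge table for a SIP server (added example).

Models the state a SIP server keeps between sending a 401/407
challenge for an INVITE and receiving the re-sent, authenticated
INVITE.  Entries are capped per source and in total, and expire after
a TTL, so a peer that never answers its challenges cannot grow the
table without bound.  Limits and sample messages are constructed for
illustration; this is not Asterisk's own implementation.
"""
import time
from collections import OrderedDict

# Illustrative limits (assumed values, not Asterisk defaults).
MAX_PENDING_PER_SOURCE = 3
MAX_PENDING_TOTAL = 100
CHALLENGE_TTL_SECONDS = 32.0  # on the scale of RFC 3261 Timer B (64*T1)


def parse_invite(raw):
    """Return (method, call_id, source_host) from a minimal SIP request.

    Only the request line, Via and Call-ID headers are read; the top
    Via host stands in for the transport-level peer address."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    via = headers.get("via", "")
    # "SIP/2.0/UDP 198.51.100.7:5060;branch=..." -> "198.51.100.7"
    sent_by = via.split(" ", 1)[1] if " " in via else via
    source = sent_by.split(";")[0].split(":")[0]
    return method, headers.get("call-id", ""), source


class PendingChallengeTable:
    """Tracks INVITEs that were challenged but not yet authenticated."""

    def __init__(self, per_source=MAX_PENDING_PER_SOURCE,
                 total=MAX_PENDING_TOTAL, ttl=CHALLENGE_TTL_SECONDS):
        self.per_source, self.total, self.ttl = per_source, total, ttl
        self._entries = OrderedDict()  # call_id -> (source, expires_at)
        self._per_source_count = {}

    def _remove(self, call_id):
        source, _ = self._entries.pop(call_id)
        self._per_source_count[source] -= 1
        if self._per_source_count[source] == 0:
            del self._per_source_count[source]

    def expire(self, now):
        """Drop entries whose TTL has passed; return how many were dropped."""
        expired = [c for c, (_, exp) in self._entries.items() if exp <= now]
        for call_id in expired:
            self._remove(call_id)
        return len(expired)

    def on_invite(self, raw, now=None):
        """Decide what to do with an unauthenticated INVITE.

        "challenge": send 401/407 and remember the dialog.
        "retransmit": same Call-ID already pending; resend without new state.
        "reject": a limit was hit; answer with a final error, keep no state."""
        now = time.monotonic() if now is None else now
        self.expire(now)
        method, call_id, source = parse_invite(raw)
        if method != "INVITE" or not call_id:
            return "reject"
        if call_id in self._entries:
            return "retransmit"
        if len(self._entries) >= self.total:
            return "reject"
        if self._per_source_count.get(source, 0) >= self.per_source:
            return "reject"
        self._entries[call_id] = (source, now + self.ttl)
        self._per_source_count[source] = self._per_source_count.get(source, 0) + 1
        return "challenge"

    def pending(self):
        return len(self._entries)


def make_invite(source, call_id):
    """Build a constructed, minimal INVITE for the demonstration."""
    return ("INVITE sip:1000@pbx.example.invalid SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {source}:5060;branch=z9hG4bK{call_id}\r\n"
            f"Call-ID: {call_id}\r\n"
            "From: <sip:1000@pbx.example.invalid>;tag=abc\r\n"
            "To: <sip:1000@pbx.example.invalid>\r\n"
            "CSeq: 1 INVITE\r\n\r\n")


def simulate_unanswered_challenges(count, source="198.51.100.7"):
    """Feed `count` INVITEs with fresh Call-IDs from one peer that never
    answers; return (decisions, pending before expiry, pending after)."""
    table = PendingChallengeTable()
    t0 = 1000.0
    decisions = [table.on_invite(make_invite(source, f"c{i}"), now=t0 + i * 0.01)
                 for i in range(count)]
    before = table.pending()
    table.expire(t0 + CHALLENGE_TTL_SECONDS + 1)
    return decisions, before, table.pending()


if __name__ == "__main__":
    print(simulate_unanswered_challenges(10))
```

The point of the model is that the per-source cap turns an unbounded growth in held dialog state into a fixed cost per peer, the global cap bounds the total regardless of how many source addresses are used, and the TTL guarantees the entries are reclaimed without waiting for the full session-timer expiry. Which limit values are appropriate depends on the deployment's legitimate concurrency, and the same three controls apply equally to the IAX2 call-number table discussed above.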