[asterisk-security] Asterisk and DoS attack: What has been done so far?

Jeremy Jackson jerj at coplanar.net
Wed Jan 30 09:10:30 CST 2008


Take a look at IKE, the Internet Key Exchange protocol used in IPSEC.
It issues a challenge-response to weed out spoofed addresses.  So, it
has DDoS protection built in.  Sadly, most legacy protocols don't. TCP
has had RST and SYN cookies "hacked" into it, as well as MD5 preshared
keys.

The basic security flaw of the internet is the DDoS, a flood of packets
with spoofed source addresses.  I don't know of any backbone networks
which do ingress filtering, so most of the time you need to take the
approach of IPSEC.  If your connection is filled up by the resulting
traffic, well then you're out of luck.

It is possible to mitigate a DDoS flood from "the internet", if your
network (Autonomous System) has some non-transit peers, such as private
peering, or public peering at an internet exchange.  Your network (or
preferably your peer's) can do address filtering, such that spoofed
addresses are minimized.  You can then prioritize those peers/networks
such that a flood from "the internet" will only cut off traffic from
"the internet", and your peer networks with the heightened security
(ingress filtering) can enjoy uninterrupted VOIP (and other services).

To be clear, I believe the DDoS issues can only be addressed at the
Autonomous System level, which is typically an ISP or large hosting
company.

Regards,

Jeremy

On Thu, 2008-01-31 at 01:52 +1100, Duane wrote:
> Abu 'Ubayd Fadil wrote:
> 
> > If someone is flooding 100,000 INVITE packets to Asterisk, then what
> > should we do? Because we know, filtering the packets would only increase
> > the workload..
> 
> Maybe have a look how other software has dealt with the issue...
> 
-- 
Jeremy Jackson
W: (419)489-4903
Coplanar Networks
http://www.coplanar.net
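The cookie idea Jeremy points to (IKE's initial exchange, TCP SYN cookies) can be shown in a few dozen lines: the server answers a first contact with a keyed hash bound to the claimed source address and a time slot, keeps no state, and only allocates a session once that cookie comes back. A spoofed source never receives the challenge, so a flood of first contacts costs one HMAC each and nothing else. The code below is an added illustration written for this page, not Asterisk code or anything from the thread; the `StatelessCookieServer` class, the addresses and the "INVITE-like" request fields are constructed for the example.

```python
import hashlib
import hmac
import os
import time


class StatelessCookieServer:
    """Challenge-response gate in the style of IKE cookies / SYN cookies.

    Constructed example: a server that must not allocate per-request state
    until the peer proves it can receive packets at its claimed address.
    The cookie is HMAC(secret, addr | port | call_id | time_slot), so it
    needs no server-side table and cannot be precomputed by a spoofer.
    """

    def __init__(self, slot_seconds=30, clock=time.time):
        self._secret = os.urandom(32)      # per-process key, never sent on the wire
        self._slot_seconds = slot_seconds  # cookie lifetime is one or two slots
        self._clock = clock                # injectable for testing
        self.sessions = {}                 # populated only after a valid cookie

    def _slot(self, offset=0):
        return int(self._clock() // self._slot_seconds) + offset

    def _cookie(self, addr, port, call_id, slot):
        msg = f"{addr}|{port}|{call_id}|{slot}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()[:16]

    def handle_request(self, addr, port, call_id, cookie=None):
        """Process one request from (addr, port) carrying call_id.

        Returns ("challenge", cookie) for a first contact (no state kept),
        ("accepted", None) once the peer echoes a cookie valid for the
        current or previous slot, or ("rejected", None) otherwise.
        """
        if cookie is None:
            # Stateless reply: if addr is spoofed, nobody useful sees this.
            return ("challenge", self._cookie(addr, port, call_id, self._slot()))
        # Accept the current and the previous slot so a legitimate round-trip
        # that straddles a slot boundary is not rejected.
        for offset in (0, -1):
            expected = self._cookie(addr, port, call_id, self._slot(offset))
            if hmac.compare_digest(expected, cookie):
                self.sessions[(addr, port, call_id)] = {"established": self._clock()}
                return ("accepted", None)
        return ("rejected", None)


def spoofed_flood_allocates_nothing(n=10000):
    """Constructed flood: n first contacts from varying (spoofed) sources.

    Returns the number of sessions the server allocated; with the cookie
    gate in place this is 0, because no spoofer can echo the challenge.
    """
    srv = StatelessCookieServer()
    for i in range(n):
        srv.handle_request(f"203.0.113.{i % 256}", 5060 + (i % 100), f"flood-{i}")
    return len(srv.sessions)


def legitimate_peer_round_trip():
    """A real peer completes the exchange: challenge, echo, session allocated."""
    srv = StatelessCookieServer()
    status, cookie = srv.handle_request("198.51.100.7", 5060, "call-1")
    assert status == "challenge"
    status, _ = srv.handle_request("198.51.100.7", 5060, "call-1", cookie)
    return status, len(srv.sessions)


if __name__ == "__main__":
    print("sessions allocated by spoofed flood:", spoofed_flood_allocates_nothing())
    print("legitimate peer:", legitimate_peer_round_trip())
```

The cost of a flood is bounded by the HMAC per packet rather than by memory or call-setup logic, which is exactly the property Jeremy describes. The secret should be rotated on a schedule in a real deployment; here the two-slot acceptance window is what keeps rotation from breaking an in-flight exchange.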