[asterisk-users] security on localhost connections
David Burgess
dburgess at kestrelsp.com
Sat Aug 30 19:15:36 CDT 2008
Asterisk Users -
We are presently trying to operate a hybrid GSM/Asterisk cellular
basestation at the Burning Man Festival in the Nevada desert. (See
http://openbts.sourceforge.net). The architecture is basically one
where cell phones are presented to Asterisk as SIP users, using the
IMSI as the SIP user ID for convenience. (It's running off of a wind
turbine in the middle of a dust storm as my alkali-abused hands type
this.)
When we first got this system running, we were getting hammered with
service requests from phones that people left turned on. We tried
sending the magic GSM codes for "no roaming here", but some of them
just kept coming back. It was like a denial of service attack. We
figured out that the best way to shut those phones up was just to
accept their registrations. We'd send a corresponding SIP
registration to Asterisk, that would fail, but we'd report success to
the GSM handset anyway so that it would think it had service and stop
retrying the registration.
Now we've discovered a new problem: Asterisk lets these non-existent
users make calls even though they are not listed as users in sip.conf. We
suspect that is happening because they are all localhost connections,
and therefore bypassing some kind of authentication check. These
calls also show up in the CDR, but with the SIP ids of real,
provisioned SIP users instead of the IMSIs of the phones that are
actually making the calls. Any ideas how this is happening or how to
fix it?
-- David
David A. Burgess
Kestrel Signal Processing, Inc.