[asterisk-users] Securing Asterisk

[Kevin P. Fleming]

On 07/26/2011 02:14 PM, Alex Balashov wrote:
> On 07/26/2011 02:09 PM, CDR wrote:
>
>> Only way to cope with hackers would be that Digium comes to its
>> senses and accepts to disable any response to a REGISTER whose
>> username is unknown. I cannot think of a good reason why Digium
>> finds this proposal unacceptable, given the onslaught of hacking
>> that we are seeing in the industry. It may take a single line of
>> code and it would save millions of $$$. Not only because the
>> hackers will never get in, but because we would save a huge CPU
>> impact responding to hundreds of REGISTER attempts per minute. It
>> is a NO brainer. Can please the Powers that Be reconsider and add
>> this option to sip.conf? Please?
>
> No, because that's absolutely ridiculous. The proper, RFC-compliant
> behaviour is to return an authentication failure in response to invalid
> credentials. This mechanism is relied upon for legitimate functionality,
> such as letting the UAs of intended users know that they are sending
> incorrect credentials.
>
> As was pointed out before, Asterisk is a mostly application-level
> construct. Applications usually have some rudimentary means of
> self-defense such as ACLs, but applications are often conceptually
> distinct from the most appropriate means of securing them. That's what
> firewalls, SBCs, intrusion detection systems, etc. are for.
>
> Your position is equivalent to saying that stock SSH should not return
> authentication errors for invalid passwords. The proper solution to
> dictionary attacks is to firewall the SSH service, use RSA keys, VPNs,
> etc., not to tell the maintainers of the OpenSSH project to come to its
> senses.

Two additional points to the ones Alex already made:

* We *must* behave identically for any REGISTER request, regardless of 
whether the requested URI represents a 'known' or an 'unknown' address 
of record (user). If that is not done, then it's easy for an attacker to 
learn which usernames *are* valid, and focus their dictionary attack 
efforts on those usernames.

* The processing workload in Asterisk for a REGISTER request is to 
parse, validate and process it, *not* sending the failure (or 
'authentication required') response. Making Asterisk not send the 
response would *not* cause hackers to stop sending masses of REGISTER 
requests; once they have *any* reason to suspect that a particular IP 
address/port combination has a SIP registrar listening on it, they'll 
attack it.

-- 
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: kfleming at digium.com | SIP: kpfleming at digium.com | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com & www.asterisk.org