[Asterisk-code-review] res pjsip: Add ability to identify by Authorization username (asterisk[13])
Joshua Colp
asteriskteam at digium.com
Thu Apr 7 10:56:47 CDT 2016
Joshua Colp has posted comments on this change.
Change subject: res_pjsip: Add ability to identify by Authorization username
......................................................................
Patch Set 13: Code-Review-1
(1 comment)
https://gerrit.asterisk.org/#/c/2367/13//COMMIT_MSG
Commit Message:
PS13, Line 49: To address this, a new feature has been added to pjsip_distributor that keeps
: track of unidentified requests and only sends the security alert if a
: configurable number of unidentified requests come from the same IP in a
: configurable amout of time. Those configuration options have been added to
: the global config object.
I'm not sure how comfortable I feel about this for two reasons.
1. This opens an avenue for a bruteforce attacker to slow stuff down and get away with it, with no security event being raised. They actively watch this stuff and adjust accordingly.
2. It opens a DoS area since this will keep more information in memory than before. Previously it wouldn't.
If the above was an optional thing that was only turned on when you expressly wanted the functionality and we very prominently made the pitfalls aware, then I'd be more comfortable.
--
To view, visit https://gerrit.asterisk.org/2367
To unsubscribe, visit https://gerrit.asterisk.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I30ba62d208e6f63439600916fcd1c08a365ed69d
Gerrit-PatchSet: 13
Gerrit-Project: asterisk
Gerrit-Branch: 13
Gerrit-Owner: George Joseph <george.joseph at fairview5.com>
Gerrit-Reviewer: Anonymous Coward #1000019
Gerrit-Reviewer: George Joseph <george.joseph at fairview5.com>
Gerrit-Reviewer: Joshua Colp <jcolp at digium.com>
Gerrit-Reviewer: Kevin Harwell <kharwell at digium.com>
Gerrit-Reviewer: Mark Michelson <mmichelson at digium.com>
Gerrit-HasComments: Yes
More information about the asterisk-code-review
mailing list