[Asterisk-Dev] Security issue mumblings

Rich Adamson radamson at routers.com
Sun Nov 6 16:10:03 MST 2005


> [sent to -dev first to avoid total devolution into wild speculation 
> and nonsense on -users]
> 
> http://www.accessintel.com/cgi-bin/press/show.cgi?1130972376
> 
> Can anyone here speak more clearly on this otherwise un-useful list 
> of assertions as to "security flaws with VoIP" specifically 
> referencing Asterisk?  The lack of a protocol discussion is 
> suspicious - VoIP is not homogenous.  The other term of "billing 
> code" is also suspicious - I can't recall a "billing code" field in 
> my SIP packets.  CCM is mentioned - is this an SCCP issue?
> 
> Perhaps most importantly (and relevant to -dev) is this an issue that 
> can be resolved or patched within Asterisk, or is it that Asterisk is 
> being used as the toolset to wedge into other platforms?
> 
> Please respond to this post with real data if you have it; guesses 
> and speculation are just noise.

I can't answer your questions directly, but I do follow the Snort
Intrusion Detection System list rather closely. They've added some rather
recent IDS rules intended to alert on Invite message flooding, Register
message flooding, and DNS "no such name" packets. I do not know if those
IDS rules resulted from * usage, some other system, or just precautionary
general purpose rules.

Also, in the banking industry, the regulatory folks have cautioned all banks
on the use of VoIP, but I'd have to guess there is a sensitivity to possible
interception of customer confidential data/info.

Rich
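
Added example (not part of the original post, and not the Snort rules it mentions): a per-source sliding-window counter that alerts on INVITE and REGISTER flooding, the kind of check the reply describes. The window, the limits, the function names and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds; the post does not give the values the Snort rules use.
WINDOW_SECONDS = 10
LIMITS = {"INVITE": 5, "REGISTER": 5}  # max requests per source per window

def sip_method(message):
    """Return the method of a SIP request, or None for responses and junk."""
    parts = message.split("\r\n", 1)[0].split(" ")
    # Request line is: METHOD SP Request-URI SP SIP/2.0
    if len(parts) == 3 and parts[2] == "SIP/2.0" and parts[0].isupper():
        return parts[0]
    return None

def detect_floods(packets, window=WINDOW_SECONDS, limits=LIMITS):
    """packets: (timestamp, src_ip, sip_message) tuples in time order.
    Returns one (timestamp, src_ip, method, count) alert each time a source
    first exceeds the limit for a method inside the sliding window."""
    seen = defaultdict(deque)   # (src, method) -> timestamps still in window
    alerting = set()            # keys already reported and still over limit
    alerts = []
    for ts, src, message in packets:
        method = sip_method(message)
        if method not in limits:
            continue
        key = (src, method)
        recent = seen[key]
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) <= limits[method]:
            alerting.discard(key)
        elif key not in alerting:
            alerting.add(key)
            alerts.append((ts, src, method, len(recent)))
    return alerts

def _req(method, user):  # builds a constructed SIP request for the sample
    return f"{method} sip:{user}@pbx.example.test SIP/2.0\r\nCSeq: 1 {method}\r\n\r\n"

# Constructed sample traffic (documentation addresses, not real captures).
SAMPLE = sorted(
    [(i * 0.5, "192.0.2.10", _req("INVITE", "100")) for i in range(8)]
    + [(i * 20.0, "192.0.2.20", _req("REGISTER", "200")) for i in range(8)]
    + [(1.0, "192.0.2.10", "SIP/2.0 200 OK\r\n\r\n")],
    key=lambda p: p[0])

if __name__ == "__main__":
    for alert in detect_floods(SAMPLE):
        print("ALERT", alert)
```

Tracking by source address keeps a busy but well-behaved registrar from tripping the alert, while a single host exceeding the limit is reported once per burst rather than once per packet.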




