[Asterisk-Security] ISS IAX2 DoS Vulnerability Response

Enzo Michelangeli enzomich at gmail.com
Wed Jul 19 16:09:43 MST 2006


----- Original Message ----- 
From: "Kevin P. Fleming" <kpfleming at digium.com>
To: <asterisk-security at lists.digium.com>
Sent: Thursday, July 20, 2006 1:08 AM
Subject: [Asterisk-Security] ISS IAX2 DoS Vulnerability Response

[...]
>                                                  If the user
> attempts to place more calls than are allowed with providing
> authentication information for some of them, the additional requests
> will be denied without requesting authentication information and without
> preserving the call information in memory for the normal period of time.
>
> In the Asterisk 1.4 release which will be coming soon, this option will
> default to three for all installations, and the administrator will need
> to override it to allow more simultaneous unauthenticated calls.

Why "unauthenticated"? This appears to contradict what is said in the
previous sentence, where the restriction is said to apply only to calls
placed providing authentication information. If a call specifies a user for
which no authentication is required (such as "guest") it can't be used for
DoS purposes.

Enzo
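The following is an added illustration, not code from this thread or from Asterisk: a small Python model of the mitigation the quoted message describes, a per-user cap on call setups that are still waiting for authentication. Requests over the cap are refused immediately, with no authentication challenge sent and no call state retained, while a completed authentication or a timeout frees a slot. The class and function names (`CallGate`, `new_call`, `authenticated`), the 30-second authentication timeout and the fake clock are assumptions made for the example; only the default of three comes from the thread.

```python
"""Added example (not from the thread or Asterisk): per-user cap on
pending unauthenticated call setups, as described in the quoted message.
Names, the 30 s timeout and the FakeClock are assumptions for the demo."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

MAX_PENDING_PER_USER = 3  # "default to three" in the quoted message


@dataclass
class PendingCall:
    call_number: int
    started: float  # clock value when the challenge was sent


class CallGate:
    """Tracks call setups that were challenged but not yet authenticated."""

    def __init__(self, limit: int = MAX_PENDING_PER_USER,
                 auth_timeout: float = 30.0,  # assumed value
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit = limit
        self.auth_timeout = auth_timeout
        self.clock = clock
        self.pending: Dict[str, Dict[int, PendingCall]] = {}
        self.next_call_number = 1

    def _expire(self, user: str, now: float) -> None:
        # Challenges that never got an answer are dropped after the timeout,
        # so an attacker cannot hold slots forever by simply never replying.
        calls = self.pending.get(user, {})
        for number, call in list(calls.items()):
            if now - call.started > self.auth_timeout:
                del calls[number]

    def new_call(self, user: str) -> Tuple[str, Optional[int]]:
        """Handle a new call request naming `user` before any authentication."""
        now = self.clock()
        calls = self.pending.setdefault(user, {})
        self._expire(user, now)
        if len(calls) >= self.limit:
            # Over the cap: deny at once, send no challenge, keep no state.
            return ("reject", None)
        number = self.next_call_number
        self.next_call_number += 1
        calls[number] = PendingCall(number, now)
        return ("authreq", number)  # challenge sent, slot now occupied

    def authenticated(self, user: str, call_number: int) -> bool:
        """Mark a challenged call as authenticated, freeing its slot."""
        return self.pending.get(user, {}).pop(call_number, None) is not None

    def pending_count(self, user: str) -> int:
        self._expire(user, self.clock())
        return len(self.pending.get(user, {}))


class FakeClock:
    """Controllable clock so the timeout behaviour can be shown offline."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def demo() -> dict:
    """Constructed scenario: one user floods, another user is unaffected."""
    clock = FakeClock()
    gate = CallGate(limit=3, auth_timeout=30.0, clock=clock)
    outcomes, numbers = [], []
    for _ in range(5):  # five back-to-back unauthenticated requests for alice
        outcome, number = gate.new_call("alice")
        outcomes.append(outcome)
        numbers.append(number)
    bob_outcome = gate.new_call("bob")[0]          # separate per-user budget
    freed = gate.authenticated("alice", numbers[0])  # answering frees a slot
    after_auth = gate.new_call("alice")[0]
    clock.t += 31.0                                  # unanswered challenges expire
    return {
        "alice_first_five": outcomes,
        "bob": bob_outcome,
        "freed": freed,
        "alice_after_auth": after_auth,
        "alice_pending_after_timeout": gate.pending_count("alice"),
    }


if __name__ == "__main__":
    print(demo())
```

Only calls that have been challenged and not yet answered count against the cap; a user that needs no authentication never enters the pending table, which is exactly the distinction the reply above asks about.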

