[asterisk-users] security on localhost connections

Tim Panton thp at westhawk.co.uk
Sun Aug 31 04:06:33 CDT 2008


On 31 Aug 2008, at 01:15, David Burgess wrote:

> Asterisk Users -
>
> We are presently trying to operate a hybrid GSM/Asterisk cellular
> basestation at the Burning Man Festival in the Nevada desert.  (See
> http://openbts.sourceforge.net).  The architecture is basically one
> where cell phones are presented to Asterisk as SIP users, using the
> IMSI as the SIP user ID for convenience.  (It's running off of a wind
> turbine in the middle of a dust storm as my alkali-abused hands type
> this.)
>
> When we first got this system running, we were getting hammered with
> service requests from phones that people left turned on.  We tried
> sending the magic GSM codes for "no roaming here", but some of them
> just kept coming back.  It was like a denial of service attack.  We
> figured out that the best way to shut those phones up was just to
> accept their registrations.  We'd send a corresponding SIP
> registration to Asterisk, that would fail, but we'd report success to
> the GSM handset anyway so that it would think it had service and stop
> retrying the registration.
>
> Now we've discovered a new problem: Asterisk lets these non-existent
> make calls even though they are not listed as users in sip.conf.  We
> suspect that is happening because they are all localhost connections,
> and therefore bypassing some kind of authentication check.  These
> calls also show up in the CDR, but with the SIP ids of real,
> provisioned SIP users instead of the IMSIs of the phones that are
> actually making the calls.  Any ideas how this is happening or how to
> fix it?

I'm not a SIP expert, but registration is about ensuring that the
registering sip endpoint will be able to _receive_ calls
so asterisk knows it is 'available' and how to route to it.

In the case of an incoming call from these phones, the SIP
header tells asterisk enough to help it route the traffic.

Asterisk will look up the user and (as Tilghman mentioned)
match them against the first password-less user.

In IAX (dunno about SIP) the best thing is to add a
catchall user which points to a context which rejects all calls
immediately.

Tim.
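What the password-less-user match and the catch-all fix look like in chan_sip terms, as an added illustration that is not part of the thread (it assumes the 1.4-era chan_sip driver the thread is about; the section names, secret and context names are made up):

```ini
; ---- sip.conf, weak (constructed to show the failure mode) ----
; chan_sip only challenges a caller when the entry it matched carries a
; secret. An INVITE whose From user matches "handsets" below, or, with
; allowguest left at its default of yes, any INVITE matching nothing at
; all, is dropped straight into the "outbound" context unauthenticated.
[general]
context=outbound          ; default context for unmatched/guest INVITEs

[handsets]
type=user
context=outbound          ; no "secret=" line: no 401 challenge is issued

; ---- sip.conf, hardened ----
[general]
context=reject-all        ; anything that is not an authenticated entry ends here
allowguest=no             ; refuse INVITEs that match no configured entry
alwaysauthreject=yes      ; same reject response for unknown and wrong-password callers

[1001]                    ; one entry per provisioned handset, every one with a secret
type=friend
host=dynamic
secret=CHANGE-ME-per-handset
context=outbound

; ---- extensions.conf: Tim's catch-all context, applied to SIP ----
[reject-all]
exten => _X.,1,NoOp(Rejected unauthenticated call from ${CALLERID(num)})
exten => _X.,n,Congestion()
exten => _X.,n,Hangup()
```

After reloading, `sip show users` on the Asterisk CLI lists each user with its default context and whether a secret is set, which is the quickest way to spot an entry that would still match without a password.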