Hmmm. It would seem that it would be to Amazon's advantage to jump on this problem,<br>because the accounts that are performing this activity are most likely purchased with<br>stolen identities, and sooner or later the charges are going to get reversed. Either the<br>
credit card companies are going to absorb the cost, or the merchants (like Amazon) at<br>the other end. And, after listening to merchants grumble about it, I'd assume that in the<br>end, Amazon is going to get stiffed for the bill. On someone else's credit card, I'd imagine they<br>
have almost infinite resources; bandwidth to burn, the best and most powerful hosts.<br>So what if they rack up thousands of dollars? They are probably organized crime units in Romania or<br>whatever.<br><br>murf<br><br><br>
<div class="gmail_quote">On Tue, Apr 13, 2010 at 11:21 AM, Tzafrir Cohen <span dir="ltr"><<a href="mailto:tzafrir.cohen@xorcom.com">tzafrir.cohen@xorcom.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="im">On Tue, Apr 13, 2010 at 04:32:58PM +0200, Hans Witvliet wrote:<br>
> On Tue, 2010-04-13 at 15:49 +0200, Philipp von Klitzing wrote:<br>
> > Hi!<br>
> ><br>
> > > Any additional security within * is fine, but if someone is simply<br>
> > > drowning your bandwidth, action must be taken at a lower level.<br>
> > > Otherwise you end up re-inventing the wheel for DoS attacks for voip,<br>
> > > mail, ssh, ldap, http, rsync, (or any other service you might be running)<br>
> ><br>
> > However, I *still* think Asterisk should provide a "delayreject" option<br>
> > in sip.conf to greatly slow down answering request avalanches. That will<br>
> > help to address the bandwidth issue if the attacker is configured to wait<br>
> > for a response before starting the next request.<br>
> ><br>
> > Apart from that here are the most important messages: Use strong<br>
> > passwords in sip.conf, and use keys in iax.conf, and avoid usernames that<br>
> > can be guessed too easily (numbers from 100 to 9999 and first names).<br>
> ><br>
><br>
> Agreed, best would be to only use ssl-certificates for authentication,<br>
> but not all parts involved support that, (to put it mildly...)<br>
<br>
</div>Secure authentication won't solve the problem of attackers flooding your<br>
pipe. Especially not if you have ADSL or similar connection.<br>
<div class="im"><br>
--<br>
Tzafrir Cohen<br>
icq#16849755 <a href="mailto:jabber%3Atzafrir.cohen@xorcom.com">jabber:tzafrir.cohen@xorcom.com</a><br>
+972-50-7952406 mailto:<a href="mailto:tzafrir.cohen@xorcom.com">tzafrir.cohen@xorcom.com</a><br>
<a href="http://www.xorcom.com" target="_blank">http://www.xorcom.com</a> <a href="http://iax:guest@local.xorcom.com/tzafrir" target="_blank">iax:guest@local.xorcom.com/tzafrir</a><br>
<br>
--<br>
_____________________________________________________________________<br>
</div><div><div></div><div class="h5">-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --<br>
New to Asterisk? Join us for a live introductory webinar every Thurs:<br>
<a href="http://www.asterisk.org/hello" target="_blank">http://www.asterisk.org/hello</a><br>
<br>
asterisk-users mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-users" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-users</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Steve Murphy<br>ParseTree Corp<br><br>
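The credential advice quoted above (strong secrets in sip.conf, no usernames that are bare extension numbers from 100 to 9999 or first names) is easy to state and easy to drift away from on a box with hundreds of peers. Below is an added example, not code from this thread or from the Asterisk project, of a small audit script that parses a sip.conf and reports the weak patterns the thread warns about. The sample sip.conf, the first-name list and the 12-character minimum are constructed assumptions for the example; the check on <code>alwaysauthreject</code> (a real sip.conf option that makes Asterisk answer unknown usernames and bad passwords identically, so a scanner cannot tell which usernames exist) is included because it is the server-side counterpart to not choosing guessable usernames.

```python
"""Audit an Asterisk sip.conf for guessable usernames and weak secrets.

Added example for the mailing-list thread above; not Asterisk's own tooling.
"""
import re

# Constructed, deliberately tiny list; use a real first-name wordlist in practice.
COMMON_FIRST_NAMES = {"john", "mary", "david", "anna", "peter", "bob", "alice"}
MIN_SECRET_LEN = 12  # assumption for the example; pick your own policy

# Constructed sample sip.conf (not from the thread) with one clean and three weak peers.
SAMPLE_SIP_CONF = """
[general]
context=default
allowguest=no
alwaysauthreject=yes   ; same reply for unknown user and wrong password

[101]
type=friend
secret=101
host=dynamic

[john]
type=friend
secret=john1234
host=dynamic

[sales-desk]
type=friend
secret=x9#Qz!r2Lm7vB4pT
host=dynamic

[fax-gw]
type=peer
host=192.0.2.10
"""


def parse_asterisk_conf(text):
    """Parse Asterisk-style config text into {section: {key: value}}.

    Handles [name] and [name](!) template headers, key=value and key=>value,
    and ';' comments. Later duplicate keys win; template inheritance is not
    expanded, which is sufficient for a credential audit.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[([^\]]+)\](\(.*\))?", line)
        if header:
            current = header.group(1)
            is_template = bool(header.group(2)) and "!" in header.group(2)
            sections[current] = {"__template__": is_template}
            continue
        if current is None or "=" not in line:
            continue
        key, value = re.split(r"=>|=", line, maxsplit=1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_peer(name, opts):
    """Return a list of issue strings for one peer/user section."""
    issues = []
    if re.fullmatch(r"\d+", name) and 100 <= int(name) <= 9999:
        issues.append("username is a bare extension number (100-9999)")
    if name.lower() in COMMON_FIRST_NAMES:
        issues.append("username is a common first name")
    secret = opts.get("secret")
    if secret is None:
        # A static host= line only limits the source IP; it is not authentication.
        issues.append("no secret configured")
        return issues
    if len(secret) < MIN_SECRET_LEN:
        issues.append(f"secret shorter than {MIN_SECRET_LEN} characters")
    if secret.isdigit():
        issues.append("secret is all digits")
    if name.lower() in secret.lower():
        issues.append("secret contains the username")
    return issues


def audit_sip_conf(text):
    """Audit a whole sip.conf; returns {section: [issues]} for sections with findings."""
    sections = parse_asterisk_conf(text)
    findings = {}
    general = sections.get("general", {})
    if general.get("alwaysauthreject", "").lower() != "yes":
        findings["general"] = ["alwaysauthreject is not 'yes': replies reveal which usernames exist"]
    for name, opts in sections.items():
        if name == "general" or opts.get("__template__"):
            continue
        issues = audit_peer(name, opts)
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for section, issues in audit_sip_conf(SAMPLE_SIP_CONF).items():
        for issue in issues:
            print(f"[{section}] {issue}")
```

Run it against a real file with <code>audit_sip_conf(open("/etc/asterisk/sip.conf").read())</code>. As the thread also says, a clean audit does not help when the attacker is simply saturating the link; that still has to be handled at the network layer, in front of Asterisk.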