Summary: | ASTERISK-14209: IAX2 immediately retries after a failed registration, causing a flood of failed registrations | ||
Reporter: | Gregory Massel (gmza) | Labels: | |
Date Opened: | 2009-05-26 17:15:57 | Date Closed: | 2009-05-27 10:52:11 |
Priority: | Major | Regression? | No |
Status: | Closed/Complete | Components: | Channels/chan_iax2 |
Versions: | Frequency of Occurrence | ||
Related Issues: | |||
Environment: | Attachments: | ||
Description: |
When one asterisk box (host1) has a line such as:

register => 12345:abc@host2

and no such user exists in host2's iax.conf file, host1 will flood host2 with failed registration attempts using as much bandwidth as it can consume.

****** ADDITIONAL INFORMATION ******

Logs on host1 look like:

[May 26 19:49:51] NOTICE[26005] chan_iax2.c: No registration for peer '12345' (from 196.41.2.20)
[May 26 19:49:51] NOTICE[26002] chan_iax2.c: No registration for peer '12345' (from 196.41.2.20)
[May 26 19:49:51] NOTICE[26004] chan_iax2.c: No registration for peer '12345' (from 196.41.2.20)
[May 26 19:49:51] NOTICE[26009] chan_iax2.c: No registration for peer '12345' (from 196.41.2.20)
[May 26 19:49:51] NOTICE[26008] chan_iax2.c: No registration for peer '12345' (from 196.41.2.20)
[May 26 19:49:51] NOTICE[26006] chan_iax2.c: No registration for peer '12345' (from 196.41.2.20)

Logs on host2 look like:

[May 26 19:49:51] NOTICE[26004] chan_iax2.c: No registration for peer '12345' (from 196.41.2.20)
[May 26 19:49:51] NOTICE[26009] chan_iax2.c: No registration for peer '12345' (from 196.41.2.20)
[May 26 19:49:51] NOTICE[26008] chan_iax2.c: No registration for peer '12345' (from 196.41.2.20)
[May 26 19:49:51] NOTICE[26006] chan_iax2.c: No registration for peer '12345' (from 196.41.2.20)
[May 26 19:49:51] NOTICE[26005] chan_iax2.c: No registration for peer '12345' (from 196.41.2.20)

Or, if the user exists, but the password is wrong:

[May 26 09:49:23] NOTICE[26001] chan_iax2.c: Host 196.209.101.61 failed MD5 authentication for '12345' (8a0ebc66e4099abec07596de99d942dd != a8b07c1c68c4be02efe9b5504eaa7109)
[May 26 09:49:23] NOTICE[26006] chan_iax2.c: Host 196.209.101.61 failed MD5 authentication for '12345' (944a9e4634648ac70c7c9a1c69c45cee != 018f8696c6ecaa740ba16d688a651453)
[May 26 09:49:23] NOTICE[26001] chan_iax2.c: Host 196.209.101.61 failed MD5 authentication for '12345' (a01fe599678ad32ca3640bdecd3fb748 != 1a5ac9948d63819cc39ace0744f2bee9)
[May 26 09:49:23] NOTICE[26008] chan_iax2.c: Host 196.209.101.61 failed MD5 authentication for '12345' (9ee2bf5d0b30f80d8f748abd7e1810be != 3306d97e64746e8bd97a1b43035728a6)
[May 26 09:49:23] NOTICE[26003] chan_iax2.c: Host 196.209.101.61 failed MD5 authentication for '12345' (475680ade8ced104e7e4d70c9d13e79d != 734936e6ca7a068a55be296b8c8decb6)

This is easy to reproduce and has been a problem for some time. I've reproduced it on the following versions:

1.4.24
1.4.25
1.6.0.9
1.6.0.6

It happens both from 1.4.x <-> 1.4.x and 1.6.x <-> 1.4.x.

I'm not sure when exactly this bug was introduced, but it appears to have been around the time of 1.4.20...so quite a while ago.

I'm not sure if this is of any help:

Rx-Frame Retry[ No] -- OSeqno: 086 ISeqno: 086 Type: IAX Subclass: REGREQ
   Timestamp: 19647ms SCall: 11548 DCall: 00085 [196.41.2.20:4569]
   USERNAME : 12345
   REFRESH : 60
   MD5 RESULT : dfcb24b61820c0cc69d8a1d4b1e37e5d

Tx-Frame Retry[-01] -- OSeqno: 086 ISeqno: 087 Type: IAX Subclass: ACK
   Timestamp: 19647ms SCall: 00085 DCall: 11548 [196.41.2.20:4569]

[May 26 23:00:42] NOTICE[18168]: chan_iax2.c:5733 register_verify: No registration for peer '12345' (from 196.41.2.20)

Tx-Frame Retry[000] -- OSeqno: 086 ISeqno: 087 Type: IAX Subclass: REGAUTH
   Timestamp: 21437ms SCall: 00085 DCall: 11548 [196.41.2.20:4569]
   AUTHMETHODS : 2
   CHALLENGE : 184375780
   USERNAME : 12345

Rx-Frame Retry[ No] -- OSeqno: 087 ISeqno: 087 Type: IAX Subclass: REGREQ
   Timestamp: 19650ms SCall: 11548 DCall: 00085 [196.41.2.20:4569]
   USERNAME : 12345
   REFRESH : 60
   MD5 RESULT : d2f92a3bbf6ab85d8eee8bce77df49c9

Tx-Frame Retry[-01] -- OSeqno: 087 ISeqno: 088 Type: IAX Subclass: ACK
   Timestamp: 19650ms SCall: 00085 DCall: 11548 [196.41.2.20:4569]

[May 26 23:00:42] NOTICE[18165]: chan_iax2.c:5733 register_verify: No registration for peer '12345' (from 196.41.2.20)

Tx-Frame Retry[000] -- OSeqno: 087 ISeqno: 088 Type: IAX Subclass: REGAUTH
   Timestamp: 21440ms SCall: 00085 DCall: 11548 [196.41.2.20:4569]
   AUTHMETHODS : 2
   CHALLENGE : 186082162
   USERNAME : 12345

To give an idea of the extent of the flood, we've had two boxes saturate a 10Mb/s ATM link for ~12 hours and I have little doubt that this could saturate a 100MB/s ethernet. As bandwidth is quite expensive here (ZA), we've been hit with just over $1,000 worth of wasted bandwidth fees already as a result of this. :-(
| ||
Comments: |
By: Indreias Ioan (indreias) 2009-05-27 02:13:28

The issue is probably related to issue 14867 (why is access denied?) - details here: http://markmail.org/message/3jh7rvdsc5h3xita

We confirm the flood

- for asterisk log file: ~ 170 error lines per second = 30 kB/s

[May 27 10:00:30] NOTICE[27653] chan_iax2.c: Host x.x.x.x failed MD5 authentication for '999' (eb3762207ba72cbccb58e4b45b7110ea != 23ee4295e43907417b9975c514037dd9)

- for the network interface: ~ 220 kb/s (observed with iptraf on a "quiet" PBX = no calls, only one ssh session with iptraf = ~ 28 kb/s)

We hoped to have these problems resolved in 1.4.25 but it looks like IAX2 bugs are not a priority. We are still thinking why should we upgrade our production PBXs (1.2.x)....

By: David Brillert (aragon) 2009-05-27 08:49:12

Fixed in SVN
Repository: asterisk
Revision: 194873

U branches/1.4/channels/chan_iax2.c

------------------------------------------------------------------------
r194873 | dvossel | 2009-05-15 17:43:22 -0500 (Fri, 15 May 2009) | 17 lines

IAX2 REGAUTH loop

IAX was not sending REGREJ to terminate invalid registrations. Instead it sent another REGAUTH if the authentication challenge failed. This caused a loop of REGREQ and REGAUTH frames.

(Related to Security fix AST-2009-001)

(closes issue 0014867)
Reported by: aragon
Tested by: dvossel

(closes issue 0014717)
Reported by: mobeck
Patches:
      regauth_loop_update_patch.diff uploaded by dvossel (license 671)
Tested by: dvossel
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=194873

By: Gregory Massel (gmza) 2009-05-27 09:04:58

Thanks. Just to confirm: This problem affects the 1.6.x branch as well (tested against 1.6.0.9).

By: David Brillert (aragon) 2009-05-27 09:15:52

Check the revisions here https://issues.asterisk.org/view.php?id=14867

By: Russell Bryant (russell) 2009-05-27 10:52:11

This has been fixed. I'm working with our development team to try to get 1.4.26 out soon to include this fix (among other things).
|
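
A defender-side check for the registration flood discussed in this ticket, added here as an example and not part of the original report or of Asterisk: it buckets the failed-registration NOTICE lines quoted above by second, source host and peer, and reports buckets at or above a threshold. The function names, the default threshold of 5 per second, and the sample lines (built with documentation-range addresses) are assumptions.

```python
import re
from collections import Counter

# Matches both NOTICE layouts quoted in the report: with and without the
# "chan_iax2.c:5733 register_verify:" source-location prefix.
FAIL_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\]:? "
    r"chan_iax2\.c:(?:\d+ \w+:)? "
    r"(?:No registration for peer '(?P<p1>[^']*)' \(from (?P<h1>[0-9.]+)\)"
    r"|Host (?P<h2>[0-9.]+) failed MD5 authentication for '(?P<p2>[^']*)')"
)

def parse_failure(line):
    """Return (timestamp, host, peer) for a failed-registration NOTICE, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    if m["h1"] is not None:            # "No registration for peer" layout
        return m["ts"], m["h1"], m["p1"]
    return m["ts"], m["h2"], m["p2"]   # "failed MD5 authentication" layout

def find_floods(lines, per_second=5):
    """Return [(timestamp, host, peer, count)] for buckets with >= per_second hits.

    The log has one-second resolution, so each distinct timestamp is one bucket.
    Buckets are returned in the order they first appear in the input.
    """
    buckets = Counter(f for f in map(parse_failure, lines) if f)
    return [(ts, host, peer, n) for (ts, host, peer), n in buckets.items()
            if n >= per_second]

# Constructed sample input in the formats shown in the ticket (not real log data).
SAMPLE = (
    ["[May 26 19:49:51] NOTICE[%d] chan_iax2.c: No registration for peer '12345' "
     "(from 192.0.2.20)" % (26000 + i) for i in range(6)]
    + ["[May 26 19:49:52] NOTICE[18168]: chan_iax2.c:5733 register_verify: "
       "No registration for peer '12345' (from 192.0.2.20)"]
    + ["[May 26 09:49:23] NOTICE[26001] chan_iax2.c: Host 198.51.100.61 failed MD5 "
       "authentication for '12345' (<digest> != <digest>)"] * 2
    + ["[May 26 19:49:53] VERBOSE[26001] logger.c: unrelated line"]
)

if __name__ == "__main__":
    for ts, host, peer, n in find_floods(SAMPLE):
        print(f"{ts} host={host} peer={peer} failures={n}")
```

A registration with REFRESH 60 should produce at most an occasional failure, so any per-second bucket above a small threshold points at the REGREQ/REGAUTH loop rather than normal retries.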