Summary: ASTERISK-14561: Frequent SIP registrations cause firewall packet drop cycle
Reporter: David Strauss (davidstrauss)
Date Opened: 2009-07-29 18:39:11
Date Closed: 2011-06-07 14:00:47
Priority: Major
Regression?: No
Status: Closed/Complete
Components: Channels/chan_sip/Registration
Description:

There is often a firewall between an Asterisk box and a SIP peer. When registrations occur through a firewall, an Asterisk box can fall into a cycle of contacting the SIP peer very regularly and very quickly. This can cause registration packets from the Asterisk box to be dropped by the firewall. (The firewall may see it as a low-grade DoS attack.) Because the Asterisk box responds by continuing to spam the firewall with packets, it continues to be blacklisted.

The current solution is to increase the re-registration delay, but finding this number requires guesswork. When the guess is too low, administrators have to give the box a manual registration "cool down" period. When the guess is too high, the system may not stay registered or may not register quickly after an IP change.

I suggest an Ethernet/SMS-style solution to this problem. In short, when there is an Ethernet packet collision, the two NICs involved each randomly wait an increasingly long time with each contiguous collision. SMS delivery works in a similar way when message delivery fails, by increasing delays between delivery attempts.

Asterisk ought to increase the delay between each re-registration attempt so it doesn't end up in a retry/blacklist loop. Like Ethernet and SMS, the delay time should go up exponentially, possibly with an upper threshold. This could all be configurable, but even a hard-coded solution is preferable to the current behavior.
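
Added example, not part of the original report and not Asterisk code: a stand-alone C sketch of the capped exponential backoff with randomization that the description proposes. The struct, function names, the 20-second base, the 3600-second cap and the choice of a half-ceiling floor are all assumptions made for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical tunables for this sketch; not Asterisk configuration options. */
#define REG_BASE_DELAY_S 20u   /* ceiling after the first failure */
#define REG_MAX_DELAY_S  3600u /* upper threshold on the delay */

struct reg_backoff {
    unsigned failures; /* consecutive failed registration attempts */
    uint32_t rng;      /* xorshift32 state; seed per peer from a real entropy source */
};

static uint32_t xorshift32(uint32_t *s)
{
    if (*s == 0) *s = 0x9E3779B9u; /* xorshift state must never be zero */
    *s ^= *s << 13; *s ^= *s >> 17; *s ^= *s << 5;
    return *s;
}

/* Delay ceiling after n consecutive failures: base * 2^(n-1), capped. */
unsigned reg_backoff_ceiling(unsigned failures)
{
    unsigned long long d = REG_BASE_DELAY_S;
    unsigned n = failures ? failures - 1 : 0;
    while (n-- && d < REG_MAX_DELAY_S) d *= 2; /* stops at the cap, so no overflow */
    return d > REG_MAX_DELAY_S ? REG_MAX_DELAY_S : (unsigned)d;
}

/* Call when a REGISTER attempt fails or times out; returns seconds to wait. */
unsigned reg_backoff_on_failure(struct reg_backoff *b)
{
    if (b->failures < UINT_MAX) b->failures++;
    unsigned top = reg_backoff_ceiling(b->failures);
    unsigned half = top / 2; /* floor keeps retries from bunching near zero */
    return half + xorshift32(&b->rng) % (top - half + 1);
}

/* Call on a successful registration so the next outage starts from the base delay. */
void reg_backoff_on_success(struct reg_backoff *b) { b->failures = 0; }

int main(void)
{
    struct reg_backoff b = { 0, 2009u }; /* constructed seed for a repeatable run */
    for (int i = 0; i < 10; i++) {
        unsigned d = reg_backoff_on_failure(&b);
        printf("failure %u: wait %us\n", b.failures, d);
    }
    return 0;
}
```

The random component matters when several registrations sit behind the same firewall: without it, they all retry at the same instants and recreate the burst that triggered the drops.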
Comments:

By: Leif Madsen (lmadsen) 2009-08-31 08:59:41

While this seems like a good idea, it is a feature request without a patch provided. In order to keep this issue open we would need a patch to be provided that creates this functionality. If you are able to do that, then please reopen the issue and add the patch for review. Thanks!