Summary: ASTERISK-17683: Console flooding caused by bad remote SIP peer
Reporter: David Brillert (aragon)
Labels:
Date Opened: 2011-04-12 15:25:22
Date Closed: 2011-06-07 14:05:32
Versions: 1.4.40
Frequency of
Environment:
Attachments: (0) SIP_DoS_SIP-debug.txt
(1) SIP_DoS.txt
Description: Console is flooded by remote SIP peer.
This appears to be a Denial of Service attack using a mis-configured remote SIP peer with no valid peer defined in Asterisk.


Asterisk CLI attached. All IPs are scrubbed to protect privacy.
Comments:
By: David Brillert (aragon) 2011-04-12 15:49:44

I know someone will say this can be fixed using iptables or fail2ban etc...
But why must Asterisk reply to each SIP registration during this DoS attack when there is no matching SIP peer configured in Asterisk?

By: Jason Parker (jparker) 2011-04-12 16:16:25

Because the lack of a response would indicate something about the configuration.  That would be a very easy way to guess at valid users.
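
The first comment mentions iptables and fail2ban as the usual mitigation. The following is an added example (not part of the ticket or of Asterisk) of the log-side check such tools depend on: it counts rejected registrations with no matching peer per source address in a sliding window. The log line layout, the `dateformat=%F %T` timestamp, the threshold, the window and all function names are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed layout of chan_sip's NOTICE for a rejected REGISTER, with
# logger.conf dateformat=%F %T; adjust the pattern to the local log format.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'.*' failed for '(?P<src>[^']+)' - (?P<reason>.+)$")

def constructed_log():
    """Constructed sample lines (documentation IPs), not the ticket's attachments."""
    base = datetime(2011, 4, 12, 15, 20, 0)
    tmpl = ("[{ts}] NOTICE[2101] chan_sip.c: Registration from "
            "'\"{user}\" <sip:{user}@203.0.113.5>' failed for '{src}' - {reason}")
    # One source sending a REGISTER every second for users that do not exist.
    lines = [tmpl.format(ts=base + timedelta(seconds=i), user=100 + i,
                         src="198.51.100.7", reason="No matching peer found")
             for i in range(12)]
    # A configured phone with a mistyped secret: must not be flagged.
    lines.append(tmpl.format(ts=base + timedelta(seconds=20), user=200,
                             src="192.0.2.44", reason="Wrong password"))
    return lines

def flooding_sources(lines, threshold=10, window=timedelta(seconds=60)):
    """Map source IP -> time it first reached `threshold` rejected
    registrations with no matching peer inside a sliding `window`."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    flagged = {}
    for line in lines:            # lines are expected in log (time) order
        m = LINE_RE.match(line)
        if not m or m["reason"] != "No matching peer found":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["src"]]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(m["src"], ts)
    return flagged

if __name__ == "__main__":
    for src, when in flooding_sources(constructed_log()).items():
        print(f"{src} crossed the threshold at {when}; candidate for a firewall block")
```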