|Summary:||ASTERISK-17683: Console flooding caused by bad remote SIP peer|
|Reporter:||David Brillert (aragon)||Labels:|
|Date Opened:||2011-04-12 15:25:22||Date Closed:||2011-06-07 14:05:32|
|Environment:||Attachments:||( 0) SIP_DoS_SIP-debug.txt|
( 1) SIP_DoS.txt
|Description:||Console is flooded by remote SIP peer.|
This appears to be a Denial of Service attack using a mis-configured remote SIP peer with no valid peer defined in Asterisk.
****** ADDITIONAL INFORMATION ******
Asterisk CLI attached. All IP's are scrubbed to protect privacy.
|Comments:||By: David Brillert (aragon) 2011-04-12 15:49:44|
I know someone will say this can be fixed using iptables or fail2ban etc...
But why must Asterisk reply to each SIP registration during this DoS attack when there is no matching SIP peer configured in Asterisk?
By: Jason Parker (jparker) 2011-04-12 16:16:25
Because the lack of a response would indicate something about the configuration. That would be a very easy way to guess at valid users.