Summary:ASTERISK-26089: Invalid security events during boot using PJSIP Realtime
Reporter:Scott Griepentrog (sgriepentrog)Labels:
Date Opened:2016-06-06 16:32:27Date Closed:2016-06-07 10:20:06
Versions:Frequency of
is related toASTERISK-26088 Investigate heavy memory utilization by res_pjsip_pubsub
Environment:CentOS, Asterisk 13, PJSIP, Realtime, ODBCAttachments:
Description:When Asterisk is configured to use PJSIP with Realtime, the receipt of a SIP REGISTER during bootup (prior to odbc database connections being completed) results in a security event such as InvalidAccountID due to being unable to obtain the account from the database.

Where the specific customer implementation includes banning IP's based on security events, this causes a window of opportunity for valid endpoints to be banned if they are unlucky enough to attempt REGISTER at the wrong time.

A workaround for this issue exists in the form of rejecting security events prior to the FullyBooted event being received.  However, this issue would probably be better addressed by adding an option to cause PJSIP inbound traffic to be dropped prior to FullyBooted state, so as to avoid transmitting an incorrect  401 Unauthorized response to the endpoint.
Comments:By: Richard Mudgett (rmudgett) 2016-06-06 17:21:32.443-0500

This is exactly the first patch in the series addressing ASTERISK-26088.  The patch ignores all incoming SIP messages to PJSIP until fully booted and is not optional.

By: Joshua C. Colp (jcolp) 2016-06-07 10:20:06.752-0500

Patch is already up and tagged against other issue. Closing this out.