Greetings,

Recently the DNS protocol came under attack again, when people
started to abuse open recursive DNS servers for DDoS attacks. My
personal DNS server was involved too, see
http://weblog.barnet.com.au/edwin/000122.html for more details.

A discussion on several DNS-related mailing lists came up, and despite
all the water that has flowed to the sea since then, there is still no
solution for this problem. Well, if ISPs got their act together and
blocked traffic from their user LANs with wrong IP addresses, but
euhms... this might take a while. If ever.

The DNS attack has an amplification of 100 times: for every forty
bytes sent, 4000 bytes were sent out.


Now back to Asterisk, or SIP in general.  Also UDP based, and thus
prone to the same kind of attack. The shortest packet I could
create to which Asterisk replied was 15 bytes, giving me 223 bytes
in answer:

22:20:41.429219 IP 10.10.12.2.62487 > 10.10.99.1.5060: SIP, length: 15
22:20:41.462792 IP 10.10.99.1.5060 > 10.10.12.2.62487: SIP, length: 223

U 10.10.12.2:62487 -> 10.10.99.1.5060
OPTIONS
CSeq: 1

U 10.10.99.1.5060 -> 10.10.12.2:62487
SIP/2.0 404 Not Found.
To: ;tag=as72710291.
CSeq: 1.
User-Agent: Asterisk PBX.
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY.
Contact: <sip:10.10.99.1>.
Accept: application/sdp.
Content-Length: 0.
.


That's nearly a 15 times amplification. But what is worse... While
I would be able to disable it on the DNS server, there is no way I can
disable this on Asterisk.


I'm not going to predict the downfall of SIP and Asterisk and VoIP
with this: DNS servers are still much easier to abuse. But there
should be a configurable limitation on who should be able to send
OPTIONS:

- SIP peers

- Answers only on valid requests
  (chan_sip.c:6535 get_destination: Huh?  Not a SIP header ()?)
  (chan_sip.c:3773 copy_header: No field 'From' present to copy)
  (chan_sip.c:3773 copy_header: No field 'Call-ID' present to copy)
  (chan_sip.c:3853 copy_via_headers: No header field 'Via' present to copy)
  Doing this, my smallest packet was 85 bytes, giving me an
  answer of 289 bytes and thus an amplification of less than 4.


Edwin

-- 
Edwin Groothuis      |            Personal website: http://www.mavetju.org
[EMAIL PROTECTED]    |          Weblog: http://weblog.barnet.com.au/edwin/
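Added illustration of the second suggestion above ("answers only on valid requests"): this is not code from the post or from Asterisk's chan_sip, but a small Python check a UDP listener could run before replying, refusing datagrams that are not a complete SIP request. The mandatory header list is the one RFC 3261 section 8.1.1 gives for every request; the two sample datagrams are constructed here (the addresses are borrowed from the capture in the post, the branch and Call-ID values are made up), and the amplification helper just reproduces the byte ratios the post reports.

```python
"""Refuse to answer SIP datagrams that are not well-formed requests.

Constructed example for the asterisk-dev post on SIP amplification; not
code from the post or from Asterisk. Header names follow RFC 3261.
"""

# Headers RFC 3261 section 8.1.1 requires in every request.
REQUIRED_HEADERS = ("via", "to", "from", "cseq", "call-id", "max-forwards")

# Compact single-letter header names RFC 3261 section 7.3.3 allows.
COMPACT_FORMS = {"v": "via", "t": "to", "f": "from", "i": "call-id",
                 "m": "contact", "l": "content-length"}


def parse_request(datagram: bytes):
    """Return (method, request_uri, headers) or None if the datagram is
    not a syntactically complete SIP request."""
    try:
        text = datagram.decode("ascii")
    except UnicodeDecodeError:
        return None
    # Headers end at the first blank line; tolerate bare LF line endings.
    head = text.replace("\r\n", "\n").split("\n\n", 1)[0].rstrip("\n")
    lines = head.split("\n")
    parts = lines[0].split(" ")
    # Request-Line is "Method SP Request-URI SP SIP/2.0" (section 7.1).
    if len(parts) != 3 or parts[2] != "SIP/2.0" or not parts[0].isupper():
        return None
    method, uri = parts[0], parts[1]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        name = name.strip().lower()
        if not sep or not name:
            return None          # a line that is not "Name: value" is malformed
        name = COMPACT_FORMS.get(name, name)
        headers.setdefault(name, []).append(value.strip())
    return method, uri, headers


def should_answer(datagram: bytes) -> bool:
    """True only if the request parses and carries every mandatory header.
    A request failing this check is dropped silently: no reply, so no
    amplification towards a spoofed source address."""
    parsed = parse_request(datagram)
    if parsed is None:
        return False
    _method, _uri, headers = parsed
    return all(h in headers for h in REQUIRED_HEADERS)


def amplification(request_len: int, response_len: int) -> float:
    """Bytes sent back per byte received."""
    return response_len / request_len


# Constructed sample datagrams (not captures from the post).
# The bare form has no Request-URI, no SIP-Version and no From/Call-ID/Via.
BARE_OPTIONS = b"OPTIONS\r\nCSeq: 1\r\n"
FULL_OPTIONS = (
    b"OPTIONS sip:10.10.99.1 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 10.10.12.2:62487;branch=z9hG4bKexample\r\n"
    b"Max-Forwards: 70\r\n"
    b"To: <sip:10.10.99.1>\r\n"
    b"From: <sip:probe@10.10.12.2>;tag=1\r\n"
    b"Call-ID: example-call-id@10.10.12.2\r\n"
    b"CSeq: 1 OPTIONS\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, dg in (("bare", BARE_OPTIONS), ("full", FULL_OPTIONS)):
        print(f"{name}: {len(dg)} bytes, answer={should_answer(dg)}")
    print("post's ratios:", amplification(15, 223), amplification(85, 289))
```

The check does not stop a sender from including every mandatory header, so it limits rather than removes the amplification: the post's own measurement shows the smallest accepted request growing from 15 to 85 bytes and the ratio dropping from nearly 15 to under 4. Restricting replies to configured peers, the post's first suggestion, is what actually ties the answer to a known source.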
asterisk-dev mailing list