Brancaleoni Matteo
2003-May-01 12:45 UTC
[Asterisk-Users] Max number of connection in IAX ?
Hi.

I was wondering if there's a parameter to limit
the number of concurrent sessions in IAX, globally or
on a per-user basis.

That could be needed for security purposes
(to prevent dos attacks), to limit bandwidth / cpu usage, or
to not allow more than N guest connections, for example.

Any other VoIP channel support that?
(like SIP, MGCP)

Matteo.

--
Brancaleoni Matteo <mbrancaleoni@espia.it>
Espia - Emmgi Srl

IAX supports up to 2^16/2 connections. Now you could internally use some
global variable to keep track of it ....

Martin

On 1 May 2003, Brancaleoni Matteo wrote:
> Hi.
>
> I was wondering if there's a parameter to limit
> the number of concurrent sessions in IAX, globally or
> on a per-user basis.
>
> That could be needed for security purposes
> (to prevent dos attacks), to limit bandwidth / cpu usage, or
> to not allow more than N guest connections, for example.
>
> Any other VoIP channel support that?
> (like SIP, MGCP)
>
> Matteo.
>
> --
> Brancaleoni Matteo <mbrancaleoni@espia.it>
> Espia - Emmgi Srl

On Thursday 01 May 2003 14:45, Brancaleoni Matteo wrote:
> Hi.
>
> I was wondering if there's a parameter to limit
> the number of concurrent sessions in IAX, globally or
> on a per-user basis.
>
> That could be needed for security purposes
> (to prevent dos attacks), to limit bandwidth / cpu usage, or
> to not allow more than N guest connections, for example.

Limiting the number of connections will not prevent DOS attacks. Consider that an IAX session may have an unlimited length. Now consider an attacker creating N connections, where N is your maximum limit of connections. The attacker has effectively cut off your ability to place IAX calls. In other words, resource starvation is just as effective a DOS attack as resource overloading.

That said, the usecnt variable in channels/chan_iax.c should contain the current number of IAX channels. A patch as simple as this should work:

-Tilghman

Index: channels/chan_iax.c ==================================================================RCS file: /usr/cvsroot/asterisk/channels/chan_iax.c,v retrieving revision 1.8 diff -u -r1.8 chan_iax.c --- channels/chan_iax.c 27 Apr 2003 21:36:19 -0000 1.8 +++ channels/chan_iax.c 1 May 2003 20:58:03 -0000 @@ -65,6 +65,8 @@ #define DEBUG_SUPPORT +#define MAX_IAX_CONNECTIONS 30 + /* Sample over last 100 units to determine historic jitter */ #define GAMMA (0.01) @@ -1952,6 +1954,10 @@ ast_setstate(tmp, state); ast_pthread_mutex_lock(&usecnt_lock); usecnt++; + if (usecnt > MAX_IAX_CONNECTIONS) { + usecnt--; + tmp = NULL; + } ast_pthread_mutex_unlock(&usecnt_lock); ast_update_use_count(); if (state != AST_STATE_DOWN) {
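
Review bot: MAX_IAX_CONNECTIONS in the first hunk (@@ -65,6 +65,8 @@) is a bare compile-time constant with no comment, so changing the limit of 30 means rebuilding chan_iax.c, and it covers only the global case, not the per-user limit the thread asks about. Add a comment stating what is being counted (usecnt, the number of IAX channels) and consider reading the value from configuration rather than a #define.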
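
Review bot: in the second hunk (@@ -1952,6 +1954,10 @@) the over-limit branch sets tmp = NULL after tmp has already been passed to ast_setstate(), so the channel it pointed to is dropped without being released and leaks on every refused connection. Release the channel before clearing the pointer, or test usecnt against MAX_IAX_CONNECTIONS before the channel is set up so nothing has to be undone. Execution also continues into ast_update_use_count() and the "if (state != AST_STATE_DOWN) {" block with tmp now NULL; confirm that block does not dereference tmp, or return early, and log the refusal so an operator can see when the limit is hit.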
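
The starvation argument in the last reply and the per-user limit asked about in the first message, as an added example that is not part of the thread or of chan_iax.c: a stand-alone admission check showing that a global cap alone lets one peer hold every slot, while a per-peer quota bounds what a single peer can take. The struct names, function names, peer names and the quota of 4 are hypothetical; locking is omitted and assumed to be held by the caller, as usecnt_lock is in the patch.

```c
#include <stdio.h>
#include <string.h>
#define GLOBAL_MAX 30   /* same figure as MAX_IAX_CONNECTIONS in the patch */
#define MAX_PEERS  64   /* assumed size of the peer table (hypothetical) */

struct peer_slot { char name[32]; int active; };  /* names assumed < 32 bytes */
struct limiter {
    int total;                        /* plays the role of usecnt */
    int per_peer_max;                 /* 0 means global cap only */
    struct peer_slot peers[MAX_PEERS];
};

/* Find the slot for a peer name, claiming the first free slot if it is new. */
static struct peer_slot *find_peer(struct limiter *l, const char *name)
{
    struct peer_slot *free_slot = NULL;
    for (int i = 0; i < MAX_PEERS; i++) {
        if (!l->peers[i].name[0]) { if (!free_slot) free_slot = &l->peers[i]; }
        else if (!strcmp(l->peers[i].name, name)) return &l->peers[i];
    }
    if (free_slot) snprintf(free_slot->name, sizeof free_slot->name, "%s", name);
    return free_slot;
}

/* Returns 1 if the session is admitted, 0 if refused. Both limits are
 * checked before anything is counted, so a refusal needs no undo step. */
int session_admit(struct limiter *l, const char *peer)
{
    struct peer_slot *p = find_peer(l, peer);
    if (!p || l->total >= GLOBAL_MAX) return 0;
    if (l->per_peer_max && p->active >= l->per_peer_max) return 0;
    p->active++;
    l->total++;
    return 1;
}

/* Constructed scenario: one peer attempts `attempts` sessions and never
 * hangs up; then a second peer tries to place a single call. */
int other_peer_admitted(int per_peer_max, int attempts)
{
    struct limiter l = {0};
    l.per_peer_max = per_peer_max;
    for (int i = 0; i < attempts; i++) session_admit(&l, "guest-a");
    return session_admit(&l, "office-b");
}

int main(void)
{
    printf("global cap only:  %d\n", other_peer_admitted(0, GLOBAL_MAX));
    printf("per-peer quota 4: %d\n", other_peer_admitted(4, GLOBAL_MAX));
    return 0;
}
```

A per-peer quota only bounds a single identity; several peers acting together can still reach the global cap.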