asterisk users - Oct 2004 - Can bad person with SIPp attack Asterisk ?

Hi,

sorry maybe dumb question. But could person with bad intent attack Asterisk
PBX with SIPp tool ?

Can Asterisk be overloaded this way and not working OK for the rest of
conversations ?

Regards,

Robert.

They could send lots of traffic and DoS you sure... nothing specific to
Asterisk. 

Otherwise, they'd have to rely on a security hole in the software itself. I
don't know of any, and I'm sure they'd get fixed really fast if they
were
found...
-Michael

-----Original Message-----
From: asterisk-users-bounces@lists.digium.com
[mailto:asterisk-users-bounces@lists.digium.com] On Behalf Of Robert Rozman
Sent: Wednesday, October 27, 2004 2:33 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [Asterisk-Users] Can bad person with SIPp attack Asterisk ?

Hi,

sorry maybe dumb question. But could person with bad intent attack Asterisk
PBX with SIPp tool ?

Can Asterisk be overloaded this way and not working OK for the rest of
conversations ?

Regards,

Robert.

_______________________________________________
Asterisk-Users mailing list
Asterisk-Users@lists.digium.com
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Robert Rozman [rozman@fri.uni-lj.si] wrote:
> sorry maybe dumb question. But could person with bad intent attack
> Asterisk PBX with SIPp tool ? 
> 
I don't know what the SIPp tool is, but there are bound to be hidden
security bugs in the Asterisk code, just waiting for someone to exploit.
To mitigate this, you must not run Asterisk as root;  Create a specific
Asterisk user and group ID, and run Asterisk using that.

Basic security precautions should be taken with all public-facing
services - not just Asterisk.

-- 
   _/   _/  _/_/_/_/  _/    _/  _/_/_/  _/    _/
  _/_/_/   _/_/      _/    _/    _/    _/_/  _/   K e v i n   W a l s h
 _/ _/    _/          _/ _/     _/    _/  _/_/    kevin@cursor.biz
_/   _/  _/_/_/_/      _/    _/_/_/  _/    _/

Hello

I would say, 

First of all, for users who are authenticated, so really can make calls,
just configure asterisk to limit the number of calls users can make
concurrently

Next, put a firewall in front of your asterisk box which rate limits the
number of connection attempts per second per host.. If you limit this to
lets say about 25 to 50 connection attempts per second per host I would
say you're pretty safe and your asterisk box can't really get overloaded
with malicious packets. this burst limit depends on your config as you
might get much traffic from certain IP's ofcourse

Niels

 

-----Original Message-----
From: asterisk-users-bounces@lists.digium.com
[mailto:asterisk-users-bounces@lists.digium.com] On Behalf Of Flynn
Sent: donderdag 28 oktober 2004 23:54
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: RE: [Asterisk-Users] Can bad person with SIPp attack Asterisk ?

On 10/28/2004, "Patrick" <asterisk@puzzled.xs4all.nl> wrote:
>Absolutely. Some things that come to mind: configure your firewall to
>only accept SIP, IAX2 etc connections from/to IP addresses of the
remote
>servers you interact with. 
Wouldn't this, though, not be possible when you're running a
public-type service like FWD etc? Unless they know in advance where
their customers are calling from, which I don't think they do.
>I am sure there are more ways to enhance security and would welcome
>further input from the community. Perhaps the info from this threat
>could then be the start of the Asterisk Security Howto document.
>
What would be good is if someone from FWD with a proven track record
would be so kind as to give pointers on how they handle security on
their platforms.
>About running * non-root. Any information how to go about this? How
>would you exactly configure this? What about zaptel & libpri? Apache
>setup for e.g. * & vmail or astcc interaction, CDR registration (file
or
>DB) etc.
>
You could start out by looking at
http://voip-info.org/tiki-index.php?page=Asterisk+non-root

Cheers
Flynn
_______________________________________________
Asterisk-Users mailing list
Asterisk-Users@lists.digium.com
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Check these url's

http://www.voip-info.org/wiki-Asterisk+cmd+CheckGroup
http://www.voip-info.org/wiki-Asterisk+cmd+SetGroup
http://www.voip-info.org/wiki-Asterisk+cmd+GetGroupCount

Niels


-----Original Message-----
From: asterisk-users-bounces@lists.digium.com
[mailto:asterisk-users-bounces@lists.digium.com] On Behalf Of Robert
Rozman
Sent: Friday, October 29, 2004 11:20 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [Asterisk-Users] Can bad person with SIPp attack Asterisk ?

Any more info how to configure Asterisk to limit the number of calls
concurrently ?

Thanks in advance,

Robert.

----- Original Message -----
From: <niels@wxn.nl>
To: <asterisk-users@lists.digium.com>
Sent: Friday, October 29, 2004 12:50 AM
Subject: RE: [Asterisk-Users] Can bad person with SIPp attack Asterisk ?


Hello

I would say,

First of all, for users who are authenticated, so really can make calls,
just configure asterisk to limit the number of calls users can make
concurrently

Next, put a firewall in front of your asterisk box which rate limits the
number of connection attempts per second per host.. If you limit this to
lets say about 25 to 50 connection attempts per second per host I would
say you're pretty safe and your asterisk box can't really get overloaded
with malicious packets. this burst limit depends on your config as you
might get much traffic from certain IP's ofcourse

Niels



-----Original Message-----
From: asterisk-users-bounces@lists.digium.com
[mailto:asterisk-users-bounces@lists.digium.com] On Behalf Of Flynn
Sent: donderdag 28 oktober 2004 23:54
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: RE: [Asterisk-Users] Can bad person with SIPp attack Asterisk ?

On 10/28/2004, "Patrick" <asterisk@puzzled.xs4all.nl> wrote:
>Absolutely. Some things that come to mind: configure your firewall to
>only accept SIP, IAX2 etc connections from/to IP addresses of the
remote
>servers you interact with.
Wouldn't this, though, not be possible when you're running a
public-type service like FWD etc? Unless they know in advance where
their customers are calling from, which I don't think they do.
>I am sure there are more ways to enhance security and would welcome
>further input from the community. Perhaps the info from this threat
>could then be the start of the Asterisk Security Howto document.
>
What would be good is if someone from FWD with a proven track record
would be so kind as to give pointers on how they handle security on
their platforms.
>About running * non-root. Any information how to go about this? How
>would you exactly configure this? What about zaptel & libpri? Apache
>setup for e.g. * & vmail or astcc interaction, CDR registration (file
or
>DB) etc.
>
You could start out by looking at
http://voip-info.org/tiki-index.php?page=Asterisk+non-root

Cheers
Flynn
_______________________________________________
Asterisk-Users mailing list
Asterisk-Users@lists.digium.com
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
_______________________________________________
Asterisk-Users mailing list
Asterisk-Users@lists.digium.com
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

_______________________________________________
Asterisk-Users mailing list
Asterisk-Users@lists.digium.com
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users