> > I tried te route of using iptables and at top production time, it eats 5% of my server, brining it to 95+ CPU usage. Clearly, not an option. I need a patch for chan_sip that whenalwaysauthreject=yes does not respond to any REGISTER packet if the username does not exists. I hope that Digium would include this otr similar option in the source code. Alternatively, a new option can be created in sip.conf. I am offering no money for this patch. I think all the community needs this to survive the attack of the evil men from shadowlands. Another nice patch that I already wrote partially, is for cdr_addons_mysql, but it should be included in all cdr-collecting technologies. I just do not save to the database any call that is not connected. This is NOT the same as setting the option at the cdr.conf level. Each cdr technology needs this option as well. I need to save all calls to my cdr_odbc, for ASR calculations, but it is useless to store un-connected calls to mysql, because I use it only as a backup cdr, in case my external SQL Server blows up or has a problem, which happens often. What I did was to hard code this option in the source code, but not including any checkin for a cdr_sql.conf, since I am not a C programmer. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20110803/c0fdc2ab/attachment.htm>
On 08/03/11 09:49, Venefax wrote:>> >> I tried te route of using iptables and at top production time, it eats >> 5% of my server, brining it to 95+ CPU usage. Clearly, not an option. >> I need a patch for chan_sip that when > alwaysauthreject=yes > does not respond to any REGISTER packet if the username does not exists. > I hope that Digium would include this otr similar option in the source > code. Alternatively, a new option can be created in sip.conf. I am > offering no money for this patch. I think all the community needs this > to survive the attack of the evil men from shadowlands. > > Another nice patch that I already wrote partially, is for > cdr_addons_mysql, but it should be included in all cdr-collecting > technologies. I just do not save to the database any call that is not > connected. This is NOT the same as setting the option at the cdr.conf > level. Each cdr technology needs this option as well. I need to save all > calls to my cdr_odbc, for ASR calculations, but it is useless to store > un-connected calls to mysql, because I use it only as a backup cdr, in > case my external SQL Server blows up or has a problem, which happens often. > What I did was to hard code this option in the source code, but not > including any checkin for a cdr_sql.conf, since I am not a C programmer. >With your option turned on, evil ones will again be able to enumerate valid usernames. To keep them guessing, you give them the same answer if the user name does not exist or if they gave you a bad password. But with your option turned on, they will know if they have a valid user name or not. Lyle Giese LCR Computer Services, Inc.
> -----Original Message----- > From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users- > bounces at lists.digium.com] On Behalf Of Lyle Giese > Sent: Wednesday, August 03, 2011 8:16 PM > To: asterisk-users at lists.digium.com > Subject: Re: [asterisk-users] Need a volunteer for a Patch > > On 08/03/11 09:49, Venefax wrote: > >> > >> I tried te route of using iptables and at top production time, it > >> eats 5% of my server, brining it to 95+ CPU usage. Clearly, not an option. > >> I need a patch for chan_sip that when > > alwaysauthreject=yes > > does not respond to any REGISTER packet if the username does not exists. > > I hope that Digium would include this otr similar option in the source > > code. Alternatively, a new option can be created in sip.conf. I am > > offering no money for this patch. I think all the community needs this > > to survive the attack of the evil men from shadowlands. > > > > Another nice patch that I already wrote partially, is for > > cdr_addons_mysql, but it should be included in all cdr-collecting > > technologies. I just do not save to the database any call that is not > > connected. This is NOT the same as setting the option at the cdr.conf > > level. Each cdr technology needs this option as well. I need to save > > all calls to my cdr_odbc, for ASR calculations, but it is useless to > > store un-connected calls to mysql, because I use it only as a backup > > cdr, in case my external SQL Server blows up or has a problem, which > happens often. > > What I did was to hard code this option in the source code, but not > > including any checkin for a cdr_sql.conf, since I am not a C programmer. > > > > With your option turned on, evil ones will again be able to enumerate valid > usernames. > > To keep them guessing, you give them the same answer if the user name > does not exist or if they gave you a bad password. But with your option > turned on, they will know if they have a valid user name or not.In SIP the password is not sent until the 2nd packet when authenticating. So even with that patch, you will still respond to the first packet of all register requests for all valid usernames. Not responding in any way to register (and other authentication) requests will help only until the people hacking servers realize what is happening and adapt.