Thursday, September 03, 2009

Changes On IAX2 Protocol To Prevent VoIP DDOS (AST-2009-006)

Asterisk Security
The Asterisk Security list has published Security Advisory AST-2009-006, outlining the need for changes.
There is an accompanying IAX2-security.pdf that has information on the advisory. The following is an excerpt from the posted information.
The IAX2 protocol uses a call number to associate messages with the call they belong to. However, the protocol defines the call number field in messages as a fixed-size 15-bit field, so once all call numbers are in use no additional sessions can be handled.
A call number is created at the start of an IAX2 message exchange, so an attacker can send a large number of messages and consume the call number space. The attack is also possible using spoofed source IP addresses, as no handshake is required before a call number is assigned.
The advised resolution is to upgrade to a version of Asterisk listed in the Corrected In table below as containing the IAX2 protocol security enhancements. In addition to upgrading, administrators should consult the user's guide section of the IAX2 Security document (IAX2-security.pdf), as well as the sample configuration file for chan_iax2 distributed with those releases, for assistance with the new options that have been provided.
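To make the mechanism concrete, the following is an added Python model written for this post; it is not Asterisk code and does not reproduce how chan_iax2 implements its fix. NaivePool hands out a number from a 15-bit pool on a peer's first message, which is the pre-fix behaviour described above. TokenValidatingPool instead answers an unauthenticated first message with a stateless HMAC token and only allocates a call number once the peer echoes that token back, so a source that cannot receive traffic at its claimed address never consumes a number; it also caps how many numbers any one source may hold. The token format, the per-source limit of 16, the 30-second window and all addresses are constructed for the illustration.

```python
"""Model of IAX2 call-number exhaustion and of a stateless-challenge defence.

Added illustration only: the pool, the token format and the per-source limit
are constructed here to show the design, not how chan_iax2 implements it.
"""
import hashlib
import hmac
import os
import time

CALL_NUMBER_BITS = 15
# Call number 0 is reserved, so a 15-bit field leaves 32767 usable numbers.
USABLE_CALL_NUMBERS = (1 << CALL_NUMBER_BITS) - 1


class NaivePool:
    """Pre-fix behaviour: a call number is bound to a peer on its first message."""

    def __init__(self):
        self.free = list(range(USABLE_CALL_NUMBERS, 0, -1))  # pops 1, 2, 3, ...
        self.in_use = {}  # call number -> source address

    def new_call(self, src):
        if not self.free:
            return None  # pool exhausted: no further sessions can be set up
        n = self.free.pop()
        self.in_use[n] = src
        return n


class TokenValidatingPool(NaivePool):
    """Hardened model: no call number is allocated until the peer echoes a
    token sent to its claimed address, and one source may hold only so many."""

    def __init__(self, key, per_source_limit=16, window_s=30):
        super().__init__()
        self.key = key
        self.per_source_limit = per_source_limit
        self.window_s = window_s

    def _token(self, src, bucket):
        # Keyed over the source address and a time bucket, so the server keeps
        # no state per challenge and a flood cannot fill a pending-challenge table.
        msg = f"{src}|{bucket}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:32]

    def new_call(self, src, token=None, now=None):
        now = time.time() if now is None else now
        bucket = int(now // self.window_s)
        if token is None:
            # First contact: answer with a challenge and allocate nothing.
            return ("challenge", self._token(src, bucket))
        # Accept the current and the previous bucket to tolerate window edges.
        valid = any(hmac.compare_digest(token, self._token(src, b))
                    for b in (bucket, bucket - 1))
        if not valid:
            return ("reject", "bad-token")
        held = sum(1 for s in self.in_use.values() if s == src)
        if held >= self.per_source_limit:
            return ("reject", "per-source-limit")
        n = super().new_call(src)
        if n is None:
            return ("reject", "exhausted")
        return ("call", n)


def simulate(flood_size=40_000):
    """Replay the same flood of first-contact messages against both pools.
    The flooded sources are constructed TEST-NET-2 addresses that never
    answer the challenge; one genuine peer does."""
    key = os.urandom(32)
    naive = NaivePool()
    hardened = TokenValidatingPool(key)
    now = 1_000_000.0

    for i in range(flood_size):
        src = f"198.51.100.{i % 256}:{4569 + i // 256}"
        naive.new_call(src)
        hardened.new_call(src, now=now)  # receives a challenge, nothing more

    genuine = "203.0.113.10:4569"  # constructed TEST-NET-3 address
    kind, tok = hardened.new_call(genuine, now=now)
    assert kind == "challenge"
    return {
        "naive_free": len(naive.free),
        "naive_genuine_call": naive.new_call(genuine),
        "hardened_genuine_call": hardened.new_call(genuine, token=tok, now=now),
        "hardened_free": len(hardened.free),
    }


if __name__ == "__main__":
    print(simulate())
```

Running the module shows the naive pool with zero free numbers and the genuine peer refused, while the hardened pool still has every number but the one the genuine peer was given. The per-source cap is the second half of the defence: a peer that does answer challenges, and so is at least reachable, still cannot take the whole pool for itself.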

+--------------------------------------------------------------------+
|                         Affected Versions                          |
|--------------------------------------------------------------------|
|           Product            | Release Series |                    |
|------------------------------+----------------+--------------------|
| Asterisk Open Source         |     1.2.x      | All versions       |
|------------------------------+----------------+--------------------|
| Asterisk Open Source         |     1.4.x      | All versions       |
|------------------------------+----------------+--------------------|
| Asterisk Open Source         |     1.6.x      | All versions       |
|------------------------------+----------------+--------------------|
| Asterisk Business Edition    |     B.x.x      | All versions       |
|------------------------------+----------------+--------------------|
| Asterisk Business Edition    |     C.x.x      | All versions       |
|------------------------------+----------------+--------------------|
| s800i (Asterisk Appliance)   |     1.3.x      | All versions       |
+--------------------------------------------------------------------+

+---------------------------------------------------+
|                   Corrected In                    |
|---------------------------------------------------|
|           Product            |      Release       |
|------------------------------+--------------------|
| Asterisk Open Source         |       1.2.35       |
|------------------------------+--------------------|
| Asterisk Open Source         |      1.4.26.2      |
|------------------------------+--------------------|
| Asterisk Open Source         |      1.6.0.15      |
|------------------------------+--------------------|
| Asterisk Open Source         |       1.6.1.6      |
|------------------------------+--------------------|
| Asterisk Business Edition    |      B.2.5.10      |
|------------------------------+--------------------|
| Asterisk Business Edition    |       C.2.4.3      |
|------------------------------+--------------------|
| Asterisk Business Edition    |       C.3.1.1      |
|------------------------------+--------------------|
| s800i (Asterisk Appliance)   |       1.3.0.3      |
+---------------------------------------------------+
