Thursday, 20 November 2008
 
ISS IAX2 DoS Vulnerability Response
Thursday, 20 July 2006
Recently, ISS posted a report about a Denial of Service vulnerability in Asterisk's IAX2 implementation. This vulnerability exists in all existing IAX2 implementations that accept incoming calls (not just Asterisk), and relates to the amount of time that a pending (but not yet authenticated) call is allowed to exist in memory on the server.

In response to this report, we recently released Asterisk 1.2.10, which provides a configuration option that the administrator can use to combat this activity. This option is called 'maxauthreq' and is available at the global level and for type=user entries in iax.conf (it is not needed for type=peer entries, since peers cannot place calls into the Asterisk server). Since this is a release branch of Asterisk, we were not comfortable changing the default behavior, so this new option defaults to zero, which means there is no limit in place.
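Because the option defaults to zero, an upgraded server stays unlimited until someone sets it. The following audit sketch is an added example, not code from Asterisk or from the original article: it lists the caller entries in an iax.conf whose effective maxauthreq is still 0. The sample file, the entry names, and the values are constructed. It assumes the global level is the [general] section, that a per-entry value overrides the global one, and that type=friend entries count as users; templates and #include are not handled.

```python
import re

# Constructed sample iax.conf (not from the original page); names and values are illustrative.
SAMPLE_IAX_CONF = """\
[general]
bindport=4569
; maxauthreq not set here, so the global default (0 = no limit) applies

[alice]
type=user
secret=example
maxauthreq=5

[bob]
type=user
secret=example

[trunk-out]
type=peer
host=192.0.2.10
"""

def parse_sections(text):
    """Parse Asterisk-style config text into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        m = re.match(r"\[([^\]]+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # also accepts 'key => value'
            current[key.strip().lower()] = value.strip().lstrip(">").strip()
    return sections

def unlimited_auth_users(text):
    """Return names of caller entries whose effective maxauthreq is 0 (no limit)."""
    sections = parse_sections(text)
    global_limit = int(sections.get("general", {}).get("maxauthreq", 0))
    flagged = []
    for name, opts in sections.items():
        # type=peer is skipped: per the text, peers cannot place calls into the server.
        # Assumption: type=friend also acts as a user entry.
        if opts.get("type", "").lower() not in ("user", "friend"):
            continue
        if int(opts.get("maxauthreq", global_limit)) == 0:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    print(unlimited_auth_users(SAMPLE_IAX_CONF))
```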
 

© 2008 Intellect Information Technology Pty Ltd, Melbourne, Australia.
