----- Original Message -----
From: "Kevin P. Fleming" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, July 20, 2006 1:08 AM
Subject: [Asterisk-Security] ISS IAX2 DoS Vulnerability Response

[...]
If the user
attempts to place more calls than are allowed with providing
authentication information for some of them, the additional requests
will be denied without requesting authentication information and without
preserving the call information in memory for the normal period of time.

In the Asterisk 1.4 release which will be coming soon, this option will
default to three for all installations, and the administrator will need
to override it to allow more simultaneous unauthenticated calls.

Why "unauthenticated"? This appears to contradict what is said in the
previous sentence, where the restriction is said to apply only to calls
placed providing authentication information. If a call specifies a user for
which no authentication is required (such as "guest") it can't be used for
DoS purposes.

Enzo

