On 07/26/2011 02:09 PM, CDR wrote:
Only way to cope with hackers would be that Digium comes to its senses and accepts to disable any response to a REGISTER whose username is unknown. I cannot think of a good reason why Digium finds this proposal unacceptable, given the onslaught of hacking that we are seeing in the industry. It may take a single line of code and it would save millions of $$$. Not only because the hackers will never get in, but because we would save a huge CPU impact responding to hundreds of REGISTER attempts per minute. It is a NO brainer. Can please the Powers that Be reconsider and add this option to sip.conf? Please?
No, because that's absolutely ridiculous. The proper, RFC-compliant behaviour is to return an authentication failure in response to invalid credentials. This mechanism is relied upon for legitimate functionality, such as letting the UAs of intended users know that they are sending incorrect credentials.
As was pointed out before, Asterisk is a mostly application-level construct. Applications usually have some rudimentary means of self-defense such as ACLs, but applications are often conceptually distinct from the most appropriate means of securing them. That's what firewalls, SBCs, intrusion detection systems, etc. are for.
Your position is equivalent to saying that stock SSH should not return authentication errors for invalid passwords. The proper solution to dictionary attacks is to firewall the SSH service, use RSA keys, VPNs, etc., not to tell the maintainers of the OpenSSH project to come to its senses.
-- Alex Balashov - Principal Evariste Systems LLC 260 Peachtree Street NW Suite 2200 Atlanta, GA 30303 Tel: +1-678-954-0670 Fax: +1-404-961-1892 Web: http://www.evaristesys.com/ -- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
