[ISN] Asterisk VoIP platform open to DDoS attacks, security firm says

From: InfoSec News (alerts@private)
Date: Mon Jul 17 2006 - 22:45:25 PDT


http://www.networkworld.com/news/2006/071706-asterisk.html

By Phil Hochmuth
NetworkWorld.com
07/17/06 

A flaw in the Asterisk IP PBX platform reported last week could result in 
a denial-of-service attack that would disrupt a business' VoIP or 
VoIP-to-PSTN gateway service.

Asterisk is an open-source IP telephony and messaging platform that runs 
on Linux, BSD and MacOSX servers, and can be used as a complete office 
phone system, or to add IP-enabled services such as messaging or gateways 
to a mixed TDM/IP phone network. A vulnerability in the Inter-Asterisk 
eXchange protocol version 2 (IAX2)  used by Asterisk servers to set up and 
manage calls could be used to flood an Asterisk IP PBX with bogus calls 
and make the phone system unavailable, according to the Internet Security 
Systems (ISS) X-Force Threat Analysis Service, which discovered the bug.

Using a method which ISS calls "somewhat analogous to a SYN flood," an 
attacker, with knowledge of a valid user name on an Asterisk system, could 
generate enough unauthenticated call requests to overwhelm the Asterisk IP 
PBX, ISS says. A remote attacker could do this from a single PC or server, 
the security company says. Networks that use Asterisk boxes as gateways 
between a TDM and VoIP network could also be attacked via this method.

ISS says there is a setting in the Asterisk software which can limit the 
number of simultaneous unauthenticated call requests the Asterisk server 
will try to handle and resolve. Changing this setting to the lowest number 
of unauthenticated calls will fix the vulnerability, ISS says.

A fixed version of the software is also available from asterisk.org, which 
maintains the open-source platform, as well as from Digium, a company 
which sells service and support for Asterisk-based phone systems.

All contents copyright 1995-2006 Network World, Inc.


_________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.
www.blackhat.com



This archive was generated by hypermail 2.1.3 : Mon Jul 17 2006 - 22:50:31 PDT