System information

an extension to the dialplan that runs the System() application, allowing it to execute arbitrary shell commands as the user the Asterisk process runs as. If the account can also originate calls, it can originate a call to that extension, and the command is executed. Be careful when opening up AMI access on your system, and restrict the permissions granted to each account in /etc/asterisk/manager.conf.
Tip #9: Secure Asterisk network APIs. Use firewall rules to restrict access to your FastAGI server. Use TLS encryption on the AMI. Grant each AMI account only the read and write permission classes it actually needs.
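The following is an added example of what Tip #9 looks like in /etc/asterisk/manager.conf; it is not taken from the book or from the Asterisk project's sample configuration. It places a permissive account beside two restricted ones. The source addresses 192.0.2.10 and 192.0.2.20, the certificate and key paths, the account names and the secrets are assumptions; the "originate" permission class is assumed to be available (Asterisk 1.8 and later).

```ini
[general]
enabled = yes
; Plain-text AMI only on loopback; remote clients must use the TLS listener
bindaddr = 127.0.0.1
port = 5038
tlsenable = yes
tlsbindaddr = 0.0.0.0:5039
tlscertfile = /etc/asterisk/keys/ami.pem      ; assumed path
tlsprivatekey = /etc/asterisk/keys/ami.key    ; assumed path

; Weak: reachable from anywhere, full read and write access, including the
; "system" class that permits running shell commands through Originate
[monitor-weak]
secret = monitor
deny = 0.0.0.0/0.0.0.0
permit = 0.0.0.0/0.0.0.0
read = all
write = all

; Restricted: one source address, read-only event classes, no write line,
; so no manager actions at all
[monitor]
secret = use-a-long-random-secret-here
deny = 0.0.0.0/0.0.0.0
permit = 192.0.2.10/255.255.255.255
read = call,cdr

; Click-to-dial account: may originate calls but cannot touch the
; "system", "config" or "command" classes
[dialer]
secret = another-long-random-secret
deny = 0.0.0.0/0.0.0.0
permit = 192.0.2.20/255.255.255.255
read = call
write = originate
```

The deny line for the whole address space comes first and the permit line then opens a single host; without the deny, a permit entry alone does not restrict anything. Keeping "system" out of an account's write list matters even for an account that is allowed to originate, because Asterisk checks the "system" class before it will originate a call directly into System() or other shell-capable applications.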
IAX2 Denial of Service
While SIP is a text-based protocol, IAX2 is a binary encoded protocol, standardized in RFC 5456. Every IAX2 packet carries a call number that associates the packet with an active call; this is analogous to the Call-ID header in SIP. An IAX2 call number is a 15-bit field, which is large enough for the number of calls that will be practical on one system. Unfortunately, it is also small enough that an attacker can easily send a burst of small packets (over UDP, so with spoofed source addresses if desired) that consumes every available call number on the system for a short period, resulting in a denial of service.
The IAX2 support in Asterisk has been modified to protect automatically against this type of attack. This protection, referred to as call token support, requires a three-way handshake to complete before a call number is allocated, so a request from a spoofed source address never obtains one. However, older versions of Asterisk and some non-Asterisk IAX2 implementations may not support it, so a number of options let you tweak the behavior.
By default, the security mechanisms are enabled and no configuration changes are required. If for some reason you would like to disable call token support completely, you can do so with the following configuration in /etc/asterisk/iax.conf:
[general]
calltokenoptional = 0.0.0.0/0.0.0.0
maxcallnumbers = 16382
With the default configuration, a host that passes the call token exchange can still consume the call number table. The call token exchange ensures that call numbers are allocated only once we know the request did not arrive with a spoofed source IP address. Once a request is known to be legitimate, enforcing resource limits per host becomes achievable. Consider the following options in iax.conf:
[general]
; Set the default call number limit per host
maxcallnumbers = 16
[callnumberlimits]
; Set a different call number limit for all hosts in a
; specified range.
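As an added example, separate from the book's own fragment above and not from the Asterisk project's sample file, here is a complete iax.conf that keeps call token support enabled and layers the per-host limits on top of it. The subnets 192.0.2.0/24 and 198.51.100.0/24, the peer name, the host address and the limit values are assumptions chosen for illustration.

```ini
[general]
; Leave call token support enabled (the default). Only hosts that cannot
; complete the three-way handshake belong here, never 0.0.0.0/0.0.0.0,
; which would disable the protection for everyone.
calltokenoptional = 192.0.2.0/255.255.255.0
; Per-host cap for hosts that passed the call token exchange
maxcallnumbers = 16
; Per-host cap for the exempted hosts, whose source addresses cannot be
; validated, so keep this low as well
maxcallnumbers_nonvalidated = 64

[callnumberlimits]
; A trusted trunk range that legitimately carries many concurrent calls
; gets more headroom than the 16 allowed by default (assumed range)
198.51.100.0/255.255.255.0 = 1024

; A peer on the exempted subnet that still cannot do call tokens;
; "auto" attempts the handshake first and only then falls back
[legacy-trunk]
type = friend
host = 192.0.2.5
requirecalltoken = auto
```

The two per-host caps are what bound the damage: an attacker who can pass the handshake is limited to maxcallnumbers entries per source address, and an attacker spoofing an address inside the calltokenoptional range is limited to maxcallnumbers_nonvalidated, so neither can empty the 15-bit call number space on their own.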