Asterisk users need to patch DoS bug

Asterisk users need to get busy with a patch. In September, the popular open-source IP PBX project advised users to switch off its “overlap dialling” feature to dodge a possible denial-of-service (DoS) vulnerability. Overlap dialling is designed to reduce call setup time, by letting the system start looking for destinations …

  1. Anonymous Coward

    Doesn't affect IAX2

    SIP n RTP are only one way to "do" VoIP. There are other protocols available.

    Also, if you consider VoIP traffic as having a potentially serious value - eg if someone breaks in and gets your PBX to dial their premium rate number - then you treat it as such. VPNs, encryption and firewall allow rules from/to suppliers/partners etc should be the norm.

  2. Sgt_Oddball

    this gives me an idea.. .

    Does anyone know if Asterisk is used for auto dialers as well?

    In which case does this mean PPI claims lines can be DDoS'd? In which case does this have to be fixed? Just playing devil's advocate here.

    1. Chewi

      Re: this gives me an idea.. .

      It is used in VICIdial, which in turn is used by GOautodial. I think they may still be on 1.8 though.

  3. TrevorH

    1.8 is also affected but out of support so there is no upstream fix.

  4. Christian Berger

    Asterisk has lots of those bugs

    For example if you don't ACK the "200 OK", the call will be left open in a half open stage, and there are ways to leave a call open in the "ringing" state without it closing on a timeout.

    Essentially if you have an Asterisk server and you run lots of calls from lots of different (usually broken) devices through it, it _will_ crash eventually. While it is certainly among the best VoIP software packages, it's certainly not good.
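
The un-ACKed "200 OK" case from the last comment, seen from the monitoring side, as an added example that is not part of the original thread or of Asterisk: it scans SIP message heads and lists answered INVITEs whose ACK never arrived. The event tuple format, all names and the sample traffic are assumptions constructed for illustration; the 32-second deadline is 64*T1 with RFC 3261's default timers.

```python
import re

ACK_DEADLINE = 32.0  # seconds: 64*T1 with RFC 3261's default T1 of 500 ms
CALL_ID = re.compile(r"^(?:Call-ID|i)\s*:\s*(\S+)", re.I | re.M)  # "i" = compact form
CSEQ = re.compile(r"^CSeq\s*:\s*(\d+)\s+(\w+)", re.I | re.M)

def parse(raw):
    """Return (kind, (call_id, cseq_number), cseq_method), or None if malformed."""
    first = raw.split("\r\n", 1)[0].split()
    cid, cseq = CALL_ID.search(raw), CSEQ.search(raw)
    if len(first) < 2 or not cid or not cseq:
        return None
    kind = first[1] if first[0].startswith("SIP/") else first[0].upper()
    return kind, (cid.group(1), int(cseq.group(1))), cseq.group(2).upper()

def unacked_dialogs(events, now):
    """List (call_id, caller_ip, age_seconds) for 2xx-answered INVITEs never ACKed."""
    callers, answered, acked = {}, {}, set()
    for ts, src, raw in events:
        kind, key, method = parse(raw) or ("", None, "")  # malformed: ignored
        if kind == "INVITE":
            callers.setdefault(key, src)
        elif kind.isdigit() and kind[0] == "2" and method == "INVITE" and key not in acked:
            answered.setdefault(key, ts)  # first 2xx; retransmissions keep its time
        elif kind == "ACK":
            acked.add(key)                # ACK to a 2xx reuses the INVITE's CSeq number
            answered.pop(key, None)
    return sorted((key[0], callers.get(key, "unknown"), now - ts)
                  for key, ts in answered.items() if now - ts > ACK_DEADLINE)

def msg(start_line, call_id, cseq, cid_header="Call-ID"):
    return f"{start_line}\r\n{cid_header}: {call_id}\r\nCSeq: {cseq}\r\n\r\n"

INV, OK, ACK = "INVITE sip:100@pbx.example SIP/2.0", "SIP/2.0 200 OK", "ACK sip:100@pbx.example SIP/2.0"
PBX, GOOD, BAD = "192.0.2.10", "198.51.100.7", "203.0.113.50"
SAMPLE = [  # constructed capture: (seconds, source IP, message), documentation addresses
    (0.0, GOOD, msg(INV, "a1", "1 INVITE")),
    (0.5, PBX, msg(OK, "a1", "1 INVITE")),
    (1.0, GOOD, msg(ACK, "a1", "1 ACK")),            # normal call, ACKed
    (1.0, BAD, msg(INV, "b2", "7 INVITE")),
    (1.5, PBX, msg(OK, "b2", "7 INVITE")),
    (2.0, PBX, msg(OK, "b2", "7 INVITE")),           # 200 retransmitted, still no ACK
    (2.0, BAD, msg(INV, "c3", "1 INVITE", "i")),
    (2.5, PBX, msg(OK, "c3", "1 INVITE", "i")),      # never ACKed
    (50.0, GOOD, msg(INV, "d4", "1 INVITE")),
    (50.5, PBX, msg(OK, "d4", "1 INVITE")),          # answered, still inside the deadline
]
```

`unacked_dialogs(SAMPLE, now=60.0)` returns the two dialogs opened from 203.0.113.50; grouping the result by caller IP gives a per-source count that can feed an alert or a firewall rule.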
