LinuxQuestions.org
Old 11-07-2010, 02:07 AM   #1
depam
Member
 
Registered: Sep 2005
Posts: 861

Rep: Reputation: 30
Need advice from Asterisk expert


Hi,

I am seeking advice from an Asterisk expert. I have a VoIP Asterisk server configured in my house. It is not a full-blown Trixbox server but a low-power-consumption IP04 box that runs Asterisk and VOIPGUI with 1 FXO port. During the first installation, all seemed okay, but nowadays I see from my log numerous denial of service attacks coming from different IP addresses on the SIP protocol.

It seems that the attacker/s try to do a SIP registration and authentication using different SIP extensions. It started with extension 1 and went on to whatever extension it sees as valid. It tries to use different passwords and it looks like a brute force to me.

This caused my network to be congested, and other services are obviously affected, to the point that my Asterisk server will hang and need to be restarted. I am planning to disable the SIP protocol, close port 5060 and just use IAX.

Now, my question is: is IAX2 a better solution than SIP? How secure is IAX2 compared to SIP, and will I be assured that this kind of denial of service attacks in SIP?
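Added example, not part of the post above: one way to confirm from the Asterisk log that the traffic described is extension scanning and password guessing. It groups chan_sip's "Registration from ... failed for ..." notices by source address. The log lines are constructed, and the thresholds are assumptions to tune for your own site.

```python
import re
from collections import defaultdict

# Message format chan_sip logs for a rejected REGISTER; newer versions append
# ":port" to the source address, older ones do not (IPv4 only in this sketch).
FAILED = re.compile(
    r"^\[[^\]]+\] NOTICE\[\d+\] chan_sip\.c: Registration from '(?P<sender>.*)' "
    r"failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.+)$"
)
EXTENSION = re.compile(r"<sip:(?P<ext>[^@>]+)@")

# Constructed sample log (documentation addresses, not real hosts).
_LINE = ("[2010-11-07 02:0{n}:00] NOTICE[1391] chan_sip.c: Registration from "
         "'\"{ext}\" <sip:{ext}@192.0.2.10>' failed for '{ip}' - {why}")
SAMPLE_LOG = "\n".join(
    [_LINE.format(n=n, ext=e, ip="198.51.100.23", why="No matching peer found")
     for n, e in enumerate("1234")]
    + [_LINE.format(n=n, ext="100", ip="203.0.113.77", why="Wrong password")
       for n in range(4, 9)]
    + [_LINE.format(n=9, ext="101", ip="192.0.2.50", why="Wrong password")]
)

def summarize(log_text):
    """Group failed registrations by source IP."""
    stats = defaultdict(lambda: {"attempts": 0, "extensions": set(), "wrong_password": 0})
    for m in filter(None, map(FAILED.match, log_text.splitlines())):
        entry = stats[m["ip"]]
        entry["attempts"] += 1
        ext = EXTENSION.search(m["sender"])
        if ext:
            entry["extensions"].add(ext["ext"])
        if m["reason"].strip() == "Wrong password":
            entry["wrong_password"] += 1
    return dict(stats)

def flag(stats, max_extensions=3, max_wrong_password=5):
    """Return {ip: [reasons]} for sources that look like scanning or guessing."""
    findings = {}
    for ip, entry in stats.items():
        checks = [("extension enumeration", len(entry["extensions"]) >= max_extensions),
                  ("password guessing", entry["wrong_password"] >= max_wrong_password)]
        reasons = [name for name, hit in checks if hit]
        if reasons:
            findings[ip] = reasons
    return findings

print(flag(summarize(SAMPLE_LOG)))
```

A single mistyped password, like the one from 192.0.2.50 in the sample, stays below both thresholds and is not flagged.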
 
Old 11-13-2010, 08:22 PM   #2
wargus
Member
 
Registered: Mar 2010
Location: Switzerland
Distribution: Slackware
Posts: 98

Rep: Reputation: 23
Hi

Found the following part of an email from Mark Spencer, developer of IAX, about an IAX vs. SIP discussion in a German Asterisk book. Translated some comments and the footnotes from German to English:

Quote:
[...] let me summarize some differences between SIP and IAX, and it might help you make a decision about what is best for you.

1) IAX is more efficient on the wire than RTP for *any* number of calls, *any* codec. The benefit is anywhere from 2.4k[235] for a single call to approximately tripling the number of calls per megabit for G.729 when measured to the MAC[236] level when running trunk mode.

2) IAX is information-element encoded rather than ASCII encoded. This makes implementations substantially simpler and more robust to buffer overrun attacks since absolutely no text parsing or interpretation is required. The IAXy runs its entire IP stack, IAX stack, TDM interface, echo canceller, and callerid generation in 4k of heap and stack and 64k of flash. Clearly this demonstrates the implementation efficiency of its design. The size of IAX signalling packets is phenomenally smaller than those of SIP, but that is generally not a concern except with large numbers of clients frequently registering. Generally speaking, IAX2 is more efficient in its encoding, decoding and verifying information, and it would be extremely difficult for an author of an IAX implementation to somehow be incompatible with another implementation since so little is left to interpretation.[237]

3) IAX has a very clear layer2 and layer3 separation, meaning that both signalling and audio have defined states, are robustly transmitted in a consistent fashion, and that when one end of the call abruptly disappears, the call WILL terminate in a timely fashion, even if no more signalling and/or audio is received. SIP does not have such a mechanism, and its reliability from a signalling perspective is obviously very poor and clumsy requiring additional standards beyond the core RFC3261[238].

4) IAX's unified signalling and audio paths permit it to transparently navigate NAT's and provide a firewall administrator only a *single* port to have to open to permit its use. It requires an IAX client to know absolutely nothing about the network that it is on to operate. More clearly stated, there is *never* a situation that can be created with a firewall in which IAX can complete a call and not be able to pass audio (except of course if there was insufficient bandwidth).

5) IAX's authenticated transfer system allows you to transfer audio and call control off a server-in-the-middle in a robust fashion such that if the two endpoints cannot see one another for any reason, the call continues through the central server.

6) IAX clearly separates Caller*ID from the authentication mechanism of the user. SIP does not have a clear method to do this unless Remote-Party-ID is used.

7) SIP is an IETF standard. While there is some fledgling documentation courtesy Frank Miller, IAX is not a published standard at this time.[239]

8) IAX allows an endpoint to check the validity of a phone number to know whether the number is complete, may be complete, or is complete but could be longer. There is no way to completely support this in SIP.[240]

9) IAX always sends DTMF out of band so there is never any confusion about what method is used.

10) IAX supports transmission of language and context, which are useful in an Asterisk environment.

That's pretty much all that comes to mind at the moment.

Mark

But he also defends SIP in a way:

Quote:
But I guess there must be some advantages to SIP (or we should call the writers of it stupid).

So here a few questions to elaborate how IAX handles:

1) Bandwidth indications

2) New codecs

3) extensibility

4) Call Hold and other complex scenarios

5) Video telephone

I have got the impression this has all been better arranged in SIP

The notes I translated:

Quote:

[235] Note: kbit/s.

[236] Note: Ethernet.

[237] Note: Ironically there were (small) incompatibilities of the IAX implementations between Asterisk versions 1.2, 1.4 and 1.6

[238] Note: RFC 3261 (http://tools.ietf.org/html/rfc3261)

[239] Note: Since February 2009, IAX standard described in RFC 5456 (http://www.rfc-editor.org/authors/rfc5456.txt)

[240] Note: This is no more true.
Hope that helps
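Added example, not part of the post above and not code from Asterisk or from the quoted email: point 2 of the email sketched as a parser for IAX2 information elements as laid out in RFC 5456 (one type octet, one length octet, then the data). The payloads are constructed; the length comparison is the one bounds check such a binary parser still has to get right.

```python
# Subset of the information element (IE) type codes defined in RFC 5456.
IE_NAMES = {
    0x01: "CALLED NUMBER",
    0x05: "CALLED CONTEXT",
    0x06: "USERNAME",
    0x0A: "LANGUAGE",
    0x0B: "VERSION",
}

class MalformedIE(ValueError):
    """Raised when an IE header or its declared length runs past the frame."""

def parse_ies(payload: bytes):
    """Walk the IE list of a full frame and return [(name, data), ...]."""
    elements, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise MalformedIE("truncated IE header at offset %d" % pos)
        ie_type, length = payload[pos], payload[pos + 1]
        pos += 2
        # The declared length comes from the peer: never read past the frame.
        if length > len(payload) - pos:
            raise MalformedIE("IE 0x%02x claims %d octets, %d remain"
                              % (ie_type, length, len(payload) - pos))
        name = IE_NAMES.get(ie_type, "0x%02x" % ie_type)
        elements.append((name, payload[pos:pos + length]))
        pos += length
    return elements

def is_well_formed(payload: bytes) -> bool:
    try:
        parse_ies(payload)
        return True
    except MalformedIE:
        return False

# Constructed payloads: a valid IE list, and one whose length octet lies.
GOOD = b"\x06\x05alice" + b"\x01\x03100" + b"\x0a\x02en" + b"\x0b\x02\x00\x02"
BAD = b"\x06\x20alice"  # USERNAME claims 32 octets, only 5 follow

print(parse_ies(GOOD), is_well_formed(BAD))
```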


 
  

