Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I am seeking advice from an Asterisk expert. I do have a VOIP Asterisk server configured in my house. It is not a full blown Trixbox server but a low power consumption IP04 box that runs Asterisk and VOIPGUI with 1 FXO port. During the first installation, all seemed okay, but nowadays I see from my log that numerous denial of service attacks are coming from different IP addresses on the SIP protocol.
It seems that the attacker/s will try to do a SIP registration and authentication using different SIP extensions. It started as extension 1 to whatever extension it sees valid. It tries to use different passwords and it looks like a brute force to me.
This caused my network to be congested and other services are obviously affected to the point that my Asterisk server will hang and need to be restarted. I am planning to disable the SIP protocol and close port 5060 and just use IAX.
Now, my question is: is IAX2 a better solution than SIP? How secure is IAX2 compared to SIP and will I be assured that this kind of denial of service attacks in SIP?
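The registration brute force described in the post above can be measured from the Asterisk log before deciding what to block. This is an added example, not part of the original post; it assumes chan_sip's "Registration from ... failed for ..." notice format, and the log lines and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines, written in the style of chan_sip's
# failed-registration notices (assumed format; compare with your own log).
SAMPLE_LOG = """\
[2011-05-01 10:00:01] NOTICE[1203] chan_sip.c: Registration from '"1" <sip:1@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[2011-05-01 10:00:02] NOTICE[1203] chan_sip.c: Registration from '"2" <sip:2@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[2011-05-01 10:00:03] NOTICE[1203] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[2011-05-01 10:00:04] NOTICE[1203] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.7:5071' - Wrong password
[2011-05-01 10:03:40] NOTICE[1203] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.20' - Wrong password
[2011-05-01 10:04:00] VERBOSE[1203] logger.c: -- Registered SIP '101' at 203.0.113.20 port 5060
"""

# The display name is skipped; extension, source IP and reason are captured.
FAILED = re.compile(
    r"Registration from '[^<]*<sip:(?P<ext>[^@>]+)@[^>]*>' "
    r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<why>.+)$"
)

def summarize(log_text):
    """Per source IP: number of failures, extensions tried, failure reasons."""
    stats = defaultdict(lambda: {"failures": 0, "extensions": set(), "reasons": set()})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m is None:
            continue  # not a failed registration
        entry = stats[m["ip"]]
        entry["failures"] += 1
        entry["extensions"].add(m["ext"])
        entry["reasons"].add(m["why"].strip())
    return dict(stats)

def suspects(stats, min_failures=3, min_extensions=2):
    """IPs that fail often or walk through several extensions."""
    return sorted(
        ip for ip, s in stats.items()
        if s["failures"] >= min_failures or len(s["extensions"]) >= min_extensions
    )

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip in suspects(stats):
        s = stats[ip]
        print(ip, s["failures"], sorted(s["extensions"]), sorted(s["reasons"]))
```

A single mistyped password, like the one from 203.0.113.20 in the sample, stays below both thresholds, while the address that walks extensions 1, 2 and 100 is flagged.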
Found the following part of an email from Mark Spencer, developer of IAX, about an IAX vs. SIP discussion in a German Asterisk book. Translated some comments and the footnotes from German to English:
Quote:
[...] let me summarize some differences between SIP and IAX, and it might help you make a decision about what is best for you.
1) IAX is more efficient on the wire than RTP for *any* number of calls, *any* codec. The benefit is anywhere from 2.4k[235] for a single call to approximately tripling the number of calls per megabit for G.729 when measured to the MAC[236] level when running trunk mode.
2) IAX is information-element encoded rather than ASCII encoded. This makes implementations substantially simpler and more robust to buffer overrun attacks since absolutely no text parsing or interpretation is required. The IAXy runs its entire IP stack, IAX stack, TDM interface, echo canceller, and callerid generation in 4k of heap and stack and 64k of flash. Clearly this demonstrates the implementation efficiency of its design. The size of IAX signalling packets is phenomenally smaller than those of SIP, but that is generally not a concern except with large numbers of clients frequently registering. Generally speaking, IAX2 is more efficient in its encoding, decoding and verifying information, and it would be extremely difficult for an author of an IAX implementation to somehow be incompatible with another implementation since so little is left to interpretation.[237]
3) IAX has a very clear layer2 and layer3 separation, meaning that both signalling and audio have defined states, are robustly transmitted in a consistent fashion, and that when one end of the call abruptly disappears, the call WILL terminate in a timely fashion, even if no more signalling and/or audio is received. SIP does not have such a mechanism, and its reliability from a signalling perspective is obviously very poor and clumsy requiring additional standards beyond the core RFC3261[238].
4) IAX's unified signalling and audio paths permit it to transparently navigate NATs and provide a firewall administrator only a *single* port to have to open to permit its use. It requires an IAX client to know absolutely nothing about the network that it is on to operate. More clearly stated, there is *never* a situation that can be created with a firewall in which IAX can complete a call and not be able to pass audio (except of course if there was insufficient bandwidth).
5) IAX's authenticated transfer system allows you to transfer audio and call control off a server-in-the-middle in a robust fashion such that if the two endpoints cannot see one another for any reason, the call continues through the central server.
6) IAX clearly separates Caller*ID from the authentication mechanism of the user. SIP does not have a clear method to do this unless Remote-Party-ID is used.
7) SIP is an IETF standard. While there is some fledgling documentation courtesy Frank Miller, IAX is not a published standard at this time.[239]
8) IAX allows an endpoint to check the validity of a phone number to know whether the number is complete, may be complete, or is complete but could be longer. There is no way to completely support this in SIP.[240]
9) IAX always sends DTMF out of band so there is never any confusion about what method is used.
10) IAX supports transmission of language and context, which are useful in an Asterisk environment.
That's pretty much all that comes to mind at the moment.
Mark
But he also defends SIP in a way:
Quote:
But I guess there must be some advantages to SIP (or we should call the writers of it stupid).
So here are a few questions to elaborate how IAX handles:
1) Bandwidth indications
2) New codecs
3) extensibility
4) Call Hold and other complex scenarios
5) Video telephone
I have got the impression this has all been better arranged in SIP.
The notes I translated:
Quote:
[235] Note: kbit/s.
[236] Note: Ethernet.
[237] Note: Ironically there were (small) incompatibilities of the IAX implementations between Asterisk versions 1.2, 1.4 and 1.6.
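Point 2 of the quoted email describes IAX as information-element encoded rather than text encoded. The following added example (not from the post, the email or Asterisk's code) parses such elements, assuming the one-octet type, one-octet length, data layout and the IE numbers of RFC 5456; the payloads are constructed. The length comparison is the one place where a parser of this format has to guard against reading past the packet.

```python
import struct

# Subset of IE numbers as assigned in RFC 5456 (assumption: not from the page).
IE_USERNAME, IE_REFRESH = 0x06, 0x13

class MalformedIE(ValueError):
    """Raised when an element claims more bytes than the packet holds."""

def parse_ies(payload: bytes):
    """Split the IE section of a frame into (type, data) pairs."""
    ies, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise MalformedIE(f"truncated IE header at offset {pos}")
        ie_type, length = payload[pos], payload[pos + 1]
        pos += 2
        if length > len(payload) - pos:
            raise MalformedIE(f"IE 0x{ie_type:02x} claims {length} octets, "
                              f"{len(payload) - pos} remain")
        ies.append((ie_type, payload[pos:pos + length]))
        pos += length
    return ies

def decode_registration(payload: bytes):
    """Extract username and refresh interval, validating each field's size."""
    fields = {}
    for ie_type, data in parse_ies(payload):
        if ie_type == IE_USERNAME:
            fields["username"] = data.decode("utf-8", errors="replace")
        elif ie_type == IE_REFRESH:
            if len(data) != 2:
                raise MalformedIE("REFRESH must be exactly 2 octets")
            fields["refresh"] = struct.unpack("!H", data)[0]
        # Any other IE is skipped by its length; nothing is interpreted.
    return fields

# Constructed payloads: USERNAME "1000", REFRESH 60, and an element with an
# unassigned number (0x7f) standing in for an IE this parser does not know.
GOOD = bytes([0x06, 4]) + b"1000" + bytes([0x13, 2, 0x00, 0x3C]) + bytes([0x7F, 1, 0xAA])
# Constructed malformed payload: USERNAME claims 16 octets, only 2 follow.
BAD = bytes([0x06, 16]) + b"10"

if __name__ == "__main__":
    print(decode_registration(GOOD))
    try:
        decode_registration(BAD)
    except MalformedIE as exc:
        print("rejected:", exc)
```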