- Market surges, Gates predicts 9% unemployment
- Obama the first presidential hopeful to advertise in games
- Microsoft reveals critical holes in Active Directory
- BlackBerry Storm vs. the iPhone
- How will economy affect network equipment vendors?
Newsletters | Podcasts | Chats | Opinions | RSS Feeds | This Week In Print | IT Careers | Community | Reports | Downloads | Slideshows | New Data Center
Partner Sites:Application Performance Solutions | App Performance | Networking Solution | SafeGuard Enterprise Solution Center | SOA | Test your Web Filter | Value of WDS
A flaw in the Asterisk IP PBX platform reported last week could result in a denial-of-service attack that would disrupt a business' VoIP or VoIP-to-PSTN gateway service.
Asterisk is an open-source IP telephony and messaging platform that runs on Linux, BSD and Mac OSX servers, and can be used as a complete office phone system, or to add IP-enabled services - such as messaging or gateways - to a mixed TDM/IP phone network. A vulnerability in the Inter-Asterisk eXchange protocol version 2 (IAX2) - used by Asterisk servers to set up and manage calls - could be used to flood an Asterisk IP PBX with bogus calls and make the phone system unavailable, according to the Internet Security Systems (ISS) X-Force Threat Analysis Service, which discovered the bug.
Using a method which ISS calls "somewhat analogous to a SYN flood," an attacker, with knowledge of a valid user name on an Asterisk system, could generate enough unauthenticated call requests to overwhelm the Asterisk IP PBX, ISS says. A remote attacker could do this from a single PC or server, the security company says. Networks that use Asterisk boxes as gateways between a TDM and VoIP network could also be attacked via this method.
ISS says there is a setting in the Asterisk software which can limit the number of simultaneous unauthenticated call requests the Asterisk server will try to handle and resolve. Changing this setting to the lowest number of unauthenticated calls will fix the vulnerability, ISS says.
A fixed version of the software is also available from asterisk.org, which maintains the open-source platform, as well as from Digium, a company which sells service and support for Asterisk-based phone systems.
Rss FeedRss Feed
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com | The Industry Standard | IDG List Services | IDG TechNetwork |
 |
Copyright © 1994-2008 Network World, Inc. All rights reserved. |
Partner Content
Brilliantly simple security and control solutions for email, web and endpoint
www.sophos.com
Stopping data leakage
Learn how to exploit your current security investment to control the information that flows into, through and out of your network.
Download the white paper.
Why detection rates aren't enough
Evaluating endpoint security products is a time-consuming and daunting task. Learn the six critical questions you need to ask prospective vendors to get the right endpoint solution.
Download the white paper.
Applications: taking back control
Employees installing unauthorized applications is a growing threat to business security and productivity. Cost-effectively reduce this threat by integrating control into your malware protection.
Learn more today.
Comment