| Summary: | ASTERISK-23673: Security: DOS by consuming the number of allowed HTTP connections. | ||
| Reporter: | Richard Mudgett (rmudgett) | Labels: | Security |
| Date Opened: | 2014-04-25 13:56:14 | Date Closed: | 2014-06-12 11:09:36 |
| Priority: | Critical | Regression? | |
| Status: | Closed/Complete | Components: | Core/HTTP |
| Versions: | 1.8.27.0 11.9.0 12.2.0 | Frequency of Occurrence | Constant |
| Related Issues: | |||
| Environment: | Attachments: | ||
| Description: | Simply establishing a TCP connection and never sending anything to the configured HTTP port in http.conf will tie up a HTTP connection. Since there is a maximum number of open HTTP sessions allowed at a time you can block legitimate connections.
A similar problem exists if a HTTP request is started but never finished. A timeout needs to be implemented to mitigate this kind of attack. I'm fairly certain that this has always existed in Asterisk's HTTP implementation. It has just become more serious with the addition of ARI. | ||
| Comments: | |||