While SIP is a text-based protocol, IAX2 is a binary-encoded protocol,
specified in RFC 5456. Every IAX2 packet carries a call number that
associates the packet with an active call; this is analogous to the Call-ID
header in SIP. An IAX2 call number is a 15-bit field. That is large enough
for the number of concurrent calls any one system will practically handle,
but unfortunately it is also small enough that an attacker can send enough
small packets to consume every available call number on a system for a
short period of time, resulting in a denial of service.
The IAX2 support in Asterisk has been modified to protect against this type of attack automatically. This protection is referred to as call token support, and it requires a three-way handshake to complete before a call number is allocated. However, older versions of Asterisk and some non-Asterisk IAX2 implementations do not support it, so there are a number of options that let you tweak the behavior.
By default, the security mechanisms are
enabled and no configuration changes are required. If for some reason you
would like to disable call token support completely, you can do so by
using the following configuration in /etc/asterisk/iax.conf (the
0.0.0.0/0.0.0.0 range makes the token optional for every source address):

    [general]
    calltokenoptional = 0.0.0.0/0.0.0.0
    maxcallnumbers = 16382
With the default configuration, a host that
can pass the call token exchange can still consume the call number table.
The call token exchange ensures that call numbers are only allocated once
we know we have not received a request with a spoofed source IP address.
Once we know a request is legitimate, enforcing resource limits per host
is achievable. Consider the following options in iax.conf:

    [general]
    ; Set the default call number limit per host
    maxcallnumbers = 16

    [callnumberlimits]
    ; Set a different call number limit for all hosts in a
    ; specified range.
    192.168.1.0/255.255.255.0 = 1024

    [some_peer]
    ; A dynamic peer's address is not known until that peer
    ; registers. A call number limit can be specified in the
    ; peer's section instead of the callnumberlimits section.
    type = peer
    host = dynamic
    maxcallnumbers = 512
If a peer does not yet support call token validation, but you would like to turn it on as soon as you detect that the peer has been upgraded to support it, there is an option that allows for this behavior:
    [some_other_peer]
    requirecalltoken = auto
If you would like to allow guest access over IAX2, you will most likely want to disable call token validation for unauthenticated calls, so that the largest number of people can call your system over IAX2. If you do so, you should also set the option that puts a global limit on how many call numbers can be consumed by hosts that did not pass call token validation:
    [general]
    maxcallnumbers_nonvalidated = 2048

    [guest]
    type = user
    requirecalltoken = no
If at any time you would like to see some statistics on call number usage on your system, execute the iax2 show callnumber usage command at the Asterisk CLI.
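The handshake and the limits described above, as an added example in Python that is not Asterisk's code: it decodes the RFC 5456 full-frame header to pull out the 15-bit call numbers, then models a call number table that hands out a number only after the caller echoes a token, applying the default maxcallnumbers, a [callnumberlimits] range and maxcallnumbers_nonvalidated. The token format (a timestamp plus an HMAC-SHA1 over the source address under a server secret), the IAX2CallTable and open_call names, and the addresses are assumptions for illustration; Asterisk's own token construction differs, and the information element that carries the token on the wire is not modelled, the token is simply passed as an argument.

```python
import hashlib
import hmac
import ipaddress
import os
import struct
import time
from collections import defaultdict

# IAX2 full-frame header, RFC 5456 section 8.1.1 (12 bytes, big-endian):
#   F(1) src call number(15) | R(1) dst call number(15) | timestamp(32) |
#   OSeqno(8) | ISeqno(8) | frame type(8) | C(1) subclass(7)
FULL_HDR = struct.Struct(">HHIBBBB")
CALL_MASK = 0x7FFF               # 15-bit field: at most 32767 call numbers
IAX_FRAME, IAX_NEW = 0x06, 0x01  # IAX control frame type, NEW subclass

def parse_full_header(pkt):
    """Decode a full frame header; raises if the F bit is clear."""
    scall, dcall, ts, oseq, iseq, ftype, sub = FULL_HDR.unpack_from(pkt)
    if not scall & 0x8000:
        raise ValueError("F bit clear: not a full frame")
    return {"src_call": scall & CALL_MASK, "dst_call": dcall & CALL_MASK,
            "retransmit": bool(dcall & 0x8000), "timestamp": ts,
            "type": ftype, "subclass": sub & 0x7F}

def build_new_frame(src_call, ts=0):
    """Constructed NEW frame as a caller sends it (IEs omitted)."""
    return FULL_HDR.pack(0x8000 | (src_call & CALL_MASK), 0, ts, 0, 0,
                         IAX_FRAME, IAX_NEW)

class IAX2CallTable:
    """Call number allocator applying the iax.conf limits from the text."""

    def __init__(self, maxcallnumbers=16, maxcallnumbers_nonvalidated=2048,
                 callnumberlimits=(), calltokenoptional=()):
        self.default_limit = maxcallnumbers
        self.nonvalidated_limit = maxcallnumbers_nonvalidated
        self.limits = [(ipaddress.ip_network(n), lim) for n, lim in callnumberlimits]
        self.optional = [ipaddress.ip_network(n) for n in calltokenoptional]
        self.secret = os.urandom(20)      # assumed: a real server rotates this
        self.per_host = defaultdict(int)  # validated call numbers per source IP
        self.nonvalidated = 0             # call numbers held without a token
        self.calls = {}                   # local call number -> (ip, validated)

    def limit_for(self, ip):
        addr = ipaddress.ip_address(ip)
        return next((lim for net, lim in self.limits if addr in net),
                    self.default_limit)

    def token_required(self, ip):
        return not any(ipaddress.ip_address(ip) in net for net in self.optional)

    def make_token(self, ip):
        # Assumed format "<unix time>.<HMAC-SHA1(secret, ip|time)>". The server
        # keeps no per-caller state, so an unanswered challenge costs nothing.
        ts = int(time.time())
        mac = hmac.new(self.secret, f"{ip}|{ts}".encode(), hashlib.sha1).hexdigest()
        return f"{ts}.{mac}"

    def check_token(self, ip, token, max_age=10):
        ts, _, mac = token.partition(".")
        if not ts.isdigit() or int(time.time()) - int(ts) > max_age:
            return False
        expect = hmac.new(self.secret, f"{ip}|{ts}".encode(), hashlib.sha1).hexdigest()
        return hmac.compare_digest(mac, expect)

    def handle_new(self, ip, pkt, token=None):
        """Server side: NEW -> CALLTOKEN challenge -> NEW with token -> number."""
        hdr = parse_full_header(pkt)
        if (hdr["type"], hdr["subclass"]) != (IAX_FRAME, IAX_NEW):
            return "IGNORED", None
        validated = False
        if self.token_required(ip):
            if token is None:                    # challenge; nothing allocated yet
                return "CALLTOKEN", self.make_token(ip)
            if not self.check_token(ip, token):  # spoofed source or stale token
                return "REJECT", None
            if self.per_host[ip] >= self.limit_for(ip):
                return "REJECT", None            # maxcallnumbers / callnumberlimits
            validated = True
        elif self.nonvalidated >= self.nonvalidated_limit:
            return "REJECT", None                # maxcallnumbers_nonvalidated
        if len(self.calls) >= CALL_MASK:
            return "REJECT", None                # 15-bit space exhausted
        num = next(n for n in range(1, CALL_MASK + 1) if n not in self.calls)
        self.calls[num] = (ip, validated)
        if validated:
            self.per_host[ip] += 1
        else:
            self.nonvalidated += 1
        return "ACCEPT", num

    def usage(self):
        """Rough counterpart of the 'iax2 show callnumber usage' CLI output."""
        return {"total": len(self.calls), "nonvalidated": self.nonvalidated,
                "per_host": dict(self.per_host)}

def open_call(table, ip, src_call):
    """Client side of the handshake: resend NEW with the token if challenged."""
    pkt = build_new_frame(src_call)
    status, reply = table.handle_new(ip, pkt)
    if status == "CALLTOKEN":
        status, reply = table.handle_new(ip, pkt, reply)
    return status, reply
```

The point to take from the model is where state is created: a NEW from a spoofed address gets a challenge and nothing else, because the token is recomputable from the secret and the address, so the only way to hold a call number is to receive and echo a token at the address you claimed. Once that is known, the per-host counters are trustworthy and maxcallnumbers or a [callnumberlimits] range can cap what any one address may hold, while hosts in a calltokenoptional range draw from the single shared pool bounded by maxcallnumbers_nonvalidated.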
Tip #10: Be happy knowing that IAX2 has been updated to secure itself from denial of service attacks due to call number exhaustion. If you must turn off these security features in some cases, use the options provided to limit your exposure to an attack.