VoIP Zero Day

Improving VoIP by Force

Suspect: Asterisk Resource Exhaustion


During The Last HOPE an IAX Resource Exhaustion 0day DoS was released for the Asterisk PBX. This 0day was in the wild for 4 days before a patch was released.

During these four days, any attacker could have attacked any publicly accessible Asterisk server and forced it to stop processing all phone calls. What hasn’t been talked about is how this exploit code could have been weaponized to attack on a global scale.

Take the minimal components of an Asterisk Resource Exhaustion exploit and refactor them into the iaxPingPoker, an Asterisk IAX2 port scanner that was also released at The Last HOPE. This port scanner can be used to determine lists of valid Asterisk servers on the Internet. With only a few additional mechanisms, any Asterisk RE exploit can allow for autonomous DoS attacks targeting any and every Asterisk server.

Since Asterisk can only handle 2^15 call numbers in either direction, once they are all consumed there are no longer enough resources to process additional traffic. Calls can no longer be allocated. A server could be considered exhausted if a ‘POKE’-like packet doesn’t return an INVAL or some other response. Once a server is hung, the script moves on to the next PBX: loop, update, rinse and repeat.

An eeePC has been theoretically estimated to be capable of successfully attacking over 36 Asterisk servers at the same time with an RE. Depending on the version of Asterisk, it could take as long as 30 minutes or as little as 30 seconds to exhaust 1 server. From this, a rough statistic can be derived: an Asterisk server can be taken offline every minute by an inexpensive 900 MHz computer. If there were 10,000 Asterisk servers targeted, a $300 laptop could DoS them all within about 7 hours.

A botnet of even a small size should be able to RE DoS every discovered Asterisk PBX within about an hour. This capability requires only an added system of rudimentary loops and threads, and it means any attacker can autonomously target any and all Asterisk systems indiscriminately with existing code.

Since there are many additional REs currently within Asterisk, what keeps this sort of attack from being feasible today?
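The exhaustion condition described earlier (a fixed pool of 2^15 call numbers) can be modelled from the defender's side. The following is an added example, not code from the original post or from Asterisk: a toy allocator showing how a per-source cap keeps one source from draining the pool, and how to list sources holding an outsized share. The class, the cap value of 512, the 10% alert threshold and the addresses are all assumptions made for illustration.

```python
from collections import Counter

POOL_SIZE = 2 ** 15  # call numbers available per direction (figure from the post)


class CallNumberPool:
    """Toy model of a fixed call-number pool with an optional per-source cap."""

    def __init__(self, size=POOL_SIZE, per_source_cap=None):
        self.size = size
        self.free = size
        self.per_source_cap = per_source_cap  # hypothetical policy knob
        self.held = Counter()                 # source address -> numbers in use

    def allocate(self, source):
        """Grant one call number to `source`; False means the request is refused."""
        if self.free == 0:
            return False                      # pool exhausted: no new calls for anyone
        if self.per_source_cap is not None and self.held[source] >= self.per_source_cap:
            return False                      # only this source is refused
        self.free -= 1
        self.held[source] += 1
        return True

    def heavy_sources(self, share=0.10):
        """Sources holding more than `share` of the pool (alerting candidates)."""
        return sorted(s for s, n in self.held.items() if n > share * self.size)


def simulate(per_source_cap, flood_requests=40_000):
    """One source opens calls it never completes, then a normal peer places a call."""
    pool = CallNumberPool(per_source_cap=per_source_cap)
    flooder, peer = "198.51.100.7", "192.0.2.10"  # constructed documentation addresses
    for _ in range(flood_requests):
        pool.allocate(flooder)
    peer_ok = pool.allocate(peer)
    return peer_ok, pool.held[flooder], pool.free, pool.heavy_sources()


if __name__ == "__main__":
    for cap in (None, 512):
        print(cap, simulate(cap))
```

Without a cap the single source ends up holding the entire pool and the normal peer is refused; with the cap the peer's call is allocated and the pool stays almost entirely free.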


Written by Algo Rythmn

September 4th, 2008 at 7:56 am
