Description of problem:
Asterisk syn-floods 192.168.0.24

Version-Release number of selected component (if applicable):
asterisk-1.8.0-3.fc15.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. Install Asterisk
2. tcpdump to see the syn flood

Additional info:
The problem is the sample /etc/asterisk/res_pktccops.conf. It contains entries which by default contact 192.168.0.24. The extra neat thing is that this affects even upgrades, because the file does not exist in older versions of Asterisk... We caught this in our testing environment, it would have been no fun at all in production.

Proposed resolution:
When building,
    sed -i -e 's/^/;/' /etc/asterisk/res_pktccops.conf
Also, even example configuration files should not refer to networks which are likely to be used in production.
Is there an upstream report for this?
No, there are AFAIK no upstream reports for this.
*** Bug 732957 has been marked as a duplicate of this bug. ***
As reported by David Woodhouse, these packets are coming from res_pktccops. If you add the following to /etc/asterisk/modules.conf, do the packets go away?
    noload => chan_mgcp.so
    noload => res_pktccops.so
I plan on adding these lines to the Asterisk package in the next release.
Yes, the res_pktccops module causes the problem, which is why editing res_pktccops.conf fixes it. Yes, the problem goes away if you noload the module. Why not fix the example configuration instead though? Otherwise you leave a ticking time bomb for someone editing /etc/asterisk/modules.conf. Or do both, for extra brownie points. It is a really obscure feature with very bad consequences, so it should be somewhat difficult to enable.
*** Bug 716747 has been marked as a duplicate of this bug. ***
Yes, that would make sense to comment out everything in res_pktccops.conf, I'll add that to the packages.
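Both mitigations discussed in the comments above (commenting out everything in res_pktccops.conf, and a noload line in modules.conf) can be checked on an installed system. The script below is an added example, not part of the bug report or of the Asterisk package; the function names and the contents of the sample directory, including the key name in the sample file, are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a config directory for the two mitigations from this bug.

# Print active lines: anything that is not blank and not a ';' comment.
active_lines() {
    [ -r "$1" ] || return 0
    grep -Ev '^[[:space:]]*(;|$)' "$1" || true
}

# Succeed if modules.conf carries an uncommented "noload => res_pktccops.so".
is_noloaded() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*noload[[:space:]]*=>[[:space:]]*res_pktccops\.so[[:space:]]*(;.*)?$' "$1"
}

# audit_pktccops DIR: return 0 if the module cannot contact anyone by default,
# 1 if it is not noload'ed and its config still has live entries.
audit_pktccops() {
    dir=${1:-/etc/asterisk}
    count=$(active_lines "$dir/res_pktccops.conf" | wc -l | tr -d ' ')
    if is_noloaded "$dir/modules.conf"; then
        echo "ok: noload set; $count active line(s) stay dormant"
        return 0
    fi
    if [ "$count" -eq 0 ]; then
        echo "ok: module may load, but res_pktccops.conf has no active entries"
        return 0
    fi
    echo "EXPOSED: module not noload'ed, $count active line(s):"
    active_lines "$dir/res_pktccops.conf" | sed 's/^/    /'
    return 1
}

# Constructed sample directory (the key name is a placeholder, not the real file).
make_sample() {
    d=$(mktemp -d)
    printf '[general]\n; sample\n[example]\nhost = 192.168.0.24\n' > "$d/res_pktccops.conf"
    printf '[modules]\nautoload=yes\n' > "$d/modules.conf"
    echo "$d"
}

# Demo, run only as "sh audit.sh demo": before and after the proposed sed fix.
if [ "${1:-}" = demo ]; then
    d=$(make_sample); audit_pktccops "$d" || true
    sed -i -e 's/^/;/' "$d/res_pktccops.conf"; audit_pktccops "$d"
    rm -rf "$d"
fi
```

A `;noload => res_pktccops.so` line does not count as a mitigation here, which covers the case raised above of someone later editing modules.conf.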
asterisk-1.8.6.0-4.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/asterisk-1.8.6.0-4.fc16
asterisk-1.8.6.0-4.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/asterisk-1.8.6.0-4.fc15
asterisk-1.8.6.0-4.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/asterisk-1.8.6.0-4.el6
There should definitely be two separate upstream bugs. One for the fact that it's enabled by default, and a second for the fact that it syn-floods. Even if it's *supposed* to be enabled, there's no excuse for that.
Package asterisk-1.8.6.0-4.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing asterisk-1.8.6.0-4.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/asterisk-1.8.6.0-4.fc16
then log in and leave karma (feedback).
Did the upstream bugs get created for this? I'd like to follow up on them.
I at least commented out all of the entries in the sample configuration file so that Asterisk won't eat the CPU/network by default if this module gets loaded ... http://svnview.digium.com/svn/asterisk?view=revision&revision=337774 That commit should land in the 1.8.8.0 release.
(In reply to comment #13)
> Did the upstream bugs get created for this? I'd like to follow up on them.
I haven't created any.
*** Bug 731963 has been marked as a duplicate of this bug. ***
asterisk-1.8.6.0-4.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
asterisk-1.8.6.0-4.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
asterisk-1.8.6.0-4.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.