Simultaneous call limitation on Asterisk

Posted on May 29, 2010

Asterisk will be used for our home usage through VPN, but it will be opened to the internet as I like connecting with my Mac when abroad to make calls (using SIP over TCP with TLS and SRTP once it is available in Asterisk). I’ve heard quite a few stories of Asterisk systems being compromised and resulting in VERY large phone bills (12,000€ to $100,000+). In an effort to avoid this I’m working heavily on the security part, but in case it does get compromised I want to limit the damage.

Those large phone bills come from the fact that users are not limited in terms of simultaneous calls, so the attacker can generate thousands of calls (as long as your ITSP supports it) within seconds. On my side I don’t need more than 2 total outgoing calls, so I want to set this limit.

This can be done by creating groups (I found information on this on voip-info.org).

First we need to load the module that provides these functions:

load => func_groupcount.so ; function GroupCount - Requires N/A

Once the module is loaded, we need to configure the extensions.conf file:

[globals]
MAXCALLS=2

[macro-voipcall]
; Limit the number of outgoing calls
; Set Group
exten => s,1,Set(GROUP()=OUTBOUND_GROUP)
; Are we exceeding the limit?
exten => s,2,GotoIf($[${GROUP_COUNT()} > ${MAXCALLS}]?999)
; No? Then dial
exten => s,3,Dial(${ARG1})
; Yes? Then deny
exten => s,999,Set(DIALSTATUS=CHANUNAVAIL)

How does this work?
Each time a call is made using the voipcall macro, we assign the channel to the OUTBOUND_GROUP group and then check the number of channels assigned to OUTBOUND_GROUP. Because the channel joins the group before the check, the count includes the call being placed. If this number is higher than the MAXCALLS variable we set, we set DIALSTATUS to CHANUNAVAIL and skip the Dial, which will close the channel.

It’s easy to implement and it can save you lots of $$$… You could also quite easily edit this script to set a call limit per user or per channel instead of globally.
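
The per-user variant mentioned above, layered on top of the global limit, as an added example that is not part of the original post. The macro name `voipcall-peer`, the variables `MAXCALLS_PEER` and `LIMIT_PEER`, and the group category `peer` are assumptions chosen for illustration.

```ini
; Added example (not from the original post): global limit plus per-peer limit.
; Requires func_groupcount.so (GROUP, GROUP_COUNT) and func_cut.so (CUT).

[globals]
MAXCALLS=2           ; global ceiling, as in the post
MAXCALLS_PEER=1      ; assumed per-peer ceiling

[macro-voipcall-peer]
; Identify the caller by the channel name (SIP/alice-0000001a -> SIP/alice),
; not by caller ID, which the calling device chooses for itself.
; Caveat: a peer name that itself contains "-" is truncated by this CUT.
exten => s,1,Set(LIMIT_PEER=${CUT(CHANNEL,-,1)})
; Join the global group and a per-peer group in the "peer" category.
exten => s,n,Set(GROUP()=OUTBOUND_GROUP)
exten => s,n,Set(GROUP(peer)=${LIMIT_PEER})
; Both counts already include this channel, hence ">" rather than ">=".
exten => s,n,GotoIf($[${GROUP_COUNT(OUTBOUND_GROUP)} > ${MAXCALLS}]?deny)
exten => s,n,GotoIf($[${GROUP_COUNT(${LIMIT_PEER}@peer)} > ${MAXCALLS_PEER}]?deny)
exten => s,n,Dial(${ARG1})
; Stop here so a finished call does not fall through into the deny branch.
exten => s,n,MacroExit()
; Log the refusal so repeated hits show up when reviewing the Asterisk log.
exten => s,n(deny),NoOp(Call limit reached for ${LIMIT_PEER})
exten => s,n,Set(DIALSTATUS=CHANUNAVAIL)
```

With these values a single compromised account can hold at most one outbound call at a time, while the global group still caps the whole system at two.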

