New features from 3.1 include:

• asynchronous TLS
• embedded LUA, HTTP server, Python, XCAP (and more)
• SIP Registration to remote servers
• new DoS preventions

From Kamailio:

Since last major release, version 3.0.0 (which was out in January 10, 2010), the two SIP servers are practically the same application, the name making the difference regarding the database structure and the extensions used for certain features, such as user database based authentication or location service. Therefore another development direction was towards smooth integration of Kamailio and SER extensions, previously duplicated modules such as auth, sl, ratelimit or sms were merged during this development cycle.

For more information, please visit www.kamailio.org.

Last week, Ward Mundy, Tim Panton, Karl Fife, Leif Madsen, Yours Truly, and many other regulars discussed a SIP Caller ID Injection Hack. As in all conversations, opinions differ. My position about where to best filter this injection differed than Ward Mundy’s thoughts… and, courtesy of the VoIP Users Conference, you can listen to the conversation and form your own opinions.

Although, next time… maybe you’d enjoy actively participating in our conversations rather than listening to the replay.

→ SIP Hacks: who should filter what, where? (VoIP Users Conference)

(The VoIP Users Conference provides weekly live discussion about VoIP, SIP, Asterisk and all kinds of telephony-related topics every Friday at 12pm EST. For more information, please visit http://vuc.me.)

Attacks from the cloud.

Just over a month ago, we reported that SIP attacks from the Amazon EC2 cloud were on the rise. While the attacks we received last month were limited to “extension only” registration attempts, one of the attacks we received this morning included what we assume was a standard dictionary attack.

The first attack came from 204.236.245.101. In less than 60 seconds, this IP attempted more than 11,500 registrations against our server. Most of these were 4 digit extensions (download the log (zipped) here). The second attack came from 184.73.4.183. In less than 90 seconds, this IP attempted more than 21,000 registrations against our server; including what we think is a standard dictionary attack complete with root, postmaster, pixadmin, etc. (download the log (zipped) here).

From past experience, Amazon will simply not do anything about these attacks. The only way to contact Amazon to report abuse is through their web form, which results with Amazon either completely ignoring you or sending a delayed response asking for the exact information you have already sent (and then ignoring you).

So, I’m looking for more ideas from the community on how we can get Amazon to help us stop their network from leveraging a very powerful attack against little ol’ SIP servers.

We are currently deploying a custom perl script to block these attackers via iptables (which is why the attacks registration attempts “stopped”).

Thanks for reading and we’ll be updating this as soon as more information comes in!

Update #1

The first response from Amazon:

Thank you for submitting your abuse report.

We have completed an initial investigation of the issue and learned that the IP address you reported did indeed belong an Amazon EC2 instance. These intrusion attempts that you report were not, however, initiated by Amazon.

One of the biggest advantages of Amazon EC2 is that developers are given complete control of their instances. While the IPs may indicate that the network is Amazon’s, our developer customers are the ones controlling the instances. You may learn more about EC2 at http://aws.amazon.com/ec2

That said, we do take reports of unauthorized network activity from our environment very seriously. It is specifically forbidden in our terms of use. We’ve already contacted the Amazon EC2 customer who controlled the instance in question and informed them that they are required to terminate their unauthorized interaction with your network, failing which we will terminate their instance. In cases of egregious abuse or as we otherwise deem appropriate, we will immediately terminate all their instances and suspend their account.

If you have blocked this address range, please be aware that usage on the address range is transient and new users may soon be operating from those addresses and may not be able to reach you; once you have confirmed that the activity has been ceased by our customer, you should open your filters to re-allow traffic.

Thanks again for alerting us to this issue.

Original report:

* Source IPs: 204.236.245.101
* Abuse Time: Sun May 16 08:53:00 UTC 2010
* NTP: Y

How can I send a message to the EC2 customer?
Complete and submit the web form here.

How can I contact a member of the Amazon EC2 abuse team?
Send an e-mail to ec2-abuse@amazon.com to contact a member of the Amazon EC2 abuse team.

Please note: This e-mail message was sent from a notification-only address that cannot accept incoming e-mail. Please do not reply to this message.

Amazon Web Services

If you feel you are receiving this email in error and do not wish to receive further notifications, send an e-mail to ec2-abuse@amazon.com.

Amazon Web Services LLC is a subsidiary of Amazon.com, Inc. Amazon.com is a registered trademark of Amazon.com, Inc. This message produced and distributed by Amazon Web Services, LLC, 1200 12th Ave South, Seattle, WA 98144.

I really don’t need a sales pitch in my abuse response.

Additional Information:

• Automatically Block Failed SIP Peer Registrations (Team Forrest)
• Amazon EC2 SIP Brute Force Attacks on Rise (VoIP Tech Chat)
• SIP Brute Force Attack Originating From Amazon EC2 Hosts (Building The Net)
• Properly stopping a SIP flood (joshua stein)

Attacks from the cloud.

Update #1: 12 APR 2010. Amazon NOC’s response.
Update #2: 12 APR 2010. Amazon Statement.
Update #3: 13 APR 2010. Amazon Response.

Complaints of rampant SIP Brute Force Attacks coming from servers with Amazon EC2 IP Addresses cause many admins to simply drop all Amazon EC2 traffic. Generally, SIP brute force attacks attempt to register various peer names to a system and/or attempt to guess passwords of known/guesses peers or endpoints.

The complaints mentioned this weekend show an excessive amount of traffic; with some providers claiming 6GB of traffic dedicated to such attacks. Since we ourselves received an attack from an Amazon hosted server, we also reported and complained to the Amazon NOC/Abuse depts. As of this posting, no response or acknowledgement has been received from Amazon. The response from Amazon is below.

There are various techniques to assist with minimizing DDoS and Brute Force attacks, such as limiting access via the public internet, using strong passwords, not mapping extension name to peer/endpoint name, limiting simultaneous calls, and aggressively monitoring usage. Automatic blocking of abusive IP’s (fail2ban, blockhosts, etc.) can also assist with minimizing damage.

Update #1: 12 APR 2010. “Response” from Amazon’s NOC

So when this happened, I submitted a report to Amazon complaining of the attack. The report was sent to their abuse and noc mails and contained the standard abuse report, including their host, my host, the protocol, ports, and description of activity; as well as a sample log.

About 48 hours later, they sent this as a response:

From: Amazon.com <ec2-abuse@amazon.com>
Subject: Your Amazon EC2 Inquiry
Date: April 12, 2010 7:31:59 AM EDT
To: Fred Posner

Hello.

Thank you for contacting Amazon Web Services. We take reports of unauthorized network activity from our environment very seriously. It is specifically forbidden in our terms of use.

Because Amazon EC2 Public IP addresses may change ownership frequently, without additional information we will be unable to identify the correct owner of the IP address for the period of time in question.

So that we can process your report and identify the actual customer in question, we require the following information. Please note that we will not open attachments under any circumstance

• Source IP
• Destination IP (your IP)
• Destination Port and Protocol
• Accurate Date, Time and *Time Zone* of activity
• Intensity and frequency of activity in short log extracts, no larger than 4KB
• Your contact details (phone and email)

For a faster response, please file your report using the AWS Abuse form at the link below:

https://www.amazon.com/gp/html-forms-controller/AWSAbuse/

We appreciate your help in providing the necessary information requested.

Best regards,

-EC2 Abuse Team

So, their laziness aside (since the report to them included ALL the information requested), I filled out the form– which of course failed with an unknown error. (below)

For people interested in moving to Amazon’s cloud, this is a good example of the quality of people conducting your network administration. I’ve sent another response by email. Others have blocked the entire EC2 IP range and have requested their upstream providers do the same.

So my question to you… What would your next step be?

Update #2: 12 APR 2010. Amazon Statement.

Following a request for interview/statement, VoIP Tech Chat received the following communication from Amazon’s Public Relations Manager:

Hello Fred and thank you for contacting us.  Over the weekend, we received a report of a suspicious account and began an investigation.  Our normal process is to connect the two involved parties to give them an opportunity to talk in case the abuse is not malicious but is simply heavy traffic from a legitimate customer.  If that is not successful, we then move to isolate the traffic from the abusing party.  Normally this process works quite well for situations our customers have encountered, however this incident has highlighted the need for an escalation process to address potentially malicious attacks more quickly.  Additionally, we are working on quickly putting better protections and processes in place to better guard against unwanted SIP traffic.  We take the security of our customers and our quality of service very seriously, and will  continue to work to improve our processes and services for customers.

Thanks

Kay Kinton
Public Relations Manager
Amazon Web Services

I’ve replied to again ask for an interview and will update if a response is received. The statement states this was over a weekend, however doesn’t address that the attacks continued today. It also states a “report” was received, but there were many reports submitted. That being said, at least they responded.

Update #3: 13 APR 2010. Amazon Response. Decline of Interview.

After Kay Kinton’s statement, I asked her for a phone interview.

Sent: Monday, April 12, 2010 2:00 PM
To: Kinton, Kay
Subject: Re: Amazon Web Services

Kay,

Thank you for your statement. I would like to interview you about this for VoIP Tech Chat… it would be an over-the-phone interview and would be for 5 minutes or however much longer you would like.

—fred

Kay’s response was quick, and to the point:

What else can I tell you Fred?

I truly dislike email for interviews for no other reason that not getting the tone of that response. Did Kay mean that as “Sure, great! What else can I help you with?” Or, was it more along the lines of, “I answered you. What now?”

Giving her the benefit of the doubt, I replied:

Date: April 12, 2010 5:24:14 PM EDT
To: “Kinton, Kay”
Subject: Re: Amazon Web Services

We would like to interview on this. I thank you for the statement, however I have additional questions:

I know of 12 complaints since Saturday (from different reporters) that were submitted regarding SIP attacks from EC2 to outside systems. How many complaints did you receive since Saturday?

I know attacks continued today and may even be ongoing. There were attacks as of 1pm EST hitting systems with over 640K of data. Are you still seeing attacks? How many hosts were identified?

Were the attacks submitted from one customer/client of yours or many?

Those are my initial questions, however I do request a phone interview rather than email. I find them much easier to exchange information as well as generally a better expressive forum for an interview.

—fred

Good thing I didn’t hold my breath. The next day, after not receiving a response, I called Kay several times and emailed her for an update. Her response via email:

Hello Fred. We believe that we’ve identified and shut down the illegal activity and are closing the loop with customers. We’d certainly be interested in hearing of the cases you refer to below so we can follow up.

I tried reaching out to her but have not had responses. Which leaves me with this…

Her response did not answer my question and I certainly have no basis to believe that Amazon is currently taking any interest in this matter. They’ve told us prior that they cannot pinpoint IP to timeframe as well as that during an attack, they’d try to mediate between parties rather than actually stopping the attack in progress (to give them an opportunity to talk). Sadly… when I’m being flooded, I want the flood to stop. Afterwards, I’ll be glad to talk. But I digress…

Since Kay did not answer any of the additional questions we asked, but did state that she’d be interested in hearing about the other cases, we will encourage anyone with information or feelings about this issue to contact Kay Kinton directly:

Kay Kinton
kinton@amazon.com
Public Relations Manager
Amazon Web Services
Phone: 206-266-8387

For More Information:

• Asterisk User’s Mailing List Archives
• 7 Steps to Better SIP Security (Digium)
• Blockhosts
• Voice over IP Security Alliance (VOIPSA)
• SIP Brute Force Attack Originating From Amazon EC2 Hosts (Building The Net)
• Properly stopping a SIP flood (joshua stein)
• Automatically Block Failed SIP Peer Registrations (Team Forrest)

Report your error with our form. Fail.

Cisco recommends removing SIP support unless needed. “If the affected Cisco IOS device requires SIP for VoIP services, SIP cannot be disabled, and no workarounds are available. Users are advised to apply mitigation techniques to help limit exposure to the vulnerabilities. Mitigation consists of allowing only legitimate devices to connect to affected devices. To increase effectiveness, the mitigation must be coupled with anti-spoofing measures on the network edge. This action is required because SIP can use UDP as the transport protocol.”

The full advisory is reprinted below:

Cisco Security Advisory: Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities

* Cisco Security Advisory: Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities

Document ID: 111448

Advisory ID: cisco-sa-20100324-sip

http://www.cisco.com/warp/public/707/cisco-sa-20100324-sip.shtml

Revision 1.0
For Public Release 2010 March 24 1600 UTC (GMT)

Summary

Multiple vulnerabilities exist in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software that could allow an unauthenticated, remote attacker to cause a reload of an affected device when SIP operation is enabled. Remote code execution may also be possible.

Cisco has released free software updates that address these vulnerabilities. For devices that must run SIP there are no workarounds; however, mitigations are available to limit exposure of the vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100324-sip.shtml.

Note: The March 24, 2010, Cisco IOS Software Security Advisory bundled publication includes seven Security Advisories. All the advisories address vulnerabilities in Cisco IOS Software. Each advisory lists the releases that correct the vulnerability or vulnerabilities detailed in the advisory. The table at the following URL lists releases that correct all Cisco IOS Software vulnerabilities that have been published on March 24, 2010, or earlier:

http://www.cisco.com/warp/public/707/cisco-sa-20100324-bundle.shtml

Individual publication links are in “Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication” at the following link:

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar10.html

Affected Products

These vulnerabilities only affect devices running Cisco IOS Software with SIP voice services enabled.

Impact

Successful exploitation of the vulnerabilities in this advisory may result in a reload of the device. Repeated exploitation could result in a sustained denial of service condition. There is a potential to execute arbitrary code. In the event of successful remote code execution, device integrity could be completely compromised.

Related Links / Suggested Readings

• Cisco Security Advisory: Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities
• Vulnerability Scans and Assessments

The press release follows:

Small and Medium-Sized Business Options Are Focus of Verizon Global Wholesale Offers

Voice Over IP and Powerful Internet Access Packages Bolster Business Success In Rough Economic Times

March 15, 2010

NEW YORK – At a time when small and medium-sized businesses look for every technological advantage to help them continue as the fundamental economic growth engine in the U.S., Verizon is providing support with three new voice-over-IP and Internet packages available through the Verizon Global Wholesale division.

The offers are designed to respond to the rapid growth of voice over IP (VoIP) in the small and medium business realm and the resulting demand for powerful high-speed Internet connections. In addition, the offers support Verizon Global Wholesale customers’ marketing efforts to small and medium sized businesses.

“By creating new VoIP and Internet packages that include both services and hardware, we’re giving our wholesale customers new ways to support their small- and medium-sized business customers in a time when every nickel and every efficiency counts toward success,” said Quintin Lew, senior vice president of marketing for Verizon Global Wholesale. “Our goal continues to be to arm our wholesale customers with the tools that help them to help small and medium-sized businesses succeed.”

(For more information about the benefits Verizon Global Wholesale offers its wholesale customers who support the small and medium business market, click here.)

NEC IP PBX and SIP Gateway Solution

The first new package combines Verizon’s SIP (session initiation protocol) Gateway Service with associated router hardware. SIP Gateway Service transports VoIP traffic between packet-based IP networks and the traditional telephone network, allowing Verizon Global Wholesale’s customers to give small and medium-sized businesses a quick and easy way to get into the VoIP world.

In addition to providing access to Verizon’s expansive IP local network and its telephone number inventory, wholesale customers can offer small and medium-sized businesses a new NEC UNIVERGE SV8100 IP PBX and its associated installation and maintenance bundle at a discount, simplifying the setup and lowering the cost of entry into the IP market. This enables small and medium-sized businesses to work with a single vendor, receive one bill, and gain access to a feature-rich VoIP solution that delivers cost reductions and the promise of increased productivity.

Both the SIP connection and the NEC UNIVERGE SV8100 PBX are priced at a discount with this new simple, feature-rich package. The service and hardware discounts expire on June 30.

Internet Dedicated T1 Package

The second new package, Internet Dedicated T1, also combines discounted service and hardware. It provides a high-capacity connection for 30 or more users and is designed for transmitting high-volume e-mail traffic, transferring large files, or hosting Web sites from virtually anywhere.

The package, based on T1 technology, combines 24 channels of broadband signal into a 1.544 megabit per second (Mbps) service, with customer equipment available to enable the service. Quality of service (QoS) assurance is offered as an option, at an additional cost. QoS is important for businesses that consolidate voice, video and key business applications onto a converged IP network.

The equipment offered in this package is either a Samsung Ubigate iBG 1000 for data-only applications or a model 1003 for data and voice services combined. The discounts on service and equipment expire on March 31, 2011.

For small and medium-sized businesses with a larger appetite for Internet access, a third new promotional offer features Internet access with an Ethernet connection at either 5 Mbps or 10 Mbps. This Internet Dedicated Ethernet service is discounted and bundled with a Samsung iBG1000 router, the cost of which is credited back over the initial year of service.

Targeted at businesses that intend to consolidate voice, video and key business applications onto a converged IP network, this offer delivers a single-vendor solution that end-user customers can leverage to fit their business model. The Ethernet service discount and the monthly credit offer for the cost of the router are scheduled to expire on March 31, 2011.

“Small businesses need their carriers to go beyond a one-size-fits-all solution,” Lew said. “These Internet offers cover the key speeds and features that growing small and medium-sized enterprises require to solve modern connection issues and engage the world in new and aggressive ways.”

Verizon Communications Inc. (NYSE, NASDAQ:VZ), headquartered in New York, is a global leader in delivering broadband and other wireless and wireline communications services to mass market, business, government and wholesale customers. Verizon Wireless operates America’s most reliable wireless network, serving more than 91 million customers nationwide. Verizon also provides converged communications, information and entertainment services over America’s most advanced fiber-optic network, and delivers innovative, seamless business solutions to customers around the world. A Dow 30 company, Verizon employs a diverse workforce of approximately 222,900 and last year generated consolidated revenues of more than $107 billion. For more information, visit www.verizon.com.

VERIZON’S ONLINE NEWS CENTER: Verizon news releases, executive speeches and biographies, media contacts, high-quality video and images, and other information are available at Verizon’s News Center on the World Wide Web at www.verizon.com/news. To receive news releases by e-mail, visit the News Center and register for customized automatic delivery of Verizon news releases.

Media Contacts:

Lynn Staggs
+1-918-590-2403
lynn.staggs@verizonbusiness.com

Jim Smith
Verizon
201-618-3346
james.albert.smith@verizon.com

Suggested Reading:

• Graves On SOHO VoIP — SIP Trunks don’t exist.
• Verizon Wireless

The email follows:

Beginning on your next monthly bill cycle (3/27/2010 12:00:00 AM), your VoicePulse for Business and Wholesale account will be required to meet a minimum usage of $10 per month. The minimum usage requirement can be met by any combination of phone numbers, channels, features, outbound minutes, inbound toll-free minutes, etc.  Our Terms of Service has been updated to reflect above mentioned changes and we advise all customers to review the updated Terms of Service available within your account center.

Make VoicePulse Your Primary Provider

If you are using VoicePulse service as a backup provider and do not meet this minimum usage each month, our customer service representatives are ready to work with you on pricing so that we can become your primary provider.

Inactive Accounts

If you are not using your VoicePulse service and have no intention of doing so in the future, our customer service representatives will be responsive, courteous and expeditious in canceling your account, at your request.  However, if you are using another provider for your VoIP services and have had a good experience with VoicePulse in the past, we are ready to take whatever steps necessary to win back your business and offer you savings that exceed or eliminate this fee altogether

We appreciate your continued support and we look forward to serving you in the years to come. As always, our representatives are available by phone at +1-732-339-5100 M-F 9am-5pm ET and email at contact@voicepulse.com.

The Asterisk Development Team has announced security releases for the following
versions of Asterisk:

* 1.2.40
* 1.4.29.1
* 1.6.0.24
* 1.6.1.16
* 1.6.2.4

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/

The releases of Asterisk 1.2.40, 1.4.29.1, 1.6.0.24, 1.6.1.16, and 1.6.2.4
include documention describing a possible dialplan string injection with common
usage of the ${EXTEN} (and other expansion variables). The issue and resolution
are described in the AST-2010-002 security advisory.

If you have a channel technology which can accept characters other than numbers
and letters (such as SIP) it may be possible to craft an INVITE which sends data
such as 300&Zap/g1/4165551212 which would create an additional outgoing channel
leg that was not originally intended by the dialplan programmer.

Please note that this is not limited to an specific protocol or the Dial()
application.

The expansion of variables into programmatically-interpreted strings is a common
behavior in many script or script-like languages, Asterisk included. The ability
for a variable to directly replace components of a command is a feature, not a
bug – that is the entire point of string expansion.

However, it is often the case due to expediency or design misunderstanding that
a developer will not examine and filter string data from external sources before
passing it into potentially harmful areas of their dialplan.

With the flexibility of the design of Asterisk come these risks if the dialplan
designer is not suitably cautious as to how foreign data is allowed to enter the
system unchecked.

This security release is intended to raise awareness of how it is possible to
insert malicious strings into dialplans, and to advise developers to read the
best practices documents so that they may easily avoid these dangers.

For more information about the details of this vulnerability, please read the
security advisory AST-2010-002, which was released at the same time as this
announcement.

Asterisk 1.2.40 also contains a backported dialplan function called FILTER() in
order to allow the filtering of strings as described in the best practices
document.

It should also be noted that the 1.6.x series of Asterisk had release candidates
available as versions 1.6.0.23-rc2, 1.6.1.15-rc2, and 1.6.2.3-rc2. These will
either be released as 1.6.0.25, 1.6.1.17, and 1.6.2.5, or if another round of
RC changes is necessary, those versions numbers will be used with -rc1 appended.

For a full list of changes in the current releases, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.2.40
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.4.29.1
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.0.24
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.16
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.2.4

Security advisory AST-2010-002 is available at:

http://downloads.asterisk.org/pub/security/AST-2010-002.pdf

The README-SERIOUSLY.bestpractices.txt document is available in the top-level
directory of your Asterisk sources, or available in all Asterisk branches from
1.2 and up.

http://svn.asterisk.org/svn/asterisk/trunk/README-SERIOUSLY.bestpractices.txt

Thank you for your continued support of Asterisk!

Skype for Asterisk Beta is a download that lets you integrate your Asterisk system with the Skype network.

With Skype for Asterisk, you can:

• Make Skype to Skype calls
• Call landlines, cellphones, even grandma!
• Receive SkypeIn calls
• Make multiple Skype calls simultaneously using the same Skype account
• Read Skype profile fields
• Support DTMF
• Set and retrieve online status
• Handle incoming Skype calls using your dialplan
• Use the Asterisk PBX for voice and the Desktop for IM
• And much more!

And you can do this all from your Asterisk PBX!

Ordinary Skype is a mess. You need your desktop and some sort of sound equipment just to make a call. Crazy. Skype for Asterisk Beta has the muscle to use your phone system directly with the Skype network. Use Skype for Asterisk Beta to provide an IVR or Sales portal for your company. You can use Skype for Asterisk Beta at home while watching TV. You can even use Skype for Asterisk Beta to send your Skype calls to one central voicemail.

Whether your Skype needs are large or small, Skype for Asterisk Beta can handle it all. Skype for Asterisk Beta is free, so it pays for itself.

Through Digium’s exclusive Beta offer you can download Skype for Asterisk Beta at the very low price of Free.

But wait, there’s more!

Skype for Asterisk Beta is a limited time offer. You have to act now to download and register the software. Skype for Asterisk Beta can only be downloaded until August 7th and used until August 31st. And of course, being beta, there’s some betaness to contend with.

So act now and download the Skype for Asterisk Beta software today directly from Digium.

(In case you hadn’t guessed, this is also our homage to Billy Mays.)

Here’s what Digium’s John Todd posted:

I know many of you have been waiting for this for a while, so I’ll  keep this short:  The Skype for Asterisk Public Beta is now available on the Digium store.

We are pleased to announce the open beta of Skype For Asterisk is ready to begin and we look forward to you participation. To obtain your copy of the software, please visit Digium’s web store and purchase (for zero dollars) the Skype For Asterisk product. The web store does require a Digium.com account, which can be set up during the purchase process if you don’t already have one. Once the web store process is complete, you will be e-mailed your license key and directions on where to download Skype For Asterisk beta software.

This is a “time-expiring” beta – the software will stop working on August 31.  The download is also currently time-limited – it will be available until August 7 on our website.  After the 31st, you would need to have purchased a license for the SfA software (sorry, no pricing that I can give you right now – that will be a separate announcement.  I’m just the community guy – I have no idea about pricing or commercial contracts or the like, so please wait until that’s been announced as I will find out about the same time as you do.

Trial “purchase” page:
http://store.digium.com/productview.php?product_code=804-00019

JT

While you’re downloading Skype for Asterisk, read Michael Grave’s post over at Graves On SOHO VoIP.