Hello,
On Thursday 09 September 2004 09:03, Gerhard Zweimueller wrote:
Hi list,
the RFC 3161 gives a chapter about DoS attacks in section 26.3.2.4:
[...]
No matter what security solutions are deployed, floods of messages
directed at proxy servers can lock up proxy server resources and
prevent desirable traffic from reaching its destination. There is a
computational expense associated with processing a SIP transaction at
a proxy server, and that expense is greater for stateful proxy
servers than it is for stateless proxy servers. Therefore, stateful
proxies are more susceptible to flooding than stateless proxy
servers.
UAs and proxy servers SHOULD challenge questionable requests with
only a single 401 (Unauthorized) or 407 (Proxy Authentication
Required), forgoing the normal response retransmission algorithm, and
thus behaving statelessly towards unauthenticated requests.
Retransmitting the 401 (Unauthorized) or 407 (Proxy Authentication
Required) status response amplifies the problem of an attacker
using a falsified header field value (such as Via) to direct
traffic to a third party.
[...]
However I tested with a SIP-UA that in case of a wrong password in the
INVITE continuously tries to register at the same SIP-Registrar (SER in
my case).
SER in the default stateful configuration of course answers every
single INVITE message with 401. No matter how often it comes.
Is there a way of prohibiting subsequent 401 answers to "false" INVITEs
from the same contact/endpoint or credentials for a defined period,
e.g. 30 seconds in SER?
If there would be such an option, I would happily send an un-authorized INVITE
request every 30 seconds with a spoofed IP address of your UA to your proxy
and as the result you would not be able to make a call any more.
IMHO this idea allows the same simple DoS attacks as the packet filters
(firewalls) which block IP (ranges) for some time because a (probably
spoofed) packet hit a "DoS" rule.
Greetings
Nils
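
The trade-off discussed in this message, as an added example that is not part of the original e-mail and is not SER code: a small simulation comparing a per-source 30-second suppression policy with the stateless single-401 behaviour quoted from the RFC. The function names, the event model and the traffic (a documentation-range address and made-up timestamps) are constructed assumptions.

```python
from dataclasses import dataclass

SUPPRESS_WINDOW = 30  # seconds; the period proposed in the question

@dataclass
class Invite:
    t: int                   # arrival time in seconds
    src: str                 # source address the proxy sees (unverified over UDP)
    sender: str              # ground truth the proxy cannot see: "ua" or "forged"
    authenticated: bool = False

def suppressing_proxy(events):
    """After one 401, ignore unauthenticated INVITEs from that source for the window."""
    last_401, results = {}, []
    for e in events:
        if e.authenticated:
            results.append((e, "200"))
        elif e.src in last_401 and e.t - last_401[e.src] < SUPPRESS_WINDOW:
            results.append((e, "dropped"))
        else:
            last_401[e.src] = e.t  # per-source state the proxy must now keep
            results.append((e, "401"))
    return results

def stateless_proxy(events):
    """One 401 per unauthenticated request, no retransmission, no per-source state."""
    return [(e, "200" if e.authenticated else "401") for e in events]

def ua_outcomes(results):
    """What the real UA got back for its initial, unauthenticated INVITEs."""
    return [r for e, r in results if e.sender == "ua" and not e.authenticated]

# Constructed traffic: requests carrying the UA's address arrive every 30 s from
# a third party, while the real UA tries to start calls in between.
ADDR = "192.0.2.10"  # documentation-range address, not a real host
EVENTS = sorted(
    [Invite(t, ADDR, "forged") for t in (0, 30, 60, 90)]
    + [Invite(t, ADDR, "ua") for t in (10, 45, 100)],
    key=lambda e: e.t,
)

if __name__ == "__main__":
    print("suppressing:", ua_outcomes(suppressing_proxy(EVENTS)))
    print("stateless:  ", ua_outcomes(stateless_proxy(EVENTS)))
```

Under the suppression policy the real UA never receives a challenge, so it never obtains a nonce to authenticate with; under the stateless policy every one of its INVITEs is challenged.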