Generally, opening a media port range is fine. Media ports are usually dynamically allocated and not easy to guess for an attacker.
Secondly, using a proxy like mediaproxy or mediaproxy-ng, which use kernel-based RTP packet forwarding, it's not easy to create a DoS attack, since the kernel will only accept RTP packets from IP addresses advertised by SIP UAs.
Thank you.
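The source-address gating the reply describes for kernel-forwarded RTP can be sketched in user space. The following is an added example, not code from the thread, mediaproxy or mediaproxy-ng: it parses the `c=`/`m=audio` lines of a constructed SDP offer to learn the endpoint a UA advertised, then forwards only datagrams that come from that endpoint and carry a plausible RTP version-2 header, counting everything else as dropped. The sample SDP, addresses and packets are constructed; the `strict_port` switch is an assumption added to illustrate the difference between matching on IP only (the behaviour the reply mentions) and on IP plus port.

```python
import re
import struct
from dataclasses import dataclass
from typing import Iterable, Tuple

# Constructed SDP body, shaped like what a SIP UA advertises in an INVITE.
# 198.51.100.23 and port 16384 are documentation-range sample values.
SAMPLE_SDP = """v=0
o=- 1234 1234 IN IP4 198.51.100.23
s=-
c=IN IP4 198.51.100.23
t=0 0
m=audio 16384 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
a=sendrecv
"""

# Constructed 12-byte RTP header (RFC 3550): V=2, P=0, X=0, CC=0, M=0, PT=0,
# sequence 1, timestamp 160, SSRC 0x11223344.
RTP_HEADER = struct.pack("!BBHII", 0x80, 0x00, 1, 160, 0x11223344)


@dataclass(frozen=True)
class MediaEndpoint:
    ip: str
    port: int


def parse_media_endpoint(sdp: str) -> MediaEndpoint:
    """Return the RTP endpoint advertised by the c= line and first m=audio line."""
    conn = re.search(r"^c=IN IP4 (\S+)", sdp, re.M)
    media = re.search(r"^m=audio (\d+) RTP/AVP", sdp, re.M)
    if not conn or not media:
        raise ValueError("SDP lacks a c= or m=audio line")
    return MediaEndpoint(conn.group(1), int(media.group(1)))


def is_rtp_v2(payload: bytes) -> bool:
    """Minimal sanity check: a fixed header is present and the version bits are 2."""
    return len(payload) >= 12 and (payload[0] >> 6) == 2


def accept_packet(src_ip: str, src_port: int, payload: bytes,
                  allowed: MediaEndpoint, strict_port: bool = True) -> bool:
    """Forward only traffic from the advertised endpoint that looks like RTP.

    With strict_port=False the check matches on source IP alone, which is the
    rule the reply attributes to kernel-based forwarding (a hypothetical switch
    for illustration, not a mediaproxy option).
    """
    if src_ip != allowed.ip:
        return False
    if strict_port and src_port != allowed.port:
        return False
    return is_rtp_v2(payload)


def filter_stream(packets: Iterable[Tuple[str, int, bytes]],
                  allowed: MediaEndpoint, strict_port: bool = True) -> Tuple[int, int]:
    """Run a batch of (src_ip, src_port, payload) through accept_packet; return (forwarded, dropped)."""
    forwarded = dropped = 0
    for src_ip, src_port, payload in packets:
        if accept_packet(src_ip, src_port, payload, allowed, strict_port):
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped


# Constructed traffic: one legitimate packet, one from an unadvertised host
# (what a blind UDP flood toward the port range looks like), one non-RTP
# datagram from the right host, one RTP packet from the right host but a
# different source port (typical after NAT re-mapping).
SAMPLE_PACKETS = [
    ("198.51.100.23", 16384, RTP_HEADER + b"\xff" * 160),
    ("203.0.113.9", 16384, RTP_HEADER + b"\xff" * 160),
    ("198.51.100.23", 16384, b"\x00" * 12),
    ("198.51.100.23", 40000, RTP_HEADER + b"\xff" * 160),
]

if __name__ == "__main__":
    endpoint = parse_media_endpoint(SAMPLE_SDP)
    print("advertised endpoint:", endpoint)
    print("strict (ip+port):", filter_stream(SAMPLE_PACKETS, endpoint))
    print("ip only        :", filter_stream(SAMPLE_PACKETS, endpoint, strict_port=False))
```

Matching on IP alone lets a NATed phone whose source port changed keep its stream, at the cost of accepting any RTP-shaped datagram from that address; strict IP-plus-port matching is tighter but breaks exactly that case, so real media relays latch to the first valid packet and refine the rule from there.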
On Thu, Jan 2, 2014 at 5:00 PM, Jr Richardson jmr.richardson@gmail.com wrote:
Hi All,
Background: We are a service provider offering VoIP/Data services to business customers. All hosted VoIP systems and Customers are mostly on-net, VoIP systems not exposed to the Internet, but all hosted PBX's do have public IP address. I do have some Customers with off-net phones/users so I basically white list their IP's so the phones can register back to their hosted PBX. This works well and keeps SIP attack vectors to a minimum. I've been working on a single point of registration Kamailio server to backend PBX's so I can further control public Internet access to hosted PBX's. I've got this working in the lab but have some concerns about RTP streams.
I know I can use a RTP/Media Proxy to also have a single point of entry for media streams to the backend PBX's but don't believe this to be the best method. Researching SBC's and what I know about SIP and RTP Streams, it's best to have media controlled via the B2BUA (Asterisk in this case) and since all my hosted PBX's have public IP's there would be no compelling reason to proxy RTP adding another hop, latency and point of failure other than for security. I'm not transcoding media or doing anything outside of the capability of the B2BUA as far as media goes.
Question: Would it be prudent to open UDP media ports from Internet to PBX's on a case-by-case basis, basically whitelisting media streams, or is there any attack vulnerability with UDP in the media port range, or should I open up the media port range to all PBX's and not worry about attacks? Are there any UDP Media exploits that I should be concerned with, or UDP flood attacks that could DoS my hosted PBX's?
Thanks for any feedback.
JR
JR Richardson Engineering for the Masses
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users