zolia(a)z1sys.com wrote:
hello,
is it possible to do source ip authentication besides normal
www_authorize() for every user account?. This, as i understand, should
prevent from intercepting credentials and later faking sip message to
bypass www_authorization ?
this doesn't work. for each authentication challenge, ser generates an
noun that is kept into memory for a short period of time. So, this kind
of exploit is very limited - only if somebody trys in real time to do it
and in very narrow time window.
IP checking doesn't help you - they can be also spoof. Plus, against
what address you check when the user register for the first time? or if
the user use multiple client in the same time?
bogdan
Or maybe there are some other counter measures
against such fraud?
Does src_ip comes directly from ip layer? If so, i could probably use this
to check with some external database (ie. ser subscriber)?
Antanas
NTT
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers