Hi list,
RFC 3161 has a chapter about DoS attacks in section 26.3.2.4:
[...] No matter what security solutions are deployed, floods of messages directed at proxy servers can lock up proxy server resources and prevent desirable traffic from reaching its destination. There is a computational expense associated with processing a SIP transaction at a proxy server, and that expense is greater for stateful proxy servers than it is for stateless proxy servers. Therefore, stateful proxies are more susceptible to flooding than stateless proxy servers.
UAs and proxy servers SHOULD challenge questionable requests with only a single 401 (Unauthorized) or 407 (Proxy Authentication Required), forgoing the normal response retransmission algorithm, and thus behaving statelessly towards unauthenticated requests.
Retransmitting the 401 (Unauthorized) or 407 (Proxy Authentication Required) status response amplifies the problem of an attacker using a falsified header field value (such as Via) to direct traffic to a third party. [...]
However, I tested with a SIP UA that, in case of a wrong password in the INVITE, continuously tries to register at the same SIP registrar (SER in my case). SER in the default stateful configuration of course answers every single INVITE message with a 401, no matter how often it comes.
Is there a way of prohibiting subsequent 401 answers to "false" INVITEs from the same contact/endpoint or credentials for a defined period, e.g. 30 seconds, in SER?
Thanks in advance for your help!
Best regards, Gerhard
This email has been scanned by Infotech SecureMail Service and it has been classified as secure. For more information on Infotech SecureMail direct your web browser to: www.infotech.at/securemail/
At 09:03 AM 9/9/2004, Gerhard Zweimueller wrote:
> Hi list,
> RFC 3161 has a chapter about DoS attacks in section 26.3.2.4:
> [...] No matter what security solutions are deployed, floods of messages directed at proxy servers can lock up proxy server resources and prevent desirable traffic from reaching its destination. There is a computational expense associated with processing a SIP transaction at a proxy server, and that expense is greater for stateful proxy servers than it is for stateless proxy servers. Therefore, stateful proxies are more susceptible to flooding than stateless proxy servers.
> UAs and proxy servers SHOULD challenge questionable requests with only a single 401 (Unauthorized) or 407 (Proxy Authentication Required), forgoing the normal response retransmission algorithm, and thus behaving statelessly towards unauthenticated requests.
> Retransmitting the 401 (Unauthorized) or 407 (Proxy Authentication Required) status response amplifies the problem of an attacker using a falsified header field value (such as Via) to direct traffic to a third party. [...]
> However, I tested with a SIP UA that, in case of a wrong password in the INVITE, continuously tries to register at the same SIP registrar (SER in my case). SER in the default stateful configuration of course answers every single INVITE message with a 401, no matter how often it comes.
No. 401s are generated statelessly.
-jiri
> Is there a way of prohibiting subsequent 401 answers to "false" INVITEs from the same contact/endpoint or credentials for a defined period, e.g. 30 seconds, in SER?
> Thanks in advance for your help!
> Best regards, Gerhard
> Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
-- Jiri Kuthan http://iptel.org/~jiri/
Hello,
On Thursday 09 September 2004 09:03, Gerhard Zweimueller wrote:
> Hi list,
> RFC 3161 has a chapter about DoS attacks in section 26.3.2.4:
> [...] No matter what security solutions are deployed, floods of messages directed at proxy servers can lock up proxy server resources and prevent desirable traffic from reaching its destination. There is a computational expense associated with processing a SIP transaction at a proxy server, and that expense is greater for stateful proxy servers than it is for stateless proxy servers. Therefore, stateful proxies are more susceptible to flooding than stateless proxy servers.
> UAs and proxy servers SHOULD challenge questionable requests with only a single 401 (Unauthorized) or 407 (Proxy Authentication Required), forgoing the normal response retransmission algorithm, and thus behaving statelessly towards unauthenticated requests.
> Retransmitting the 401 (Unauthorized) or 407 (Proxy Authentication Required) status response amplifies the problem of an attacker using a falsified header field value (such as Via) to direct traffic to a third party. [...]
> However, I tested with a SIP UA that, in case of a wrong password in the INVITE, continuously tries to register at the same SIP registrar (SER in my case). SER in the default stateful configuration of course answers every single INVITE message with a 401, no matter how often it comes.
> Is there a way of prohibiting subsequent 401 answers to "false" INVITEs from the same contact/endpoint or credentials for a defined period, e.g. 30 seconds, in SER?
If there were such an option, I would happily send an unauthorized INVITE request every 30 seconds with a spoofed IP address of your UA to your proxy, and as a result you would not be able to make a call any more. IMHO this idea allows the same simple DoS attacks as the packet filters (firewalls) which block IPs (or ranges) for some time because a (probably spoofed) packet hit a "DoS" rule.
Greetings Nils
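The two replies above make two distinct points: Jiri's, that a 401 can be produced without keeping any per-request state, and Nils's, that suppressing challenges per source address hands an attacker a lockout primitive. The following model is an added example written for this thread, not SER code or SER configuration. It uses a stateless nonce (timestamp plus HMAC under a server secret, so the proxy stores nothing per challenge) and a digest check in the RFC 2617 shape SIP UAs use, and it compares a proxy that challenges every unauthenticated INVITE against one that silences a source IP for 30 seconds after one 401. The realm, secret, user, password, IP addresses and timings are all constructed for the illustration.

```python
"""Model of a SIP proxy's 401 challenge policy (constructed example, not SER code)."""
import hashlib
import hmac

REALM = "sip.example.test"        # assumed realm
SECRET = b"proxy-nonce-secret"    # assumed server secret for stateless nonces
NONCE_TTL = 60                    # seconds a nonce stays valid
VICTIM_IP = "192.0.2.10"          # constructed: address of the legitimate UA
URI = "sip:bob@" + REALM


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def make_nonce(now: int) -> str:
    """Stateless nonce: timestamp plus a MAC, so no per-challenge state is kept."""
    ts = str(now)
    mac = hmac.new(SECRET, ts.encode(), "sha256").hexdigest()[:16]
    return f"{ts}.{mac}"


def nonce_valid(nonce: str, now: int) -> bool:
    """Recompute the MAC and check the timestamp window; again no stored state."""
    ts, _, mac = nonce.partition(".")
    if not ts.isdigit():
        return False
    expected = hmac.new(SECRET, ts.encode(), "sha256").hexdigest()[:16]
    return hmac.compare_digest(mac, expected) and 0 <= now - int(ts) <= NONCE_TTL


def digest_response(user: str, password: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 digest without qop, the form SIP UAs send in Authorization."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


class Proxy:
    """lockout=None: every unauthenticated request gets a 401 (stateless policy).
    lockout=N: after one 401, further unauthenticated requests that appear to come
    from the same source IP are silently dropped for N seconds (the policy asked
    about in the thread)."""

    def __init__(self, passwords, lockout=None):
        self.passwords = passwords
        self.lockout = lockout
        self.silenced = {}        # src_ip -> time until which challenges are suppressed
        self.challenges_sent = 0

    def handle(self, method, uri, src_ip, user, now, auth=None):
        if auth and nonce_valid(auth["nonce"], now):
            pw = self.passwords.get(user)
            if pw is not None:
                expected = digest_response(user, pw, method, uri, auth["nonce"])
                if hmac.compare_digest(auth["response"], expected):
                    return "200 OK"
        if self.lockout is not None:
            if now < self.silenced.get(src_ip, 0):
                return None       # dropped: the client gets no challenge and no nonce
            self.silenced[src_ip] = now + self.lockout
        self.challenges_sent += 1
        return "401 Unauthorized nonce=" + make_nonce(now)


def victim_call(proxy, now):
    """Legitimate UA: send an INVITE, answer the challenge, report the outcome."""
    first = proxy.handle("INVITE", URI, VICTIM_IP, "alice", now)
    if first is None:
        return "no challenge received; call never authenticates"
    nonce = first.split("nonce=")[1]
    auth = {"nonce": nonce,
            "response": digest_response("alice", "s3cret", "INVITE", URI, nonce)}
    return proxy.handle("INVITE", URI, VICTIM_IP, "alice", now + 1, auth)


def simulate(lockout):
    """Attacker sends an unauthenticated INVITE with the victim's source address
    spoofed at t=0 and t=30; the victim then places a real call at t=45."""
    proxy = Proxy({"alice": "s3cret"}, lockout=lockout)
    for t in (0, 30):
        proxy.handle("INVITE", URI, VICTIM_IP, "alice", t)
    return victim_call(proxy, 45), proxy.challenges_sent


if __name__ == "__main__":
    print("stateless policy:", simulate(None))   # ('200 OK', 3)
    print("30 s lockout:   ", simulate(30))      # ('no challenge received; ...', 2)
```

With the stateless policy the attacker's spoofed INVITEs cost the proxy one HMAC and one reply each and nothing else, and the victim's call still completes. With the 30-second lockout the attacker's two packets are enough to ensure the victim, whose address they forged, receives no challenge at all, which is exactly the outcome Nils describes.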