[OpenSER-Devel] SF.net SVN: openser: [2753] trunk/modules/nathelper

Klaus Darilion klaus.mailinglists at pernau.at
Thu Sep 13 16:40:13 CEST 2007



Dan Pascu schrieb:
> On Thursday 13 September 2007, Juha Heinanen wrote:
>> Bogdan-Andrei Iancu writes:
>>  > Are you referring to the pending patch for spoofing the source of
>>  > the ping (to a non local IP).
>>
>> I didn't remember that there was such a pending patch, but, yes, I was
>> thinking about spoofing the source address/port to correspond to those of
>> a load balancer in front of the proxies.
> 
> One problem with this is that most internet service providers will 
> block IP packets that have a source address not in the originating 
> network to limit DoS attacks and other security related problems.
> As a consequence, this will only work if the spoofed address is in the 
> same LAN with the proxy, but it will almost certainly fail if your load 
> balancer is in another location.

Yes - that is true. But I think usually the LB is in the same data 
center as the SIP proxies - and if your SIP service is so big that you 
have geographical distribution, I guess you can arrange it with your 
provider (or be an ISP yourself).

But one more thing. If there are multiple LBs, e.g. using SRV, it would be 
great to store the received socket of the LB in the userloc table too (e.g. 
via a proprietary header sent by the LB/PSCSF to the SIP proxy). Then, 
the natping also fetches this column from the DB and uses the socket as the 
spoofed source socket. Of course this only works for UDP.

regards
klaus