[sr-dev] LCR: defunct_gw() is dangerous
Juha Heinanen
jh at tutpro.com
Wed Dec 28 17:27:15 CET 2011
Iñaki Baz Castillo writes:
> Kamailio parser does not detect such header as "P-Asserted-Identity".
>
> Also, it's unfeasible that a proxy checks the syntax of all the
> headers. Typically a proxy just cares about some few headers.
then use the script function that drops all headers except the ones your
gw cares about.
> > also, you can count
> > the number of failures yourself by using htable, for example, and not
> > defunct your gw based on the first failure.
>
> So the attacker should just send 5 malformed requests rather than one.
see above. also, there is response '400 bad request'. fix your gw to
use it.
> IMHO that's due to the design of the tables in LCR module. IMHO there
> should be a table just with gws definition (without containing the
> lcr_id field). It would make easier the management for cases like the
> present (just my opinion).
you may be right about that one. when i have time, i'll take a look at
it.
-- juha