[Serusers] account + IP binding

Bogdan-Andrei IANCU iancu at fokus.fraunhofer.de
Wed Jul 28 14:12:48 CEST 2004


zolia at z1sys.com wrote:

>hello,
>
>is it possible to do source IP authentication besides the normal
>www_authorize() for every user account? This, as I understand, should
>prevent intercepting credentials and later faking a SIP message to
>bypass www_authorization?
>
this doesn't work. For each authentication challenge, ser generates a 
nonce that is kept in memory for a short period of time. So, this kind 
of exploit is very limited - only if somebody tries in real time to do it 
and in a very narrow time window.
IP checking doesn't help you - they can also be spoofed. Plus, against 
what address do you check when the user registers for the first time? Or if 
the user uses multiple clients at the same time?
bogdan

> Or maybe there are some other countermeasures
>against such fraud?
>
>Does src_ip come directly from the IP layer? If so, I could probably use this
>to check against some external database (i.e. ser subscriber)?
>
>Antanas
>NTT
>
>_______________________________________________
>Serusers mailing list
>serusers at lists.iptel.org
>http://lists.iptel.org/mailman/listinfo/serusers
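A small model of the digest check Bogdan describes, added here as an illustration and not code from ser or from either poster: the server hands out a nonce that lives in memory for a short time, so a captured Authorization header only verifies while that nonce is still remembered. The 30-second lifetime, the realm and the subscriber entry are constructed for the example; the optional single_use switch is a hardening step not discussed in the thread.

```python
import hashlib
import secrets

REALM = "example.org"   # constructed realm for this example
NONCE_LIFETIME = 30     # seconds a challenge nonce stays valid (assumed; ser's is configurable)

# Stand-in for the subscriber table: username -> plaintext password (constructed).
_passwords = {"alice": "s3cret"}
# Nonces the server has issued and not yet forgotten: nonce -> expiry timestamp.
_issued_nonces = {}


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def challenge(now):
    """Server side of the 401/407 challenge: mint a fresh nonce and remember it briefly."""
    nonce = secrets.token_hex(16)
    _issued_nonces[nonce] = now + NONCE_LIFETIME
    return nonce


def client_response(user, password, method, uri, nonce):
    """Client side: RFC 2617 digest (no qop), the fields a UA puts in Authorization."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return {"username": user, "realm": REALM, "nonce": nonce, "uri": uri,
            "response": _md5(f"{ha1}:{nonce}:{ha2}")}


def authorize(creds, method, now, single_use=False):
    """Server side, the check www_authorize() performs conceptually.
    Returns True only for a correct digest over a nonce that is still in memory."""
    nonce = creds["nonce"]
    expiry = _issued_nonces.get(nonce)
    if expiry is None or now > expiry:
        return False            # unknown or expired nonce: a stale capture lands here
    password = _passwords.get(creds["username"])
    if password is None:
        return False
    expected = client_response(creds["username"], password, method, creds["uri"], nonce)
    if not secrets.compare_digest(expected["response"], creds["response"]):
        return False
    if single_use:
        del _issued_nonces[nonce]  # hardening: closes even the short window the thread describes
    return True
```

Note that the source address never enters the computation, which is why an IP check adds nothing the nonce does not already give, and why it breaks for a first-time registration or a user with several clients.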