[Serusers] account + IP binding

Antanas Masevicius antanas.masevicius at z1sys.com
Wed Jul 28 14:57:35 CEST 2004



On Wed, 28 Jul 2004, Bogdan-Andrei IANCU wrote:

> zolia at z1sys.com wrote:
>
> >hello,
> >
> >is it possible to do source IP authentication besides normal
> >www_authorize() for every user account? This, as I understand, should
> >prevent intercepting credentials and later faking a SIP message to
> >bypass www_authorization?
> >
> This doesn't work. For each authentication challenge, ser generates a
> nonce that is kept in memory for a short period of time. So, this kind
> of exploit is very limited - only if somebody tries to do it in real time
> and in a very narrow time window.
Yes, probably it would work only in real time, i.e. by writing some small
proxy which rewrites the Authorization header, putting in the encrypted
password sniffed in parallel. It's a bit harder..

> IP checking doesn't help you - they can also be spoofed. Plus, against
> what address do you check when the user registers for the first time? Or if
What do you mean by "first time"? If there is only one IP from which UA
requests MUST originate, then it should be possible to check it.

> the user uses multiple clients at the same time?
This would not be possible in our scenario.

Antanas

> bogdan
>
> >Or maybe there are some other countermeasures
> >against such fraud?
> >
> >Does src_ip come directly from the IP layer? If so, I could probably use this
> >to check against some external database (i.e. the ser subscriber table)?
> >
> >Antanas
> >NTT
> >
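The behaviour Bogdan describes (a challenge nonce kept in memory only briefly, so a captured Authorization header is useless once the nonce has expired) together with the per-account source-IP binding Antanas asks about, as an added example that is not code from ser or from anyone in this thread. The realm, TTL, usernames and addresses are constructed values; the verifier is a simplified RFC 2617 digest check without qop.

```python
import hashlib
import os
import time

# Constructed values for this example, not from the thread or from ser.
REALM = "sip.example.com"
NONCE_TTL = 30  # seconds a nonce stays valid; models ser's in-memory nonce window


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, password, nonce, method, uri):
    """Client side of RFC 2617 digest (no qop), as a SIP UA computes it."""
    ha1 = _md5(f"{username}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


class DigestVerifier:
    """Server side: issues short-lived nonces, checks responses and optionally
    binds each account to the single source IP its requests must come from."""

    def __init__(self, ttl=NONCE_TTL, clock=time.time):
        self.ttl, self.clock = ttl, clock
        self.nonces = {}  # nonce -> issue time (kept in memory, like ser)
        self.users = {}   # username -> (HA1, bound source IP or None)

    def add_user(self, username, password, src_ip=None):
        self.users[username] = (_md5(f"{username}:{REALM}:{password}"), src_ip)

    def challenge(self):
        nonce = os.urandom(8).hex()
        self.nonces[nonce] = self.clock()
        return nonce

    def verify(self, username, nonce, method, uri, response, src_ip):
        """Return 'ok' or the reason the request is rejected."""
        issued = self.nonces.get(nonce)
        if issued is None or self.clock() - issued > self.ttl:
            self.nonces.pop(nonce, None)
            return "stale nonce"  # replayed header outside the narrow window
        if username not in self.users:
            return "unknown user"
        ha1, bound_ip = self.users[username]
        if _md5(f"{ha1}:{nonce}:{_md5(f'{method}:{uri}')}") != response:
            return "bad credentials"
        if bound_ip is not None and src_ip != bound_ip:
            return "source ip mismatch"  # the extra src_ip binding from the thread
        return "ok"
```

Within the TTL a captured header is still accepted, which is exactly the narrow window the thread is about; the source-IP check only narrows it further and, as Bogdan notes, does not hold against a spoofed source address.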