[Serusers] Preventing DoS Attack with SER

Gerhard Zweimueller Gerhard.Zweimueller at infotech.at
Thu Sep 9 09:03:52 CEST 2004


Hi list,
 
the RFC 3161 gives a chapter about DoS attacks in section 26.3.2.4:

[...]
   No matter what security solutions are deployed, floods of messages
   directed at proxy servers can lock up proxy server resources and
   prevent desirable traffic from reaching its destination.  There is a
   computational expense associated with processing a SIP transaction at
   a proxy server, and that expense is greater for stateful proxy
   servers than it is for stateless proxy servers.  Therefore, stateful
   proxies are more susceptible to flooding than stateless proxy
   servers.

   UAs and proxy servers SHOULD challenge questionable requests with
   only a single 401 (Unauthorized) or 407 (Proxy Authentication
   Required), forgoing the normal response retransmission algorithm, and
   thus behaving statelessly towards unauthenticated requests.

      Retransmitting the 401 (Unauthorized) or 407 (Proxy Authentication
      Required) status response amplifies the problem of an attacker
      using a falsified header field value (such as Via) to direct
      traffic to a third party.
[...]

However, I tested with a SIP-UA that in case of a wrong password in the
INVITE continuously tries to register at the same SIP-Registrar (SER in
my case).
SER in the default stateful configuration of course answers every
single INVITE message with 401. No matter how often it comes.

Is there a way of prohibiting subsequent 401 answers to "false" INVITEs
from the same contact/endpoint or credentials for a defined period, 
e.g. 30 seconds in SER?

Thanks in advance for your help!

Best regards,
Gerhard
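
The suppression window asked about above, sketched as an added example that is not part of the original post and is not SER code or configuration. The class and function names are hypothetical, the key is assumed to be the request's source address, and the 30-second window is the value mentioned in the post.

```python
import time
from collections import OrderedDict

class ChallengeThrottle:
    """Send at most one 401/407 per key per window; drop the rest silently."""

    def __init__(self, window=30.0, max_entries=10000):
        self.window = window            # suppression period in seconds
        self.max_entries = max_entries  # hard cap so the table cannot grow without bound
        self._last = OrderedDict()      # key -> time of last challenge, oldest first

    def _expire(self, now):
        # Entries are inserted in time order, so stop at the first live one.
        while self._last:
            key, ts = next(iter(self._last.items()))
            if now - ts < self.window:
                break
            del self._last[key]

    def on_unauthenticated(self, key, now=None):
        """Return 'challenge' (send one stateless 401) or 'drop'."""
        now = time.monotonic() if now is None else now
        self._expire(now)
        if key in self._last:
            return "drop"
        if len(self._last) >= self.max_entries:
            self._last.popitem(last=False)  # evict the oldest entry instead of growing
        self._last[key] = now
        return "challenge"

    def on_authenticated(self, key):
        # Valid credentials: forget the key so a later challenge is immediate.
        self._last.pop(key, None)

def replay(events, window=30.0):
    """Run (time, source, has_valid_auth) events through the throttle."""
    throttle = ChallengeThrottle(window=window)
    out = []
    for t, src, ok in events:
        if ok:
            throttle.on_authenticated(src)
            out.append("accept")
        else:
            out.append(throttle.on_unauthenticated(src, now=t))
    return out

# Constructed sample: one UA retrying a wrong password, plus a second source.
SAMPLE = [(0, "192.0.2.10", False), (5, "192.0.2.10", False), (10, "198.51.100.7", False),
          (29, "192.0.2.10", False), (31, "192.0.2.10", False), (32, "192.0.2.10", True),
          (33, "192.0.2.10", False)]
```

Because SIP over UDP lets the source address be falsified, a key built from it limits how many challenges one claimed source receives but does not identify the sender.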


