[Serusers] Preventing DoS Attack with SER
Jiri Kuthan
jiri at iptel.org
Thu Sep 9 12:50:05 CEST 2004
At 09:03 AM 9/9/2004, Gerhard Zweimueller wrote:
>Hi list,
>
>the RFC 3161 gives a chapter about DoS attacks in section 26.3.2.4:
>
>[...]
> No matter what security solutions are deployed, floods of messages
> directed at proxy servers can lock up proxy server resources and
> prevent desirable traffic from reaching its destination. There is a
> computational expense associated with processing a SIP transaction at
> a proxy server, and that expense is greater for stateful proxy
> servers than it is for stateless proxy servers. Therefore, stateful
> proxies are more susceptible to flooding than stateless proxy
> servers.
>
> UAs and proxy servers SHOULD challenge questionable requests with
> only a single 401 (Unauthorized) or 407 (Proxy Authentication
> Required), forgoing the normal response retransmission algorithm, and
> thus behaving statelessly towards unauthenticated requests.
>
> Retransmitting the 401 (Unauthorized) or 407 (Proxy Authentication
> Required) status response amplifies the problem of an attacker
> using a falsified header field value (such as Via) to direct
> traffic to a third party.
>[...]
>
>However I tested with a SIP-UA that in case of a wrong password in the
>INVITE continuously tries to register at the same SIP-Registrar (SER in
>my case).
>SER in the default stateful configuration of course answers every
>single INVITE message with 401. No matter how often it comes.
No. 401s are generated statelessly.
-jiri
>Is there a way of prohibiting subsequent 401 answers to "false" INVITEs
>from the same contact/endpoint or credentials for a defined period,
>e.g. 30 seconds in SER?
>
>Thanks in advance for your help!
>
>Best regards,
>Gerhard
--
Jiri Kuthan http://iptel.org/~jiri/
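
The suppression window asked about in the quoted question (no repeat 401 to the same endpoint for 30 seconds), as an added example; it is not SER code or configuration and does not come from either poster. The names `ChallengeLimiter`, `should_challenge` and `replay`, the choice of the packet source address as key, and the table size cap are assumptions, and the request events are constructed.

```python
from collections import OrderedDict


class ChallengeLimiter:
    """Decide whether an unauthenticated request gets a 401 or is dropped silently."""

    def __init__(self, window=30.0, max_entries=10000):
        self.window = window            # suppression period in seconds
        self.max_entries = max_entries  # hard cap: the table must not grow under a flood
        self._last = OrderedDict()      # source -> time the last 401 was sent (oldest first)

    def should_challenge(self, source, now):
        # Expire entries older than the window; insertion order is time order
        # because an entry is only written when a 401 is actually sent.
        while self._last:
            oldest, sent_at = next(iter(self._last.items()))
            if now - sent_at < self.window:
                break
            self._last.popitem(last=False)
        if source in self._last:
            return False                # challenged recently: send nothing
        if len(self._last) >= self.max_entries:
            self._last.popitem(last=False)  # evict the oldest entry instead of growing
        self._last[source] = now
        return True


def replay(events, limiter):
    """Return the (time, source) pairs for which a 401 would be sent."""
    return [(t, src) for t, src in events if limiter.should_challenge(src, t)]


# Constructed sample: one UA retrying with a wrong password every 2 s for a
# minute, plus a single request from a second UA.
EVENTS = sorted(
    [(t, "192.0.2.10:5060") for t in range(0, 62, 2)]
    + [(5, "198.51.100.7:5060")]
)

if __name__ == "__main__":
    sent = replay(EVENTS, ChallengeLimiter(window=30.0))
    print(f"{len(EVENTS)} requests, {len(sent)} challenges sent: {sent}")
```

The table is the only state this keeps per source, which is why it is capped: an unbounded table keyed on sender address would itself be exhausted by a flood.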