[Serusers] Preventing DoS Attack with SER

Jiri Kuthan jiri at iptel.org
Thu Sep 9 12:50:05 CEST 2004


At 09:03 AM 9/9/2004, Gerhard Zweimueller wrote:
>Hi list,
> 
>the RFC 3161 gives a chapter about DoS attacks in section 26.3.2.4:
>
>[...]
>   No matter what security solutions are deployed, floods of messages
>   directed at proxy servers can lock up proxy server resources and
>   prevent desirable traffic from reaching its destination.  There is a
>   computational expense associated with processing a SIP transaction at
>   a proxy server, and that expense is greater for stateful proxy
>   servers than it is for stateless proxy servers.  Therefore, stateful
>   proxies are more susceptible to flooding than stateless proxy
>   servers.
>
>   UAs and proxy servers SHOULD challenge questionable requests with
>   only a single 401 (Unauthorized) or 407 (Proxy Authentication
>   Required), forgoing the normal response retransmission algorithm, and
>   thus behaving statelessly towards unauthenticated requests.
>
>      Retransmitting the 401 (Unauthorized) or 407 (Proxy Authentication
>      Required) status response amplifies the problem of an attacker
>      using a falsified header field value (such as Via) to direct
>      traffic to a third party.
>[...]
>
>However I tested with a SIP-UA that in case of a wrong password in the
>INVITE continuously tries to register at the same SIP-Registrar (SER in
>my case).
>SER in the default stateful configuration of course answers every
>single INVITE message with 401. No matter how often it comes.

No. 401s are generated statelessly.

-jiri


>Is there a way of prohibiting subsequent 401 answers to "false" INVITEs
>from the same contact/endpoint or credentials for a defined period, 
>e.g. 30 seconds in SER?
>
>Thanks in advance for your help!
>
>Best regards,
>Gerhard

--
Jiri Kuthan            http://iptel.org/~jiri/ 
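
The 30-second suppression window asked about in the quoted question, sketched as an added example (it is not from this thread and is not SER code or configuration). The class and function names, the choice of source address as the key, and the table size are assumptions; the table is bounded because per-source state is itself a resource a flood can exhaust.

```python
from collections import OrderedDict

class ChallengeLimiter:
    """Per-source gate for 401/407 replies to requests that failed authentication.

    Hypothetical helper: the key is the packet source address, which is not
    authenticated over UDP. State is bounded so the table cannot grow under flood.
    """

    def __init__(self, window=30.0, max_sources=10000):
        self.window = window
        self.max_sources = max_sources
        self._last = OrderedDict()  # source -> time the last challenge was sent

    def should_challenge(self, source, now):
        """Return True to send one challenge, False to drop the request silently."""
        self._expire(now)
        if source in self._last:
            return False  # already challenged inside the window
        self._last[source] = now
        if len(self._last) > self.max_sources:
            # Table full: forget the oldest source (it may be challenged again).
            self._last.popitem(last=False)
        return True

    def on_authenticated(self, source):
        """A successful authentication clears the entry for that source."""
        self._last.pop(source, None)

    def _expire(self, now):
        # Entries are in insertion order, so the oldest is always first.
        while self._last:
            source, sent = next(iter(self._last.items()))
            if now - sent < self.window:
                break
            self._last.popitem(last=False)

def replay(events, window=30.0, max_sources=10000):
    """Run (time, source) events through a fresh limiter; return the decisions."""
    limiter = ChallengeLimiter(window, max_sources)
    return [limiter.should_challenge(source, t) for t, source in events]

# Constructed sample: one UA retrying with a wrong password, plus a second source.
SAMPLE = [(0, "192.0.2.10"), (5, "192.0.2.10"), (10, "198.51.100.7"),
          (15, "192.0.2.10"), (31, "192.0.2.10"), (36, "192.0.2.10")]

if __name__ == "__main__":
    for (t, source), sent in zip(SAMPLE, replay(SAMPLE)):
        print(f"t={t:>2}s {source:<13} {'401 sent' if sent else 'dropped'}")
```

When the table is full the limiter evicts the oldest entry and answers again rather than growing, so memory use stays constant under a flood from many sources.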



