[Serusers] Preventing DoS Attack with SER

Nils Ohlmeier nils at iptel.org
Sat Sep 11 13:22:52 CEST 2004


Hello,

On Thursday 09 September 2004 09:03, Gerhard Zweimueller wrote:
> Hi list,
>
> the RFC 3161 gives a chapter about DoS attacks in section 26.3.2.4:
>
> [...]
>    No matter what security solutions are deployed, floods of messages
>    directed at proxy servers can lock up proxy server resources and
>    prevent desirable traffic from reaching its destination.  There is a
>    computational expense associated with processing a SIP transaction at
>    a proxy server, and that expense is greater for stateful proxy
>    servers than it is for stateless proxy servers.  Therefore, stateful
>    proxies are more susceptible to flooding than stateless proxy
>    servers.
>
>    UAs and proxy servers SHOULD challenge questionable requests with
>    only a single 401 (Unauthorized) or 407 (Proxy Authentication
>    Required), forgoing the normal response retransmission algorithm, and
>    thus behaving statelessly towards unauthenticated requests.
>
>       Retransmitting the 401 (Unauthorized) or 407 (Proxy Authentication
>       Required) status response amplifies the problem of an attacker
>       using a falsified header field value (such as Via) to direct
>       traffic to a third party.
> [...]
>
> However, I tested with a SIP-UA that, in case of a wrong password in the
> INVITE, continuously tries to register at the same SIP-Registrar (SER in
> my case).
> SER in the default stateful configuration of course answers every
> single INVITE message with 401. No matter how often it comes.
>
> Is there a way of prohibiting subsequent 401 answers to "false" INVITEs
> from the same contact/endpoint or credentials for a defined period,
> e.g. 30 seconds in SER?

if there were such an option, I would happily send an unauthorized INVITE 
request every 30 seconds with a spoofed IP address of your UA to your proxy, 
and as a result you would not be able to make a call any more.
IMHO this idea allows the same simple DoS attacks as packet filters 
(firewalls) which block IPs (or ranges) for some time because a (probably 
spoofed) packet hit a "DoS" rule.

Greetings
  Nils
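To illustrate the point made in this reply, here is an added toy model (not code from the thread, from SER, or from RFC 3261) comparing the RFC behaviour of answering every unauthenticated INVITE with a single stateless 401 against the proposed "withhold the 401 from the same source for 30 seconds" policy. The proxy class, the subscriber table, the addresses and the timings are all constructed for the example.

```python
from dataclasses import dataclass, field

BLOCK_SECONDS = 30                    # suppression window proposed in the thread
VALID_CREDS = {"alice": "secret"}     # constructed sample subscriber table

@dataclass
class Invite:
    src_ip: str        # source address as the proxy sees it; spoofable over UDP
    user: str
    password: str      # "" = no credentials carried
    t: float           # arrival time in seconds

@dataclass
class Proxy:
    suppress_repeats: bool            # True = the per-source 401 suppression idea
    last_failure: dict = field(default_factory=dict)

    def handle(self, inv: Invite) -> str:
        if VALID_CREDS.get(inv.user) == inv.password:
            return "200 OK"
        if self.suppress_repeats:
            prev = self.last_failure.get(inv.src_ip)
            if prev is not None and inv.t - prev < BLOCK_SECONDS:
                return "DROP"         # 401 withheld: the sender is never challenged
            self.last_failure[inv.src_ip] = inv.t
        return "401 Unauthorized"     # single stateless challenge (RFC 3261 26.3.2.4)

def place_call(proxy: Proxy, src_ip: str, t: float) -> str:
    """Genuine UA: the first INVITE carries no credentials, and only a 401 tells it
    to resend with credentials (toy model, nonce/digest details omitted)."""
    first = proxy.handle(Invite(src_ip, "alice", "", t))
    if first != "401 Unauthorized":
        return first                  # no challenge arrived, so the call cannot proceed
    return proxy.handle(Invite(src_ip, "alice", "secret", t + 0.1))

def scenario(suppress: bool) -> dict:
    """Constructed timeline: one INVITE with a spoofed source address (the victim's
    IP) and a bad password at t=0, then the real UA at that IP calls at t=5."""
    proxy = Proxy(suppress_repeats=suppress)
    victim_ip = "198.51.100.7"        # documentation address, constructed
    spoofed = proxy.handle(Invite(victim_ip, "alice", "wrong", 0.0))
    return {"spoofed_reply": spoofed, "victim_call": place_call(proxy, victim_ip, 5.0)}

if __name__ == "__main__":
    print("RFC behaviour:", scenario(False))   # victim_call == "200 OK"
    print("suppression  :", scenario(True))    # victim_call == "DROP"
```

Under the suppression policy the one spoofed request is enough to stop the victim's UA from ever being challenged during the window, which is exactly the lockout described in the reply; under the stateless RFC behaviour the spoofed request costs the proxy one 401 and nothing else.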
