[VoiceOps] VoIP Abuse Project
James Hess
mysidia at gmail.com
Mon Sep 20 21:18:57 EDT 2010
On Mon, Sep 20, 2010 at 8:09 PM, Alex Balashov
<abalashov at evaristesys.com> wrote:
> On 09/20/2010 08:47 PM, James Hess wrote:
>> It might be useful to think about possible deprecation of the use of
>> UDP for registration, or at least the requiring of a firm
>> bidirectional acknowledgement with nonce (as in an authenticated
>> request/acknowledgement), before a registration "attempt" can be
>> regarded to fail or succeed.
> "Firm bidirectional acknowledgment" is already required in an authenticated
> REGISTER sequence:
Yes, I think the problem is with authentication failures, not successes.
Implementations might flag a failure at step 1, before any round
trip has occurred.
The 'spoofer' may simply reply with a bogus digest.
Either way, afaict, the spoofer never needs to see the challenge
to submit a register that will produce an authentication failure (it may
even be intended to produce an auth failure as part of the distraction).
The implementation that received the spoof message sees REGISTER +
(incorrect digest), which doesn't reveal that the attacker never saw the
challenge.
--
-J
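The distinction the message draws, a REGISTER whose digest is over a nonce the registrar actually issued versus one over a nonce it never sent, is something a registrar can check before it records an authentication failure against a source address. The following is an added illustration of that check and is not code from the VoiceOps thread or from any SIP implementation discussed there. It assumes a minimal in-memory registrar, plain RFC 2617 MD5 digest (no qop), and constructed realm, credentials and IP addresses (`sip.example.invalid`, user `1001`, `198.51.100.10`, `203.0.113.7`); the `Registrar`, `handle_register` and `run_scenarios` names are the example's own.

```python
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass, field

REALM = "sip.example.invalid"          # constructed realm
USERS = {"1001": "correct-horse"}      # constructed credential store
NONCE_TTL = 60                         # seconds a challenge stays valid

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def md5hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 MD5 digest without qop, as used by basic SIP digest auth."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def build_auth(user, password, method, uri, nonce):
    # Client side: Authorization header value for a given challenge nonce.
    resp = digest_response(user, REALM, password, method, uri, nonce)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')


def parse_auth(header):
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        return {}
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(params)}


@dataclass
class Registrar:
    issued: dict = field(default_factory=dict)   # nonce -> (src_ip, issued_at)
    strikes: dict = field(default_factory=dict)  # src_ip -> attributable failures

    def handle_register(self, src_ip, request):
        """Return (outcome, nonce); outcome is 'challenge', 'ok',
        'bad-password' or 'unsolicited'. Only 'bad-password' adds a strike."""
        auth = request.get("Authorization")
        if auth is None:
            # Step 1: no credentials yet. Every registration starts here, so
            # answering 401 is not a failure and nothing is held against src_ip.
            nonce = secrets.token_hex(16)
            self.issued[nonce] = (src_ip, time.monotonic())
            return "challenge", nonce
        params = parse_auth(auth)
        origin = self.issued.pop(params.get("nonce", ""), None)  # single-use nonces
        if (origin is None or origin[0] != src_ip
                or time.monotonic() - origin[1] > NONCE_TTL):
            # Digest over a nonce we never issued to this address: the sender
            # never completed the 401 round trip, so the source address is
            # unverified and must not earn a strike (or a block-list entry).
            return "unsolicited", None
        user = params.get("username", "")
        expected = digest_response(user, REALM, USERS.get(user, ""),
                                   request["method"], params.get("uri", ""),
                                   params["nonce"])
        if user in USERS and hmac.compare_digest(
                expected.encode(), params.get("response", "").encode()):
            return "ok", None
        # A real round trip happened and the password was wrong: this failure
        # is attributable to src_ip.
        self.strikes[src_ip] = self.strikes.get(src_ip, 0) + 1
        return "bad-password", None


def run_scenarios():
    """Constructed traffic against one registrar; returns the outcomes."""
    reg, uri, out = Registrar(), f"sip:{REALM}", {}
    legit_ip, victim_ip = "198.51.100.10", "203.0.113.7"   # constructed addresses
    base = {"method": "REGISTER", "uri": uri}

    # Legitimate client: 401 challenge, then a correct digest over our nonce.
    _, nonce = reg.handle_register(legit_ip, dict(base))
    out["legit_ok"], _ = reg.handle_register(legit_ip, dict(
        base, Authorization=build_auth("1001", "correct-horse", "REGISTER", uri, nonce)))

    # Same client, mistyped password: a failure that really is theirs.
    _, nonce = reg.handle_register(legit_ip, dict(base))
    out["legit_bad"], _ = reg.handle_register(legit_ip, dict(
        base, Authorization=build_auth("1001", "wrong", "REGISTER", uri, nonce)))

    # REGISTER carrying the victim's source address and a digest over a nonce
    # this registrar never issued: the sender never saw any challenge.
    out["spoofed"], _ = reg.handle_register(victim_ip, dict(
        base, Authorization=build_auth("1001", "x", "REGISTER", uri, "00" * 16)))

    out["strikes"] = dict(reg.strikes)
    return out


if __name__ == "__main__":
    print(run_scenarios())
```

The point of the `unsolicited` outcome is that an auth failure only becomes evidence about a source address once that address has demonstrably received something from the registrar; a registrar that instead counts every REGISTER carrying a wrong digest will attribute spoofed traffic to whoever's address was forged.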