[VoiceOps] SBC's that drop traffic based on domain

Chet Curry CCurry at telovations.com
Thu Jun 16 16:58:18 EDT 2011



In an effort to mitigate DDOS attacks, I am trying to deny all traffic based on the request-uri host domain. The reason being, from what I see, is "most" attacks are sent to the SBC's IP address and does use the domain name. When the proper domain is supplied I would like to allow that packet. All others I will not respond to, period.

Example of hacker Request URI
Ex. INVITE sip100:199.44.55.22 SIP/2.0

Legit Request URI
Ex. INVITE sip:7724558787@voip.myvoice.net SIP/2.0



I have tried to create an HMR on ACME with little success. I can get the registers to not respond, yet only if sip:199.44.55.22 is used. If the attacker uses sip:100@199.44.55.22 the SBC still will respond with a 403.
Besides that, all invites are always responded to regardless, even though the HMR (Header Manipulation) should be using Invite and registration methods.

I have tried to get ACME to come up with a solution yet have been unsuccessful.  They will not even take my request for a feature enhancement.

Has anyone had any successful experience at implementing this on any other SBC platform? I know there are many ways to protect yourself from DDOS attacks, yet to me this is a simple first line of defense.

