[VoiceOps] SBC's that drop traffic based on domain
abalashov at evaristesys.com
Thu Jun 16 17:31:59 EDT 2011
On 06/16/2011 04:58 PM, Chet Curry wrote:
> In an effort to mitigate DDOS attacks I am trying to deny all traffic
> based on the request-uri host domain. The reason being from what I see
> is “most” attacks are sent to the SBC’s IP address and does use the
> domain name. When the proper domain is supplied I would like to allow
> that packet. All others I will not respond to, period.
> Example of hacker Request URI
> Ex. *INVITE* sip100:*184.108.40.206* SIP/2.0
> Legit Request URI
> Ex. *INVITE* sip:7724558787 at voip.*myvoice.net* SIP/2.0
> I have tried to create an HMR on ACME with little success. I can get the
> registers to not respond yet only if sip:220.127.116.11 is used. If the
> attacker uses sip:100 at 18.104.22.168 the SBC still will respond with a 403.
> Besides that, all invites are always responded to regardless, even though
> the HMR (Header Manipulation) should be using Invite and registration.
> I have tried to get ACME to come up with a solution yet have been
> unsuccessful. They will not even take my request for a feature enhancement.
> Has anyone had any successful experience at implementing this on any
> other SBC platform? I know there are many ways to protect yourself from
> DDOS attacks yet to me this is a simple first line of defense.
It's pretty trivial in Kamailio/OpenSER, and if you stuck it in front of
an Acme Packet you can make it extremely lightweight through stateless
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Atlanta, GA 30303
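
The check discussed in this thread, as an added example (not part of either post, and not Acme Packet HMR or Kamailio configuration): Python code that extracts the Request-URI host from a SIP request line and allows the request only when that host is a served domain, covering both the bare `sip:<ip>` form and the `sip:<user>@<ip>` form that the quoted rule missed. The domain `voip.example.net`, the 192.0.2.x addresses and the names `ALLOWED_HOSTS`, `ruri_host` and `verdict` are constructed for illustration.

```python
import re

# Assumption: placeholder for the SIP domain(s) the SBC actually serves.
ALLOWED_HOSTS = {"voip.example.net"}

# Request-Line = Method SP Request-URI SP SIP-Version (RFC 3261, section 7.1)
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
# sip/sips URI: scheme ":" [userinfo "@"] host [":" port] [;params] [?headers]
SIP_URI = re.compile(
    r"^sips?:(?:[^@]*@)?(\[[0-9A-Fa-f:.]+\]|[^:;?\[\]@]+)(?::\d+)?(?:[;?].*)?$",
    re.IGNORECASE,
)

def ruri_host(request_line):
    """Return the lower-cased Request-URI host, or None if the line is malformed."""
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return None
    u = SIP_URI.match(m.group(2))
    # Host names are case-insensitive; a trailing dot is the same FQDN.
    return u.group(1).lower().rstrip(".") if u else None

def verdict(request_line, allowed=ALLOWED_HOSTS):
    """'allow' only when the Request-URI host is a served domain.
    'drop' means discard silently: no 403 or any other SIP response."""
    return "allow" if ruri_host(request_line) in allowed else "drop"

# Constructed sample request lines (documentation addresses, not real traffic).
SAMPLES = [
    "INVITE sip:7724558787@voip.example.net SIP/2.0",      # proper domain
    "INVITE sip:7724558787@VOIP.Example.NET:5060;user=phone SIP/2.0",
    "REGISTER sip:192.0.2.50 SIP/2.0",                     # bare IP
    "INVITE sip:100@192.0.2.50 SIP/2.0",                   # user@IP
    "INVITE sip:voip.example.net@192.0.2.50 SIP/2.0",      # domain only in userinfo
    "OPTIONS sips:alice@[2001:db8::1]:5061 SIP/2.0",       # IPv6 literal
    "INVITE sip100:192.0.2.50 SIP/2.0",                    # malformed URI
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{verdict(line):5}  host={ruri_host(line)!r:22}  {line}")
```

Matching on the parsed host rather than on a substring of the URI is what keeps the `user@IP` and domain-in-userinfo cases from slipping through.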