[VoiceOps] SBC's that drop traffic based on domain

Alex Balashov abalashov at evaristesys.com
Thu Jun 16 17:31:59 EDT 2011

On 06/16/2011 04:58 PM, Chet Curry wrote:
> In an effort to mitigate DDOS attacks I am trying to deny all traffic
> based on the request-uri host domain. The reason being from what I see
> is “most” attacks are sent to the SBC’s IP address and does use the
> domain name. When the proper domain is supplied I would like to allow
> that packet. All others I will not respond to, period.
> Example of hacker Request URI
> Ex. *INVITE*sip100:**SIP/2.0
> Legit Request URI
> Ex. *INVITE*sip:7724558787 at voip.*myvoice.net*SIP/2.0
> I have tried to create an HMR on ACME with little success. I can get the
> registers to not respond yet only if sip: is used. If the
> attacker uses sip:100 at the SBC still will respond with a 403.
> Besides that, all invites are always responded to regardless even though
> the HMR(Header Manipulation) should be using Invite and registration
> methods.
> I have tried to get ACME to come up with a solution yet have been
> unsuccessful. They will not even take my request for a feature enhancement.
> Has anyone had any successful experience at implementing this on any
> other SBC platform? I know there are many ways to protect yourself from
> DDOS attacks yet to me this is a simple first line of defense.

It's pretty trivial in Kamailio/OpenSER, and if you stuck it in front of 
an Acme Packet you can make it extremely lightweight through stateless 

Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
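
Added example, not part of either poster's message and not Kamailio or Acme Packet configuration: a Python sketch of the decision this thread is about, allowing a SIP request only when its Request-URI host is the served domain and silently dropping everything else. The domain voip.example.net, the address 192.0.2.10 and the sample request lines are constructed placeholders.

```python
import re

ALLOWED_HOSTS = {"voip.example.net"}  # constructed placeholder for the served domain

# Request-Line = Method SP Request-URI SP SIP-Version (RFC 3261, section 7.1)
_REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
_SIP_URI = re.compile(
    r"^sips?:"                             # scheme
    r"(?:[^@]*@)?"                         # optional userinfo
    r"(\[[0-9A-Fa-f:.]+\]|[^@:;?\[\]]+)"   # host: IPv6 reference, name or IPv4
    r"(?::\d+)?"                           # optional port
    r"(?:[;?].*)?$",                       # uri-parameters / headers
    re.IGNORECASE,
)

def request_uri_host(request_line):
    """Return the lowercased Request-URI host, or None if it cannot be parsed."""
    m = _REQUEST_LINE.match(request_line.strip())
    if not m:
        return None
    u = _SIP_URI.match(m.group(2))
    if not u:
        return None
    return u.group(1).lower().rstrip(".")  # hostnames compare case-insensitively

def verdict(request_line, allowed=ALLOWED_HOSTS):
    """'allow' only on an exact host match; unparsable lines are dropped too."""
    return "allow" if request_uri_host(request_line) in allowed else "drop"

# Constructed sample request lines
SAMPLES = [
    "INVITE sip:7724558787@voip.example.net SIP/2.0",
    "INVITE sip:100@192.0.2.10 SIP/2.0",          # sent to the bare IP address
    "REGISTER sip:192.0.2.10 SIP/2.0",            # no user part, bare IP address
    "INVITE sip:100@VoIP.Example.NET:5060;user=phone SIP/2.0",
    "OPTIONS sip:100@voip.example.net.other.example SIP/2.0",  # suffix look-alike
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(verdict(line), line)
```

The match is an exact comparison on the parsed host, so a look-alike that merely starts with the served domain is dropped along with requests addressed to the IP.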
