[VoiceOps] SBC's that drop traffic based on domain

Alex Balashov abalashov at evaristesys.com
Thu Jun 16 17:31:59 EDT 2011


On 06/16/2011 04:58 PM, Chet Curry wrote:
> In an effort to mitigate DDOS attacks I am trying to deny all traffic
> based on the request-uri host domain. The reason being from what I see
> is “most” attacks are sent to the SBC’s IP address and does use the
> domain name. When the proper domain is supplied I would like to allow
> that packet. All others I will not respond to, period.
>
> Example of hacker Request URI
>
> Ex. INVITE sip100:199.44.55.22 SIP/2.0
>
> Legit Request URI
>
> Ex. INVITE sip:7724558787@voip.myvoice.net SIP/2.0
>
> I have tried to create an HMR on ACME with little success. I can get the
> registers to not respond yet only if sip:199.44.55.22 is used. If the
> attacker uses sip:100@199.44.55.22 the SBC still will respond with a 403.
>
> Besides that, all invites are always responded to regardless, even though
> the HMR (Header Manipulation) should be using Invite and registration
> methods.
>
> I have tried to get ACME to come up with a solution yet have been
> unsuccessful. They will not even take my request for a feature enhancement.
>
> Has anyone had any successful experience at implementing this on any
> other SBC platform? I know there are many ways to protect yourself from
> DDOS attacks yet to me this is a simple first line of defense.

It's pretty trivial in Kamailio/OpenSER, and if you stuck it in front of 
an Acme Packet you can make it extremely lightweight through stateless 
forwarding.

-- 
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
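
An added illustration of the filter discussed in this thread, written for this archive page and not taken from either poster, Kamailio, or Acme Packet: it parses the Request-URI host properly, so a user part in front of the IP (the `sip:100@199.44.55.22` case above) does not slip past the match. The function names, the `ALLOWED_HOSTS` set and the sample lines are assumptions constructed from the IP and domain quoted in the post.

```python
import re

# Assumption: the only domain this edge proxy serves, taken from the post's example.
ALLOWED_HOSTS = {"voip.myvoice.net"}

# RFC 3261 Request-Line: Method SP Request-URI SP SIP-Version
_REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
# sip:/sips: URI: optional userinfo@, host (name, IPv4 or [IPv6]),
# optional :port, then optional ;params or ?headers
_SIP_URI = re.compile(
    r"^sips?:(?:[^@]*@)?(\[[0-9A-Fa-f:.]+\]|[^:;?\[\]@]+)(?::\d+)?(?:[;?].*)?$",
    re.IGNORECASE,
)

def ruri_host(request_line):
    """Return the lower-cased Request-URI host, or None if the line is unparsable."""
    m = _REQUEST_LINE.match(request_line.strip())
    if not m:
        return None
    u = _SIP_URI.match(m.group(2))
    if not u:
        return None
    # Host names are case-insensitive; a trailing dot is the same FQDN.
    return u.group(1).lower().rstrip(".")

def verdict(request_line, allowed=ALLOWED_HOSTS):
    """'forward' when the R-URI host is a served domain, else 'drop' (send no reply)."""
    return "forward" if ruri_host(request_line) in allowed else "drop"

# Constructed request lines for illustration only.
SAMPLES = [
    "INVITE sip:7724558787@voip.myvoice.net SIP/2.0",          # legitimate
    "REGISTER sip:VOIP.MyVoice.net:5060;transport=udp SIP/2.0",  # case, port, params
    "REGISTER sip:199.44.55.22 SIP/2.0",                       # bare IP
    "INVITE sip:100@199.44.55.22 SIP/2.0",                     # user part + IP
    "INVITE sip:voip.myvoice.net@199.44.55.22 SIP/2.0",        # domain placed in user part
    "OPTIONS sip:100@voip.myvoice.net.example SIP/2.0",        # look-alike suffix
    "INVITE sip100:199.44.55.22 SIP/2.0",                      # malformed scheme
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{verdict(line):8} {line}")
```

Comparing the parsed host for equality, rather than searching the request line for the domain string, is what keeps the fifth and sixth samples from being forwarded.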

