[VoiceOps] SBC's that drop traffic based on domain

Chet Curry CCurry at telovations.com
Fri Jun 17 12:22:10 EDT 2011

I really wish your suggestion worked.  The SBC responds with 404 Registrar Not Found.  The intent is to drop the packet.

Here is an example of my existing HMR.  Invites are always responded to and any registration with a user at IP is responded to .  If the registration Request-URI has sip:IP then it blocks the packet.

Here is an example of the existing HMR.

### sip-manipulation ###

        name                           addRoute
                name                           isDomain
                header-name                    request-uri
                action                         store
                comparison-type                case-sensitive
                msg-type                       any
                methods                        INVITE,REGISTER
                        name                           isDom
                        type                           uri-host
                        action                         store
                        match-val-type                 any
                        comparison-type                case-sensitive
                        match-value                   generic.voip.net|genericlab.voip.net
                name                           addDisSA
                header-name                    Route
                action                         add
                comparison-type                boolean
                match-value                    !$isDomain.$isDom.$0
                msg-type                       any
                new-value                      "<sip:;lr>"

### session-agent ###

        port                           5060
        state                          disabled   <<<<<<<<<<
        app-protocol                   SIP
        transport-method               UDP
        realm-id                       core
        local-response-map             503Rogue  <<<<<<<<<<

### sip-response-map ###

        name                           503Rogue
                                       503 -> 677 (Rogue)

### sip-interface ###

        state                          enabled
        realm-id                       peer
                port                           5060
                transport-protocol             UDP
                allow-anonymous                all
        options                        dropResponse=677  <<<<<<<<<<

### realm-config ###

        identifier                     peer
        in-manipulationid              addRoute   <<<<<<<<<<

From: anorexicpoodle [mailto:anorexicpoodle at gmail.com]
Sent: Thursday, June 16, 2011 5:43 PM
To: Chet Curry
Cc: voiceops at voiceops.org
Subject: Re: [VoiceOps] SBC's that drop traffic based on domain

You should be able to facilitate this a few ways in the Acme, the first and easiest would be to not configure a port with the IP in the sip interface, and use only configure the domain name. The second would be to use HMR to inspect the inbound packets and drop them. Im sure there are other options as well.

On Thu, 2011-06-16 at 16:58 -0400, Chet Curry wrote:

In an effort to mitigate DDOS attack’s I am trying to deny all traffic based on the request-uri host domain.  The reason being from what I see is “most” attacks are sent to the SBC’s IP address and does use the domain name.  When the proper domain is supplied I would like to allow that packet.  All other I will not respond to period.

Example of hacker Requet URI

Ex. INVITE sip100: SIP/2.0

Legit Request URI

Ex. INVITE sip:7724558787 at voip.myvoice.net SIP/2.0

I have tried to create an HMR on ACME with little success.  I can get the registers to not respond yet only if sip: is use.  If the attacker uses sip:100 at the SBC still will respond with a 403.

Besides that All invites are always responded to regardless even though the HMR(Header Manipulation) should be using Invite and registration meathods.

I have tried to get ACME to come up with a solution yet have been unsuccessful.  They will not even take my request for a feature enhancement.

Has anyone had any successful experience at implementing this on any other SBC platform?  I know there are many ways to protect yourself from DDOS attacks yet  to me this is a simple first line of defense.

[cid:image001.png at 01CC2CE9.2E6B0730]


VoiceOps mailing list

VoiceOps at voiceops.org<mailto:VoiceOps at voiceops.org>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/voiceops/attachments/20110617/3886fee4/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 56691 bytes
Desc: image001.png
URL: <https://puck.nether.net/pipermail/voiceops/attachments/20110617/3886fee4/attachment-0001.png>

More information about the VoiceOps mailing list