<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.32.2">
</HEAD>
<BODY LINK="#0000ff">
Hmm that looks remarkably like what I am doing to block some other things with HMR and it seems to work flawlessly. <BR>
<BR>
Some suggestions: <BR>
<BR>
1: On the session agent set all the session cap settings (max-sessions, max-inbound-sessions, max-burst-rate, etc) to 1, also do this for the max-register-burst-rate and register-burst-window.<BR>
<BR>
2: You might try moving the dummy session agent to the same realm as the traffic thats coming in (peer realm?), i notice its in core, but no context is given on the HMR as to what realm it is applied to. Ill presume its the peer realm since that is the sip-interface you have shown. <BR>
<BR>
3: Im not sure what code youre running but if its 6.2 I believe that all this becomes purely academic and you can use the reject action in HMR and the need to do all the sleight of hand with the session agent becomes unnecessary.<BR>
<BR>
I have attached what ive been using for this purpose and it works surprisingly well (I am on 6.1 code so i cannot use the reject action). <BR>
<BR>
<BR>
<BR>
<BR>
On Fri, 2011-06-17 at 12:22 -0400, Chet Curry wrote:
<BLOCKQUOTE TYPE=CITE>
I really wish your suggestion worked. The SBC responds with 404 Registrar Not Found. The intent is to drop the packet. <BR>
<BR>
<BR>
<BR>
Here is an example of my existing HMR. Invites are always responded to and any registration with a user@IP is responded to . If the registration Request-URI has <A HREF="sip:IP">sip:IP</A> then it blocks the packet.<BR>
<BR>
<BR>
<BR>
Here is an example of the existing HMR. <BR>
<BR>
<BR>
<BR>
### sip-manipulation ###<BR>
<BR>
<BR>
<BR>
sip-manipulation<BR>
<BR>
name addRoute<BR>
<BR>
description<BR>
<BR>
header-rule<BR>
<BR>
name isDomain<BR>
<BR>
header-name request-uri<BR>
<BR>
action store<BR>
<BR>
comparison-type case-sensitive<BR>
<BR>
match-value<BR>
<BR>
msg-type any<BR>
<BR>
new-value<BR>
<BR>
methods INVITE,REGISTER<BR>
<BR>
element-rule<BR>
<BR>
name isDom<BR>
<BR>
parameter-name<BR>
<BR>
type uri-host<BR>
<BR>
action store<BR>
<BR>
match-val-type any<BR>
<BR>
comparison-type case-sensitive<BR>
<BR>
match-value generic.voip.net|genericlab.voip.net<BR>
<BR>
new-value<BR>
<BR>
header-rule<BR>
<BR>
name addDisSA<BR>
<BR>
header-name Route<BR>
<BR>
action add<BR>
<BR>
comparison-type boolean<BR>
<BR>
match-value !$isDomain.$isDom.$0<BR>
<BR>
msg-type any<BR>
<BR>
new-value "<<A HREF="sip:1.2.3.4;lr">sip:1.2.3.4;lr</A>>"<BR>
<BR>
methods<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
### session-agent ###<BR>
<BR>
<BR>
<BR>
session-agent<BR>
<BR>
hostname 1.2.3.4<BR>
<BR>
ip-address 1.2.3.4<BR>
<BR>
port 5060<BR>
<BR>
state disabled <<<<<<<<<<<BR>
<BR>
app-protocol SIP<BR>
<BR>
app-type<BR>
<BR>
transport-method UDP<BR>
<BR>
realm-id core<BR>
<BR>
local-response-map 503Rogue <<<<<<<<<<<BR>
<BR>
<BR>
<BR>
### sip-response-map ###<BR>
<BR>
<BR>
<BR>
response-map<BR>
<BR>
name 503Rogue<BR>
<BR>
entries<BR>
<BR>
503 -> 677 (Rogue)<BR>
<BR>
<BR>
<BR>
### sip-interface ###<BR>
<BR>
<BR>
<BR>
sip-interface<BR>
<BR>
state enabled<BR>
<BR>
realm-id peer<BR>
<BR>
description<BR>
<BR>
sip-port<BR>
<BR>
address 192.168.0.3<BR>
<BR>
port 5060<BR>
<BR>
transport-protocol UDP<BR>
<BR>
tls-profile<BR>
<BR>
allow-anonymous all<BR>
<BR>
ims-aka-profile<BR>
<BR>
carriers<BR>
<BR>
options dropResponse=677 <<<<<<<<<<<BR>
<BR>
<BR>
<BR>
### realm-config ###<BR>
<BR>
<BR>
<BR>
realm-config<BR>
<BR>
identifier peer<BR>
<BR>
in-manipulationid addRoute <<<<<<<<<<<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
<B>From:</B> anorexicpoodle [mailto:anorexicpoodle@gmail.com] <BR>
<B>Sent:</B> Thursday, June 16, 2011 5:43 PM<BR>
<B>To:</B> Chet Curry<BR>
<B>Cc:</B> voiceops@voiceops.org<BR>
<B>Subject:</B> Re: [VoiceOps] SBC's that drop traffic based on domain<BR>
<BR>
<BR>
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
<BR>
<BR>
You should be able to facilitate this a few ways in the Acme, the first and easiest would be to not configure a port with the IP in the sip interface, and use only configure the domain name. The second would be to use HMR to inspect the inbound packets and drop them. Im sure there are other options as well.<BR>
<BR>
On Thu, 2011-06-16 at 16:58 -0400, Chet Curry wrote: <BR>
<BR>
<BR>
<BR>
<BR>
<BR>
In an effort to mitigate DDOS attack’s I am trying to deny all traffic based on the request-uri host domain. The reason being from what I see is “most” attacks are sent to the SBC’s IP address and does use the domain name. When the proper domain is supplied I would like to allow that packet. All other I will not respond to period.<BR>
<BR>
<BR>
<BR>
Example of hacker Requet URI<BR>
<BR>
Ex. <B>INVITE</B> sip100:<B>199.44.55.22</B> SIP/2.0<BR>
<BR>
<BR>
<BR>
Legit Request URI<BR>
<BR>
Ex. <B>INVITE</B> <A HREF="sip:7724558787@voip.myvoice.net">sip:7724558787@voip.</A><B><A HREF="sip:7724558787@voip.myvoice.net">myvoice.net</A></B> SIP/2.0<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
I have tried to create an HMR on ACME with little success. I can get the registers to not respond yet only if <A HREF="sip:199.44.55.22">sip:199.44.55.22</A> is use. If the attacker uses <A HREF="sip:100@199.44.55.22">sip:100@199.44.55.22</A> the SBC still will respond with a 403. <BR>
<BR>
Besides that All invites are always responded to regardless even though the HMR(Header Manipulation) should be using Invite and registration meathods.<BR>
<BR>
<BR>
<BR>
I have tried to get ACME to come up with a solution yet have been unsuccessful. They will not even take my request for a feature enhancement. <BR>
<BR>
<BR>
<BR>
Has anyone had any successful experience at implementing this on any other SBC platform? I know there are many ways to protect yourself from DDOS attacks yet to me this is a simple first line of defense.<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<IMG SRC="cid:image001.png@01CC2CE9.2E6B0730" WIDTH="624" HEIGHT="499" ALIGN="bottom" ALT="Description: signature2" BORDER="0"><BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<BLOCKQUOTE>
<PRE>
_______________________________________________
VoiceOps mailing list
<A HREF="mailto:VoiceOps@voiceops.org">VoiceOps@voiceops.org</A>
<A HREF="https://puck.nether.net/mailman/listinfo/voiceops">https://puck.nether.net/mailman/listinfo/voiceops</A>
</PRE>
</BLOCKQUOTE>
<BR>
<BR>
<BR>
<BR>
</BLOCKQUOTE>
<BR>
</BODY>
</HTML>