On Jan 16, 2008 6:47 PM, Trixter aka Bret McDanel <[EMAIL PROTECTED]> wrote:
> On Thu, 2008-01-17 at 10:33 +1100, Craig Lawrence wrote:
> > I was simply asking whether any other service provider had found a
> > workaround for the issue. To ask a tech question on a biz list is simply
> > not kosher / Halal / Vegan or whatever.
> >
> Yeah, although this did have a tie into the business case for iax, or
> lack thereof, and why it just doesn't make business sense to me to do
> it.
>
> So as it stands now only one person said they did but they think it may
> have been before some of the more recent changes, so it's a 'maybe' with
> current code as originally asked.
>
> To bring this back to a biz situation, do you enable any type of DDoS
> mitigation techniques with iax? If so what products do you use?
>
> Given that media and signalling are on the same port, and generally
> sender port/ip will be the same for multiple calls, simple rate limiting
> isn't really a good option. This means that you can run the risk of
> either having that port open to the world for flooding or have some
> controls that degrade customer call quality. Either is bad.
>
> If there is a reasonable solution for that, even if commercial, I would
> like to know since there isn't a good business case for that much
> exposure in my mind.
>
> > BTW - to use the term "Telco Grade Asterisk" is possibly premature.
> >
> never have :)
>

A server behind a firewall with OpenVPN and a single port open, customers set up to connect over VPN.

An appliance before the asterisk box with ACLs or a PIX that is updated to let specific inbound traffic by IP.

At what level do accept and deny either in IPtables or iax.conf work? I suppose they wouldn't really stop a true DDoS attack.

There are certainly appliances that can detect DoS attacks and block them.

http://www.radware.com/Products/ApplicationNetworkSecurity/default.aspx?source=google&gclid=CKyq0s7--5ACFQNzHgod7GcIrA

I am a huge fan of OpenVPN.

Thanks,
Steve Totaro
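Added example, not part of the original thread: a small model of the trade-off raised above, where a per-source packet limit on the single IAX port is either tight enough to cut into a multi-call trunk or loose enough to keep admitting a flood. The 50 packets/s per call figure (20 ms frames), the limits, the source labels and the flood rate are all assumptions constructed for illustration.

```python
from collections import defaultdict

PPS_PER_CALL = 50  # assumption: 20 ms frames, one direction of one call

class TokenBucket:
    """Per-source packet limiter: `rate` packets/s, bucket depth `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        # Refill for the elapsed time, capped at the bucket depth.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def simulate(sources, limit_pps, seconds=5):
    """sources maps a source IP:port label to its offered packets/s.
    Returns {label: {"loss": fraction dropped, "admitted_pps": average passed}}."""
    buckets = {name: TokenBucket(limit_pps, limit_pps) for name in sources}
    # Media and signalling share one port, so the limiter only sees one
    # evenly spaced packet stream per source, however many calls it carries.
    events = sorted((i / pps, name) for name, pps in sources.items()
                    for i in range(pps * seconds))
    sent, passed = defaultdict(int), defaultdict(int)
    for t, name in events:
        sent[name] += 1
        if buckets[name].allow(t):
            passed[name] += 1
    return {name: {"loss": 1 - passed[name] / sent[name],
                   "admitted_pps": passed[name] / seconds} for name in sources}

# Constructed traffic mix (labels and rates are hypothetical).
SOURCES = {
    "single_phone": 1 * PPS_PER_CALL,
    "trunk_10_calls": 10 * PPS_PER_CALL,  # ten calls from one IP:port
    "flood_source": 5000,
}

if __name__ == "__main__":
    for limit in (100, 1000):
        print(f"per-source limit {limit} pps")
        for name, r in simulate(SOURCES, limit).items():
            print(f"  {name:15s} loss={r['loss']:.0%} admitted={r['admitted_pps']:.0f} pps")
```

With the 100 pps limit the ten-call trunk loses most of its packets; with the 1000 pps limit the trunk is untouched but the flood source still gets more than 1000 packets/s through to the Asterisk host.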
