Trixter aka Bret McDanel wrote:
> On Thu, 2008-01-17 at 15:47 +1300, Matt Riddell wrote:
>> You can't really block a DDoS attack - if you have 10Mbit of bandwidth
>> it takes 10Mbit of traffic to DDoS you. If you have 100Mbit then it
>> will take 100Mbit. The only way to avoid it is to get someone upstream
>> with more bandwidth to block it.
>
> no but iax makes it harder to do mitigation techniques. This is because
> media and signalling are on the same port. Why I was asking about that
> specifically.
>
> You can't rate limit packets very well since 10 calls from a given
> endpoint will look the same on an IP level as 1 call, just a larger
> volume, so if you do rate limit the audio quality, and potentially
> signalling information will be impaired.

I agree if you're talking about DDoS via amplification attack or resource exhaustion, but anyone who seriously wants to take you out will just increase the rate.

I guess if you're not doing any VoIP and yet have remote logins permitted on the machine that rate limiting packets might solve it, but most people who have SIP/IAX2 accessible from the Internet will be doing so for a reason.

I suppose if you're trying to protect against someone who has a megabit or two at their disposal then rate limiting them at ingress may help.

But surely you could do this on packets from an address for an IAX2 destination.

Unless it's someone doing something "bad" from inside a company you normally consider "good".

Also, if your only place you can drop packets is closer in to the PBX/Switch then maybe you don't know the source address and again in this case it may be easier to limit SIP than IAX2.

--
Kind Regards,

Matt Riddell
Director
_______________________________________________
http://www.venturevoip.com (Great new VoIP end to end solution)
http://www.venturevoip.com/news.php (Daily Asterisk News - html)
http://www.venturevoip.com/newrssfeed.php (Daily Asterisk News - rss)
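
The trade-off debated in this message, as an added example that is not part of the original post: a per-source token bucket on the single IAX2 port, run over constructed traffic. The 20 ms frame interval, the 60 packets-per-second limit and the documentation-range addresses are assumptions made for the illustration.

```python
from collections import defaultdict

PPS_PER_CALL = 50  # assumption: one IAX2 voice frame per 20 ms, trunk mode off

class PerSourceLimiter:
    """Token bucket keyed on source IP, applied to the single IAX2 UDP port."""

    def __init__(self, rate_pps, burst):
        self.rate, self.burst = rate_pps, burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last = {}

    def allow(self, src, now):
        elapsed = now - self.last.get(src, now)
        self.last[src] = now
        self.tokens[src] = min(self.burst, self.tokens[src] + elapsed * self.rate)
        if self.tokens[src] >= 1.0:
            self.tokens[src] -= 1.0
            return True
        return False  # dropped: could be audio or signalling, the limiter can't tell

def simulate(sources, seconds=2, rate_pps=60, burst=60):
    """sources maps IP -> load in units of one call. Returns IP -> (sent, dropped)."""
    limiter = PerSourceLimiter(rate_pps, burst)
    packets = sorted(
        (i / (load * PPS_PER_CALL), ip)
        for ip, load in sources.items()
        for i in range(load * PPS_PER_CALL * seconds)
    )
    stats = {ip: [0, 0] for ip in sources}
    for now, ip in packets:
        stats[ip][0] += 1
        if not limiter.allow(ip, now):
            stats[ip][1] += 1
    return {ip: tuple(counts) for ip, counts in stats.items()}

# Constructed traffic (documentation address ranges, not real hosts).
SAMPLE = {
    "192.0.2.10": 1,       # handset with one call
    "198.51.100.20": 10,   # legitimate office with ten concurrent calls
    "203.0.113.30": 100,   # flood, same packet shape at 100x the rate
}

if __name__ == "__main__":
    for ip, (sent, dropped) in simulate(SAMPLE).items():
        print(f"{ip:15} sent={sent:6} dropped={dropped:6} ({dropped / sent:.0%})")
```

With a limit sized for one call, the single-call source passes untouched while the ten-call office loses roughly four packets in five, the same treatment the flood receives.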
