On Tue, Sep 26, 2006 at 05:02:56PM -0500, Jason Parker wrote:
> Let's look at other apps (say, apache) for an example of something
> similar. What happens if you throw thousands of requests at apache per
> second? It's going to die. And why shouldn't it? Stuff like this, in my
> opinion, is best handled at the firewall level, or perhaps with a load
> balancer of sorts.

I think you may be comparing apples and oranges there.

HTTP runs over TCP. There are well-known denial of service attacks against TCP (e.g. half-open connections from spoofed source IP addresses) and well-known defences which can be implemented in the kernel or in firewalls (e.g. syn cookies). Therefore by the time Apache sees an incoming TCP request, these have been filtered out.

SIP generally runs over UDP, and so you don't get this protection. In fact there's very little generic protection that the kernel could offer.

In both Apache and Asterisk, as you say, if you overload the system with a large number of *valid* requests then they may fall over. I suspect that's not actually the problem under discussion; rather, that there are specific denial-of-service attacks of the spoofed IP variety against SIP.

However, without disclosure of what the actual attacks under consideration are, then it's very difficult to be specific about how they could be handled. Equally, it's clear that any sort of attack can be managed by a firewall if it is sophisticated enough. But how many firewalls have full application-layer stateful support for SIP? And if there are any, which ones have been tested with Asterisk and certified by Digium?

Regards,

Brian.

_______________________________________________
--Bandwidth and Colocation provided by Easynews.com --

asterisk-dev mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-dev
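The gap Brian describes, that a UDP-based SIP listener never gets the handshake-level filtering TCP and SYN cookies give Apache, can be illustrated with a small rate limiter in front of a SIP request parser. The following is an added example, not code from the thread, from Asterisk or from Digium; the sample packets, the address ranges and the limits are constructed for illustration. It applies a per-source sliding-window limit, which catches a single noisy source, and a global limit as a backstop for the case the message raises: a wave where every datagram carries a different spoofed source address, so no per-source counter ever trips. The backstop is deliberately crude, since under such a wave it also drops legitimate callers, which is exactly the trade-off a connectionless protocol leaves to the application.

```python
"""Per-source and global rate limiting of SIP requests arriving over UDP.

Added example (not from the asterisk-dev thread). The sample packets,
limits and addresses below are constructed for illustration.
"""
from collections import defaultdict, deque

# The six core request methods defined in RFC 3261.
SIP_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER"}

# Constructed sample traffic: (timestamp in seconds, source IP, SIP request line).
SAMPLE_PACKETS = (
    # Three ordinary INVITEs from one phone, spaced 200 ms apart.
    [(0.0 + i * 0.2, "10.0.0.5", "INVITE sip:bob@example.com SIP/2.0") for i in range(3)]
    # One datagram that is not a SIP request line at all.
    + [(0.5, "10.0.0.7", "GARBAGE")]
    # A burst of ten OPTIONS from a single source within half a second.
    + [(5.0 + i * 0.05, "10.0.0.9", "OPTIONS sip:pbx.example.com SIP/2.0") for i in range(10)]
    # A wave of 25 INVITEs in 250 ms, each from a different (spoofable) source address.
    + [(10.0 + i * 0.01, f"198.51.100.{i + 1}", "INVITE sip:alice@example.com SIP/2.0")
       for i in range(25)]
)


def parse_request_line(line):
    """Split a SIP request line into (method, request-URI, version).

    Raises ValueError for anything that is not 'METHOD URI SIP/2.0' with a
    known method, so junk datagrams are rejected before any state is kept.
    """
    parts = line.strip().split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0" or parts[0] not in SIP_METHODS:
        raise ValueError(f"not a SIP request line: {line!r}")
    return parts[0], parts[1], parts[2]


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)  # key -> timestamps still inside the window

    def allow(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window:  # expire old events
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def classify(packets, per_source_limit=5, global_limit=20, window=1.0):
    """Return (timestamp, source, method, verdict) for each packet in time order.

    Verdicts: "allow", "drop:malformed", "drop:per-source", "drop:global".
    A packet dropped by the per-source limiter is not counted globally.
    """
    per_source = SlidingWindowLimiter(per_source_limit, window)
    overall = SlidingWindowLimiter(global_limit, window)
    verdicts = []
    for ts, src, line in sorted(packets):
        try:
            method, _, _ = parse_request_line(line)
        except ValueError:
            verdicts.append((ts, src, None, "drop:malformed"))
            continue
        if not per_source.allow(src, ts):
            verdicts.append((ts, src, method, "drop:per-source"))
        elif not overall.allow("*", ts):
            verdicts.append((ts, src, method, "drop:global"))
        else:
            verdicts.append((ts, src, method, "allow"))
    return verdicts


def summarize(verdicts):
    """Count verdicts, e.g. {"allow": 28, "drop:per-source": 5, ...}."""
    counts = defaultdict(int)
    for _, _, _, verdict in verdicts:
        counts[verdict] += 1
    return dict(counts)


if __name__ == "__main__":
    results = classify(SAMPLE_PACKETS)
    for ts, src, method, verdict in results:
        if verdict != "allow":
            print(f"{ts:6.2f} {src:15} {method or '-':8} {verdict}")
    print(summarize(results))
```

Running the block shows the single-source burst being cut at five requests per second while the spoofed wave sails past the per-source counters and is only stopped, after twenty packets, by the global limit. Nothing here distinguishes a spoofed INVITE from a real one, because a UDP datagram carries no proof that its source address is reachable; that is the protection a TCP handshake provides for free and the reason a SIP-aware firewall needs application-layer state rather than just address counting.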
