Take a look at IKE, the Internet Key Exchange protocol used in IPSEC. It issues a challenge-response to weed out spoofed addresses. So, it has DDoS protection built in. Sadly, most legacy protocols don't. TCP has had RST and SYN cookies "hacked" into it, as well as MD5 preshared keys.
The basic security flaw of the internet is the DDoS, a flood of packets with spoofed source addresses. I don't know of any backbone networks which do ingress filtering, so most of the time you need to take the approach of IPSEC. If your connection is filled up by the resulting traffic, well then you're out of luck.

It is possible to mitigate a DDoS flood from "the internet", if your network (Autonomous System) has some non-transit peers, such as private peering, or public peering at an internet exchange. Your network (or preferably your peer's) can do address filtering, such that spoofed addresses are minimized. You can then prioritize those peers/networks such that a flood from "the internet" will only cut off traffic from "the internet", and your peer networks with the heightened security (ingress filtering) can enjoy uninterrupted VOIP (and other services).

To be clear, I believe the DDoS issues can only be addressed at the Autonomous System level, which is typically an ISP or large hosting company.

Regards,
Jeremy

On Thu, 2008-01-31 at 01:52 +1100, Duane wrote:
> Abu 'Ubayd Fadil wrote:
>
> > If someone is flooding 100,000 INVITE packets to Asterisk, then what
> > should we do? Because we know, filtering the packets would only increase
> > the workload..
>
> Maybe have a look how other software has dealt with the issue...

--
Jeremy Jackson
W: (419)489-4903
Coplanar Networks
http://www.coplanar.net

_______________________________________________
asterisk-security mailing list
http://lists.digium.com/mailman/listinfo/asterisk-security
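The stateless challenge-response the post credits to IKE (and to SYN cookies), worked through as an added example; this is not code from the thread, from Asterisk, or from any IKE implementation. A hypothetical `CookieResponder` answers an unauthenticated first-contact packet (think of the 100,000 INVITEs above) with an HMAC cookie computed over the claimed source address and a time slot, keeps no per-source state, and only creates a session when the same source echoes the cookie back. A sender that spoofed its address never receives the challenge, so the flood costs the responder one HMAC and one small reply per packet and nothing else. The secret, the addresses and the flood in `simulate_flood` are constructed for the demo.

```python
import hashlib
import hmac
import os


class CookieResponder:
    """Hypothetical stateless cookie responder (added example, not Asterisk code).

    Modelled on the IKE/SYN-cookie idea: a first-contact request gets a cookie
    derived from the claimed source address; state is allocated only when that
    source echoes the cookie back, which a spoofing sender can never do.
    """

    def __init__(self, secret=None, window=60):
        self.secret = secret if secret is not None else os.urandom(32)
        self.window = window      # seconds one cookie slot stays valid
        self.sessions = {}        # per-source state, created only after a valid echo

    def _cookie(self, src_ip, src_port, slot):
        # HMAC over the claimed source and a time slot; nothing is stored per source.
        msg = f"{src_ip}:{src_port}:{slot}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:16]

    def first_contact(self, src_ip, src_port, now):
        """Reply to an unauthenticated first packet with a challenge only."""
        return self._cookie(src_ip, src_port, int(now // self.window))

    def echo(self, src_ip, src_port, cookie, now):
        """Accept the retried request if the cookie matches this source.

        The current and the previous slot are accepted so a client retrying just
        after a slot boundary is not rejected; anything older is stale.
        """
        slot = int(now // self.window)
        for s in (slot, slot - 1):
            if hmac.compare_digest(cookie, self._cookie(src_ip, src_port, s)):
                self.sessions[(src_ip, src_port)] = now
                return True
        return False


def simulate_flood(spoofed_packets=100_000, now=1_000_000.0):
    """Constructed scenario: a spoofed flood, a forged echo, one real client, a replay.

    Returns (sessions after the flood, real client accepted, sessions after the
    real client, forged cookie accepted, stale cookie accepted).
    """
    r = CookieResponder(secret=b"constructed-demo-secret")

    # Attacker sprays first-contact packets with made-up source addresses.
    # The responder answers each with a cookie it does not remember.
    for i in range(spoofed_packets):
        r.first_contact(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", 5060, now)
    after_flood = len(r.sessions)

    # Attacker guesses: a cookie issued for one address echoed from another.
    forged = r.echo("192.0.2.99", 5060, r.first_contact("192.0.2.1", 5060, now), now)

    # A real client actually receives its challenge and retries with it.
    c = r.first_contact("192.0.2.10", 5060, now)
    real = r.echo("192.0.2.10", 5060, c, now + 1)
    after_real = len(r.sessions)

    # Replaying that cookie three windows later is rejected.
    stale = r.echo("192.0.2.10", 5060, c, now + 3 * r.window)
    return after_flood, real, after_real, forged, stale


if __name__ == "__main__":
    print(simulate_flood())
```

Two caveats a practitioner would want. The challenge is itself a packet sent to the claimed (possibly spoofed) address, so the reply must be no larger than the request or the responder becomes a reflector. And, as the post says, this only saves the server's state and CPU; once the link itself is full, no cookie helps, which is why the remainder of the argument moves to ingress filtering and peering at the Autonomous System level.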
