On 6/30/08, randulo <[EMAIL PROTECTED]> wrote:
> Someone should write an asterisk-centric document on this topic, it's
> likely to become an issue "someday". Sounds like a great subject for
> VoIP Users Conference as well. Any volunteers?
>
iptables string and limit matching could be a start, although I don't really know how well it does with fragments (or if that would even be an issue - especially with UDP). Anyways, it would be cool to develop something with iptables string, limit, and maybe even the Asterisk DB for SIP registries. For instance:

- Allow "unknown" addresses to REGISTER/INVITE at a "normal" rate (10 pkts / minute, or something). Figure that would allow 10 INVITEs (calls) per minute (2 INVITEs per authenticated call).

- Allow "good" addresses (registered from the Asterisk db or previously known good) to pass SIP traffic at a greater rate (maybe even wide open). One could use something unique from the request if they wished - matching on the user agent from the Asterisk SIP DB, for example.

This could get tricky... You'd have to be able to look at 407s and INVITEs/REGISTERs with and without nonces to do the job right. It would be neat to do this without having to jump into userland too much in iptables/netfilter.

Does anyone want to write a kernel module? ;)

--
Kristian Kielhofner
NOT sent from my iPhone or Blackberry
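The rate-limiting idea from the message above, as an added example that is not part of the original post: a shell function that prints an iptables/ipset ruleset without applying it. The chain name SIP_FILTER, the set name sip_good, UDP port 5060, the burst of 10 and the one-hour set timeout are assumptions, and the hashlimit match is swapped in for plain limit so that each source address gets its own bucket.

```shell
#!/bin/sh
# Added example: prints the rules only. Review the output, then pipe it
# to `sh` as root to apply. All names below are assumptions, not from the post.

SIP_PORT=5060            # assumed: SIP over UDP on the default port
UNKNOWN_RATE=10/minute   # the "normal" rate suggested in the message
BURST=10                 # assumed burst size
CHAIN=SIP_FILTER         # hypothetical chain name
GOOD_SET=sip_good        # hypothetical ipset holding "good" addresses

sip_rules() {
    # Set of known-good peers. A separate job would fill it from the
    # Asterisk registry, e.g. `ipset add sip_good 192.0.2.10`.
    # Entries expire after an hour (assumed) unless refreshed.
    echo "ipset -exist create $GOOD_SET hash:ip timeout 3600"

    echo "iptables -N $CHAIN"
    echo "iptables -A INPUT -p udp --dport $SIP_PORT -j $CHAIN"

    # "Good" addresses pass SIP traffic wide open.
    echo "iptables -A $CHAIN -m set --match-set $GOOD_SET src -j ACCEPT"

    # Unknown addresses: match the request line with the string module,
    # accept up to the rate per source IP, drop whatever exceeds it.
    for method in REGISTER INVITE; do
        match="-m string --algo bm --string '$method sip:'"
        echo "iptables -A $CHAIN $match -m hashlimit" \
             "--hashlimit-name sip_$method --hashlimit-mode srcip" \
             "--hashlimit-upto $UNKNOWN_RATE --hashlimit-burst $BURST -j ACCEPT"
        echo "iptables -A $CHAIN $match -j DROP"
    done
    # Anything else (responses, ACK, BYE, ...) falls off the end of the
    # chain and returns to INPUT for the normal policy to decide.
}

sip_rules
```

Because REGISTER and INVITE arrive twice per authenticated transaction (once without and once with credentials), the per-source rate counts both packets, which is the 407 handling the message points out as the tricky part.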
