Dan Pascu wrote:
On Thursday 13 September 2007, Juha Heinanen wrote:
Bogdan-Andrei Iancu writes:
 > Are you referring to the pending patch for spoofing the source of
 > the ping (to a non local IP).

i didn't remember that there was such a pending patch, but, yes, i was
thinking about spoofing the source address/port to correspond to those of
a load balancer in front of the proxies.

One problem with this is that most of the internet service providers will block IP packets that have a source address not in the originating network to limit DoS attacks and other security-related problems. As a consequence, this will only work if the spoofed address is in the same LAN with the proxy, but it will almost certainly fail if your load balancer is in another location.

Yes - that is true. But I think usually the LB is in the same data center as the SIP proxies - and if your SIP service is so big that you have geographical distribution, I guess you can arrange it with your provider (or be an ISP yourself).

But one more thing: if there are multiple LBs, e.g. using SRV, it would be great to store the received socket of the LB in the userloc table too (e.g. via a proprietary header sent by the LB/P-CSCF to the SIP proxy). Then the natping also fetches this column from the DB and uses the socket as the spoofed source socket. Of course this only works for UDP.

regards
klaus
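
The selection logic proposed in the message above, as an added example (not part of the thread and not OpenSER code): the proxy stores the LB socket only when the header arrives from a known LB and names a known LB socket, and falls back to its own socket for non-UDP contacts. The header name `X-LB-Socket`, its `proto:ip:port` format, the function names and all addresses are assumptions constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

# Everything below is assumed for illustration (constructed values).
LB_HEADER = "x-lb-socket"                      # hypothetical proprietary header
LB_PEERS = {"10.0.0.5", "10.0.0.6"}            # addresses the proxy sees LBs send from
LB_SOCKETS = {("198.51.100.5", 5060), ("198.51.100.6", 5060)}  # LB client-facing sockets


class Socket(NamedTuple):
    proto: str
    ip: str
    port: int


def parse_socket(value: str) -> Optional[Socket]:
    """Parse 'udp:198.51.100.5:5060' (IPv4 only); None if malformed."""
    parts = value.strip().split(":")
    if len(parts) != 3:
        return None
    try:
        ip, port = str(ipaddress.IPv4Address(parts[1])), int(parts[2])
    except ValueError:
        return None
    if not 0 < port < 65536:
        return None
    return Socket(parts[0].lower(), ip, port)


def socket_to_store(headers: dict, src_ip: str) -> Optional[Socket]:
    """At REGISTER: value for the extra location column, or None."""
    if src_ip not in LB_PEERS:
        return None  # header from anyone but a known LB is ignored
    hdrs = {k.lower(): v for k, v in headers.items()}
    sock = parse_socket(hdrs.get(LB_HEADER, ""))
    if sock is None or sock.proto != "udp" or (sock.ip, sock.port) not in LB_SOCKETS:
        return None
    return sock


def ping_source(stored: Optional[Socket], contact_proto: str, local: Socket) -> Socket:
    """At ping time: LB socket for UDP contacts, the proxy's own socket otherwise."""
    usable = stored is not None and (stored.ip, stored.port) in LB_SOCKETS
    if usable and contact_proto.lower() == "udp":
        return stored
    return local
```

Re-checking the stored socket against the LB list at ping time keeps a stale or tampered database row from steering the ping source to an arbitrary address.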
