On Sun, Feb 22, 2009 at 11:55 PM, Hadriel Kaplan <[email protected]> wrote:
> Yup, these are essentially the same as IP-PBX trunks. I don't know of many
> that allow requests in from truly unknown sources, though - they usually know
> the remote devices in advance, even when ENUM is used - so if they wanted to
> they could use IPSec or TLS if this became a problem. (some do today, but
> many don't - it seems many peer over private connections anyway)

I believe (hope!) that these are going to get more common! ... the driving reason behind me doing this was running through security issues for deployment of public gateways for the 4.4.e164.arpa go-live date on March 11th (at *last*). While I'd love the world to change to TCP/TLS overnight, I just don't see it happening ... just "'cause UDP can be used for attacking 3rd parties".

Even if SBCs may not be commonly deployed in that way, there are certainly millions of SIP devices that are. Think of all the Asterisk machines hosted on public IPs, for example.

> Essentially what you're proposing seems to me similar in concept to
> syncookies, but at the next layer up.

Yeah, it is - in fact that's probably why I subconsciously called them via cookies :-)

> Your point is that botnets can take advantage of the SBC's to amplify their
> attacks on other UA's, right?

No! Attacking UAs isn't really that much of a worry (as 401/407 can "fix" that, especially as UDP scales so well). It's that you can use SBCs to amplify attacks on anything you like. Botnets can take advantage of SIP elements to attack anything, not just UAs. "Anything" could be a DNS server, mail server, web server, or anything with a routable IP, just due to the sheer number of PPS and throughput saturating links.

> I mean it's a botnet, so you have enough resources to cause a resource
> exhaustion attack on any UA's, and who cares if they can trace it?

Because it's another layer of indirection as well as amplification. Indirection makes traceability harder, which means longer before machines initiating attacks get discovered. Amplification means networks hosting the zombies are less likely to notice initially. So it's a double fail for us :-)

> Yup, either cookie or auth would solve it, but my guess is we'd still want to
> blacklist if it's more than a short-lived event. That's what happens now:
> you get some leeway for a short while, but eventually you get kicked out for
> a longer period of time, because as far as we know you've got a broken UA or
> someone's learned your info, and we can't let you affect the overall network.

Let's say I have a 2mbit link at home. Given the 1:350 example, I could theoretically generate a 700mbit attack against anything I wanted. In the case of a botnet, they can use 4000 machines sending out a single 500 byte INVITE every second, which would result in the same thing.

~ Theo

_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [email protected] for questions on current sip
Use [email protected] for new developments on the application of sip
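The thread compares the proposed "via cookies" to TCP syncookies one layer up: an SBC should not do any expensive or amplifying work for a UDP source it has never heard from, but should also not need per-request state to check that. The sketch below is an added illustration of that idea and is not Theo's proposal, nor code from any SIP implementation; the exact cookie construction (an HMAC over the claimed source address, port, Call-ID and a coarse time slot), the two-slot validity window, and the shape of the challenge reply are all assumptions made for the example. A spoofed source never receives the cookie, so the server never processes or relays the INVITE on its behalf, while a real UA simply retries once with the cookie it was handed.

```python
import hashlib
import hmac
import time

# Constructed example: a stateless return-routability cookie for SIP over UDP,
# in the spirit of TCP syncookies. An unverified INVITE is answered only with a
# small challenge carrying a cookie bound to the claimed source; the INVITE is
# not processed until a retry presents a valid cookie. The server keeps no
# per-request state because it can recompute the HMAC on the way back in.


class ViaCookieGuard:
    """Issue and verify HMAC cookies bound to (src_ip, src_port, Call-ID, slot)."""

    def __init__(self, secret: bytes, ttl: int = 30, clock=time.time):
        self.secret = secret   # server-side secret; rotate it periodically
        self.ttl = ttl         # width of one validity slot, in seconds
        self.clock = clock     # injectable so the window can be tested

    def _slot(self) -> int:
        return int(self.clock()) // self.ttl

    def _mac(self, src_ip: str, src_port: int, call_id: str, slot: int) -> str:
        msg = f"{src_ip}|{src_port}|{call_id}|{slot}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:32]

    def challenge(self, src_ip: str, src_port: int, call_id: str) -> str:
        """Cookie to hand back to an unverified source: '<slot>.<mac>'."""
        slot = self._slot()
        return f"{slot}.{self._mac(src_ip, src_port, call_id, slot)}"

    def verify(self, src_ip: str, src_port: int, call_id: str, cookie) -> bool:
        """True only if the cookie was minted for this exact source recently."""
        try:
            slot_str, mac = cookie.split(".", 1)
            slot = int(slot_str)
        except (ValueError, AttributeError):
            return False
        # Accept the current slot and the previous one, so a cookie issued at
        # the very end of a slot still has time to make the round trip.
        if self._slot() - slot not in (0, 1):
            return False
        expected = self._mac(src_ip, src_port, call_id, slot)
        return hmac.compare_digest(mac, expected)


def handle_invite(guard: ViaCookieGuard, src_ip: str, src_port: int,
                  call_id: str, cookie=None):
    """Return ("accept", None) for a verified request, else ("challenge", cookie).

    The challenge is the only thing sent back to an unverified source, and it
    goes to the address the packet claimed to come from. Nothing is relayed or
    forked on behalf of a source that cannot present a matching cookie.
    """
    if cookie is not None and guard.verify(src_ip, src_port, call_id, cookie):
        return "accept", None
    return "challenge", guard.challenge(src_ip, src_port, call_id)


if __name__ == "__main__":
    guard = ViaCookieGuard(b"constructed-demo-secret")
    # First contact from a constructed (documentation-range) address: challenged.
    kind, cookie = handle_invite(guard, "203.0.113.5", 5060, "call-1@example.invalid")
    print(kind, cookie)
    # Legitimate retry from the same source with the cookie: accepted.
    print(handle_invite(guard, "203.0.113.5", 5060, "call-1@example.invalid", cookie))
    # Same cookie replayed from a different address: challenged again.
    print(handle_invite(guard, "198.51.100.7", 5060, "call-1@example.invalid", cookie))
```

The check deliberately binds the cookie to the source port as well as the address, so a NATed UA whose mapping changes between the challenge and the retry will be challenged again rather than accepted; whether that trade-off is right for a given deployment depends on how aggressive the NATs in front of its users are.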
