On Wed, 2009-02-11 at 15:25 -0500, M. Ranganathan wrote:
> 1. SipXbridge will accept calls from any IP address just like your phone
> will accept a call from anywhere. SipX will not authenticate calls
> originating from a foreign domain. Hence anybody can call into your
> network (just like anybody can call your phone number). This is fine if
> that is the way you want it but unlike a PSTN network which is
> regulated, there is no control over inbound calls. So you can have DOS
> attacks from sources that simply flood sipx with INVITEs, or even worse,
> INVITEs with various errors and unresolvable host names etc. and
> SipXbridge currently will not be able to do anything about it.
I don't know if this works with existing ITSPs, but you can avoid flooding by random INVITEs using tricks like the ones now used with TCP and SCTP: Respond to the initial INVITE with a response that forces the sender to send a modified INVITE. The trick is to arrange for that second INVITE to carry a signed cookie which demonstrates that the second INVITE derives from a first INVITE. Then accept the second INVITE. This scheme works because many flooding tools only send the initial requests and will not maintain the state needed to create the second requests.

In the case of SIP, you can respond to an INVITE with a 302 response whose Contact is the request-URI with an added parameter that encodes, e.g., the current time and the call-id. The sending element should then re-send the INVITE with the augmented request-URI, which sipXbridge can pass.

Dale

_______________________________________________
sipx-dev mailing list
List Archive: http://list.sipfoundry.org/archive/sipx-dev
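
The cookie scheme described in the message above, sketched in Python as an added example (not part of the original post and not sipXbridge code). The parameter name `x-inv-cookie`, the 10-second lifetime and the HMAC-SHA256 construction are assumptions; the message only says the parameter encodes the current time and the Call-ID.

```python
import hashlib
import hmac
import os

SECRET = os.urandom(32)   # per-process key; rotating it invalidates old cookies
PARAM = "x-inv-cookie"    # hypothetical URI parameter name (assumption)
MAX_AGE = 10              # seconds a cookie stays valid (assumed value)


def _mac(ts: int, call_id: str) -> str:
    msg = f"{ts}|{call_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


def make_cookie(call_id: str, now: int) -> str:
    """Cookie = timestamp plus a MAC binding it to the Call-ID."""
    return f"{now}.{_mac(now, call_id)}"


def cookie_ok(cookie: str, call_id: str, now: int) -> bool:
    ts_text, sep, mac = cookie.partition(".")
    if not sep or len(ts_text) > 12:
        return False
    if not (ts_text.isascii() and ts_text.isdigit()):
        return False
    ts = int(ts_text)
    if not 0 <= now - ts <= MAX_AGE:        # expired or from the future
        return False
    return hmac.compare_digest(mac.encode(), _mac(ts, call_id).encode())


def split_cookie(request_uri: str):
    """Return (URI without the cookie parameter, cookie or None).
    Simplified parsing: assumes ';' only separates URI parameters."""
    base, *params = request_uri.split(";")
    cookie, kept = None, []
    for p in params:
        name, _, value = p.partition("=")
        if name.lower() == PARAM:
            cookie = value
        else:
            kept.append(p)
    return ";".join([base, *kept]), cookie


def handle_invite(request_uri: str, call_id: str, now: int):
    """Return ("accept", original URI) or ("302", Contact URI to retry with)."""
    uri, cookie = split_cookie(request_uri)
    if cookie is not None and cookie_ok(cookie, call_id, now):
        return "accept", uri
    return "302", f"{uri};{PARAM}={make_cookie(call_id, now)}"
```

The server keeps no per-call state between the two INVITEs: everything needed to validate the retry is in the cookie and the secret key.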
