On Fri, 15 Oct 2010, Douglas Hubler wrote:
> security wise, this is true, but who wants to invite every possible
> attacker to consume their bandwidth.
>
> My guess is Matt P. will respond w/mailing list options based on
> Russ's email when he gets online.
I am not speaking in favor, or against SIP URL masking, just
providing an answer to Tony's question.
I was involved with getting the DSBL real time block list up,
testing and running well.
I am not directly familiar with the dshield entity mentioned,
but I would point out that if one starts 'reporting' to a
central aggregation authority that is 'open to all' to use, as
by DNS query [DNS is a distributed information distribution,
and not limited solely to doing name to number and vice versa
directory translations], the black hats are gling to
subscribe, and poke IP's that show up in the zone files, and
find out WHO is feeding that list, and then REALLY open fire
with a DDoS attack on the feeder sites, as well as the
centralized reporting constellation of hosts
In both the URL munging, and the 'sipvicious' cases, the call
comes down to local operational habits changes ('do the munge
in a varying form rather than a mechanical rule' -- mechanical
rule translations get /reversing/ regexes written in short
order to decode:
userid (at) domain (dot) example (dot) com
back to:
[email protected]
in short order -- the blackhats are no less talented than
any mechanical rule, and indeed are usually much smarter as
they have 'domain knowledge' in the attack vector targeting
space.
I have already indicated the weakness of aggregated reporting
to DDoS attack vectors.
really -- wrappers, iptables, firewalls of various color and
stripe [that is locally designed hardening] each have their
place - iptables on a CentOS box can do rate limiting just as
well as an external firewall, by the way.
-- Russ herrold
_______________________________________________
sipx-users mailing list
[email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-users/
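The point Russ makes above, that a mechanical munging rule is undone by an equally mechanical reversing regex, is easy to demonstrate. The following is an added example written for this page, not code from the sipx-users thread or from sipXecs; it assumes only the common munge forms seen in list archives ("(at)", "[dot]", "_at_", bare " at ", spliced NOSPAM/REMOVETHIS tokens, and a fully reversed address) and all sample strings are constructed here.

```python
from __future__ import annotations

import re

# Heuristic reversal of mechanical e-mail address munging. Added example;
# the munge forms handled are assumptions about common list-archive habits,
# and every sample string below is constructed for this demonstration.

AT_WORDS = r"(?:at|AT|At|@)"
DOT_WORDS = r"(?:dot|DOT|Dot|punkt|\.)"

# Tokens people splice into an address hoping a harvester will keep them.
# Order matters: longer tokens first so "REMOVE" does not leave "THIS" behind.
STRIP_TOKENS = ("REMOVETHIS", "DELETETHIS", "REMOVEME", "NOSPAM", "SPAMFREE", "REMOVE")


def _sep(word: str) -> str:
    """Regex for one separator word written as '(at)', '[at]', '{at}', '<at>',
    '_at_', '-at-' or a bare ' at ', with surrounding whitespace absorbed."""
    return (
        r"\s*(?:"
        r"[\(\[\{<]\s*" + word + r"\s*[\)\]\}>]"   # bracketed: (at) [dot] {at} <dot>
        r"|[_\-]" + word + r"[_\-]"                # joined:    _at_  -dot-
        r"|\s" + word + r"\s"                      # bare:      ' at ' ' dot '
        r")\s*"
    )


AT_RE = re.compile(_sep(AT_WORDS))
DOT_RE = re.compile(_sep(DOT_WORDS))
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def demunge(text: str) -> list[str]:
    """Return the e-mail addresses recoverable from a munged string."""
    s = text
    for tok in STRIP_TOKENS:          # 'dave@NOSPAMexample.com'
        s = s.replace(tok, "")
    s = AT_RE.sub("@", s)             # 'user (at) host' -> 'user@host'
    s = DOT_RE.sub(".", s)            # 'host (dot) com' -> 'host.com'
    s = re.sub(r"\.{2,}", ".", s)     # 'example..com' left after a token strip
    s = re.sub(r"\.@|@\.", "@", s)    # 'user.@host' / 'user@.host' likewise
    found = EMAIL_RE.findall(s)
    if not found:
        # A fully reversed address ('moc.elpmaxe@knarf') is just another
        # mechanical rule; reversing the whole string undoes it.
        found = EMAIL_RE.findall(s[::-1])
    return found


# Constructed inputs with the address each munge form is hiding.
SAMPLES: dict[str, list[str]] = {
    "userid (at) domain (dot) example (dot) com": ["userid@domain.example.com"],
    "Contact: alice [at] example [dot] org for details": ["alice@example.org"],
    "bob_at_mail_dot_example_dot_net": ["bob@mail.example.net"],
    "carol at sip dot example dot com": ["carol@sip.example.com"],
    "dave@NOSPAMexample.com": ["dave@example.com"],
    "erin@example.REMOVETHIS.com": ["erin@example.com"],
    "moc.elpmaxe@knarf": ["frank@example.com"],
    "nothing to see here": [],
}


def check_samples() -> bool:
    """True when every constructed sample is recovered as expected."""
    return all(demunge(munged) == expected for munged, expected in SAMPLES.items())


if __name__ == "__main__":
    for munged, expected in SAMPLES.items():
        print(f"{munged!r:55} -> {demunge(munged)}  (expected {expected})")
```

Each rule the harvester has to learn costs one extra alternation in `_sep`; the work is done once and then applied to an entire archive, which is why a fixed scheme buys almost nothing. Note the forward match is tried before the reversed one, so a reversed address whose mirror image also looks like an address would be misread; that, and the blunt stripping of uppercase tokens, are the kind of false positives a real harvester tolerates and a site owner should not count on.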