Hello, I have an open question, maybe someone with experience or interest in SIP SIMPLE presence in general an RLS in particular can help.
The content of a RLS services document triggers actions performed by the Presence servers. Because provisioning of data in a SIP server is traditionally a task of the operator and not of the end user, this deserves some attention. Imagine how easy is to misuse a RLS server today as an end user: Scenario 1 1. I upload a million entry list of SIP uris into a rls-services document on the xcap server 2. I send a Subscribe to the address of the list I uploaded above 3. The server starts sending one million Subscribes amplifying my single SIP subscribe into a DOS attack on its own resources or a foreign domain Scenario 2 1. I create a RLS list with pointers to resource lists document (which are HTTP URIs) to other domains 2. I send a Subscribe to the list 3. The server starts sending one million HTTP GETS amplifying my single SIP Subscribe into a DOS attack on its own resources or a foreign HTTP domain Scenario 3 1. I simply upload bogus data like bogus SIP URIs that might not resolve or point back to the server rls-services lists generating loops imposible to detect the reasons for 2. The server kills itself Subscribing to itself If validation of user input should be performed in the XCAP server during a PUT for a rls-services document what should be a sensitive default to check against? Regards, Adrian _______________________________________________ Users mailing list [email protected] http://lists.opensips.org/cgi-bin/mailman/listinfo/users
