On Fri, Nov 20, 2015 at 12:21 PM, Alex Balashov <abalas...@evaristesys.com> wrote:

> That said, it is baffling to me that phones accept INVITEs unchallenged from
> anywhere but $REGISTRAR_IP/$OUTBOUND_PROXY_IP.
^This. Challenge to INVITE should mitigate scanners, and challenge to BYE should mitigate that particular targeted attack. The problem remains that your endpoints receive and process those packets, leaving them vulnerable still to other attacks.

Sharing my experience: with our own managed hardware we can use ACLs both in the firewall and/or the SIP proxy/ALG/B2BUA/whatever; when all messaging is relayed through your known proxy then there is no reason to accept SIP globally.

With customer-provided routers your mileage will vary. Consumer-grade devices can be helped sometimes by toggling the SIP ALG from its current setting, whether that's On or Off. For some devices our only recourse has been to suggest the customer change the NAT policy to something more restrictive, knowing it might break other services, or consider a firmware upgrade or downgrade to a version that provides the needed security, or replace the device with something more cooperative.

Higher classes of hardware may have sufficient SIP features (ALG, transparent proxy, etc.) to lock down the REGISTER dialog NAT mappings while leaving the non-SIP mappings full-cone/unrestricted. How this can be done on Brand C routers falls outside of my own experience.

It's also worth checking if the affected devices have their own options for only accepting requests from the registration domain or other configured proxy, in cases when the router cannot help and you don't want to use nonce challenges.

Regards,

Calvin Ellison
Voice Services Engineer
calvin.elli...@voxox.com
+1 (213) 285-0555
-----------------------------------------------
voxox.com
9276 Scranton Rd, Suite 200
San Diego, CA 92121
>
> --
> Alex Balashov | Principal | Evariste Systems LLC
> 303 Perimeter Center North, Suite 300
> Atlanta, GA 30346
> United States
>
> Tel: +1-800-250-5920 (toll-free) / +1-678-954-0671 (direct)
> Web: http://www.evaristesys.com/, http://www.csrpswitch.com/
> _______________________________________________
> VoiceOps mailing list
> VoiceOps@voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops
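The two controls discussed in the thread above, a source-IP ACL for the known registrar/outbound proxy and a Digest nonce challenge for INVITE and BYE arriving from anywhere else, as an added example that is not part of the mailing-list discussion and not any vendor's or list member's code. It models what an endpoint (or a proxy in front of it) would do with one incoming request; the proxy address, realm, credential table, sample SIP messages and the single-use nonce store are all constructed assumptions.

```python
import hashlib
import hmac
import os
import re

ALLOWED_PROXIES = {"203.0.113.10"}      # assumed $REGISTRAR_IP / $OUTBOUND_PROXY_IP
REALM = "sip.example.net"               # assumed SIP realm
CREDENTIALS = {"1001": "s3cret"}        # constructed user -> password table
CHALLENGED_METHODS = {"INVITE", "BYE"}  # the two methods the thread singles out


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def parse_request(raw: str):
    """Split a SIP request into (method, request_uri, {lowercased header: value})."""
    lines = raw.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:                    # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def parse_digest(value: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' into a dict; {} if not a Digest header."""
    scheme, _, params = value.partition(" ")
    if scheme != "Digest":
        return {}
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)}


def digest_response(user, password, method, uri, nonce, nc=None, cnonce=None):
    """RFC 2617 MD5 response; with nc and cnonce it is the qop=auth form."""
    ha1 = md5hex(f"{user}:{REALM}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    if nc and cnonce:
        return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def build_authorization(user, password, method, uri, nonce,
                        nc="00000001", cnonce="0a4f113b"):
    """What a legitimate UA sends back in Authorization: after a 401 (constructed)."""
    resp = digest_response(user, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5, qop=auth, '
            f'nc={nc}, cnonce="{cnonce}"')


def build_request(method, uri, authorization=None):
    """Constructed minimal SIP request carrying only the headers the check needs."""
    hdrs = [f"{method} {uri} SIP/2.0",
            "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK776asdhds",
            f"From: <sip:1001@{REALM}>;tag=1928301774",
            f"To: <{uri}>",
            "Call-ID: a84b4c76e66710@198.51.100.7",
            f"CSeq: 1 {method}"]
    if authorization:
        hdrs.append("Authorization: " + authorization)
    return "\r\n".join(hdrs) + "\r\n\r\n"


def handle(raw: str, src_ip: str, issued: set):
    """Decide what to do with one request.

    Returns ("accept", None), ("challenge", <WWW-Authenticate value>) or
    ("reject", reason). `issued` holds nonces handed out and not yet used, so
    a captured Authorization header cannot simply be replayed against us.
    A real stack must additionally let ACK/CANCEL for an already accepted
    INVITE through, since those methods cannot be challenged.
    """
    method, uri, headers = parse_request(raw)
    if src_ip in ALLOWED_PROXIES:           # ACL: the known proxy is trusted as-is
        return ("accept", None)
    if method not in CHALLENGED_METHODS:    # nothing else is accepted from the Internet
        return ("reject", "not from a known proxy")
    auth = parse_digest(headers.get("authorization", ""))
    if not auth:                            # first attempt: hand out a fresh nonce
        nonce = os.urandom(16).hex()
        issued.add(nonce)
        return ("challenge",
                f'Digest realm="{REALM}", nonce="{nonce}", algorithm=MD5, qop="auth"')
    nonce = auth.get("nonce")
    if nonce not in issued:
        return ("reject", "unknown or already used nonce")
    if auth.get("uri") != uri:
        return ("reject", "digest uri does not match Request-URI")
    password = CREDENTIALS.get(auth.get("username"))
    if password is None:
        return ("reject", "unknown user")
    expected = digest_response(auth["username"], password, method, uri, nonce,
                               auth.get("nc"), auth.get("cnonce"))
    if not hmac.compare_digest(expected, auth.get("response", "")):
        return ("reject", "bad credentials")
    issued.discard(nonce)                   # consume the nonce: one use only
    return ("accept", None)
```

Requests from the proxy address pass the ACL untouched; an INVITE or BYE from any other address is answered with a 401-style challenge, and only a retry carrying a correct Digest response over a nonce this endpoint actually issued is accepted. Note that the packets still reach and are parsed by the endpoint, which is the residual exposure the message above points out; only a firewall or router ACL in front of the device removes that.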