[SIPForum-discussion] SBC's that drop traffic based on domain
Chet Curry
CCurry at telovations.com
Wed Jul 27 14:28:29 UTC 2011
Gentlemen, I have pleasant news on a resolution for my predicament. I heard back from ACME and they released a new option in 6.2m3 that will allow the packet to use the HMR rule before the packet is validated. This enables malformed packets to hit the HMR rule and be dropped, thus not responded to. I have not tested this yet. I would have preferred this option could be applied to the realm or sip-interface though.
Under sip-config add inmanip-before-validate=yes as an option.
Config t
Session-router
Sip-config
Select
Option +inmanip-before-validate=yes
Done
Exit
Exit
Exit
Save
activate
Yes, that is part of the normal config. Remember I do not want the SBC to respond to the Registration or Invites unless the domain is correct. No 401, 401, 404 etc. Domains have been changed to generic.
Here is an example of the existing HMR.
### sip-manipulation ###
sip-manipulation
    name                    addRoute
    description
    header-rule
        name                    isDomain
        header-name             request-uri
        action                  store
        comparison-type         case-sensitive
        match-value
        msg-type                any
        new-value
        methods                 INVITE,REGISTER
        element-rule
            name                    isDom
            parameter-name
            type                    uri-host
            action                  store
            match-val-type          any
            comparison-type         case-sensitive
            match-value             generic.voip.net|genericlab.voip.net
            new-value
    header-rule
        name                    addDisSA
        header-name             Route
        action                  add
        comparison-type         boolean
        match-value             !$isDomain.$isDom.$0
        msg-type                any
        new-value               "<sip:1.2.3.4;lr>"
        methods
### session-agent ###
session-agent
    hostname                1.2.3.4
    ip-address              1.2.3.4
    port                    5060
    state                   disabled            <<<<<<<<<<
    app-protocol            SIP
    app-type
    transport-method        UDP
    realm-id                core
    local-response-map      503Rogue            <<<<<<<<<<
### sip-response-map ###
response-map
    name                    503Rogue
    entries
        503 -> 677 (Rogue)
### sip-interface ###
sip-interface
    state                   enabled
    realm-id                peer
    description
    sip-port
        address                 192.168.0.3
        port                    5060
        transport-protocol      UDP
        tls-profile
        allow-anonymous         all
        ims-aka-profile
    carriers
    options                 dropResponse=677    <<<<<<<<<<
### realm-config ###
realm-config
    identifier              peer
    in-manipulationid       addRoute            <<<<<<<<<<
From: Zuñiga, Guillermo [mailto:Guillermo.Zuniga at cwpanama.com]
Sent: Thursday, June 16, 2011 5:57 PM
To: Chet Curry; discussion at sipforum.org
Subject: RE: SBC's that drop traffic based on domain
Did you try defining a Local Policy just for the Legit Domain?
Guillermo Zuniga
Technical Support Specialist
Technical Support Management
Tel: +507 263-6671
Cel: +507 6670-0481
Fax: +507 265-3295
Email: Guillermo.Zuniga at cwpanama.com
Web: www.cwpanama.com
From: discussion-bounces at sipforum.org [mailto:discussion-bounces at sipforum.org] On behalf of Chet Curry
Sent: Thursday, June 16, 2011 03:55 p.m.
To: discussion at sipforum.org
Subject: [SIPForum-discussion] SBC's that drop traffic based on domain
In an effort to mitigate DDOS attacks I am trying to deny all traffic based on the request-uri host domain. The reason being from what I see is "most" attacks are sent to the SBC's IP address and does use the domain name. When the proper domain is supplied I would like to allow that packet. All other I will not respond to period.
Example of hacker Request URI
Ex. INVITE sip100:199.44.55.22 SIP/2.0
Legit Request URI
Ex. INVITE sip:7724558787 at voip.hacker.net SIP/2.0
I have tried to create an HMR on ACME with little success. I can get the registers to not respond yet only if sip:199.44.55.22 is used. If the attacker uses sip:100 at 199.44.55.22 the SBC still will respond with a 403.
Besides that, all invites are never dropped.
I have tried to get ACME to come up with a solution yet have been unsuccessful.
Has anyone had any successful experience at implementing this on any other SBC platform? I know there are many ways to protect yourself from DDOS attacks yet to me this is a simple first line of defense.
Disclaimer:
The information contained in this e-mail is confidential and may also be subject to legal privilege. It is intended only for the recipient(s) named above. If you are not named as a recipient, you must not read, copy, disclose, forward or otherwise use the information contained in this email. If you have received this e-mail in error, please notify the sender immediately by reply e-mail and delete the message and any attachments without retaining any copies.
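The decision the posted HMR encodes (store the Request-URI's uri-host, and steer anything that does not match generic.voip.net|genericlab.voip.net toward the disabled session agent so the 503 becomes a dropped 677) is easy to lose in the config syntax. The following Python is an added illustration written for this thread; it is not part of the thread, nor Acme Packet code. It parses a SIP request line, extracts the Request-URI host, and returns "drop" (answer nothing) for malformed lines such as the "sip100:199.44.55.22" example or for hosts outside the allowed list, "allow" for a legitimate domain, and "pass" for methods the rule does not check. The request lines are constructed samples; the URI grammar is a simplified assumption (no IPv6 hosts) rather than a full RFC 3261 parser.

```python
import re
from typing import Dict, List, Optional

# Allowed Request-URI hosts, matching the HMR element-rule match-value in the thread.
ALLOWED_DOMAINS = {"generic.voip.net", "genericlab.voip.net"}

# Methods the posted header-rule "isDomain" applies to.
CHECKED_METHODS = {"INVITE", "REGISTER"}

# RFC 3261 Request-Line: Method SP Request-URI SP SIP-Version
REQUEST_LINE_RE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")

# Simplified sip:/sips: URI (assumption: hostname or IPv4 only, optional user,
# optional port, optional ;params and ?headers). "sip100:..." has no sip: scheme
# and therefore does not match, which is exactly the malformed case in the thread.
SIP_URI_RE = re.compile(
    r"^sips?:(?:(?P<user>[^@;?]+)@)?(?P<host>[A-Za-z0-9.\-]+)"
    r"(?::(?P<port>\d+))?(?:;[^?]*)?(?:\?.*)?$"
)


def uri_host(uri: str) -> Optional[str]:
    """Return the lowercase host of a sip:/sips: URI, or None if it does not parse."""
    m = SIP_URI_RE.match(uri)
    return m.group("host").lower() if m else None


def decide(request_line: str) -> str:
    """Classify one request line: 'allow', 'drop' (silent, no response) or 'pass'."""
    m = REQUEST_LINE_RE.match(request_line.strip())
    if not m:
        return "drop"  # not even a well-formed request line: never answer it
    method, uri = m.group(1), m.group(2)
    if method not in CHECKED_METHODS:
        return "pass"  # outside the rule's method list; other policy applies
    host = uri_host(uri)
    if host is None:
        return "drop"  # malformed Request-URI (e.g. missing sip: scheme)
    return "allow" if host in ALLOWED_DOMAINS else "drop"


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count decisions over a batch of request lines (e.g. from a capture)."""
    counts = {"allow": 0, "drop": 0, "pass": 0}
    for line in lines:
        counts[decide(line)] += 1
    return counts


# Constructed sample request lines; 199.44.55.22 and 1.2.3.4 are the placeholder
# addresses used in the thread, the domains are the thread's generic ones.
SAMPLE_REQUEST_LINES = [
    "INVITE sip100:199.44.55.22 SIP/2.0",                   # malformed -> drop
    "REGISTER sip:199.44.55.22 SIP/2.0",                     # IP host -> drop
    "REGISTER sip:100@199.44.55.22 SIP/2.0",                 # user@IP -> drop
    "INVITE sip:7724558787@generic.voip.net SIP/2.0",        # legit domain -> allow
    "INVITE sip:alice@GenericLab.VOIP.net:5060;transport=udp SIP/2.0",  # allow
    "OPTIONS sip:generic.voip.net SIP/2.0",                  # not checked -> pass
]

if __name__ == "__main__":
    for line in SAMPLE_REQUEST_LINES:
        print(f"{decide(line):5s}  {line}")
    print(summarize(SAMPLE_REQUEST_LINES))
```

The order of checks mirrors the inmanip-before-validate behaviour Chet describes: a line that fails parsing is dropped before any domain comparison, so the malformed case never reaches a code path that would send a 403 or any other response.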