[SIPForum-discussion] SBC's that drop traffic based on domain
HM Kias
hmkias at gmail.com
Thu Jul 28 06:17:28 UTC 2011
Hi,
I'm not familiar with ACME, but I have implemented a scenario in our
system where it tracks the number of received SIP requests by source IP and
throws an alert to disable the IP or domain when this number exceeds a
threshold in a given period of time. Then the IP is blocked permanently or
temporarily. Also, this would block any dictionary attacks too.
Regards,
On Wed, Jul 27, 2011 at 7:58 PM, Chet Curry <CCurry at telovations.com> wrote:
> Gentlemen, I have pleasant news on a resolution for my predicament. I
> heard back from ACME and they released a new option in 6.2m3 that will
> allow the packet to use the HMR rule before the packet is validated. This
> enables malformed packets to hit the HMR rule and be dropped, thus not
> responded to. I have not tested this yet. I would have preferred this
> option could be applied to the realm or sip-interface though.
>
> Under sip-config add inmanip-before-validate=yes as an option:
>
>   Config t
>   Session-router
>   Sip-config
>   Select
>   Option +inmanip-before-validate=yes
>   Done
>   Exit
>   Exit
>   Exit
>   Save
>   activate
>
> Yes, that is part of the normal config. Remember I do not want the SBC to
> respond to the Registration or Invites unless the domain is correct. No
> 401, 401, 404, etc. Domains have been changed to generic.
>
> Here is an example of the existing HMR.
>
> ### sip-manipulation ###
> sip-manipulation
>   name                    addRoute
>   description
>   header-rule
>     name                  isDomain
>     header-name           request-uri
>     action                store
>     comparison-type       case-sensitive
>     match-value
>     msg-type              any
>     new-value
>     methods               INVITE,REGISTER
>     element-rule
>       name                isDom
>       parameter-name
>       type                uri-host
>       action              store
>       match-val-type      any
>       comparison-type     case-sensitive
>       match-value         generic.voip.net|genericlab.voip.net
>       new-value
>   header-rule
>     name                  addDisSA
>     header-name           Route
>     action                add
>     comparison-type       boolean
>     match-value           !$isDomain.$isDom.$0
>     msg-type              any
>     new-value             "<sip:1.2.3.4;lr>"
>     methods
>
> ### session-agent ###
> session-agent
>   hostname                1.2.3.4
>   ip-address              1.2.3.4
>   port                    5060
>   state                   disabled <<<<<<<<<<
>   app-protocol            SIP
>   app-type
>   transport-method        UDP
>   realm-id                core
>   local-response-map      503Rogue <<<<<<<<<<
>
> ### sip-response-map ###
> response-map
>   name                    503Rogue
>   entries
>     503 -> 677 (Rogue)
>
> ### sip-interface ###
> sip-interface
>   state                   enabled
>   realm-id                peer
>   description
>   sip-port
>     address               192.168.0.3
>     port                  5060
>     transport-protocol    UDP
>     tls-profile
>     allow-anonymous       all
>     ims-aka-profile
>   carriers
>   options                 dropResponse=677 <<<<<<<<<<
>
> ### realm-config ###
> realm-config
>   identifier              peer
>   in-manipulationid       addRoute <<<<<<<<<<
>
> *From:* Zuñiga, Guillermo [mailto:Guillermo.Zuniga at cwpanama.com]
> *Sent:* Thursday, June 16, 2011 5:57 PM
> *To:* Chet Curry; discussion at sipforum.org
> *Subject:* RE: SBC's that drop traffic based on domain
>
> Did you try defining a Local Policy just for the Legit Domain?
>
> *Guillermo Zuniga*
> Technical Support Specialist
> Technical Support Department
> *Tel:* +507 263-6671
> *Cel:* +507 6670-0481
> *Fax:* +507 265-3295
> *Email:* Guillermo.Zuniga at cwpanama.com
> *Web:* www.cwpanama.com <http://www.cwpanama.com/>
>
> *From:* discussion-bounces at sipforum.org [mailto:discussion-bounces at sipforum.org] *On behalf of* Chet Curry
> *Sent:* Thursday, June 16, 2011 03:55 p.m.
> *To:* discussion at sipforum.org
> *Subject:* [SIPForum-discussion] SBC's that drop traffic based on domain
>
> In an effort to mitigate DDoS attacks I am trying to deny all traffic
> based on the request-uri host domain. The reason being, from what I see,
> "most" attacks are sent to the SBC's IP address and does use the domain
> name. When the proper domain is supplied I would like to allow that
> packet. All others I will not respond to, period.
>
> Example of hacker Request URI
> Ex. INVITE sip100:199.44.55.22 SIP/2.0
>
> Legit Request URI
> Ex. INVITE sip:7724558787 at voip.hacker.net SIP/2.0
>
> I have tried to create an HMR on ACME with little success. I can get the
> registers to not respond, yet only if sip:199.44.55.22 is used. If the
> attacker uses sip:100 at 199.44.55.22 the SBC still will respond with a 403.
> Besides that, all Invites are never dropped.
>
> I have tried to get ACME to come up with a solution yet have been
> unsuccessful.
>
> Has anyone had any successful experience at implementing this on any other
> SBC platform? I know there are many ways to protect yourself from DDoS
> attacks, yet to me this is a simple first line of defense.
>
--
HM Kias
91-9443467600
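Two defensive mechanisms come up in this thread: the quoted HMR that stores the Request-URI host (element type uri-host) and routes anything outside the allowed domains to a disabled session-agent so it is dropped without a 4xx, and the per-source-IP threshold that HM Kias describes. The Python below is an added illustration of that decision logic, not code from the thread or from an ACME SBC; the allowed-domain set, thresholds and sample request lines are constructed values.

```python
import re
from collections import defaultdict, deque

# Constructed to mirror the quoted element-rule match-value; the HMR
# comparison is case-sensitive, so the set lookup is too.
ALLOWED_DOMAINS = {"generic.voip.net", "genericlab.voip.net"}

REQUEST_LINE = re.compile(r"^([A-Z]+)\s+(\S+)\s+SIP/2\.0$")


def request_uri_host(request_line):
    """Host part of the Request-URI, or None if the line is malformed.
    This is what the HMR header-rule on request-uri / type uri-host stores."""
    m = REQUEST_LINE.match(request_line)
    if not m:
        return None
    uri = m.group(2)
    if not uri.startswith(("sip:", "sips:")):
        return None                      # e.g. 'sip100:199.44.55.22' from the thread
    hostport = uri.split(":", 1)[1]
    hostport = hostport.rsplit("@", 1)[-1]                  # drop user part (sip:100@host)
    hostport = hostport.split(";", 1)[0].split("?", 1)[0]   # drop URI params / headers
    return hostport.split(":", 1)[0]                        # drop port


def should_drop_by_domain(request_line):
    """True when the request must be silently dropped (no 401/403/404 sent)."""
    return request_uri_host(request_line) not in ALLOWED_DOMAINS


class SourceRateLimiter:
    """Per-source-IP request counter over a sliding window: more than
    `threshold` requests within `window` seconds flags the source, and here
    the flag is sticky (the 'blocked permanently' variant in the thread)."""

    def __init__(self, threshold, window):
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(deque)
        self.blocked = set()

    def observe(self, src_ip, now):
        q = self.seen[src_ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) > self.threshold:
            self.blocked.add(src_ip)
        return src_ip in self.blocked


def decide(src_ip, request_line, limiter, now):
    """'drop' for a flagged source or a wrong/malformed domain, else 'process'."""
    if limiter.observe(src_ip, now) or should_drop_by_domain(request_line):
        return "drop"
    return "process"
```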