[SIPForum-discussion] SBC's that drop traffic based on domain

Chet Curry CCurry at telovations.com
Fri Jun 17 11:59:14 UTC 2011

Yes, that is part of the normal config.  Remember I do not want the SBC to respond to the Registration or Invites unless the domain is correct.  No, 401, 401, 404 etc.  Domains have been changed go generic.

Here is an example of the existing HMR.

### sip-manipulation ###

        name                           addRoute
                name                           isDomain
                header-name                    request-uri
                action                         store
                comparison-type                case-sensitive
                msg-type                       any
                methods                        INVITE,REGISTER
                        name                           isDom
                        type                           uri-host
                        action                         store
                        match-val-type                 any
                        comparison-type                case-sensitive
                        match-value                   generic.voip.net|genericlab.voip.net
                name                           addDisSA
                header-name                    Route
                action                         add
                comparison-type                boolean
                match-value                    !$isDomain.$isDom.$0
                msg-type                       any
                new-value                      "<sip:;lr>"

### session-agent ###

        port                           5060
        state                          disabled   <<<<<<<<<<
        app-protocol                   SIP
        transport-method               UDP
        realm-id                       core
        local-response-map             503Rogue  <<<<<<<<<<

### sip-response-map ###

        name                           503Rogue
                                       503 -> 677 (Rogue)

### sip-interface ###

        state                          enabled
        realm-id                       peer
                port                           5060
                transport-protocol             UDP
                allow-anonymous                all
        options                        dropResponse=677  <<<<<<<<<<
### realm-config ###

        identifier                     peer
        in-manipulationid              addRoute   <<<<<<<<<<

From: Zuñiga, Guillermo [mailto:Guillermo.Zuniga at cwpanama.com]
Sent: Thursday, June 16, 2011 5:57 PM
To: Chet Curry; discussion at sipforum.org
Subject: RE: SBC's that drop traffic based on domain

Did you try defining a Local Policy just for the Legit Domain?

Guillermo Zuniga

Especialista de Soporte Técnico

Gerencia de Soporte Técnico


+507 263-6671


+507 6670-0481


+507 265-3295


Guillermo.Zuniga at cwpanama.com<mailto:Guillermo.Zuniga at cwpanama.com>



[cid:image002.jpg at 01CC2CC4.22319A30]<http://www.cwpanama.com>

[cid:image003.jpg at 01CC2CC4.22319A30]

De: discussion-bounces at sipforum.org [mailto:discussion-bounces at sipforum.org] En nombre de Chet Curry
Enviado el: jueves, 16 de junio de 2011 03:55 p.m.
Para: discussion at sipforum.org
Asunto: [SIPForum-discussion] SBC's that drop traffic based on domain

In an effort to mitigate DDOS attack’s I am trying to deny all traffic based on the request-uri host domain.  The reason being from what I see is “most” attacks are sent to the SBC’s IP address and does use the domain name.  When the proper domain is supplied I would like to allow that packet.  All other I will not respond to period.

Example of hacker Requet URI
Ex. INVITE sip100: SIP/2.0

Legit Request URI
Ex. INVITE sip:7724558787 at voip.hacker.net SIP/2.0

I have tried to create an HMR on ACME with little success.  I can get the registers to not respond yet only if sip: is use.  If the attacker uses sip:100 at the SBC still will respond with a 403.
Besides that All invites are never dropped.

I have tried to get ACME to come up with a solution yet have been unsuccessful.

Has anyone had any successful experience at implementing this on any other SBC platform?  I know there are many ways to protect yourself from DDOS attacks yet  to me this is a simple first line of defense.

[cid:image004.png at 01CC2CC4.22319A30]

La información contenida en este correo electrónico es confidencial y puede también ser objeto de acciones legales. Es dirigida únicamente para el o los destinatarios(s) nombrados anteriormente. Si no es mencionado como destinatario, no debe leer, copiar, revelar, reenviar o utilizar la información contenida en este mensaje. Si ha recibido este correo electrónico por error, por favor notifique al remitente y proceda a borrar el mensaje y archivos adjuntos sin conservar copias.
The information contained in this e-mail is confidential and may also be subject to legal privilege. It is intended only for the recipient(s) named above. If you are not named as a recipient, you must not read, copy, disclose, forward or otherwise use the information contained in this email. If you have received this e-mail in error, please notify the sender immediately by reply e-mail and delete the message and any attachments without retaining any copies.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://sipforum.org/pipermail/discussion/attachments/20110617/243dced6/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.jpg
Type: image/jpeg
Size: 40636 bytes
Desc: image002.jpg
URL: <http://sipforum.org/pipermail/discussion/attachments/20110617/243dced6/attachment-0004.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.jpg
Type: image/jpeg
Size: 38488 bytes
Desc: image003.jpg
URL: <http://sipforum.org/pipermail/discussion/attachments/20110617/243dced6/attachment-0005.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.png
Type: image/png
Size: 56691 bytes
Desc: image004.png
URL: <http://sipforum.org/pipermail/discussion/attachments/20110617/243dced6/attachment-0002.png>

More information about the discussion mailing list