[SIPForum-discussion] Checking/Comparing Sip Server Addr.

Gonzalo Gasca gogasca at cisco.com
Fri Oct 14 17:32:08 UTC 2011

It may depend how you are parsing those SIP messages, I would recommend to
use OS network stack response to grab source IP address for this particular
SIP unsolicited notify message or you may use Contact header (may require
some testing to confirm Contact reflects real source IP).

Snippet from a CUCM trace:

Incoming SIP UDP message size 492 from[5060]:
NOTIFY sip:3035661111 at;transport=udp SIP/2.0
Via: SIP/2.0/UDP;branch=z9hG4bKFVIIvlcqqZgF8GkPlw3Jxg~~186455
Max-Forwards: 70
To: <sip:3035661111 at>
From: <sip:3035661000 at>;tag=e4c81a96-6969-4dfd-9c72-e309961f27fb
Content-Length: 23
Content-Type: application/simple-message-summary
Event: message-summary
Contact: <sip:3035661111 at;transport=udp>
Messages-Waiting: yes
> <DEV::><LVL::State Transition><MASK::20000>

Gonzalo Gasca

From: mehmet <eng.mehmetozi at gmail.com>
Date: Thu, 13 Oct 2011 09:27:05 +0300
To: <discussion at sipforum.org>
Subject: [SIPForum-discussion] Checking/Comparing Sip Server Addr.

Hello everyone,

For a received  unsolicited NOTIFY message, which header gives the certain
info about the server ip addr. or FQDN in order to understand that NOTIFY
comes from an unknown server or might be an attack ?

And is there any example using similar mechanism?

Best Regards.

This is the SIP Forum discussion mailing list
TO UNSUBSCRIBE, or edit your delivery options, please visit
Post to the list at discussion at sipforum.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://sipforum.org/pipermail/discussion/attachments/20111014/ba40ada0/attachment-0002.html>

More information about the discussion mailing list