[SIPForum-discussion] Checking/Comparing Sip Server Addr.

Gonzalo Gasca gogasca at cisco.com
Fri Oct 14 17:32:08 UTC 2011


It may depend on how you are parsing those SIP messages. I would recommend
using the OS network stack response to grab the source IP address for this
particular SIP unsolicited NOTIFY message, or you may use the Contact header
(may require some testing to confirm Contact reflects the real source IP).

Snippet from a CUCM trace:

Incoming SIP UDP message size 492 from 172.18.4.4:[5060]:
NOTIFY sip:3035661111@10.1.61.10:5060;transport=udp SIP/2.0
Via: SIP/2.0/UDP 172.18.4.4:5060;branch=z9hG4bKFVIIvlcqqZgF8GkPlw3Jxg~~186455
Max-Forwards: 70
To: <sip:3035661111@10.1.61.10>
From: <sip:3035661000@172.18.4.4>;tag=e4c81a96-6969-4dfd-9c72-e309961f27fb
Call-ID: 172.18.4.6-1311114130
CSeq: 18 NOTIFY
Content-Length: 23
Content-Type: application/simple-message-summary
Event: message-summary
Contact: <sip:3035661111@172.18.4.4:5060;transport=udp>
Messages-Waiting: yes
|<CLID::TWT-US><NID::SRVUCCMPUB1><CT::1,100,185,1.14><IP::172.18.4.4> <DEV::><LVL::State Transition><MASK::20000>



--
Gonzalo Gasca



From: mehmet <eng.mehmetozi at gmail.com>
Date: Thu, 13 Oct 2011 09:27:05 +0300
To: <discussion at sipforum.org>
Subject: [SIPForum-discussion] Checking/Comparing Sip Server Addr.

Hello everyone,

For a received unsolicited NOTIFY message, which header gives the certain
info about the server IP addr. or FQDN in order to understand that NOTIFY
comes from an unknown server or might be an attack?

And is there any example using a similar mechanism?

Best Regards.
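
The check suggested in the reply, as an added example that is not part of the original thread or of any vendor's code: the accept/reject decision is made on the socket source address reported by the network stack, and the topmost Via and Contact hosts are only cross-checked against it. The allow-list, the function names and the sample message (modelled on the trace above) are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample modelled on the trace in the post (branch and tag shortened).
SAMPLE_NOTIFY = (
    "NOTIFY sip:3035661111@10.1.61.10:5060;transport=udp SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 172.18.4.4:5060;branch=z9hG4bKconstructed\r\n"
    "From: <sip:3035661000@172.18.4.4>;tag=constructed\r\n"
    "Event: message-summary\r\n"
    "Contact: <sip:3035661111@172.18.4.4:5060;transport=udp>\r\n"
    "\r\n"
)
TRUSTED_SERVERS = {ipaddress.ip_address("172.18.4.4")}  # assumed allow-list
HOST = r"(\[[^\]]+\]|[^;:>\s]+)"  # bracketed IPv6 literal, IPv4 or FQDN
PATTERNS = {
    "via": re.compile(r"\s*SIP/2\.0/\w+\s+" + HOST),
    "contact": re.compile(r".*?sips?:(?:[^@>\s]*@)?" + HOST),
}
COMPACT = {"v": "via", "m": "contact"}  # compact header names

def header_hosts(raw):
    """Hosts claimed by the topmost Via and the first Contact header."""
    hosts = {}
    for line in raw.split("\r\n")[1:]:   # skip the request line
        if not line:                      # blank line ends the headers
            break
        name, _, value = line.partition(":")
        name = name.strip().lower()
        name = COMPACT.get(name, name)
        if name in PATTERNS and name not in hosts:
            m = PATTERNS[name].match(value)
            if m:
                hosts[name] = m.group(1)
    return hosts

def same_host(host, src):
    try:
        return ipaddress.ip_address(host.strip("[]")) == src
    except ValueError:
        return False  # FQDN or malformed: cannot be confirmed against the socket

def check_notify(src_ip, raw):
    """Decide on the socket source address; headers are only cross-checked."""
    src = ipaddress.ip_address(src_ip)
    if src not in TRUSTED_SERVERS:
        return "reject: unknown source"
    bad = sorted(n for n, h in header_hosts(raw).items() if not same_host(h, src))
    return "flag: header mismatch in " + ",".join(bad) if bad else "accept"
```

Pass `src_ip` from the address returned by `recvfrom()` (or the accepted TCP/TLS peer), never from a header. Over UDP that address is only as reliable as the anti-spoofing filtering on the path.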

