Let SIPUSER101 be a valid user:
SIPUSER101 variable1 = 10.10.10.2  variable2 = SIPID 102
SIPUSER101 --> SERVER (checks two variables) --> Match? --> Go forward || Penalized
If an attacker was able to gather both of the variables (IP and SIPID) it would cause a Denial of Service for SIPUSER101, but it would be a slight bit more difficult to make a tool to match both variables.
In order for an attacker to use this approach successfully for a DoS (sending two variables), they would have to know enough about the network, extensions, etc. Now, with predefined variables configured from the onset, I can see something similar to dampening working just fine.
E.g. Before the VoIP PBX is configured the administrator would designate two variables, and the check would be done against these two variables. This would ensure that no "default" value would be used which would make it a little more difficult to guess/randomize and send bogus information that would lead to a DoS. Make sense?
The two fields I would use would be the SIP information and the IP address information. It would be difficult to guess both and be on the money, even with a program that did ranDumbly generate bogus information. Something to the tune of snort_inline could address this even if someone did create such garbage. Even a third value can be pre-defined. NAT information, if used, can be a value, so:
SIPUSER101 variable1 = IP 10.10.10.2 (NAT)  variable2 = SIPID 102  variable3 = 44.44.44.44 (Routable address)
So now:
SIPUSER101 --> REGISTER --> SERVER --> Are things in order? --> Pass go || Go to jail
It could be cached for a certain amount of time to avoid re-processing over and over I guess. Who knows... Just some more insane thoughts I guess. I won't ramble on about this anymore, but should someone care to discuss it, fire away.
--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net    http://www.infiltrated.net
The happiness of society is the end of government. John Adams
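[Added example, not part of the post above and not Asterisk code.] The check the post sketches, written out as a small Python model: every user is provisioned at setup time with the fields the server will match a REGISTER against (the inside IP, the SIP ID and, where NAT is in play, the routable address), a REGISTER that misses any one of them counts as a strike against its source, enough strikes within the jail window refuses that source for a while (the "dampening" idea), and an accepted REGISTER is cached for a short time so it is not re-checked on every retry. All names, thresholds and sample values are assumptions; the REGISTER fields are constructed rather than parsed from real SIP.

```python
"""Per-user REGISTER check with strikes, jail and a short accept cache.

Added example modelled on the asterisk-dev post; not Asterisk code.
Field names, limits and sample data are assumptions.
"""
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Profile:
    """Values the administrator designates for a user before the PBX goes live."""
    sip_id: str                        # "variable2" in the post
    inside_ip: str                     # "variable1": address behind NAT
    routable_ip: Optional[str] = None  # "variable3": public address, only if NAT is used


@dataclass(frozen=True)
class Register:
    """Fields taken from one incoming REGISTER (constructed, not parsed from SIP)."""
    user: str
    sip_id: str
    contact_ip: str   # address the client claims in the request
    source_ip: str    # address the packet actually arrived from


class Registrar:
    def __init__(self, profiles: Dict[str, Profile], penalty_limit: int = 3,
                 jail_seconds: float = 60.0, cache_seconds: float = 30.0,
                 now=time.monotonic):
        self.profiles = dict(profiles)
        self.penalty_limit = penalty_limit
        self.jail_seconds = jail_seconds
        self.cache_seconds = cache_seconds
        self.now = now                                # injectable clock for testing
        self._cache: Dict[Register, float] = {}       # accepted REGISTER -> time accepted
        self._strikes: Dict[str, int] = {}            # source IP -> misses so far
        self._jailed_until: Dict[str, float] = {}     # source IP -> release time

    def _matches(self, reg: Register) -> bool:
        """All designated fields must agree; a missing profile never matches."""
        prof = self.profiles.get(reg.user)
        if prof is None:
            return False
        if reg.sip_id != prof.sip_id or reg.contact_ip != prof.inside_ip:
            return False
        # With NAT the packet must come from the routable address; without NAT,
        # from the inside address itself.
        expected_source = prof.routable_ip or prof.inside_ip
        return reg.source_ip == expected_source

    def check(self, reg: Register) -> str:
        """Return 'pass', 'pass-cached', 'penalized' or 'jailed' for one REGISTER."""
        t = self.now()
        release = self._jailed_until.get(reg.source_ip)
        if release is not None:
            if t < release:
                return "jailed"
            del self._jailed_until[reg.source_ip]     # jail term served, start clean
            self._strikes.pop(reg.source_ip, None)
        # Cache is keyed on the whole tuple, so a REGISTER that differs in any
        # field from the one accepted earlier gets no free pass.
        seen = self._cache.get(reg)
        if seen is not None and t - seen < self.cache_seconds:
            return "pass-cached"
        if self._matches(reg):
            self._cache[reg] = t
            self._strikes.pop(reg.source_ip, None)
            return "pass"
        strikes = self._strikes.get(reg.source_ip, 0) + 1
        self._strikes[reg.source_ip] = strikes
        if strikes >= self.penalty_limit:
            self._jailed_until[reg.source_ip] = t + self.jail_seconds
            return "jailed"
        return "penalized"


if __name__ == "__main__":
    # Constructed sample data mirroring the post's SIPUSER101.
    profiles = {"SIPUSER101": Profile("102", "10.10.10.2", "44.44.44.44")}
    reg = Registrar(profiles)
    good = Register("SIPUSER101", "102", "10.10.10.2", "44.44.44.44")
    bad = Register("SIPUSER101", "102", "10.10.10.2", "66.66.66.66")  # right SIPID, wrong source
    for r in (good, good, bad, bad, bad, good):
        print(r.source_ip, "->", reg.check(r))
```

Strikes and jail are keyed by source address, so a sender who can spoof every designated field, routable address included, still locks the real user out; that is the residual DoS the post itself accepts, and what makes the third field worth adding.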
_______________________________________________
-- Bandwidth and Colocation provided by Easynews.com --
asterisk-dev mailing list
To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-dev
