<br><br><div class="gmail_quote">On Jan 16, 2008 6:47 PM, Trixter aka Bret McDanel <<a href="mailto:trixter@0xdecafbad.com">trixter@0xdecafbad.com</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d"><br>On Thu, 2008-01-17 at 10:33 +1100, Craig Lawrence wrote:<br>> I was simply asking whether any other service provider had found a<br>> workaround for the issue. To ask a tech question on a biz list is simply
<br>> not kosha / Halal / Vegan or whatever.<br>><br></div>Yeah, although this did have a tie into the business case for iax, or<br>lack there of, and why it just doesnt make business sense to me to do<br>it.<br><br>
So as it stands now only one person said they did but they think it may<br>have been before some of the more recent changes, so its a 'maybe' with<br>current code as originally asked.<br><br>To bring this back to a biz sitaution, do you enable any type of DDoS
<br>mitigation techniques with iax? If so what products do you use?<br><br>Given that media and signalling are on the same port, and generally<br>sender port/ip will be the same for multiple calls, simple rate limiting<br>
isnt really a good option. This means that you can run the risk of<br>either having that port open to the world for flooding or have some<br>controls that degrade customer call quality. Either is bad.<br><br>If there is a reasonable solution for that, even if commercial, I would
<br>like to know since there isnt a good business case for that much<br>exposure in my mind.<br><div class="Ih2E3d"><br><br>> BTW - to use the term "Telco Grade Asterisk" is possibly premature.<br>><br></div>
never have :)<br></blockquote><div><br>A server behind a firewall with OpenVPN and a single port open, customers setup to connect over VPN.<br>An appliance before the asterisk box with ACLs or a PIX that is updated to let specific inbound traffic by IP.
<br></div></div>At what level do accept and deny either in IPtables or iax.conf work? I suppose they wouldn't really stop a true DDoS attack.<br>There are certainly appliances that can detect DoS attacks and block them.
<a href="http://www.radware.com/Products/ApplicationNetworkSecurity/default.aspx?source=google&gclid=CKyq0s7--5ACFQNzHgod7GcIrA">http://www.radware.com/Products/ApplicationNetworkSecurity/default.aspx?source=google&gclid=CKyq0s7--5ACFQNzHgod7GcIrA
</a><br><br>I am a huge fan of OpenVPN.<br><br>Thanks,<br>Steve Totaro<br>