[asterisk-dev] Rate limiting traffic to address potential DoS issues?
John Lange
j.lange at epic.ca
Fri Oct 6 10:46:22 MST 2006
On Fri, 2006-10-06 at 11:56 -0500, Kevin P. Fleming wrote:
> It seems that maybe the best proposal at this time is to just provide
> a method for counting the number of improper/bogus signaling packets
> received in a given time frame (per second, per minute, etc.) and then
> dropping (without response) any signaling that is not known to be
> valid beyond that limit.
Sorry, I read this post after I sent my previous email but just want to
make one further comment.
As mentioned, this makes it trivial to DoS accounts and I would urge you
to rule out the syn-cookie approach first before implementing rate
limiting on accounts.
This exact problem has already been encountered and solved in the TCP
world (circa 2000) and the syn-cookie approach has proved itself while
connection rate limiting is known to be a poor approach.
--
John Lange
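The contrast the message above draws, as an added example that is not part of the original post and not Asterisk code: a toy per-account "count bogus packets and drop beyond a limit" server next to a toy server that answers every unverified packet with a stateless HMAC cookie derived from the source address (the SYN-cookie idea applied to UDP signaling). The packet dicts, account names, addresses, the 60-second window and the class/function names are all constructed for this illustration.

```python
"""
Stateless challenge cookies (the SYN-cookie idea applied to UDP signaling)
versus per-account rate limiting. Both "servers" below are toy models that
process constructed packet dicts; they are not Asterisk code.
"""
import hashlib
import hmac
import os

SECRET = os.urandom(32)   # server secret; a real deployment would rotate it
COOKIE_WINDOW = 60        # seconds a cookie remains valid (assumed value)


def make_cookie(src, now, secret=SECRET):
    """HMAC over (src_ip, src_port, time slot). The server stores nothing."""
    ip, port = src
    slot = int(now // COOKIE_WINDOW)
    msg = f"{ip}:{port}:{slot}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def verify_cookie(src, cookie, now, secret=SECRET):
    """Accept the current or previous slot so a cookie issued just before a
    slot boundary is still usable. Constant-time compare, no stored state."""
    ip, port = src
    slot = int(now // COOKIE_WINDOW)
    for s in (slot, slot - 1):
        msg = f"{ip}:{port}:{s}".encode()
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]
        if hmac.compare_digest(expected, cookie):
            return True
    return False


class AccountRateLimiter:
    """Model of 'count bogus packets per account, drop beyond a limit'.
    The counter is keyed by the account name in the packet, which the sender
    chooses, so anyone can exhaust another user's budget with spoofed traffic."""

    def __init__(self, limit):
        self.limit = limit
        self.bogus = {}

    def handle(self, pkt, creds):
        acct = pkt["account"]
        if self.bogus.get(acct, 0) >= self.limit:
            return "dropped"
        if pkt.get("password") != creds.get(acct):
            self.bogus[acct] = self.bogus.get(acct, 0) + 1
            return "rejected"
        return "registered"


class CookieServer:
    """Model of the cookie approach: an unverified packet gets a challenge
    computed from its own source address; nothing is counted or stored until
    the sender proves it can receive at that address by echoing the cookie."""

    def handle(self, pkt, creds, now):
        cookie = pkt.get("cookie")
        if cookie is None or not verify_cookie(pkt["src"], cookie, now):
            # The challenge is sent to pkt["src"]; a spoofed source never sees it.
            return "challenge", make_cookie(pkt["src"], now)
        if pkt.get("password") != creds.get(pkt["account"]):
            return "rejected", None
        return "registered", None


def simulate(now=1_000_000.0):
    creds = {"alice": "s3cret"}            # constructed credential store
    alice = ("192.0.2.10", 5060)           # alice's real source address
    results = {}

    # Rate limiter: 20 bogus REGISTERs naming alice's account arrive from
    # spoofed addresses, then alice herself tries with the right password.
    rl = AccountRateLimiter(limit=10)
    for i in range(20):
        rl.handle({"src": (f"203.0.113.{i}", 5060), "account": "alice",
                   "password": "x"}, creds)
    results["ratelimit_alice"] = rl.handle(
        {"src": alice, "account": "alice", "password": "s3cret"}, creds)

    # Cookie server: the same flood only produces challenges addressed to
    # hosts the attacker does not control; alice completes the round trip.
    cs = CookieServer()
    for i in range(20):
        cs.handle({"src": (f"203.0.113.{i}", 5060), "account": "alice",
                   "password": "x"}, creds, now)
    status, cookie = cs.handle(
        {"src": alice, "account": "alice", "password": "s3cret"}, creds, now)
    results["cookie_first"] = status
    status, _ = cs.handle({"src": alice, "account": "alice",
                           "password": "s3cret", "cookie": cookie}, creds, now)
    results["cookie_alice"] = status

    # Alice's cookie replayed from another source address is just re-challenged.
    status, _ = cs.handle({"src": ("203.0.113.99", 5060), "account": "alice",
                           "password": "s3cret", "cookie": cookie}, creds, now)
    results["cookie_replayed"] = status
    return results


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The cookie proves only that the sender can receive at its claimed source address, exactly as a TCP SYN cookie does; authentication still happens afterwards, and the server's only per-packet cost before that point is one HMAC, with no state keyed by anything the attacker chooses.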