[asterisk-dev] Rate limiting traffic to address potential DoS issues?

John Lange j.lange at epic.ca
Fri Oct 6 10:46:22 MST 2006


On Fri, 2006-10-06 at 11:56 -0500, Kevin P. Fleming wrote:
> It seems that maybe the best proposal at this time is to just provide
> a method for counting the number of improper/bogus signaling packets
> received in a given time frame (per second, per minute, etc.) and then
> dropping (without response) any signaling that is not known to be
> valid beyond that limit.

Sorry, I read this post after I sent my previous email but just want to
make one further comment.

As mentioned, this makes it trivial to DoS accounts and I would urge you
to rule out the syn-cookie approach first before implementing rate
limiting on accounts.

This exact problem has already been encountered and solved in the TCP
world (circa 2000) and the syn-cookie approach has proved itself while
connection rate limiting is known to be a poor approach.

-- 
John Lange
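The trade-off argued in this message, shown as an added example that is not code from the thread or from Asterisk: a toy per-account rate limiter of the kind Kevin describes, beside a SYN-cookie-style stateless challenge. The account table, packet dictionaries, source addresses, server secret and the HMAC cookie construction are all assumptions made for the simulation.

```python
import hashlib
import hmac
from collections import deque

# Constructed account database (assumption): account name -> shared secret.
ACCOUNTS = {"alice": "s3cret", "bob": "hunter2"}


class AccountRateLimiter:
    """Per-account counter of bogus signaling, as proposed in the thread:
    once an account has seen `limit` bogus packets within `window` seconds,
    everything addressed to it is dropped without response."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.bogus = {}  # account -> deque of timestamps of bogus packets

    def accept(self, pkt, now):
        q = self.bogus.setdefault(pkt["account"], deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # throttled: legitimate packets are dropped too
        ok = ACCOUNTS.get(pkt["account"]) == pkt.get("password")
        if not ok:
            q.append(now)
        return ok


class StatelessCookieFilter:
    """SYN-cookie-style alternative: no per-account state is kept for
    unverified traffic. A packet without a valid cookie gets a cheap
    challenge, an HMAC over the source address and the current epoch; only
    a packet that echoes a valid cookie is checked against the accounts."""

    def __init__(self, secret, epoch_len=60):
        self.secret = secret
        self.epoch_len = epoch_len

    def cookie_for(self, src, epoch):
        msg = f"{src}|{epoch}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:16]

    def handle(self, pkt, now):
        epoch = int(now // self.epoch_len)
        cookie = pkt.get("cookie")
        valid = cookie is not None and any(
            hmac.compare_digest(cookie, self.cookie_for(pkt["src"], e))
            for e in (epoch, epoch - 1)  # tolerate an epoch rollover
        )
        if not valid:
            return ("challenge", self.cookie_for(pkt["src"], epoch))
        if ACCOUNTS.get(pkt["account"]) == pkt.get("password"):
            return ("accepted", None)
        return ("rejected", None)


def compare(flood_size=50):
    """Run the same traffic through both designs: a burst of bogus packets
    naming alice's account from a spoofed source, then alice's own correct
    packet. Returns what happened to alice's packet under each design."""
    flood = [{"src": "198.51.100.7", "account": "alice", "password": "guess"}
             for _ in range(flood_size)]
    legit = {"src": "192.0.2.10", "account": "alice", "password": "s3cret"}

    # Design 1: per-account rate limiting. The bogus burst exhausts the
    # account's budget, so alice's valid packet is dropped as well.
    rl = AccountRateLimiter(limit=10, window=60)
    for pkt in flood:
        rl.accept(pkt, now=1000.0)
    rl_legit = rl.accept(legit, now=1001.0)

    # Design 2: stateless cookie challenge. The burst only ever earns cheap
    # challenge replies addressed to the spoofed source; no account state is
    # touched. Alice receives her challenge, echoes it, and is accepted.
    cf = StatelessCookieFilter(secret=b"constructed-server-secret")
    challenges = sum(1 for pkt in flood
                     if cf.handle(pkt, 1000.0)[0] == "challenge")
    _status, cookie = cf.handle(legit, 1000.0)
    cf_legit = cf.handle(dict(legit, cookie=cookie), 1001.0)[0] == "accepted"

    return {"rate_limit_legit_accepted": rl_legit,
            "cookie_flood_challenges": challenges,
            "cookie_legit_accepted": cf_legit}


if __name__ == "__main__":
    print(compare())
```

The rate limiter keys its state on the account name carried in the packet, which is exactly what an unauthenticated sender controls; the cookie filter keys on the source address and keeps no state at all until the sender proves it can receive replies, which is the property the SYN cookie borrowed from TCP.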
