[asterisk-dev] Penalty approach for DoS

J. Oquendo sil at infiltrated.net
Mon Oct 9 10:29:30 MST 2006


Furthering a thought on stopping a DoS, since it is fresh in mind, I see 
one caveat with the dampening method mentioned before. It is the 
possible penalization of valid SIPUSERS; this is obvious, but it would 
only occur if a dampening-like protocol were implemented improperly. My 
version of dampening would be like the following:

Let SIPUSER101 be a valid user:

SIPUSER101
variable1 = 10.10.10.2
variable2 = SIPID 102

SIPUSER101 --> SERVER (checks two variables) --> Match? --> Go forward 
|| Penalized

If an attacker was able to gather both the variables (IP and SIPID) it 
would cause a Denial of Service for SIPUSER101, but it would be a slight 
bit more difficult to make a tool to match both variables.

In order for an attacker to use this approach successfully for a DoS 
(sending two variables), they(he/she) would have to know enough about 
the network, extensions, etc. Now, with predefined variables configured 
from the onset, I can see something similar to dampening working just fine.

E.g. Before the VoIP PBX is configured the administrator would designate 
two variables, and the check would be done against these two variables. 
This would ensure that no "default" value would be used which would make 
it a little more difficult to guess/randomize and send bogus information 
that would lead to a DoS. Make sense?

The two fields I would use would be the SIP information and the IP 
address information. It would be difficult to guess both and be on the 
money, even with a program that did ranDumbly generate bogus 
information. Something to the tune of snort_inline could address this 
even if someone did create such garbage. Even a third value can be 
pre-defined. NAT information if used can be a value so:

SIPUSER101
variable1 = IP 10.10.10.2(NAT)
variable2 = SIPID 102
variable3 = 44.44.44.44(Routable address)

So now:

SIPUSER101 --> REGISTER --> SERVER --> Are things in order? --> Pass go 
|| Go to jail

It could be cached for a certain amount of time to avoid re-processing 
over and over I guess. Who knows... Just some more insane thoughts I 
guess. I won't ramble on about this anymore, but should someone care to 
discuss it, fire away.

-- 
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 

The happiness of society is the end of government.
John Adams
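As an added example (not code from the post above or from Asterisk), here is a small Python model of the check the post describes: every SIP user has administrator-configured values (SIP ID, private/NAT address, routable address), a REGISTER that matches all of them passes and is cached for a TTL so it is not re-processed, and a mismatch adds to a per-source penalty that decays over time, in the style of route-flap dampening; once the penalty crosses a threshold the source "goes to jail" for a fixed period. The user, addresses, thresholds, half-life and the REGISTER attempts are all constructed for illustration. The second attempt list reproduces the caveat the post itself raises: if bogus REGISTERs arrive carrying a valid user's source address, the penalty lands on that user.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ExpectedUser:
    """Values the administrator pre-defines for one SIP user (variable1..3 in the post)."""
    sip_id: str
    private_ip: str   # address behind NAT, e.g. 10.10.10.2
    routable_ip: str  # public address the REGISTER actually arrives from


@dataclass
class SourceState:
    penalty: float = 0.0       # decays exponentially with a configurable half-life
    last_update: float = 0.0
    jailed_until: float = 0.0  # source is refused until this timestamp


class RegisterGate:
    """Pass / penalize / jail decision for REGISTER attempts (hypothetical thresholds)."""

    def __init__(self, users: Dict[str, ExpectedUser], half_life: float = 30.0,
                 jail_threshold: float = 3.0, jail_seconds: float = 300.0,
                 cache_ttl: float = 60.0) -> None:
        self.users = users
        self.half_life = half_life
        self.jail_threshold = jail_threshold
        self.jail_seconds = jail_seconds
        self.cache_ttl = cache_ttl
        self.sources: Dict[str, SourceState] = {}
        # (username, sip_id, private_ip, routable_ip) -> time until which the verdict is cached
        self.cache: Dict[Tuple[str, str, str, str], float] = {}

    def _decay(self, state: SourceState, now: float) -> None:
        # Halve the accumulated penalty every half_life seconds of quiet.
        if now > state.last_update:
            state.penalty *= 0.5 ** ((now - state.last_update) / self.half_life)
        state.last_update = now

    def check(self, username: str, sip_id: str, private_ip: str,
              routable_ip: str, now: float) -> str:
        state = self.sources.setdefault(routable_ip, SourceState())
        self._decay(state, now)
        if state.jailed_until > now:
            return "jail"  # still serving a penalty, do not even look at the values
        key = (username, sip_id, private_ip, routable_ip)
        if self.cache.get(key, 0.0) > now:
            return "pass"  # recently verified, skip re-processing
        expected = self.users.get(username)
        if expected is not None and (sip_id, private_ip, routable_ip) == (
                expected.sip_id, expected.private_ip, expected.routable_ip):
            self.cache[key] = now + self.cache_ttl
            return "pass"
        state.penalty += 1.0
        if state.penalty >= self.jail_threshold:
            state.jailed_until = now + self.jail_seconds
            return "jail"
        return "penalized"


# Constructed configuration: the user from the post.
USERS = {"SIPUSER101": ExpectedUser(sip_id="102", private_ip="10.10.10.2",
                                    routable_ip="44.44.44.44")}

# Constructed REGISTER attempts: (time, username, sip_id, private_ip, source_ip).
ATTEMPTS = [
    (0.0, "SIPUSER101", "102", "10.10.10.2", "44.44.44.44"),  # valid
    (1.0, "SIPUSER101", "102", "10.10.10.2", "44.44.44.44"),  # valid, answered from cache
    (2.0, "SIPUSER101", "999", "10.10.10.9", "9.9.9.9"),      # bogus, unknown source
    (3.0, "SIPUSER101", "999", "10.10.10.9", "9.9.9.9"),
    (4.0, "SIPUSER101", "999", "10.10.10.9", "9.9.9.9"),
    (5.0, "SIPUSER101", "999", "10.10.10.9", "9.9.9.9"),      # penalty crosses 3.0 -> jail
    (6.0, "SIPUSER101", "102", "10.10.10.2", "9.9.9.9"),      # right values, jailed source
    (500.0, "SIPUSER101", "999", "10.10.10.9", "9.9.9.9"),    # jail over, penalty decayed
]

# The caveat from the post: bogus REGISTERs carrying the valid user's source address.
SPOOFED_ATTEMPTS = [
    (10.0, "SIPUSER101", "999", "10.10.10.9", "44.44.44.44"),
    (11.0, "SIPUSER101", "999", "10.10.10.9", "44.44.44.44"),
    (12.0, "SIPUSER101", "999", "10.10.10.9", "44.44.44.44"),
    (13.0, "SIPUSER101", "999", "10.10.10.9", "44.44.44.44"),  # jails 44.44.44.44
    (14.0, "SIPUSER101", "102", "10.10.10.2", "44.44.44.44"),  # the real user is now refused
]


def run_demo(attempts=ATTEMPTS) -> List[str]:
    """Run one attempt list through a fresh gate and return the verdict per attempt."""
    gate = RegisterGate(USERS)
    return [gate.check(u, s, p, r, now=t) for t, u, s, p, r in attempts]


if __name__ == "__main__":
    for t, verdict in zip((a[0] for a in ATTEMPTS), run_demo()):
        print(f"t={t:6.1f}  {verdict}")
    print("spoofed source:", run_demo(SPOOFED_ATTEMPTS))
```

The decay and jail numbers are arbitrary; what matters for the design is that the penalty is keyed on the source address, so the penalty for a mismatch lands on whoever the packet claims to come from. That is exactly the post's point about an attacker who has gathered the valid user's variables, and it is why a deployment would pair a check like this with something that inspects the traffic itself (the post mentions snort_inline) rather than relying on the tuple match alone.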
