[asterisk-dev] Re: Rate limiting and firewall failures on DoS
J. Oquendo
sil at infiltrated.net
Tue Sep 26 18:28:03 MST 2006
Jason Parker wrote:
>
> Stuff like this, in my opinion, is best handled at the firewall level,
> or perhaps with a load balancer of sorts.
Let's look at the firewall level.
FW = 192.168.1.2
Asterisk Server = 192.168.1.3
Outside Employee = 10.15.20.1
An attacker uses the source address of the outside employee (however the attacker managed to get this information is irrelevant). You're now blocking a legitimate call from going through.
> *PROPERLY* handle higher call volumes, but in this case, what happens
> if they just resort to a good old packet flood?
Rate limiting... What happens if the PBX is set up inside of a telemarketing center, or a business with a high call volume?
What comes to mind is something like snort_inline where, if a SIP *ANYTHING* (INVITE/REFER/*ANYTHING*) comes through from the same source more than 6 times in a one-minute time span, it should time out for, say, 60 seconds and increment for a period of time. Something to the tune of the BGP protocol's flapping (http://tinyurl.com/ogspz).
This may actually work for something on this level. I'm not a developer, but I can test the network theory on this to see if it will suppress an attack and report any findings as time allows.
--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil infiltrated . net http://www.infiltrated.net
"How a man plays the game shows something of his
character - how he loses shows all" - Mr. Luckey
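The two points above, the rate limiter with escalating timeouts and the spoofed-source failure, as one added example that is not code from this post, from snort_inline or from Asterisk. The 6-requests-per-60-seconds threshold and the 60-second timeout are the numbers the post proposes; the doubling of the block time on each repeat offence, the one-hour cap and the 10-minute decay of the penalty level are assumptions made here to mimic BGP route-flap damping. The attacker address 203.0.113.9 and the INVITE request lines are constructed sample input; 10.15.20.1 is the outside employee from the post.

```python
"""Per-source SIP request rate limiter with escalating block times.

Added example, not code from the asterisk-dev post or from Asterisk itself.
Thresholds of 6 requests per 60 s and a 60 s timeout come from the post;
the doubling penalty, the cap and the 10-minute decay are assumptions made
here to mimic BGP route-flap damping.
"""
from collections import defaultdict, deque
import re

THRESHOLD = 6           # SIP requests allowed from one source per window (post)
WINDOW = 60.0           # window length in seconds (post)
BASE_PENALTY = 60.0     # first block lasts this long (post)
MAX_PENALTY = 3600.0    # cap for the escalating block time (assumed)
PENALTY_DECAY = 600.0   # quiet seconds after a block before the level drops by one (assumed)

# Request line of any SIP method (INVITE, REFER, REGISTER, ...); responses
# such as "SIP/2.0 200 OK" do not match and are never counted.
SIP_REQUEST = re.compile(r"^[A-Z]+\s+sips?:[^\s]+\s+SIP/2\.0$")


class SipRateLimiter:
    def __init__(self, threshold=THRESHOLD, window=WINDOW,
                 base_penalty=BASE_PENALTY, max_penalty=MAX_PENALTY,
                 decay=PENALTY_DECAY):
        self.threshold = threshold
        self.window = window
        self.base_penalty = base_penalty
        self.max_penalty = max_penalty
        self.decay = decay
        self.recent = defaultdict(deque)       # src -> request timestamps inside the window
        self.blocked_until = {}                # src -> time the current or last block ends
        self.penalty_level = defaultdict(int)  # src -> number of escalations so far

    def _decay(self, src, now):
        """Lower the penalty level by one for every full quiet period since the last block ended."""
        end = self.blocked_until.get(src)
        if end is None or now < end:
            return
        periods = int((now - end) // self.decay)
        if periods:
            self.penalty_level[src] = max(0, self.penalty_level[src] - periods)
            # advance the reference point so the same quiet time is not credited twice
            self.blocked_until[src] = end + periods * self.decay

    def check(self, src, first_line, now):
        """Return 'pass' or 'drop' for one SIP message from src at time now (seconds)."""
        if not SIP_REQUEST.match(first_line):
            return "pass"                      # not a request: never counted
        self._decay(src, now)
        if now < self.blocked_until.get(src, float("-inf")):
            return "drop"                      # still inside a block
        q = self.recent[src]
        while q and now - q[0] > self.window:  # slide the window
            q.popleft()
        q.append(now)
        if len(q) > self.threshold:
            level = self.penalty_level[src]
            penalty = min(self.base_penalty * (2 ** level), self.max_penalty)
            self.blocked_until[src] = now + penalty
            self.penalty_level[src] = level + 1
            q.clear()
            return "drop"
        return "pass"


def simulate(events, limiter):
    """Feed (time, src, first_line) events; return {src: (passed, dropped)}."""
    counts = defaultdict(lambda: [0, 0])
    for t, src, line in events:
        idx = 0 if limiter.check(src, line, t) == "pass" else 1
        counts[src][idx] += 1
    return {src: tuple(c) for src, c in counts.items()}


INVITE = "INVITE sip:2000@192.168.1.3 SIP/2.0"   # constructed request line
ATTACKER = "203.0.113.9"                          # constructed attacker address
EMPLOYEE = "10.15.20.1"                           # outside employee from the post


def flood_demo():
    """One INVITE per second for 200 s from the attacker: 6 pass, 60 s block,
    6 pass, 120 s block, 6 pass, 240 s block. Returns (stats, limiter)."""
    lim = SipRateLimiter()
    stats = simulate([(t, ATTACKER, INVITE) for t in range(200)], lim)
    return stats, lim


def spoof_demo():
    """Attacker spoofs the employee's source address; the employee's own call at
    t=30 is dropped, which is the failure the post points out. Returns both verdicts."""
    lim = SipRateLimiter()
    for t in range(10, 20):
        lim.check(EMPLOYEE, INVITE, t)          # 10 spoofed INVITEs
    during = lim.check(EMPLOYEE, INVITE, 30)    # legitimate call while blocked
    after = lim.check(EMPLOYEE, INVITE, 100)    # legitimate call after the block expires
    return during, after


if __name__ == "__main__":
    stats, lim = flood_demo()
    print("flood:", stats[ATTACKER], "penalty level", lim.penalty_level[ATTACKER])
    print("spoofed employee:", spoof_demo())
```

Keying purely on the source address is what makes the spoof case fail: the limiter cannot tell the attacker's spoofed INVITEs from the employee's real one, so a stateless rate limit at the firewall punishes whoever the attacker chooses to impersonate. Anything that only counts packets per source has the same property.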