[asterisk-dev] Rate limiting traffic to address potential DoS issues?

Brian Candler B.Candler at pobox.com
Thu Sep 28 04:05:17 MST 2006


John Lange wrote:
> A while back I posted a suggestion for limiting the impact of 1/2 open
> SIP authentication attacks based on the principle of syncookies:
> 
> http://lists.digium.com/pipermail/asterisk-dev/2006-July/021709.html
> 
> It didn't seem to generate any interest but I still think it's a good
> idea so it might be worth some people having a second look at and it's
> on-topic for this conversation.

I think that it's definitely worth exploring.

However, in the form proposed, it seems only to apply to connections which
must be authenticated. It would not help with an INVITE flood to a SIP proxy
which accepts incoming calls from the public Internet. I'm finding it
difficult to think of a way around that.

Rate limiting incoming connections by source IP address would not help if
the INVITEs had spoofed source addresses.

You could consider something like E-mail "greylisting" - e.g. the first time
you see an INVITE from a particular IP address you ignore it, and wait for a
retransmission. But the attacker just has to send the INVITE twice from the
same spoofed IP address.

You could try to do some sort of SIP callback to the supposed originator -
an OPTIONS request perhaps? But that might end up as a DoS amplifier if
you're not careful.

Maybe another option is that incoming INVITEs generate (statelessly) a 3xx
redirect containing some cookie, which in turn causes the originator to
connect again. But I don't know enough about the details of the SIP protocol
to suggest what attribute might carry the cookie.

Regards,

Brian.
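The stateless cookie idea in the message above, worked through as an added example (this is not code from the thread or from Asterisk). It assumes a syncookie-style scheme: the proxy answers a first INVITE with a redirect carrying an HMAC over the source address, the Call-ID and a coarse time bucket, keeps no per-call state, and accepts a retried INVITE only if it presents a cookie that verifies for the same address and Call-ID within the allowed window. Which SIP attribute carries the cookie is left open, as it is in the message; the `handle_invite` front end and the constructed secret, addresses and Call-IDs are all assumptions for the demonstration.

```python
import hashlib
import hmac
import time

# Constructed demo secret; a real deployment would use a random key that is
# rotated, and the verifier would accept the previous key for one window.
SECRET = b"constructed-demo-secret-do-not-reuse"
BUCKET_SECONDS = 60      # granularity of the time component of the cookie
MAX_AGE_BUCKETS = 1      # accept cookies from the current or previous bucket


def _bucket(now):
    """Coarse time slot so the cookie expires without any stored state."""
    return int(now // BUCKET_SECONDS)


def _tag(bucket, src_ip, call_id, secret):
    """HMAC over everything the cookie must be bound to (bucket, source, call)."""
    msg = f"{bucket}|{src_ip}|{call_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def make_cookie(src_ip, call_id, now=None, secret=SECRET):
    """Cookie returned in the redirect to a first-contact INVITE."""
    now = time.time() if now is None else now
    bucket = _bucket(now)
    return f"{bucket}:{_tag(bucket, src_ip, call_id, secret)}"


def verify_cookie(cookie, src_ip, call_id, now=None, secret=SECRET,
                  max_age_buckets=MAX_AGE_BUCKETS):
    """True only if the cookie was minted for this source, this call and recently."""
    try:
        bucket_str, tag = cookie.split(":", 1)
        bucket = int(bucket_str)
    except (ValueError, AttributeError):
        return False                     # malformed cookie, treat as absent
    now = time.time() if now is None else now
    current = _bucket(now)
    if not (current - max_age_buckets <= bucket <= current):
        return False                     # expired or from the future
    expected = _tag(bucket, src_ip, call_id, secret)
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    return hmac.compare_digest(expected, tag)


def handle_invite(src_ip, call_id, cookie=None, now=None):
    """Stateless front end (hypothetical): challenge first, accept on a valid retry.

    Returns ("challenge", cookie) for a 3xx redirect, or ("accept", None) when
    the INVITE may be handed to the real call-processing path.
    """
    if cookie is not None and verify_cookie(cookie, src_ip, call_id, now):
        return ("accept", None)
    # No state is kept here: a spoofed source never receives the redirect,
    # so it can never present a valid cookie, however often it resends.
    return ("challenge", make_cookie(src_ip, call_id, now))


if __name__ == "__main__":
    # Constructed exchange: a genuine caller at 203.0.113.7 and a spoofed flood.
    t0 = 1_000_000.0
    action, cookie = handle_invite("203.0.113.7", "a84b4c76e66710@caller", now=t0)
    print("first INVITE ->", action, cookie)
    print("retry with cookie ->", handle_invite("203.0.113.7", "a84b4c76e66710@caller",
                                                cookie, now=t0 + 5)[0])
    # A spoofer guessing or replaying the cookie from another address fails.
    print("replay from 198.51.100.9 ->", handle_invite("198.51.100.9",
                                                       "a84b4c76e66710@caller",
                                                       cookie, now=t0 + 5)[0])
    print("stale retry ->", handle_invite("203.0.113.7", "a84b4c76e66710@caller",
                                          cookie, now=t0 + 600)[0])
```

The cookie addresses the spoofed-source case the message is worried about: the redirect only reaches the address the INVITE claimed to come from, so a sender that forges addresses never learns a valid cookie, and the proxy spends no memory per unanswered INVITE. It does nothing against a flood from addresses the attacker really controls (there per-source rate limiting still applies), and a genuine source can replay its own cookie for the same Call-ID within the window, which is why the bucket is kept short.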

