[asterisk-dev] Client Puzzle Protocol in SIP

Fadil Sutomo fsutomo at gmail.com
Sun Feb 17 09:14:07 CST 2008


Hi Tzafrir,

Thanks for your reply..
I am not planning to prevent DoS attacks completely, and I am not
interested in programming each legitimate client connected to
Asterisk, either.

But again, my plan is only to test a client-puzzle mechanism in Asterisk,
nothing else, really. So, I would like to know what happens to the attacker
if Asterisk responds with a cryptographic puzzle.
If the attacker sends 100,000 junk INVITEs (maybe INVITE messages to a
non-existent client), then Asterisk will respond with a puzzle that the
attacker has to solve, which "maybe" will mitigate the DoS from this
attacker.

So, if anyone has pointers regarding this, please tell me.

Thank you.
Fadil

On Feb 17, 2008 2:40 AM, Tzafrir Cohen <tzafrir.cohen at xorcom.com> wrote:

> On Sat, Feb 16, 2008 at 11:37:46PM -0500, Fadil Sutomo wrote:
> > Hi All,
> >
> > I am interested in developing a client-puzzle mechanism in the SIP protocol
> > so that any client that wants to send an INVITE message to Asterisk should
> > solve a cryptographic puzzle first. So, can anyone of you give me pointers
> > regarding this?
> >
> > I am thinking about using the OpenSSL API for the crypto in this mechanism,
> > and I am not planning to support the clients. I just want to implement this
> > mechanism in Asterisk and test it in mitigating DoS attacks.
>
> But what if the client just sends a host of junk requests? This does not
> take any calculation. How can Asterisk know a request is junk while doing
> very little calculation?
>
> If we can relate several junk requests to the same IP or so, then we can
> throttle requests by IP or whatever. But Asterisk already supports
> this, I believe.
>
> --
>               Tzafrir Cohen
> icq#16849755              jabber:tzafrir.cohen at xorcom.com
> +972-50-7952406           mailto:tzafrir.cohen at xorcom.com
> http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
>
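The exchange Fadil describes (INVITE arrives, server answers with a puzzle, client must solve it before the INVITE is processed), as an added example that is not part of the thread and not Asterisk's own code. It is a Python sketch of the mechanism rather than the OpenSSL/C implementation discussed, so the point is the protocol shape, not the API. Everything below is an assumption for illustration: the `X-Puzzle-*` header names (SIP defines no standard puzzle header), the 401/403 status usage, the 30-second validity window, the 12-bit difficulty, and the sample secret, address and Call-ID. The one design choice worth copying is that the challenge nonce is an HMAC over source address, Call-ID, timestamp and difficulty, so the server keeps no per-client state and cannot be tricked into accepting a puzzle whose difficulty the client lowered.

```python
# Added illustration, not Asterisk code: a stateless client-puzzle exchange
# for SIP INVITE. Header names (X-Puzzle-*), status codes, TTL and difficulty
# are assumed values; SIP defines no standard puzzle header.
import hashlib
import hmac
import struct
import time

PUZZLE_TTL = 30          # seconds a challenge stays acceptable (assumed policy)
DIFFICULTY_BITS = 12     # leading zero bits required; raise this under load


def _nonce(server_secret, src_addr, call_id, ts, bits):
    """Bind the challenge to source, Call-ID, issue time AND difficulty with an
    HMAC, so the server stores nothing per client and can recompute it later;
    binding `bits` stops a client from resubmitting the puzzle with bits=0."""
    msg = f"{src_addr}|{call_id}|{ts}|{bits}".encode()
    return hmac.new(server_secret, msg, hashlib.sha256).hexdigest()


def make_puzzle(server_secret, src_addr, call_id, bits=DIFFICULTY_BITS, now=None):
    """Server side: build the challenge sent instead of processing the INVITE."""
    ts = int(time.time() if now is None else now)
    return {"nonce": _nonce(server_secret, src_addr, call_id, ts, bits),
            "ts": ts, "bits": bits}


def leading_zero_bits(digest):
    """Count leading zero bits of a byte string."""
    n = 0
    for b in digest:
        if b == 0:
            n += 8
        else:
            n += 8 - b.bit_length()
            break
    return n


def puzzle_hash(nonce, counter):
    return hashlib.sha256(nonce.encode() + struct.pack(">Q", counter)).digest()


def solve_puzzle(puzzle, max_tries=1 << 32):
    """Client side: search a counter until the hash has `bits` leading zeros.
    Expected cost is about 2**bits SHA-256 calls; returns (counter, tries)."""
    for counter in range(max_tries):
        if leading_zero_bits(puzzle_hash(puzzle["nonce"], counter)) >= puzzle["bits"]:
            return counter, counter + 1
    raise RuntimeError("no solution within max_tries")


def verify_solution(server_secret, src_addr, call_id, puzzle, counter, now=None):
    """Server side: one HMAC and one SHA-256 regardless of difficulty. Rejects
    stale or future timestamps, a nonce not issued for this source/Call-ID/
    difficulty, and hashes that miss the target."""
    ts = int(time.time() if now is None else now)
    if not 0 <= ts - puzzle["ts"] <= PUZZLE_TTL:
        return False
    expected = _nonce(server_secret, src_addr, call_id, puzzle["ts"], puzzle["bits"])
    if not hmac.compare_digest(expected, puzzle["nonce"]):
        return False
    return leading_zero_bits(puzzle_hash(puzzle["nonce"], counter)) >= puzzle["bits"]


def handle_invite(server_secret, src_addr, headers, now=None):
    """Dispatch one INVITE: challenge if no solution is attached, else verify.
    Returns (status, reason, extra_headers); X-Puzzle-* names are assumed."""
    call_id = headers["Call-ID"]
    if "X-Puzzle-Solution" not in headers:
        p = make_puzzle(server_secret, src_addr, call_id, now=now)
        return (401, "Solve Puzzle", {"X-Puzzle-Nonce": p["nonce"],
                                       "X-Puzzle-Ts": str(p["ts"]),
                                       "X-Puzzle-Bits": str(p["bits"])})
    puzzle = {"nonce": headers["X-Puzzle-Nonce"], "ts": int(headers["X-Puzzle-Ts"]),
              "bits": int(headers["X-Puzzle-Bits"])}
    ok = verify_solution(server_secret, src_addr, call_id, puzzle,
                         int(headers["X-Puzzle-Solution"]), now=now)
    return (100, "Trying", {}) if ok else (403, "Bad Puzzle Solution", {})


def demo(secret=b"\x01" * 32, now=1_700_000_000):
    """Full exchange with constructed values: INVITE -> challenge -> solved INVITE.
    Returns (final status, number of hashes the client had to compute)."""
    src = "203.0.113.5:5060"                          # constructed client address
    invite = {"Call-ID": "a84b4c76e66710@client.example"}   # constructed Call-ID
    status, _, ch = handle_invite(secret, src, invite, now=now)
    assert status == 401
    puzzle = {"nonce": ch["X-Puzzle-Nonce"], "ts": int(ch["X-Puzzle-Ts"]),
              "bits": int(ch["X-Puzzle-Bits"])}
    counter, tries = solve_puzzle(puzzle)
    retry = {**invite, **ch, "X-Puzzle-Solution": str(counter)}
    status2, _, _ = handle_invite(secret, src, retry, now=now + 5)
    return status2, tries


if __name__ == "__main__":
    status, tries = demo()
    print(f"retry accepted with status {status} after {tries} client hashes")
```

Two things this makes concrete about the objection raised in the thread. First, the server's cost per challenge is one HMAC plus one response packet, and verification is one HMAC plus one SHA-256, with no table of outstanding puzzles to exhaust; that is what makes the puzzle cheaper for Asterisk than for the sender. Second, it does nothing about the cost of parsing and answering each of the 100,000 junk INVITEs in the first place, which is exactly the "host of junk requests" case: a puzzle only helps once the attacker needs the INVITE to actually be acted on, so in practice it sits behind, not instead of, per-IP throttling, and `DIFFICULTY_BITS` is raised as load rises.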