[asterisk-dev] SIP, NAT, security concerns, oh my!

Kevin P. Fleming kpfleming at digium.com
Tue Oct 25 09:20:24 CDT 2011


On 10/25/2011 07:12 AM, Olle E. Johansson wrote:

>> As I've thought about Tilghman's proposal to reply to *both* ports in cases where we cannot be sure which one we should reply to, I'm starting to think that might be a good option (but optional... we'd need a configuration item to disable it). Yes, it is a small traffic amplification attack vector, but a very small one (and SIP over UDP is already a traffic amplification attack vector by its very nature anyway).
> I don't really see the point, but I must be missing something here. I'll check around and see if we can get help cracking this nut.
>
> The problem is still 2d - not doing IP matching but username matching. And actually 2e - registrations from peers. At that point we can't match on IP, because we still don't have it, so we match on the To: uri.

Yes, REGISTER is really the big concern here, not INVITE/SUBSCRIBE/etc.

-- 
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: kfleming at digium.com | SIP: kpfleming at digium.com | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com & www.asterisk.org


