Thanks again for the depth of knowledge you are offering. <div><br></div><div>So, I am taking a pass on the firewall since it won't do what I need, but I understand that it can do country blocking etc., though not foolproof still.</div>
<div><br></div><div>I am really not worried about DoS or, more importantly, DDoS, as I have no hope those can be prevented anyhow... been hit by one on a pfSense router and it was just "absorb as much as you can".</div><div><br>
</div><div>I like the different port idea, though with the current scattered ATAs and SIP phones it's impractical for me to ask them all to change to a random port.</div><div><br></div><div>Quote: <i>"How do the users register to begin with, if their REGISTER requests won't be processed unless their IP is already known to be a registrant? :-)"</i></div>
<div><br></div><div>Well, unfortunately I don't have the luxury of knowing their IP and the closest I know is their IP range. </div>
<div><br></div><div>But I guess this is what it is, as I have seen big providers also return DECLINED from their gateways if one is not on their authorized list.</div><div><br></div><div>So, my final questions:</div><div>
<br></div><div><div>1- So, you are saying that any of OpenSER/Kamailio/OpenSIPS actually gives me full capability at the SIP stack level to do the sort of thing I was asking for? And this can run on the same server as Asterisk is running?</div>
<div><br></div><div>Thanks a bunch</div><div><br></div><br><div class="gmail_quote">On Fri, Jul 22, 2011 at 10:18 PM, Alex Balashov <span dir="ltr"><<a href="mailto:abalashov@evaristesys.com" target="_blank">abalashov@evaristesys.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>On 07/22/2011 10:11 PM, Bruce B wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Vast number of scattered users all over the globe. I hate to think<br>
there is no way to not announce ourselves as a SIP server to<br>
un-trusted users.<br>
</blockquote>
<br></div>
Not easily. This is a problem all service providers have to deal with, and so do you. You have to have your SIP services open to the world, but they don't necessarily need to be easy to DoS or dictionary scan.<br>
<br>
Intra-industrially, the solution is usually some form of SBC or other administrative border/edge security element. In the open-source world, a lot of the steeling, rate-limiting, etc. can be done with OpenSER/Kamailio/OpenSIPS.<br>
<br>
(Shameless plug: That's what we do all day commercially.)<br>
<br>
A common strategy is to use a non-standard SIP port ('bindport' in sip.conf). No, it doesn't stop all scans, but in our experience, it will stop a good 95%+ of them. When almost everyone does use the standard SIP port, and thus there are so many low-hanging targets, it's not worth bothering with a full ~65k UDP port scan. Certainly, the average SIPvicious scanner won't bother with anything but 5060.<div>
<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Or is there something else that can be done with the firewall to allow<br>
"dynamic" trust IPs and drop packets from unregistered sources?<br>
</blockquote>
<br></div>
That raises an interesting question:<br>
<br>
How do the users register to begin with, if their REGISTER requests won't be processed unless their IP is already known to be a registrant? :-)<br><font color="#888888">
<br>
-- <br></font><div>
Alex Balashov - Principal<br>
Evariste Systems LLC<br>
260 Peachtree Street NW<br>
Suite 2200<br>
Atlanta, GA 30303<br>
Tel: <a href="tel:%2B1-678-954-0670" value="+16789540670" target="_blank">+1-678-954-0670</a><br>
Fax: <a href="tel:%2B1-404-961-1892" value="+14049611892" target="_blank">+1-404-961-1892</a><br>
Web: <a href="http://www.evaristesys.com/" target="_blank">http://www.evaristesys.com/</a><br>
<br></div><div><div></div><div>
--<br>
_____________________________________________________________________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --<br>
New to Asterisk? Join us for a live introductory webinar every Thurs:<br>
<a href="http://www.asterisk.org/hello" target="_blank">http://www.asterisk.org/hello</a><br>
<br>
asterisk-users mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-users" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-users</a><br>
</div></div></blockquote></div><br></div>
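<div>Added example (not from this thread, and not code from Asterisk, Kamailio or OpenSIPS): a small Python gate that implements, in one place, the things the exchange above circles around for a SIP service that has to stay open to the world. REGISTER is honoured only from the customer IP ranges the operator knows (the poster knows ranges, not individual addresses, which sidesteps the "how do they register in the first place" problem); repeated failed registrations from one source are rate-limited into a temporary ban; requests carrying the SIPvicious default User-Agent are banned at once; and the banned set is emitted as firewall rules so the kernel does the dropping rather than the SIP stack. The address ranges (TEST-NET blocks), the SIP messages, the port and the thresholds are constructed for the example, and the <code>iptables</code> syntax used in the emitted rules is the legacy one, assumed here. "friendly-scanner" is the User-Agent string SIPvicious sends by default.</div>

```python
"""Source-based admission control in front of a SIP registrar (added example).

Policy, all thresholds constructed for the example:
  * REGISTER is accepted only from KNOWN_RANGES (the operator knows customer
    ranges, not exact addresses).  Other methods still pass, because inbound
    calls from unknown peers must reach the PBX.
  * A source whose credentialed REGISTERs keep failing is banned for BLOCK_FOR
    seconds once it exceeds MAX_FAILURES failures inside WINDOW seconds.
  * A request whose User-Agent matches a known scanner is banned immediately.
"""
import ipaddress
from collections import defaultdict, deque

# Constructed: customer ranges live in TEST-NET space for this example.
KNOWN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]
SCANNER_UAS = ("friendly-scanner",)   # default User-Agent sent by SIPvicious
SIP_PORT = 5060                       # assumed; a non-standard bindport would go here
MAX_FAILURES = 5                      # failed credentialed REGISTERs per source per window
WINDOW = 60.0                         # seconds
BLOCK_FOR = 600.0                     # seconds a banned source stays blocked


def parse_sip(raw: str) -> dict:
    """Return {'method': ..., 'headers': {lowercase name: value}} for one SIP request."""
    lines = raw.replace("\r\n", "\n").split("\n")
    request_line = lines[0].split()
    if len(request_line) != 3 or request_line[2] != "SIP/2.0":
        raise ValueError("not a SIP request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                                   # blank line ends the header section
        name, _, value = line.partition(":")        # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return {"method": request_line[0].upper(), "headers": headers}


class SipGate:
    def __init__(self, known_ranges=KNOWN_RANGES):
        self.known_ranges = known_ranges
        self.failures = defaultdict(deque)   # src_ip -> timestamps of failed REGISTERs
        self.blocked_until = {}              # src_ip -> time at which the ban expires

    def _in_known_range(self, src_ip: str) -> bool:
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in self.known_ranges)

    def decide(self, src_ip: str, raw: str, now: float) -> str:
        """Return 'allow', 'drop' (policy) or 'blocked' (a ban is in effect)."""
        if self.blocked_until.get(src_ip, 0.0) > now:
            return "blocked"
        msg = parse_sip(raw)
        ua = msg["headers"].get("user-agent", "").lower()
        if any(ua.startswith(s) for s in SCANNER_UAS):
            self.blocked_until[src_ip] = now + BLOCK_FOR     # known scanner: ban at once
            return "blocked"
        if msg["method"] == "REGISTER" and not self._in_known_range(src_ip):
            return "drop"                                   # registrants only from known ranges
        return "allow"

    def record_auth_failure(self, src_ip: str, now: float) -> bool:
        """Call once per REGISTER the registrar rejected after credentials were presented.
        Returns True when this failure pushes the source over its budget (now banned)."""
        window = self.failures[src_ip]
        window.append(now)
        while window and window[0] < now - WINDOW:          # slide the window
            window.popleft()
        if len(window) >= MAX_FAILURES:
            self.blocked_until[src_ip] = now + BLOCK_FOR
            window.clear()
            return True
        return False

    def iptables_rules(self, now: float) -> list:
        """Legacy-iptables DROP rules (assumed syntax) for every source banned at `now`."""
        return ["iptables -I INPUT -s %s -p udp --dport %d -j DROP" % (ip, SIP_PORT)
                for ip, until in sorted(self.blocked_until.items()) if until > now]


def demo() -> dict:
    """Run constructed traffic through the gate and return every decision."""
    gate = SipGate()
    reg = ("REGISTER sip:pbx.example.net SIP/2.0\r\n"            # constructed message
           "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK-1\r\n"
           "From: <sip:1001@pbx.example.net>;tag=a1\r\n"
           "To: <sip:1001@pbx.example.net>\r\n"
           "User-Agent: Linksys/PAP2T-5.1.6\r\n\r\n")
    scan = reg.replace("User-Agent: Linksys/PAP2T-5.1.6", "User-Agent: friendly-scanner")
    out = {}
    out["customer_register"] = gate.decide("203.0.113.10", reg, now=0.0)
    out["stranger_register"] = gate.decide("192.0.2.77", reg, now=0.0)
    out["stranger_invite"] = gate.decide("192.0.2.77", reg.replace("REGISTER", "INVITE", 1), now=0.0)
    out["sipvicious"] = gate.decide("192.0.2.99", scan, now=0.0)
    # A host inside a customer range guessing passwords once a second: banned on the 5th miss.
    out["failures_until_block"] = next(
        n for n in range(1, 100) if gate.record_auth_failure("203.0.113.10", now=float(n)))
    out["customer_after_ban"] = gate.decide("203.0.113.10", reg, now=6.0)
    out["customer_after_expiry"] = gate.decide("203.0.113.10", reg, now=5.0 + BLOCK_FOR + 1.0)
    out["rules"] = gate.iptables_rules(now=6.0)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

<div>This is admission control, not DoS protection: a flood still has to be absorbed, as both posters note, and the gate only cuts the cheap wins a dictionary scanner is after. Pairing it with a non-standard <code>bindport</code> removes most of the remaining noise, and the ban list is what you would push into the firewall's dynamic table rather than a static "trusted IP" list.</div>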