
How about using local-policy instead of HMR?

From-address *
To-address *@voip.myvoice.net
Policy-attributes
Next-hop Softswitch

Realms, etc, would be pursuant to your needs, of course.

---
Brandon Buckner
Switching Technician / VoIP Admin
Iowa Network Services
brandonb at netins.com

From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of Chet Curry
Sent: Thursday, June 16, 2011 3:58 PM
To: voiceops at voiceops.org
Subject: [VoiceOps] SBC's that drop traffic based on domain

In an effort to mitigate DDOS attacks I am trying to deny all traffic based on the request-uri host domain. The reason being from what I see is "most" attacks are sent to the SBC's IP address and does use the domain name. When the proper domain is supplied I would like to allow that packet. All others I will not respond to, period.

Example of hacker Request URI
Ex. INVITE sip100:199.44.55.22 SIP/2.0

Legit Request URI
Ex. INVITE sip:7724558787@voip.myvoice.net SIP/2.0

I have tried to create an HMR on ACME with little success. I can get the registers to not respond, yet only if sip:199.44.55.22 is used. If the attacker uses sip:100@199.44.55.22 the SBC still will respond with a 403. Besides that, all invites are always responded to regardless, even though the HMR (Header Manipulation) should be using Invite and registration methods.

I have tried to get ACME to come up with a solution yet have been unsuccessful. They will not even take my request for a feature enhancement.

Has anyone had any successful experience at implementing this on any other SBC platform?

I know there are many ways to protect yourself from DDOS attacks, yet to me this is a simple first line of defense.
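
The Request-URI host check discussed in this thread, as an added example that is not part of the original posts and is not Acme Packet configuration: it extracts the host whether or not a user part is present and allows only the listed domain. The function names and the sample request lines are constructed for illustration from the addresses quoted in the thread.

```python
import re

# Domain taken from the thread; everything else is dropped (assumption: exact match only).
ALLOWED_HOSTS = {"voip.myvoice.net"}

# Request-Line = Method SP Request-URI SP SIP-Version (RFC 3261, section 7.1)
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")

def request_uri_host(request_line):
    """Return the lower-cased Request-URI host, or None if the line is unparseable."""
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return None
    scheme, sep, rest = m.group(2).partition(":")
    if not sep or scheme.lower() not in ("sip", "sips"):
        return None
    # The user part is optional and may itself contain ';' or '?', so split on
    # the last '@' first and only then strip uri-parameters and headers.
    hostport = rest.rsplit("@", 1)[-1]
    hostport = re.split(r"[;?]", hostport, maxsplit=1)[0]
    if hostport.startswith("["):            # IPv6 reference, e.g. [2001:db8::1]:5060
        end = hostport.find("]")
        host = hostport[1:end] if end > 0 else ""
    else:
        host = hostport.split(":", 1)[0]    # drop an optional port
    host = host.rstrip(".").lower()         # host names compare case-insensitively
    return host or None

def verdict(request_line):
    """'allow' only when the Request-URI host is an allowed domain, else 'drop'."""
    return "allow" if request_uri_host(request_line) in ALLOWED_HOSTS else "drop"

# Constructed sample request lines (not captured traffic).
SAMPLES = [
    "INVITE sip:7724558787@voip.myvoice.net SIP/2.0",
    "INVITE sip:100@VoIP.MyVoice.Net:5060;transport=udp SIP/2.0",
    "REGISTER sip:199.44.55.22 SIP/2.0",
    "INVITE sip:100@199.44.55.22 SIP/2.0",
    "INVITE sip100:199.44.55.22 SIP/2.0",
    "INVITE sip:100@voip.myvoice.net.example.invalid SIP/2.0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{verdict(line):5}  {line}")
```

Both the bare `sip:199.44.55.22` form and the `sip:100@199.44.55.22` form resolve to the same host and get the same verdict, which is the case the HMR described above did not cover.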