
On 06/16/2011 04:58 PM, Chet Curry wrote:
In an effort to mitigate DDOS attacks I am trying to deny all traffic based on the request-uri host domain. The reason being from what I see is "most" attacks are sent to the SBC's IP address and does use the domain name. When the proper domain is supplied I would like to allow that packet. All others I will not respond to, period.
Example of hacker Request URI
Ex. INVITE sip100:199.44.55.22 SIP/2.0
Legit Request URI
Ex. INVITE sip:7724558787@voip.myvoice.net SIP/2.0
I have tried to create an HMR on ACME with little success. I can get the registers to not respond, yet only if sip:199.44.55.22 is used. If the attacker uses sip:100@199.44.55.22 the SBC still will respond with a 403.
Besides that, all invites are always responded to regardless, even though the HMR (Header Manipulation) should be using Invite and registration methods.
I have tried to get ACME to come up with a solution yet have been unsuccessful. They will not even take my request for a feature enhancement.
Has anyone had any successful experience at implementing this on any other SBC platform? I know there are many ways to protect yourself from DDOS attacks yet to me this is a simple first line of defense.

It's pretty trivial in Kamailio/OpenSER, and if you stuck it in front of an Acme Packet you can make it extremely lightweight through stateless forwarding.

-- 
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/