On 07/22/2011 10:11 PM, Bruce B wrote:

> Vast number of scattered users all over the globe. I hate to think
> there is no way to not announce ourselves as a SIP server to
> un-trusted users.

Not easily. This is a problem all service providers have to deal with, and so do you. You have to have your SIP services open to the world, but they don't necessarily need to be easy to DoS or dictionary scan.

Intra-industrially, the solution is usually some form of SBC or other administrative border/edge security element. In the open-source world, a lot of the steeling, rate-limiting, etc. can be done with OpenSER/Kamailio/OpenSIPS.

(Shameless plug: That's what we do all day commercially.)

A common strategy is to use a non-standard SIP port ('bindport' in sip.conf). No, it doesn't stop all scans, but in our experience, it will stop a good 95%+ of them. When almost everyone does use the standard SIP port, and thus there are so many low-hanging targets, it's not worth bothering with a full ~65k UDP port scan. Certainly, the average SIPvicious scanner won't bother with anything but 5060.

> Or is there something else that can be done with the firewall to allow
> "dynamic" trust IPs and drop packets from unregistered sources?

That raises an interesting question:

How do the users register to begin with, if their REGISTER requests won't be processed unless their IP is already known to be a registrant? :-)

--
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
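The bootstrap problem Alex raises above (a REGISTER cannot be gated on the source already being a registrant) and the "not easy to DoS or dictionary scan" goal can be shown together as a small edge policy. The following is an added example written for this page; it is not code from the thread, from Asterisk or from Kamailio. The credential table, the failure threshold, the block duration, the RFC 5737 sample addresses and the replayed traffic are all constructed assumptions.

```python
"""Toy SIP edge policy illustrating the chicken-and-egg problem.

REGISTER must be accepted from any source (otherwise nobody could ever
register), but everything else is only accepted from a source that holds a
live registration, and failed REGISTERs are rate-limited per source so a
dictionary scanner is cut off after a handful of guesses. Unwanted traffic
is dropped silently rather than answered, so the server does not announce
itself to probes. Constructed example; credentials and limits are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed credential store (assumption): extension -> password.
USERS = {"1001": "s3cret-1001", "1002": "s3cret-1002"}

MAX_FAILURES = 5     # failed REGISTERs from one source before it is blocked
BLOCK_SECONDS = 600  # how long a blocked source stays blocked
REG_EXPIRES = 3600   # registration lifetime in seconds


@dataclass
class SipRequest:
    method: str
    src_ip: str
    user: str = ""
    password: str = ""
    ts: float = 0.0  # arrival time in seconds (simulated clock)


@dataclass
class EdgePolicy:
    registered: dict = field(default_factory=dict)      # ip -> expiry time
    failures: dict = field(default_factory=lambda: defaultdict(int))
    blocked_until: dict = field(default_factory=dict)   # ip -> unblock time

    def handle(self, req):
        """Return the verdict for one request: '200', '401' or 'DROP'."""
        ip, now = req.src_ip, req.ts
        # 1. A blocked source is dropped outright, whatever the method.
        if self.blocked_until.get(ip, 0) > now:
            return "DROP"
        # 2. REGISTER has to get through: the source is not yet trusted,
        #    and it cannot become trusted any other way.
        if req.method == "REGISTER":
            if USERS.get(req.user) == req.password:
                self.registered[ip] = now + REG_EXPIRES
                self.failures[ip] = 0
                return "200"
            self.failures[ip] += 1
            if self.failures[ip] >= MAX_FAILURES:
                self.blocked_until[ip] = now + BLOCK_SECONDS
                self.failures[ip] = 0
                return "DROP"
            return "401"
        # 3. Any other method needs a live registration from that source;
        #    otherwise drop without a reply so scanners learn nothing.
        if self.registered.get(ip, 0) > now:
            return "200"
        return "DROP"


def run_sample():
    """Replay constructed traffic and return the verdict per request."""
    edge = EdgePolicy()
    traffic = [
        # scanner probes with INVITE before ever registering: dropped
        SipRequest("INVITE", "203.0.113.9", ts=0),
        # legitimate user registers, then places a call
        SipRequest("REGISTER", "198.51.100.7", "1001", "s3cret-1001", ts=1),
        SipRequest("INVITE", "198.51.100.7", ts=2),
    ] + [
        # scanner runs a dictionary against extension 1001
        SipRequest("REGISTER", "203.0.113.9", "1001", f"guess{i}", ts=10 + i)
        for i in range(6)
    ] + [
        # the legitimate user's registration has expired by now
        SipRequest("INVITE", "198.51.100.7", ts=REG_EXPIRES + 5),
    ]
    return [edge.handle(r) for r in traffic]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The first four bad guesses get a 401 (a real phone with a mistyped password still learns it must retry); the fifth trips the block and from then on the scanner sees nothing at all, which is the same end state a fail2ban-style rule on the SIP log would produce in front of Asterisk.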

asterisk-users mailing list
