> -----Original Message-----
> From: Fredrik Thulin [mailto:[EMAIL PROTECTED]
>
> Hadriel Kaplan wrote:
> > Actually, it will cause problems for the device sending STUN, because
> > that next-hop proxy will (rightly) consider it a malformed attack and
> > blacklist the sender.
>
> It's not reasonable for a proxy to blacklist source IPs sending it stuff
> it doesn't like.

Au contraire.

> If you receive a UDP packet, it's a really rare case that you can know
> that the source IP wasn't spoofed.

I absolutely agree. It is unknowable, sans some transport or IP level auth.

> If you blacklist based on source IP addresses, it will be very easy to
> denial of service your proxy by getting it to blacklist real clients or
> other SIP proxies for example.

If someone knows your IP+port and can successfully spoof it, they can DoS your service *anyway*. That's the whole problem. It's game over for your phone, period. The goal of the proxy then is to stop that from impacting anyone _else_.

> That will be a much bigger problem for
> you than actually writing code that doesn't die when it receives unknown
> data (which you should do anyway, of course).

This has nothing to do with writing code that won't die.

-hadriel
