Hadriel Kaplan wrote:
> 
>> -----Original Message-----
>> From: Fredrik Thulin [mailto:[EMAIL PROTECTED]
>>
>> Hadriel Kaplan wrote:
>>> Actually, it will cause problems for the device sending STUN, because
>> that next-hop proxy will (rightly) consider it a malformed attack and
>> blacklist the sender.
>>
>> It's not reasonable for a proxy to blacklist source IPs sending it stuff
>> it doesn't like.
> 
> Au contraire.
> 
>> If you receive a UDP packet, it's a really rare case that you can know
>> that the source IP wasn't spoofed.
> 
> I absolutely agree.  It is unknowable, sans some transport or IP level auth.
> 
>> If you blacklist based on source IP addresses, it will be very easy to
>> denial of service your proxy by getting it to blacklist real clients or
>> other SIP proxies for example.
> 
> If someone knows your IP+port and can successfully spoof it, they can DoS 
> your service *anyway*.  That's the whole problem.  It's game over for your 
> phone, period.  The goal of the proxy then is to stop that from impacting 
> anyone _else_.
> 
> 
>> That will be a much bigger problem for
>> you than actually writing code that doesn't die when it receives unknown
>> data (which you should do anyway, of course).
> 
> This has nothing to do with writing code that won't die.

Ok, good. We agree that network servers should not die when receiving 
stuff they don't recognize.

However, I'm not sure I understand you fully - are you saying you 
_still_ think it is a good idea to blacklist source IPs sending 
bogus stuff to your SIP proxy port 5060, because as long as I don't know 
your legitimate clients' IP addresses this won't hurt anyone you care about?

What if someone sends you spoofed packets from lots of well-known SIP 
servers (future SIP hotmails and gmails, for example)? Oh, right - you 
can whitelist those... perhaps.

What if someone sends you spoofed packets from five million different 
source IP addresses? Does blacklisting actually provide any value? One 
of those five million packets _might_ be the phone of one of your users.

If you were _not_ saying you still think it's a good idea to blacklist 
based on source IP, then please just disregard the above =).

/Fredrik
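The failure mode Fredrik describes, as an added simulation that is not part of this thread: a proxy that bans the claimed source address of any malformed UDP datagram can be made to lock out a real client by anyone who can put that client's address in a packet, and its ban table grows with every distinct claimed source. The same proxy configured to penalize only sources it can attribute (here, a completed TCP handshake stands in for the "transport or IP level auth" mentioned above) keeps the legitimate UDP client reachable. The `Packet`, `Proxy` and scenario names, the STUN-style header bytes, the SIP REGISTER text and all addresses are constructed for this example; no sockets are opened.

```python
"""Simulation of a SIP ingress filter that bans sources of malformed input.

Added example, not code from the mailing-list thread. Packets are plain
objects whose src_ip is merely *claimed*; nothing is sent on the network.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src_ip: str       # claimed source; for UDP the proxy cannot verify this
    transport: str    # "udp", or "tcp" meaning a 3-way handshake completed
    payload: bytes


def is_well_formed_sip(payload: bytes) -> bool:
    """Minimal check: a SIP request-line ends with ' SIP/2.0', a status-line
    starts with 'SIP/2.0 '. Anything else (e.g. a STUN binding request) is
    treated as malformed for this proxy's port."""
    first_line = payload.split(b"\r\n", 1)[0]
    return first_line.endswith(b" SIP/2.0") or first_line.startswith(b"SIP/2.0 ")


@dataclass
class Proxy:
    blacklist_udp_sources: bool          # the policy under discussion
    banned: set = field(default_factory=set)
    accepted: list = field(default_factory=list)
    dropped: int = 0

    def receive(self, pkt: Packet) -> bool:
        """Return True if the packet is handed to SIP processing."""
        if pkt.src_ip in self.banned:
            self.dropped += 1
            return False
        if not is_well_formed_sip(pkt.payload):
            self.dropped += 1          # dropping is always safe
            # Banning is only safe when the source address is attributable:
            # a completed TCP handshake proves the peer can receive at src_ip.
            if pkt.transport == "tcp" or self.blacklist_udp_sources:
                self.banned.add(pkt.src_ip)
            return False
        self.accepted.append(pkt.src_ip)
        return True


# Constructed sample traffic (documentation ranges, not real hosts).
LEGIT_CLIENT = "192.0.2.10"                                  # a user's phone
BOGUS_SOURCES = [f"198.51.100.{i}" for i in range(1, 201)]   # 200 claimed sources
TCP_SENDER = "203.0.113.5"                                   # misbehaving TCP peer

# A STUN binding request header (RFC 5389 layout): type 0x0001, length 0,
# magic cookie 0x2112A442, 12-byte transaction id. Not SIP, so "malformed" here.
STUN_LIKE = b"\x00\x01\x00\x00\x21\x12\xa4\x42" + b"\x00" * 12
REGISTER = (b"REGISTER sip:example.com SIP/2.0\r\n"
            b"Via: SIP/2.0/UDP 192.0.2.10:5060\r\n\r\n")


def run_scenario(blacklist_udp_sources: bool) -> dict:
    proxy = Proxy(blacklist_udp_sources)
    # 1. Malformed UDP datagrams whose claimed sources include the real client.
    for src in [LEGIT_CLIENT] + BOGUS_SOURCES:
        proxy.receive(Packet(src, "udp", STUN_LIKE))
    # 2. One malformed message over an established TCP connection.
    proxy.receive(Packet(TCP_SENDER, "tcp", STUN_LIKE))
    # 3. The legitimate client now sends a valid REGISTER over UDP.
    reachable = proxy.receive(Packet(LEGIT_CLIENT, "udp", REGISTER))
    return {
        "client_reachable": reachable,
        "tcp_sender_banned": TCP_SENDER in proxy.banned,
        "banned_count": len(proxy.banned),
    }


if __name__ == "__main__":
    for policy in (True, False):
        print(f"blacklist_udp_sources={policy}: {run_scenario(policy)}")
```

With `blacklist_udp_sources=True` a single datagram carrying the client's address is enough to lock the client out, and the ban table holds one entry per claimed source; with the attributable-only policy the UDP flood is simply dropped, the client's REGISTER is accepted, and only the TCP peer is banned.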
_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip