> -----Original Message-----
> From: Fredrik Thulin [mailto:[EMAIL PROTECTED]]
>
> However, I'm not sure I understand you fully - are you saying you
> _still_ think it is a good idea to blacklist source IPs sending you
> bogus stuff to your SIP proxy port 5060, because as long as I don't know
> your legitimate clients' IP addresses this won't hurt anyone you care
> about?

Yup. Not for those reasons, but yes, I still think it's a good idea, as do many of my customers. It's not like they don't care about all their clients (they do), but they usually err on the side of caution to protect the many over the few. Some of them only degrade the service of the offenders (graylist them), which I like better but is not as popular as blacklisting.

> What if someone sends you spoofed packets from lots of well known SIP
> servers (future SIP hotmails and gmails for example)? Oh, right - you
> can whitelist those... perhaps.

Yup, they're typically white-listed. And I would hope they'd use an auth mechanism too, such as TLS or IPSEC provide... or at least use TCP.

> What if someone sends you spoofed packets from five million different
> source IP addresses? Does blacklisting actually provide any value? One
> of those five million packets _might_ be the phone of one of your users.

Yup. Most of the proxies I know of which do this don't blacklist on one bad packet alone - it would take a scanner spoofing the right ones for a while to get legit endpoints blacklisted. (And it would have to spoof more than just source IP typically, fwiw.) There are certain things the proxy can do to mitigate that form of attack. And it's not like it goes unnoticed by the operator either. And some operators also employ passive systems to detect and stop such scanner attacks.

> If you were _not_ saying you still think it's a good idea to blacklist
> based on source IP, then please just disregard the above =).

Well, blacklist the source IP+port and a couple other tuples, but essentially yes, that is what I was saying. What you're describing is essentially indistinguishable from malicious or broken endpoints, or a MitM attack for that matter. And such defense tactics aren't just triggered by malformed messages either. Similar tactics with different triggers are ultimately used as a last resort to stop DDoS by bot-nets, and SPIT by war-dialers, for example.

But this really shouldn't be a surprise - people have been doing this for several years (back in 2004 at least, maybe earlier). The tactics and triggers have gotten smarter over the years, but operators don't upgrade very often.

-hadriel

_______________________________________________
Sip mailing list
https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
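As an added example (not code from this thread or from any proxy it mentions), here is a sliding-window source-reputation check in the spirit of what the reply describes: whitelisted peer servers are never penalized, one bogus packet from a user's phone is not enough to act on, repeated bogus messages from a single (source IP, source port) tuple first degrade the source (graylist) and then drop it (blacklist), and entries age out of the window. The thresholds, the whitelist network, the log line format and the sample sources are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed thresholds for illustration; operators tune these per deployment.
WINDOW_SECS, GRAYLIST_AFTER, BLACKLIST_AFTER = 60, 5, 20
# Constructed whitelist of trusted peer servers (the "well known SIP servers" case).
WHITELIST = [ipaddress.ip_network("192.0.2.0/24")]

class SourceReputation:
    """Sliding-window count of bogus messages keyed on (source IP, source port)."""
    def __init__(self, window=WINDOW_SECS, gray=GRAYLIST_AFTER, black=BLACKLIST_AFTER):
        self.window, self.gray, self.black = window, gray, black
        self.events = defaultdict(deque)  # (ip, port) -> timestamps of bogus messages
    @staticmethod
    def trusted(ip):
        return any(ipaddress.ip_address(ip) in net for net in WHITELIST)
    def _prune(self, key, now):  # drop timestamps that fell out of the window
        q = self.events[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q
    def record_bogus(self, ip, port, now):
        """Proxy calls this when a message from ip:port fails parsing or validation."""
        if not self.trusted(ip):
            self._prune((ip, port), now).append(now)
    def verdict(self, ip, port, now):
        """accept: full service; degrade: graylisted (rate-limited); drop: blacklisted."""
        if self.trusted(ip):
            return "accept"
        n = len(self._prune((ip, port), now))
        return "drop" if n >= self.black else "degrade" if n >= self.gray else "accept"

def replay(log_lines, at):
    """Feed constructed '<ts> <ip> <port> <bogus|ok>' lines; return each source's verdict at `at`."""
    rep, seen = SourceReputation(), []
    for line in log_lines:
        ts, ip, port, status = line.split()
        key = (ip, int(port))
        if key not in seen:
            seen.append(key)
        if status == "bogus":
            rep.record_bogus(ip, int(port), int(ts))
    return {f"{ip}:{port}": rep.verdict(ip, port, at) for ip, port in seen}

# Constructed sample: a scanner, a user phone with one stray bad packet, a trusted peer.
SAMPLE_LOG = ([f"{100 + i} 203.0.113.9 5060 bogus" for i in range(25)]
              + ["110 198.51.100.7 5060 bogus"]
              + [f"{100 + i} 192.0.2.10 5060 bogus" for i in range(30)])
```

Replaying SAMPLE_LOG at t=130 drops the scanner, accepts the user's phone and the whitelisted peer; at t=200 the scanner's entries have aged out and it is accepted again.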
