On Nov 1, 2008, at 7:57 AM, Iñaki Baz Castillo wrote:
On Friday, 31 October 2008, Dean Willis wrote:
Now, from a security perspective: Who's done the analysis on whether
DERIVE introduces new attack opportunities?
For example, is there a DOS opportunity in using the home proxy as a
message-exploder for source-forged SUBSCRIBE requests? Seems like there
might be a problem there . . .
Do you mean something like:
attacker                    alice                      bob (victim)

INVITE (From: bob) ----->
                            SUBSCRIBE ------------->
INVITE (From: bob) ----->
                            SUBSCRIBE ------------->
INVITE (From: bob) ----->
                            SUBSCRIBE ------------->
INVITE (From: bob) ----->
                            SUBSCRIBE ------------->
Yeah.
And factoring in retransmission requests . . .
Alice is the target of the attack.
Evil Dave forges an INVITE with DERIVE-supported from Alice to Bob.
Bob then sends a SUBSCRIBE to Alice. Alice either 404s, or (if she
doesn't support 4235) does something like ignore the request. Bob
then retransmits through the NIT-retransmission cycle, thereby
generating a factor-N attack multiplication with indirection.
Now, if Dave really hates Alice, Dave sends the same sort of forged
INVITE to Carol and Eugene and Frank and everybody else.
Alice is the one being attacked, but she can't trace the source of the
attack back to Dave's IP address without cooperation from Bob and the
other relayers.
Is this any worse than the multiplier already built into SIP? It's
probably not any worse than the "voice hammer" attack, although it's
different in that it floods the signaling channel, not the media
channel. So really, it's Alice's proxy that is the target of such an
attack.
--
Dean
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
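
Added example, not part of the original message: a sizing of the "factor-N" discussed above, using the RFC 3261 non-INVITE client transaction timers (Timer E doubling from T1 up to T2, Timer F at 64*T1) with their default values. It assumes UDP transport and one SUBSCRIBE transaction per forged INVITE; the function names are hypothetical.

```python
# Added example (not from the thread): RFC 3261 non-INVITE client
# transaction (NIT) timers over UDP, used to size the amplification.

T1 = 0.5   # RFC 3261 default RTT estimate, seconds
T2 = 4.0   # RFC 3261 default cap on the non-INVITE retransmit interval


def nit_send_times(t1=T1, t2=T2):
    """Times (s) at which one unanswered non-INVITE request is sent over UDP.

    Timer E starts at T1 and doubles on each firing, capped at T2.
    Timer F (64*T1) ends the transaction; nothing is sent at or after it.
    """
    timer_f = 64 * t1
    times = [0.0]          # the original request
    interval = t1
    t = interval
    while t < timer_f:
        times.append(t)    # one retransmission each time Timer E fires
        interval = min(2 * interval, t2)
        t += interval
    return times


def load_on_target(relayers, target_answers):
    """SUBSCRIBE messages reaching the target for one forged INVITE per relayer.

    relayers: number of UAs (Bob, Carol, ...) that each received one
    forged INVITE and each start one SUBSCRIBE transaction (assumption).
    target_answers: True if the target returns a final response such as
    404 before the first Timer E firing, which stops retransmission;
    False if the request is ignored and no response of any kind is sent.
    """
    per_relayer = 1 if target_answers else len(nit_send_times())
    return relayers * per_relayer


if __name__ == "__main__":
    print("send times:", nit_send_times())
    for n in (1, 4, 100):
        print(n, "relayers ->", load_on_target(n, True), "answered,",
              load_on_target(n, False), "ignored")
```

With the defaults, an ignored SUBSCRIBE is sent 11 times over about 32 seconds, so a target that answers 404 promptly sees one message per relayer while a silent target sees eleven.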