On Fri, Feb 20, 2009 at 6:03 AM, <[email protected]> wrote:
> I was just thinking of a scenario. Suppose the attacker creates a spoofed
> INVITE and inserts his IP in the Via header field, together with an empty
> cookie parameter in the Via header field. The proxy which he wants to use as
> an amplifier in a DoS attack, on receiving such a request, will respond with
> a 4xx response and the value of the cookie parameter to be used. On
> receiving the cookie, the attacker resends the INVITE with the cookie
> value and deletes its entry from the Via header field. Thus now the
> responses for this INVITE will be sent back to the UAC which is to be
> the victim of the DoS attack only. The UAC which is attacked will receive
> a minimum of 22 responses only.
SIP responses will always be sent back to the source of the request (and, if rport is included, also to the source port), and not to the value of sent-by in the first instance. The cookie the server generates would always be based on the source IP and port, so sending the second request with a different source IP would mean the server can detect that the cookie is invalid.

However, an attacker could indeed make sent-by the address of the victim, perform the cookie dance (legitimately), and then play dead by sending ICMP messages for any responses received. However, following RFC 3261 Section 18.2.2 and RFC 3263 to the last dot would result in the response being transmitted every time to the source (attacker) first, before then being transmitted to the victim (after an ICMP port/host unreachable response), therefore making it a highly unattractive proposition for the attacker.

~ Theo

_______________________________________________
Sip mailing list
https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [email protected] for questions on current sip
Use [email protected] for new developments on the application of sip
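The two points in Theo's reply (responses go to the packet source, not to sent-by, and a cookie minted for one source address is worthless from another) can be checked with a small model of a proxy. The following is an added example written for this page, not code from the thread or from any SIP implementation. It models the response-routing rules of RFC 3261 Sections 18.2.1/18.2.2 plus the RFC 3581 rport extension, and a challenge cookie that is an HMAC over the source IP and port the proxy actually saw. The `cookie` Via parameter, the 400 status used for the challenge, the server key and the INVITE text are all constructed for illustration and are not a published SIP mechanism.

```python
import hashlib
import hmac
import re
from typing import Dict, Optional, Tuple

# Constructed for this example: a per-proxy secret and the 4xx code that
# carries the challenge cookie.  Both are assumptions, not values from a spec.
SERVER_KEY = b"constructed-demo-secret"
CHALLENGE_STATUS = 400


def invite(sent_by: str, cookie: Optional[str] = None, rport: bool = False) -> str:
    """Build a minimal INVITE whose top Via the sender controls (constructed input)."""
    params = ";branch=z9hG4bKdemo"
    if rport:
        params += ";rport"
    if cookie is not None:
        params += f";cookie={cookie}"  # 'cookie=' with no value solicits a challenge
    return (
        "INVITE sip:bob@proxy.example SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {sent_by}{params}\r\n"
        "Call-ID: demo@client.example\r\n\r\n"
    )


def parse_top_via(msg: str) -> Dict[str, str]:
    """Return transport, sent-by host/port and parameters of the topmost Via.

    Only the 'SIP/2.0/UDP host[:port];param[=value]...' shape is handled
    (no IPv6 literals), which is enough for the scenario in the thread.
    """
    m = re.search(r"^Via:\s*SIP/2\.0/(\w+)\s+([^\s;]+)([^\r\n]*)", msg, re.M | re.I)
    if not m:
        raise ValueError("no Via header")
    host, _, port = m.group(2).partition(":")
    via = {"transport": m.group(1).upper(), "host": host, "port": port or "5060"}
    for p in m.group(3).split(";"):
        p = p.strip()
        if p:
            k, _, v = p.partition("=")
            via[k.lower()] = v
    return via


def receive_via(via: Dict[str, str], src_ip: str, src_port: int) -> Dict[str, str]:
    """Server side of RFC 3261 s18.2.1 and RFC 3581 s4: stamp received/rport.

    The values come from the UDP packet, never from what the client wrote,
    so a spoofed sent-by cannot influence them.
    """
    stamped = dict(via)
    if "rport" in via:
        stamped["rport"] = str(src_port)   # client-supplied value is ignored
        stamped["received"] = src_ip       # RFC 3581: always add received here
    elif via["host"] != src_ip:
        stamped["received"] = src_ip       # RFC 3261: add when sent-by differs
    return stamped


def response_destination(via: Dict[str, str]) -> Tuple[str, int]:
    """Where the UDP response goes (RFC 3261 s18.2.2, RFC 3581 s4).

    sent-by is used only when nothing else overrides it, so the first copy
    of a response always heads back to the packet source.
    """
    if via.get("maddr"):
        return via["maddr"], int(via["port"])
    if via.get("rport"):
        return via["received"], int(via["rport"])
    return via.get("received", via["host"]), int(via["port"])


def make_cookie(src_ip: str, src_port: int) -> str:
    """Cookie = HMAC over the source address the proxy saw (assumed design)."""
    msg = f"{src_ip}:{src_port}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:32]


def cookie_valid(cookie: str, src_ip: str, src_port: int) -> bool:
    return hmac.compare_digest(cookie, make_cookie(src_ip, src_port))


def handle_request(msg: str, src_ip: str, src_port: int) -> dict:
    """Proxy decision for one request: challenge it, or accept and forward it.

    'status' is CHALLENGE_STATUS for a challenge or None when the INVITE is
    accepted; 'dest' is where the proxy sends its first response.
    """
    via = receive_via(parse_top_via(msg), src_ip, src_port)
    dest = response_destination(via)
    cookie = via.get("cookie", "")
    if cookie and cookie_valid(cookie, src_ip, src_port):
        return {"status": None, "dest": dest}
    return {"status": CHALLENGE_STATUS, "dest": dest,
            "cookie": make_cookie(src_ip, src_port)}


if __name__ == "__main__":
    attacker, victim = ("198.51.100.7", 40000), ("192.0.2.10", 5060)
    # Step 1: spoofed sent-by pointing at the victim, empty cookie, sent by the attacker.
    r1 = handle_request(invite("192.0.2.10:5060", cookie=""), *attacker)
    print("challenge goes to", r1["dest"])          # the attacker, not the victim
    # Step 2: replay the cookie from a spoofed victim source: rejected, one packet only.
    r2 = handle_request(invite("192.0.2.10:5060", cookie=r1["cookie"]), *victim)
    print("replay status", r2["status"], "->", r2["dest"])
    # Step 3: legitimate cookie dance from the attacker's real address: accepted,
    # but every response still goes to the attacker first.
    r3 = handle_request(invite("192.0.2.10:5060", cookie=r1["cookie"]), *attacker)
    print("accepted:", r3["status"] is None, "responses to", r3["dest"])
```

The model reproduces both halves of the argument: the challenge and every later response for the spoofed-sent-by INVITE are addressed to the attacker's own source address (step 1 and 3), and the only packet the victim can be made to receive by spoofing its source address is a single challenge, which is not amplification (step 2). With rport the destination port also follows the packet source, so the cookie binds to exactly the tuple the responses are routed to.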
