Hi, i've just submitted a -01 based on the feedback i've received.
While we've all known about the issue forever, i've never sat down to work out how bad it really is. The results are pretty scary: "best" case scenario is a 1:10 amplification, and "worst" i can easily get a 1:350 amplification by writing a quick script. Additionally, out of every single vendor's implementation i looked at, i've not yet found 1 that isn't vulnerable to being used in an attack: phones, proxies, and SBCs can all be made to participate. i'm surprised we've not seen this in the wild yet. I've been recently scanning for publicly accessible SIP servers, and out of a /8 (16 million hosts) that i've got through so far, there have been 72,725 SIP servers that are responding on port 5060 UDP. that's a lot of amplifiers that can be used in this attack: and that's only 1/100th of the currently allocated RIR IPv4 address space. ~ Theo _______________________________________________ Sip mailing list https://www.ietf.org/mailman/listinfo/sip This list is for NEW development of the core SIP Protocol Use [email protected] for questions on current sip Use [email protected] for new developments on the application of sip
