Hi Juha,

Juha Heinanen wrote:

Bogdan-Andrei Iancu writes:

> I was already considering this feature, from same reasons as you.
> Attacks may hide behind DNS address IPs of critical components of a
> platform (like GW).

GWs (and any SIP UAs) should reject requests where request uri doesn't
designate the SIP UA itself.  if they don't, report it as a bug to the
manufacturer.

I agree, but it is not the case I was referring to. Imagine the following scenario: some user uploads as contact or redirect/forward address a URI like "sip:[EMAIL PROTECTED]"; he can later switch the DNS entry of the domain "somedomain.com" to point to your GW IP. In [Open]SER, the DNS resolve is done when no more scripting is possible, so .... :)

> I was thinking of having this in core to be able to use it both in
> stateless (core) and stateful (tm) mode. My concern is where/how to
> define the IP black list. If it will be kept in core, will the core
> populate it (via script??) or should modules register IPs to the core
> list? All this in the idea of being able to do a nice provisioning of
> the IP blacklist.

in order to be useful, blacklist must be kept in a database table, which
ser can reload into memory by a fifo command.

again, agree; the question is where to keep the list: in core and the core should export fifo command for reload from file maybe (the core should not be DB dependent)?

regards,
bogdan

_______________________________________________
Users mailing list
[email protected]
http://openser.org/cgi-bin/mailman/listinfo/users
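
An added example, not part of the thread and not OpenSER code: a destination check applied to the address a name resolved to, so that a contact whose DNS entry is later re-pointed at a protected host is still refused. The function names, the IPv4-only scope and the blacklist entries are assumptions made for this sketch.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample blacklist: a gateway address and an internal range. */
static const char *const BLACKLIST[] = { "192.0.2.10/32", "10.0.0.0/8" };
#define BLACKLIST_LEN (sizeof(BLACKLIST) / sizeof(BLACKLIST[0]))

/* Parse "a.b.c.d/len" into network and mask (host byte order). 0 on success. */
static int parse_cidr(const char *cidr, uint32_t *net, uint32_t *mask)
{
    char buf[INET_ADDRSTRLEN];
    struct in_addr a;
    const char *slash = strchr(cidr, '/');
    char *end;
    long len;

    if (!slash || (size_t)(slash - cidr) >= sizeof(buf))
        return -1;
    memcpy(buf, cidr, (size_t)(slash - cidr));
    buf[slash - cidr] = '\0';
    len = strtol(slash + 1, &end, 10);
    if (end == slash + 1 || *end != '\0' || len < 0 || len > 32)
        return -1;
    if (inet_pton(AF_INET, buf, &a) != 1)
        return -1;
    *mask = len ? 0xFFFFFFFFu << (32 - len) : 0;
    *net = ntohl(a.s_addr) & *mask;
    return 0;
}

/* Called with the address obtained from DNS, just before sending.
 * Returns 1 = refuse, 0 = allow. Unparsable input is refused (fail closed). */
int dst_blacklisted(const char *resolved_ip)
{
    struct in_addr a;
    uint32_t net, mask;
    size_t i;

    if (inet_pton(AF_INET, resolved_ip, &a) != 1)
        return 1;
    for (i = 0; i < BLACKLIST_LEN; i++) {
        /* A broken rule also refuses, rather than silently allowing. */
        if (parse_cidr(BLACKLIST[i], &net, &mask) != 0 ||
            (ntohl(a.s_addr) & mask) == net)
            return 1;
    }
    return 0;
}
```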