> Rehan,
>
> Asterisk is likely looking at the SIP headers for IP authentication and not
> the actual IP headers. SIP headers can be spoofed, but I don't believe they
> can spoof the IP packets and still have it routed properly to this customer
> unless they are on the same network. If the customer does a packet capture
> (tcpdump, tethereal, etc.) they should see the IP and SIP headers do not match
> on those calls. They could use iptables or some other ACL to block the
> hackers.

There is a current bug in 1.6 for TCP connections (with or without TLS) that
may be in action, where Asterisk, instead of looking at IP headers, actually
matches on the Contact:. This is wrong and will be fixed soon in all 1.6
versions and trunk.

For UDP, we actually DO look at the IP headers when we match incoming calls
with peers.

For user matching, we do match on the From: header.

In addition we have authentication schemes for incoming calls for both users
and peers.

I do recommend using the ACL as well as authentication.

/O
---
oej@edvina.net - http://edvina.net
Open Unified Communication - building platforms with SIP and XMPP
From PBX to large scale implementations for carriers. Contact us today!
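
The packet-capture check suggested in the quoted message, as an added example (not part of the original thread and not Asterisk code): it compares the source address taken from the IP header with the host named in the Contact: and From: headers. The sample messages, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample data: (source address from the IP header, raw SIP request).
# Addresses are RFC 5737 documentation ranges; nothing here is from the thread.
def _invite(via, claimed):
    return (f"INVITE sip:1000@pbx.example.net SIP/2.0\r\n"
            f"Via: SIP/2.0/TCP {via}:5060;branch=z9hG4bKa1\r\n"
            f"From: <sip:trunk@{claimed}>;tag=1\r\n"
            f"Contact: <sip:trunk@{claimed}:5060;transport=tcp>\r\n\r\n")

SAMPLES = [
    ("198.51.100.7", _invite("198.51.100.7", "198.51.100.7")),  # headers agree
    ("203.0.113.66", _invite("203.0.113.66", "198.51.100.7")),  # headers name another host
]

# Host part of a sip:/sips: URI (IPv4 or hostname; IPv6 literals are not handled).
HOST_RE = re.compile(r"sips?:(?:[^@>;\s]+@)?([^:;>\s]+)")

def header_host(message, name):
    """Return the URI host from the first `name` header, or None if absent."""
    for line in message.split("\r\n")[1:]:      # skip the request line
        if not line:
            break                               # blank line ends the headers
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            m = HOST_RE.search(value)
            return m.group(1).lower() if m else None
    return None

def mismatches(packets, headers=("Contact", "From")):
    """List (src_ip, header, claimed_host) where a header disagrees with the IP source.

    Peers behind NAT and From: headers carrying a domain name also differ from
    the IP source, so hits are leads to review, not proof of spoofing.
    """
    findings = []
    for src_ip, message in packets:
        for name in headers:
            host = header_host(message, name)
            if host is not None and host != src_ip:
                findings.append((src_ip, name, host))
    return findings

if __name__ == "__main__":
    for src, name, host in mismatches(SAMPLES):
        print(f"{src}: {name} claims {host}")
```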