[OpenSIPS-Users] RLS services content validation?

Adrian Georgescu ag at ag-projects.com
Thu Jul 9 20:18:51 CEST 2009


Hello,

I have an open question, maybe someone with experience or interest in  
SIP SIMPLE presence in general an RLS in particular can help.

The content of a RLS services document triggers actions performed by  
the Presence servers. Because provisioning of data in a SIP server is  
traditionally a task of the operator and not of the end user, this  
deserves some attention. Imagine how easy is to misuse a RLS server  
today as an end user:

Scenario 1

1. I upload a million entry list of SIP uris into a rls-services  
document on the xcap server
2. I send a Subscribe to the address of the list I uploaded above
3. The server starts sending one million Subscribes amplifying my  
single SIP subscribe into a DOS attack on its own resources or a  
foreign domain

Scenario 2

1. I create a RLS list with pointers to resource lists document (which  
are HTTP URIs) to other domains
2. I send a Subscribe to the list
3. The server starts sending one million HTTP GETS amplifying my  
single SIP Subscribe into a DOS attack on its own resources or a  
foreign HTTP domain

Scenario 3

1. I simply upload bogus data like bogus SIP URIs that might not  
resolve or point back to the server rls-services lists generating  
loops imposible to detect the reasons for
2. The server kills itself Subscribing to itself

If validation of user input should be performed in the XCAP server  
during a PUT for a rls-services document what should be a sensitive  
default to check against?

Regards,
Adrian




More information about the Users mailing list