[OpenSIPS-Users] RLS services content validation?

Iñaki Baz Castillo ibc at aliax.net
Thu Jul 9 20:29:04 CEST 2009


On Thursday, 9 July 2009, Adrian Georgescu wrote:
> Scenario 2
>
> 1. I create an RLS list with pointers to resource lists document (which
> are HTTP URIs) to other domains
> 2. I send a Subscribe to the list
> 3. The server starts sending one million HTTP GETS amplifying my
> single SIP Subscribe into a DOS attack on its own resources or a
> foreign HTTP domain
>
> Scenario 3
>
> 1. I simply upload bogus data like bogus SIP URIs that might not
> resolve or point back to the server rls-services lists generating
> loops impossible to detect the reasons for
> 2. The server kills itself Subscribing to itself

Imagine the URIs in the list look like:
  sip:xxx at no-responding-host.com;transport=tcp

Good bye OpenSIPS SIP-TCP stack XDD



Scenario 4

1. I upload a list with just one entry "sip:mylist at domain.org" on the xcap 
server.
2. I generate an RLS pointing to this list and name the RLS 
"sip:mylist at domain.org".
3. I send a Subscribe to the address of the list ("sip:mylist at domain.org").
4. It would loop forever, creating a new subscription for each loop XDD






-- 
Iñaki Baz Castillo <ibc at aliax.net>
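
Added example (not part of the original message and not OpenSIPS code): a check an RLS server could run on an uploaded list before creating back-end subscriptions, rejecting the foreign HTTP pointers of Scenario 2 and the self-referencing list of Scenario 4, and capping fan-out. The storage dictionary, the names expand and ListRejected, the limits and the example.org addresses are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

class ListRejected(Exception):
    """The list must not be expanded into back-end subscriptions."""

def expand(uri, lists, local_hosts, max_entries=50, max_depth=3):
    """Flatten list `uri` into leaf SIP URIs, or raise ListRejected.

    `lists` maps a list URI to its entries (stand-in for XCAP storage);
    an entry that is itself a key of `lists` is a nested list.
    """
    leaves = []

    def walk(current, path):
        if current in path:  # list reaches itself again (Scenario 4)
            raise ListRejected("loop: " + " -> ".join(path + [current]))
        if len(path) >= max_depth:
            raise ListRejected("nesting deeper than %d levels" % max_depth)
        for entry in lists[current]:
            parts = urlsplit(entry)
            if parts.scheme in ("http", "https") and parts.hostname not in local_hosts:
                # pointer to another domain's HTTP server (Scenario 2)
                raise ListRejected("foreign reference: " + entry)
            if entry in lists:
                walk(entry, path + [current])
            elif parts.scheme in ("sip", "sips"):
                leaves.append(entry)
                if len(leaves) > max_entries:  # cap the fan-out of one SUBSCRIBE
                    raise ListRejected("more than %d entries" % max_entries)
            else:
                raise ListRejected("unresolvable entry: " + entry)

    walk(uri, [])
    return leaves

# Constructed sample storage (hypothetical addresses).
SAMPLE = {
    "sip:team@example.org": ["sip:alice@example.org", "sip:sub@example.org"],
    "sip:sub@example.org": ["sip:bob@example.org"],
    "sip:mylist@example.org": ["sip:mylist@example.org"],
    "sip:far@example.org": ["https://xcap.other.example/lists/big"],
}

if __name__ == "__main__":
    for name in SAMPLE:
        try:
            print(name, "->", expand(name, SAMPLE, {"xcap.example.org"}))
        except ListRejected as err:
            print(name, "rejected:", err)
```

A static check like this does not address the non-responding TCP host mentioned above; that case needs connection timeouts and limits in the transport layer.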