[OpenSIPS-Users] RLS services content validation?

Iñaki Baz Castillo ibc at aliax.net
Fri Jul 10 21:08:29 CEST 2009


El Jueves, 9 de Julio de 2009, Adrian Georgescu escribió:

> Scenario 1
>
> 1. I upload a million entry list of SIP uris into a rls-services
> document on the xcap server
> 2. I send a Subscribe to the address of the list I uploaded above
> 3. The server starts sending one million Subscribes amplifying my
> single SIP subscribe into a DOS attack on its own resources or a
> foreign domain

Solution 1: Validate document on the XCAP server (already possible in 
OpenXCAP) and reject it if it has more than XXX entries (configurable).

Solution 2: Set the limit in the PU, so it will never generate more than XXX 
subscriptions per RLS.



> Scenario 2
>
> 1. I create a RLS list with pointers to resource lists document (which
> are HTTP URIs) to other domains
> 2. I send a Subscribe to the list
> 3. The server starts sending one million HTTP GETS amplifying my
> single SIP Subscribe into a DOS attack on its own resources or a
> foreign HTTP domain

I can't understand the purpose of HTTP URIs here. Even if IETF documents 
define URIs in a very happy manner (by allowing *any* kind of URI), the fact 
is that a SIP SUBSCRIBE is just allowed for a presentity with scheme sip, tel? 
or pres.
Being realistic, I would ignore other URIs.

Solution 1: PU ignores "exotic" URIs (however it couldn't send the 
subscription there).

Solution 2: The XCAP server rejects an RLS with "happy" URIs.


> Scenario 3
>
> 1. I simply upload bogus data like bogus SIP URIs that might not
> resolve or point back to the server rls-services lists generating
> loops impossible to detect the reasons for
> 2. The server kills itself Subscribing to itself

Solution 1: The PA doesn't subscribe to the same list identifier (list SIP 
URI) when reading it from that list.

Solution 2: The XCAP server rejects the creation of an RLS if the name of the 
list (a SIP URI) is in fact an entry of the list. Well, not 100% correct, but 
you understand me :)



Just my 2 €


-- 
Iñaki Baz Castillo <ibc at aliax.net>
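As an added example (not code from this thread or from OpenXCAP), the XCAP-side validation proposed for all three scenarios above, run over a constructed rls-services document: an entry cap, a subscribable-scheme allow-list, rejection of remote resource-list references, and a direct self-reference check. The cap value and the allow-list are assumed policy settings, not OpenXCAP options.

```python
import xml.etree.ElementTree as ET

RLS = "urn:ietf:params:xml:ns:rls-services"
RL = "urn:ietf:params:xml:ns:resource-lists"
MAX_ENTRIES = 100                                 # assumed cap; the thread's "XXX"
ALLOWED_SCHEMES = ("sip", "sips", "pres", "tel")  # assumed allow-list of subscribable schemes

def _scheme(uri):
    return uri.split(":", 1)[0].lower() if ":" in uri else ""

def validate_rls_services(xml_text, max_entries=MAX_ENTRIES):
    """Return policy violations for an rls-services document (empty list = accept)."""
    root = ET.fromstring(xml_text)  # a production validator should use a hardened XML parser
    problems = []
    for service in root.iter(f"{{{RLS}}}service"):
        own = service.get("uri", "")
        # Scenario 2: <resource-list> carries an HTTP URI the RLS would have to fetch; refuse it
        for ref in service.iter(f"{{{RLS}}}resource-list"):
            problems.append(f"{own}: remote resource-list reference rejected ({ref.text!r})")
        # Scenario 1: cap the fan-out of one SUBSCRIBE, counting entries of nested lists too
        entries = [e.get("uri", "") for e in service.iter(f"{{{RL}}}entry")]
        if len(entries) > max_entries:
            problems.append(f"{own}: {len(entries)} entries exceed the limit of {max_entries}")
        for uri in entries:
            if _scheme(uri) not in ALLOWED_SCHEMES:
                problems.append(f"{own}: entry scheme is not subscribable ({uri!r})")
            # Scenario 3: direct self-reference only; indirect loops need a cross-list check
            elif uri.lower() == own.lower():
                problems.append(f"{own}: list contains its own service URI")
    return problems

# Constructed sample document exercising all three scenarios
SAMPLE = """<rls-services xmlns="urn:ietf:params:xml:ns:rls-services"
              xmlns:rl="urn:ietf:params:xml:ns:resource-lists">
  <service uri="sip:buddies@example.com">
    <list name="buddies">
      <rl:entry uri="sip:alice@example.com"/>
      <rl:entry uri="sip:buddies@example.com"/>
      <rl:entry uri="http://other.example.org/list.xml"/>
    </list>
  </service>
  <service uri="sip:remote@example.com">
    <resource-list>http://xcap.other.example.org/resource-lists/users/joe/index</resource-list>
  </service>
</rls-services>"""

if __name__ == "__main__":
    for p in validate_rls_services(SAMPLE):
        print("reject:", p)
```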
