sip.edu - Re: [sip.edu] Use of DNS SRV for SIP SP** prevention
Subject: SIP in higher education
- From: Christian Schlatter <>
- To:
- Subject: Re: [sip.edu] Use of DNS SRV for SIP SP** prevention
- Date: Fri, 21 Jul 2006 00:28:08 -0400
Candace Holman wrote:
> Here is the archived mail that discusses John Todd's idea for use of DNS SRV records for domain-authentication-based SIP spam prevention. The proof of concept Asterisk script is listed at the end of the email. If anyone would like to embellish/optimize the script or apply to SER, please consider posting your efforts back to the SIP.edu mailing list.
> https://mail.internet2.edu/wws/arc/sip.edu/2006-07/msg00012.html
I did a quick test using John's script with OpenSER. It can be very easily integrated:
At the end of the script I added:

...
# If you are running Asterisk and want to use this script as an AGI,
# just comment out the first "echo" line below and uncomment the
# Asterisk AGI "SET VARIABLE" line to replace it.
#
echo $match
# echo "SET VARIABLE SRVMATCH $match"
fi
# ---- NEW: return value for OpenSER ----
# exit status 0 makes exec_msg() succeed; any non-zero status makes it fail
if [ -n "$match" ]; then
    exit 0
else
    exit 1
fi
# ---------------------------------------
# end
One can then call the script in the OpenSER config like this (assuming that the script is at /opt/checksrv):

...
if (!method=="REGISTER") {
    # authenticate requests coming from local endpoints
    if (from_uri==myself) {
        if (!proxy_authorize("unc.edu", "subscriber")) {
            proxy_challenge("unc.edu", "0");
            exit;
        };
    } else {
        # does the source IP match one of the From URI domain SRV records
        # (only done for SIP requests from foreign domains)
        # $fd = From URI domain, $si = source IP of the request
        if (!exec_msg("/opt/checksrv -v '$fd' '$si' >> /opt/checksrv.log")) {
            xlog("L_INFO", "checksrv FAILED\n");
            # check failed, e.g. send call to IVR
        } else {
            xlog("L_INFO", "checksrv PASSED\n");
            # from uri domain checked
        };
    };
};
/opt/checksrv.log includes checksrv's output. This only works with OpenSER > 1.0.1 and only _sip._udp SRV records are checked. For better performance the SRV check should be done in an OpenSER C module.
--
Christian
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
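
The check described in the message above, as an added example (not John Todd's script and not part of the original post): it compares the source IP with the A records of the From domain's _sip._udp SRV targets, and rejects any argument outside the hostname or IPv4 character set first, because `$fd` comes from an unauthenticated From header and is expanded into a shell command line by `exec_msg`. The function names are hypothetical and `dig` is assumed to be installed.

```shell
#!/bin/sh
# Added example, not the original checksrv script.
# Assumes dig(1); all function names here are hypothetical.
LC_ALL=C; export LC_ALL

# Print the target host of each _sip._udp SRV record for domain $1.
srv_targets() {
    dig +short SRV "_sip._udp.$1" </dev/null | awk '{ sub(/\.$/, "", $4); print $4 }'
}

# Print the IPv4 addresses published for host $1.
host_addrs() {
    dig +short A "$1" </dev/null
}

# Accept hostname characters only; anything else (quotes, spaces, ...) is rejected.
valid_domain() {
    case $1 in
        ''|.*|-*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# Shape check for a dotted-quad IPv4 address (octet ranges are not checked).
valid_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.|*.*.*.*.*) return 1 ;;
        *.*.*.*) return 0 ;;
    esac
    return 1
}

# srv_check DOMAIN SRCIP: 0 = source IP matches, 1 = no match, 2 = rejected input.
srv_check() {
    valid_domain "$1" && valid_ipv4 "$2" || return 2
    srv_targets "$1" | while read -r target; do
        # SRV targets are DNS answers, so they are validated as well
        valid_domain "$target" && host_addrs "$target"
    done | grep -Fxq -- "$2"
}
```

Both non-zero results take the "checksrv FAILED" branch when the function's status is used as the script's exit status.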