On Fri, 26 Nov 2021, 18:59 Max Tulyev, <maxtul@netassist.ua> wrote:
> Hi Gavin,

Hi Max,

> I thought to do something similar ;)

What stopped you creating something? Or did you? Interested :)

> As I can see in the code, you count somebody as a bad actor just because one UDP packet is received. It is a bad idea, because it is easy to spoof that packet and make a DoS against some good actor.

The next stage is to tag these probes as passive, then reply in SIP, like you say, and allow registrations and calls etc., then mark them as aggressive. I'm not actually replying to the packets, so no reflection attacks.

> Right way: you have to simulate a SIP dialog with this actor, i.e. reply to them with something and wait for the reaction. If the reaction is like in normal SIP call processing - congratulations, you found a hacker! If not, like you sent them a packet they do not expect - it is a DoS and a spoofed packet.

Agreed! Thank you for reading and your reply.
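
The passive/aggressive split discussed in this thread, sketched as an added example that is not part of the original message or of the honeypot's code: a source is promoted only after it echoes a nonce that was sent to its claimed address, which a spoofed sender never sees. The names `SourceTracker`, `challenge` and `NONCE_TTL`, the realm and the 30-second lifetime are assumptions made for illustration.

```python
import hashlib, hmac, os, re, time

SECRET = os.urandom(32)   # per-process key, so nonces need no stored state
NONCE_TTL = 30            # seconds a challenge stays valid (assumed value)
AUTH_NONCE = re.compile(r'^(?:Proxy-)?Authorization:.*?\bnonce="([^"]+)"', re.I | re.M)

def _mac(src_ip, ts):
    # Bind the nonce to the claimed source address and the issue time.
    return hmac.new(SECRET, f"{src_ip}|{ts}".encode(), hashlib.sha256).hexdigest()[:32]

def make_nonce(src_ip, now=None):
    ts = int(time.time() if now is None else now)
    return f"{ts:x}.{_mac(src_ip, ts)}"

def nonce_valid(nonce, src_ip, now=None):
    now = int(time.time() if now is None else now)
    try:
        ts_hex, mac = nonce.split(".", 1)
        ts = int(ts_hex, 16)
    except ValueError:
        return False
    fresh = 0 <= now - ts <= NONCE_TTL
    return fresh and hmac.compare_digest(mac.encode(), _mac(src_ip, ts).encode())

def challenge(src_ip, now=None):
    # Simplified: a real 401 also copies Via, From, To, Call-ID and CSeq from the request.
    return ("SIP/2.0 401 Unauthorized\r\n"
            f'WWW-Authenticate: Digest realm="honeypot.example", nonce="{make_nonce(src_ip, now)}"\r\n'
            "Content-Length: 0\r\n\r\n")

class SourceTracker:
    def __init__(self):
        self.state = {}   # src_ip -> "passive" | "aggressive"

    def handle(self, src_ip, packet, now=None):
        """Classify one inbound SIP packet; return (state, reply or None)."""
        m = AUTH_NONCE.search(packet)
        if m and nonce_valid(m.group(1), src_ip, now):
            # The sender received our reply at src_ip, so the address is not spoofed.
            self.state[src_ip] = "aggressive"
        else:
            # A single unsolicited packet proves nothing about its source address.
            self.state.setdefault(src_ip, "passive")
        state = self.state[src_ip]
        return state, (challenge(src_ip, now) if state == "passive" else None)
```

Only sources in the `aggressive` state would be candidates for a blocklist; `passive` entries stay as unverified observations.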