[OpenSIPS-Devel] SF.net SVN: opensips:[8811] trunk/modules/tm/t_reply.c

Bogdan-Andrei Iancu bogdan at opensips.org
Wed Mar 21 17:36:58 CET 2012


Revision: 8811
          http://opensips.svn.sourceforge.net/opensips/?rev=8811&view=rev
Author:   bogdan_iancu
Date:     2012-03-21 16:36:58 +0000 (Wed, 21 Mar 2012)
Log Message:
-----------
TM will no longer do retransmission for the 407/401 replies (if no ACK is received) for both local and proxied replies.

According to RFC 3261, retransmitting 407s/401s is probably a bad idea:

26.3.2.4 DoS Protection

<snip/>

UAs and proxy servers SHOULD challenge questionable requests with
only a single 401 (Unauthorized) or 407 (Proxy Authentication
Required), forgoing the normal response retransmission algorithm, and
thus behaving statelessly towards unauthenticated requests.

Retransmitting the 401 (Unauthorized) or 407 (Proxy Authentication
Required) status response amplifies the problem of an attacker
using a falsified header field value (such as Via) to direct
traffic to a third party.

In summary, the mutual authentication of proxy servers through
mechanisms such as TLS significantly reduces the potential for rogue
intermediaries to introduce falsified requests or responses that can
deny service. This commensurately makes it harder for attackers to
make innocent SIP nodes into agents of amplification.


Credits for original patch to "David".
Closed patch #3496382

Modified Paths:
--------------
    trunk/modules/tm/t_reply.c
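
To quantify the amplification the log message refers to, the following added example (not part of this commit or of OpenSIPS's t_reply.c) models the RFC 3261 timer G / timer H schedule for a UDP INVITE server transaction whose ACK never arrives, as happens when the Via was falsified. The function names and the policy flag are hypothetical; the timer values are the RFC 3261 defaults.

```c
#include <stdio.h>

/* RFC 3261 default timer values, in milliseconds. */
#define T1_MS 500                 /* round-trip time estimate */
#define T2_MS 4000                /* cap on the retransmit interval */
#define TIMER_H_MS (64 * T1_MS)   /* how long the server waits for the ACK */

/* Hypothetical helper: is this final reply an authentication challenge? */
static int is_auth_challenge(int code)
{
    return code == 401 || code == 407;
}

/*
 * Count the datagrams one final non-2xx reply generates over UDP when no
 * ACK is ever received. Timer G starts at T1, doubles up to T2, and stops
 * once timer H (64*T1) would fire. With single_shot_challenges set
 * (assumed flag modelling the behaviour the log message describes),
 * 401/407 are sent exactly once.
 */
int reply_datagrams(int code, int single_shot_challenges)
{
    int sent = 1;                 /* the initial reply */
    int interval = T1_MS;
    int elapsed = 0;

    if (single_shot_challenges && is_auth_challenge(code))
        return sent;              /* no retransmission timer armed */

    while (elapsed + interval < TIMER_H_MS) {
        elapsed += interval;
        sent++;
        interval = interval * 2 > T2_MS ? T2_MS : interval * 2;
    }
    return sent;
}

int main(void)
{
    int codes[] = { 401, 407, 486 };  /* constructed sample reply codes */
    for (unsigned i = 0; i < sizeof codes / sizeof codes[0]; i++)
        printf("%d: %d datagrams with retransmission, %d with single-shot challenges\n",
               codes[i], reply_datagrams(codes[i], 0), reply_datagrams(codes[i], 1));
    return 0;
}
```

Other non-2xx final replies keep the normal schedule, so only unauthenticated challenges stop acting as a per-request multiplier towards the address named in the Via.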
