[OpenSIPS-Users] RLS services content validation?
Iñaki Baz Castillo
ibc at aliax.net
Thu Jul 9 20:29:04 CEST 2009
On Thursday, 9 July 2009, Adrian Georgescu wrote:
> Scenario 2
>
> 1. I create a RLS list with pointers to resource lists document (which
> are HTTP URIs) to other domains
> 2. I send a Subscribe to the list
> 3. The server starts sending one million HTTP GETS amplifying my
> single SIP Subscribe into a DOS attack on its own resources or a
> foreign HTTP domain
>
> Scenario 3
>
> 1. I simply upload bogus data like bogus SIP URIs that might not
> resolve or point back to the server rls-services lists generating
> loops impossible to detect the reasons for
> 2. The server kills itself Subscribing to itself

Imagine the URIs in the list look like:

  sip:xxx at no-responding-host.com;transport=tcp

Good bye OpenSIPS SIP-TCP stack XDD

Scenario 4

1. I upload a list with just one entry "sip:mylist at domain.org" on the xcap
server.
2. I generate a RLS pointing to this list and name the RLS
"sip:mylist at domain.org".
3. I send a Subscribe to the address of the list ("sip:mylist at domain.org").
4. It would loop forever, creating a new subscription for each loop XDD

--
Iñaki Baz Castillo <ibc at aliax.net>
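
The checks that Scenarios 2 and 4 call for, sketched as an added example that is not part of the original post and is not OpenSIPS code. It assumes the rls-services document has already been parsed into a simple mapping; `validate_rls`, `MAX_ENTRIES`, `LOCAL_XCAP_HOSTS` and the sample URIs are hypothetical names and constructed values.

```python
from urllib.parse import urlsplit

MAX_ENTRIES = 100                        # assumed per-service cap
LOCAL_XCAP_HOSTS = {"xcap.domain.org"}   # assumed hosts the RLS may fetch from

# Constructed sample: Scenario 4 (self-reference) and Scenario 2 (foreign HTTP URI)
SAMPLE = {
    "sip:mylist@domain.org": ["sip:mylist@domain.org"],
    "sip:friends@domain.org": [
        "http://xcap.domain.org/resource-lists/users/a/index",
        "http://other.example/resource-lists/big",
    ],
}


def validate_rls(services):
    """services maps a service URI to its entries (SIP URIs or HTTP(S)
    resource-list references). Returns a list of (service_uri, problem)."""
    problems = []
    for svc, entries in services.items():
        if len(entries) > MAX_ENTRIES:
            problems.append((svc, f"too many entries ({len(entries)})"))
        for e in entries:
            parts = urlsplit(e)
            if parts.scheme in ("http", "https") and parts.hostname not in LOCAL_XCAP_HOSTS:
                problems.append((svc, f"external resource-list reference: {e}"))

    # An entry that is itself a service URI is an edge; a back edge is a loop.
    # URIs are compared as exact strings (simplification of SIP URI equality).
    state = {}  # service -> "open" while on the DFS stack, "done" afterwards

    def visit(svc, path):
        state[svc] = "open"
        for e in services[svc]:
            if e not in services:
                continue
            if state.get(e) == "open":
                loop = path[path.index(e):] + [e]
                problems.append((svc, "subscription loop: " + " -> ".join(loop)))
            elif e not in state:
                visit(e, path + [e])
        state[svc] = "done"

    for svc in services:
        if svc not in state:
            visit(svc, [svc])
    return problems
```

Running such a check when the document is uploaded to the XCAP server, rather than at Subscribe time, rejects the list before any subscription is created.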