RFC3261: SIP:26.3.2.4 DoS防护

26.3.2.4 DoS Protection
26.3.2.4 DoS防护

   In order to minimize the risk of a denial-of-service attack against architectures using these security solutions, implementers should take note of the following guidelines.

为了最大限度地降低针对使用这些安全解决方案的体系结构的拒绝服务攻击的风险，实现人员应注意以下准则。

   When the host on which a SIP proxy server is operating is routable from the public Internet, it SHOULD be deployed in an administrative domain with defensive operational policies (blocking source-routed traffic, preferably filtering ping traffic).  Both TLS and IPSec can also make use of bastion hosts at the edges of administrative domains that participate in the security associations to aggregate secure tunnels and sockets.  These bastion hosts can also take the brunt of denial-of-service attacks, ensuring that SIP hosts within the administrative domain are not encumbered with superfluous messaging.

当SIP代理服务器运行的主机可从公共互联网路由时，应将其部署在具有防御操作策略的管理域中（阻止源路由流量，最好过滤ping流量）。TLS和IPSec还可以利用参与安全关联的管理域边缘的堡垒主机来聚合安全隧道和套接字。这些堡垒主机还可以承受拒绝服务攻击的冲击，确保管理域内的SIP主机不会受到多余消息的干扰。

   No matter what security solutions are deployed, floods of messages directed at proxy servers can lock up proxy server resources and prevent desirable traffic from reaching its destination.  There is a computational expense associated with processing a SIP transaction at a proxy server, and that expense is greater for stateful proxy servers than it is for stateless proxy servers.  Therefore, stateful proxies are more susceptible to flooding than stateless proxy servers.

无论部署了什么安全解决方案，指向代理服务器的大量消息都会锁定代理服务器资源，并阻止所需的流量到达其目的地。存在与在代理服务器处处理SIP事务相关联的计算开销，并且有状态代理服务器的该开销大于无状态代理服务器。因此，有状态代理比无状态代理服务器更容易受到洪泛的影响。

   UAs and proxy servers SHOULD challenge questionable requests with only a single 401 (Unauthorized) or 407 (Proxy Authentication Required), forgoing the normal response retransmission algorithm, and thus behaving statelessly towards unauthenticated requests.

UA和代理服务器应该只使用一个401（未授权）或407（需要代理身份验证）来质疑有问题的请求，放弃正常的响应重传算法，从而对未经身份验证的请求采取无状态的行为。

      Retransmitting the 401 (Unauthorized) or 407 (Proxy Authentication Required) status response amplifies the problem of an attacker using a falsified header field value (such as Via) to direct traffic to a third party.

重新发送401（未授权）或407（需要代理验证）状态响应会加剧攻击者使用伪造的报头字段值（如Via）将流量引导到第三方的问题。

   In summary, the mutual authentication of proxy servers through mechanisms such as TLS significantly reduces the potential for rogue intermediaries to introduce falsified requests or responses that can deny service.  This commensurately makes it harder for attackers to make innocent SIP nodes into agents of amplification.

总之，通过TLS等机制对代理服务器进行的相互身份验证大大降低了流氓中介引入伪造请求或响应以拒绝服务的可能性。这相应地使攻击者更难将无辜的SIP节点变成放大代理。