Asterisk Continually Sending 180 and 183 Responses

Greetings,

I am a security consultant. I recently wrote some code, and to test the INVITE class I sent 1,000 INVITE packets to one of our * boxes in a simple INVITE flood DoS attack. I did this two days ago, and the * server is still responding with 180 and 183 messages to my attacking machine. My attack machine is sending ICMP type 3 (Destination Unreachable) to the * server, but it seems that they are ignored by the * server.

My question is why is * not stopping after it receives an ICMP type 3? (It also does this with REGISTER but continually floods with OPTIONS packets until I send a 200 okay.)

This is not the support forum.

SIP is UDP, which means that it is rather difficult to correlate ICMP with “connections”.

If I remember correctly, provisional responses are only sent when they change, or when the requestor repeats the INVITE, so I find it difficult to see how the responses could continue unless the requests were continuing.

You should probably run asterisk with sip set debug on, and a reasonable core set debug level, to see the details.

Actually, I have a feeling only one socket is used for all the SIP traffic, so a single ICMP would cause a complete denial of service, if it were acted upon.
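
An added example, not part of the thread: it parses a constructed ICMP type 3 message to show what a UDP sender gets back. RFC 792 only requires the quoted IP header plus the first 8 bytes of the original datagram, so the sender sees addresses and ports but no SIP Call-ID. The addresses, the dialog table and all function names are assumptions made for the illustration.

```python
import socket
import struct

def build_sample_icmp_unreachable() -> bytes:
    """Constructed sample: ICMP type 3, code 3, quoting a UDP datagram on the SIP port."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 328, 0, 0, 64, 17, 0,
                     socket.inet_aton("192.0.2.10"),    # PBX (documentation address)
                     socket.inet_aton("198.51.100.7"))  # peer that rejected the packet
    udp = struct.pack("!HHHH", 5060, 5060, 308, 0)      # sport, dport, length, checksum
    icmp = struct.pack("!BBHI", 3, 3, 0, 0)             # type, code, checksum (unset), unused
    return icmp + ip + udp

def parse_unreachable(icmp: bytes) -> dict:
    """Extract what the quoted datagram reveals about the rejected UDP packet."""
    if len(icmp) < 8 + 20 or icmp[0] != 3:
        raise ValueError("not a usable ICMP destination-unreachable message")
    quoted = icmp[8:]                                   # quoted original datagram
    ihl = (quoted[0] & 0x0F) * 4                        # quoted IPv4 header length
    if quoted[0] >> 4 != 4 or ihl < 20 or len(quoted) < ihl + 8:
        raise ValueError("quoted IPv4/UDP header truncated or malformed")
    if quoted[9] != 17:
        raise ValueError("quoted datagram is not UDP")
    sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return {
        "code": icmp[1],
        "local": (socket.inet_ntoa(quoted[12:16]), sport),
        "peer": (socket.inet_ntoa(quoted[16:20]), dport),
        "sip_bytes_quoted": len(quoted) - ihl - 8,      # SIP payload present in the quote
    }

# Constructed dialog table: Call-ID -> peer address, all served from one local socket.
DIALOGS = {
    "a1@pbx": ("198.51.100.7", 5060),
    "b2@pbx": ("198.51.100.7", 5060),
    "c3@pbx": ("203.0.113.9", 5060),
}

def candidate_dialogs(info: dict, dialogs: dict = DIALOGS) -> list:
    """Every dialog with the same peer is an equally valid match for the ICMP error."""
    return sorted(cid for cid, peer in dialogs.items() if peer == info["peer"])

if __name__ == "__main__":
    info = parse_unreachable(build_sample_icmp_unreachable())
    print(info, candidate_dialogs(info))
```

With a minimal quote, the error identifies only the peer address and port, so both dialogs to that peer match and nothing in the message proves it came from that peer.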