UsernameGoesHere1

Reputation: 95

SIP: Prevent INVITE request information spoofing

I have a service that sends identification information through SIP INVITE requests, such as a user's username in the From header field. I would like to know if there is any way to prevent an attacker, who already has access to my server, from creating their own INVITE and sending it to another user while pretending to be another user in the network. Thank you and have a great one.

Upvotes: 0

Views: 196

Answers (1)

Bucq

Reputation: 1021

An attacker doesn't need access to your server to send an INVITE request in your user's name. He can do that from anywhere in the network. This is where authentication comes in. The recipient (UAS) can challenge the request, forcing the attacker to resend the request with authentication information, such as (hashed) passwords.

Of course this mechanism relies on the attacker not having the username/password combinations. This could prove a problem if he already has access to your server. But I think you might have bigger problems in that case.

Upvotes: 1
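
The challenge described in the answer, as an added example that is not part of the original post: a UAS-side check using the RFC 2617 MD5 digest scheme (without qop) that SIP uses, which also requires the From user to match the authenticated username. The realm, the user store and all function names are constructed for illustration.

```python
import hashlib, hmac, re, secrets

REALM = "example.invalid"  # constructed realm for this example

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def ha1(user, password):
    return md5_hex(f"{user}:{REALM}:{password}")

# Constructed credential store: the UAS keeps HA1, not the cleartext password.
USERS = {"alice": ha1("alice", "correct horse battery")}

def digest_response(ha1_hex, method, uri, nonce):
    # RFC 2617 digest without qop: MD5(HA1 ":" nonce ":" HA2)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")

def new_challenge(issued):
    """Build the WWW-Authenticate value for a 401 and remember the nonce."""
    nonce = secrets.token_hex(16)
    issued.add(nonce)
    return nonce, f'Digest realm="{REALM}", nonce="{nonce}", algorithm=MD5'

def check_invite(from_user, uri, authorization, issued):
    """Return 'challenge', 'reject' or 'accept' for an incoming INVITE."""
    if authorization is None:
        return "challenge"            # answer 401 with a fresh nonce
    # Simplified parser: only quoted parameters are read.
    p = dict(re.findall(r'(\w+)="([^"]*)"', authorization))
    nonce = p.get("nonce", "")
    if nonce not in issued:
        return "reject"               # unknown or already used nonce
    issued.discard(nonce)             # single use, so a captured retry cannot be replayed
    user = p.get("username", "")
    # Digest proves who holds the password; From must match that identity.
    if user != from_user or user not in USERS or p.get("uri") != uri:
        return "reject"
    expected = digest_response(USERS[user], "INVITE", uri, nonce)
    supplied = p.get("response", "")
    ok = hmac.compare_digest(expected.encode(), supplied.encode())
    return "accept" if ok else "reject"

def client_authorization(user, password, uri, nonce):
    """What a legitimate UAC sends when it retries the INVITE."""
    resp = digest_response(ha1(user, password), "INVITE", uri, nonce)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')
```

An INVITE that arrives without credentials is challenged, and one that answers the challenge without knowing the password, reuses an old nonce, or names a different user in From than in the credentials is rejected.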
