bogd...@689a6050-402a-0410-94f2-e92a70836424  committed fdaf14b Draft

TM will no longer do retransmission for the 407/401 replies (if no ACK is received) for both local and proxied replies.

According to RFC 3261, retransmitting 407s/401s is probably a bad idea:

26.3.2.4 DoS Protection

<snip/>

UAs and proxy servers SHOULD challenge questionable requests with
only a single 401 (Unauthorized) or 407 (Proxy Authentication
Required), forgoing the normal response retransmission algorithm, and
thus behaving statelessly towards unauthenticated requests.

Retransmitting the 401 (Unauthorized) or 407 (Proxy Authentication
Required) status response amplifies the problem of an attacker
using a falsified header field value (such as Via) to direct
traffic to a third party.

In summary, the mutual authentication of proxy servers through
mechanisms such as TLS significantly reduces the potential for rogue
intermediaries to introduce falsified requests or responses that can
deny service. This commensurately makes it harder for attackers to
make innocent SIP nodes into agents of amplification.

Credits for original patch to "David".
Closed patch #3496382

  • Parent commits 701c906

Files changed (1)

File modules/tm/t_reply.c

 		if (!is_hopbyhop_cancel(trans)) {
 			cleanup_uac_timers( trans );
 			if (is_invite(trans)) cancel_uacs( trans, cancel_bitmap );
-			set_final_timer(  trans );
+			/* for auth related replies, we do not do retransmission 
+			   (via set_final_timer()), but only wait for a final 
+			   reply (put_on_wait() ) - see RFC 3261 (26.3.2.4 DoS Protection) */
+			if ((code != 401) && (code != 407))
+				set_final_timer(  trans );
+			else
+				put_on_wait(trans);
 		}
 	}
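
Review bot: the comment added above `if ((code != 401) && (code != 407))` says the transaction will "only wait for a final reply", but at this point `code` is the final reply being sent, so the wording is misleading. Going by the commit message, what is skipped is retransmission while no ACK arrives; suggest rewording along the lines of "no retransmission for auth challenges, just put the transaction on wait". The condition also tests only `code`, while the line above gates on `is_invite(trans)`; the comment should say whether non-INVITE transactions are meant to take the `put_on_wait()` branch as well.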
 
 	 * to avoid race conditions
 	 */
 	if (reply_status == RPS_COMPLETED) {
-		set_final_timer(t);
+		/* for auth related replies, we do not do retransmission 
+		   (via set_final_timer()), but only wait for a final 
+		   reply (put_on_wait() ) - see RFC 3261 (26.3.2.4 DoS Protection) */
+		if ((relayed_code != 401) && (relayed_code != 407))
+			set_final_timer(t);
+		else
+			put_on_wait(t);
 	}
 
 	/* send it now (from the private buffer) */
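
Review bot: the `relayed_code` check and its three-line comment duplicate what was added in the local-reply path, differing only in the variable names, so the two copies can drift apart when one is changed later. Suggest a small helper or macro that takes the transaction and the reply code and is called from both sites, keeping the RFC 3261 26.3.2.4 reference in one place. The added comment lines also end in trailing whitespace.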