Re: [Ekiga-list] DOS problem

From: <bnc netspeed com au>
To: ekiga-list gnome org
Subject: Re: [Ekiga-list] DOS problem
Date: Sun, 25 Oct 2009 14:39:33 +1000

Eugen,
> >>>> I have mentioned this problem before but I now have some more
> >>>> info.
> >>>>
> >>>> I have about 40 numbers in my contact list, when ekiga tries to
> >>>> register it issues a dns subscribe request for every single phone
> >>>> number really quickly and repeats this.
> >>>> I have just rung my isp and they saw the requests coming in and
> >>>> treat it as a DOS attack and block my phone for 30mins.
> >>>> Hence the registration drops out, and the cycle starts again.
> >>>>
> >>>> In my case most of my contact list are normal phones not actual
> >>>> sip addresses, it makes no sense to try to determine their
> >>>> status.
> >>>>
> >>>> So my ekiga 3.2.6 is unusable at present.
> >>>>
> >>>> Please advise if there is a way to turn this function off.
> >>> There is no way currently.
> >>> I do not know how to fix that without adding a new obscure setting
> >>> to Ekiga.
> >>>
> >>> Perhaps using the address book would be more appropriate than the
> >>> contact list for that specific case ?
> >> The problem is not that ekiga does a DNS request for each contact
> >> (even if a DNS cache could be implemented in opal to optimise
> >> this); the problem is that it issues many DNS requests.  How does
> >> this happen?
> >>
> >> Could that be a DNS configuration problem?  Reporter, could you
> >> check:
> >> - how many DNS requests are sent with only one contact (one or
> >> many?)
> > I removed all of my contacts except one.
> > Fired up ekiga again and approx 8 dns messages got fired off. These
> > were being repeated every 30secs or so.
> > Went into accounts and unregistered, the dns messages stopped.
> > 
> > Waited 30mins because my isp told me that they block the port for
> > that time.
> > 
> > Went into accounts and reregistered, same deal as above.
> > 
> >> (In *normal* gconf configuration, you could save your config  with
> >> "cp -a .gconf/apps/ekiga .gconf/apps/ekiga-save", and restore it
> >> afterwards)
> > did not do this but I can soon put the numbers back.
> > 
> >> - with wireshark if your firsts DNS requests receive errors, so
> >> ekiga
> >>
> > Ok, I am familiar with wireshark, but have not done this yet. What
> > would be the best ports to put it on?
> > dns(53) or 5060?
> 
> Close network-using applications (such as icedove/thuderbird).  You
> start wireshark, listen to your interface, start ekiga, wait for the
> flood, stop listening in wireshark.  That's all.
> 
Ok, I now have a wireshark trace from a machine I can dial from using
3.0.1 and another machine with 3.2.6 which fails. 
 
Comparing the two I find this PUBLISH request.


PUBLISH sip:99999999 sip internode on net SIP/2.0
CSeq: 73 PUBLISH
Via: SIP/2.0/UDP 192.168.1.2:5066;branch=z9hG4bK76c50d8f-87bf-de11-98df-0025d35ead70;rport
User-Agent: Ekiga/3.2.6
From:
<sip:99999999 sip internode on net>;tag=e0980c8f-87bf-de11-98df-0025d35ead70
Call-ID: d2e4f18e-87bf-de11-98df-0025d35ead70 lbnc To:
<sip:99999999 sip internode on net> Contact:
<sip:99999999 192 168 1 2:5066> Expires: 500
Event: presence
Content-Type: application/pidf+xml
Content-Length: 343
Max-Forwards: 70

<?xml version="1.0" encoding="UTF-8"?>
<presence xmlns="urn:ietf:params:xml:ns:pidf"
entity="pres:99999999 sip internode on net"> <tuple
id="sip:99999999 sip internode on net_on_lbnc"> <note>online</note>
<status>
<basic>open</basic>
</status>
<contact priority="1">99999999 sip internode on net</contact>
</tuple>
</presence>
SIP/2.0 405 Method Not Allowed
CSeq: 73 PUBLISH
Via: SIP/2.0/UDP
192.168.1.2:5066;received=202.78.39.96;branch=z9hG4bK76c50d8f-87bf-de11-98df-0025d35ead70;rport=5066
From:
<sip:99999999 sip internode on net>;tag=e0980c8f-87bf-de11-98df-0025d35ead70
Call-ID: d2e4f18e-87bf-de11-98df-0025d35ead70 lbnc To:
<sip:99999999 sip internode on net>;tag=aprqngfrt-8jnrul00000i4
Allow: INVITE,ACK,BYE,REGISTER,CANCEL,PRACK,INFO,SUBSCRIBE,NOTIFY,UPDATE

I do not understand what it is trying to publish, but PUBLISH does not
appear in the Allow string.

I have other observations but would like to understand this first.

> > Am I supposed to put a dns server somewhere into ekiga?
> 
> No.  Could you just show us the content of /etc/resolv.conf?
> 
Yes, this was a problem, when you update the network stuff using the
gui in suse it does not update resolv.conf:(

I manually updated resolv.conf with the opendns numbers and they are
working fine.

Thanks,
Brian

References:
- [Ekiga-list] ekiga 3.2.6 won't call
  - From: Javier Barroso
- Re: [Ekiga-list] ekiga 3.2.6 won't call
  - From: yannick
- Re: [Ekiga-list] ekiga 3.2.6 won't call
  - From: Damien Sandras
- Re: [Ekiga-list] ekiga 3.2.6 won't call
  - From: Javier Barroso
- Re: [Ekiga-list] ekiga 3.2.6 won't call
  - From: Javier Barroso
- [Ekiga-list] DOS problem
  - From: bnc
- Re: [Ekiga-list] DOS problem
  - From: Damien Sandras
- Re: [Ekiga-list] DOS problem
  - From: Eugen Dedu
- Re: [Ekiga-list] DOS problem
  - From: bnc
- Re: [Ekiga-list] DOS problem
  - From: Eugen Dedu

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]