Fail2Ban and unauthorized invites

The attacker is sending INVITE from a particular address. You are sending 401 back to that address. By no return route, I mean that there is no way for the response packet to reach that address.

(As the attacker never sees the 401, they do not know how to authenticate, and, in particular, don't know the value of the random challenge used, so they are unable to continue and try a password.)

If you have no return route to a valid SIP client, you should see a series of repeats of the INVITE at increasing intervals until the client gives up. You should not see an ACK. You might get the no reply to critical response message. Again, if the client is authenticated it will stall at the 401 stage.

Statistics : Posted by genobe • on Fri May 08, 2015 5:47 am • Replies 15 • Views 1929
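
The pattern described in the post (repeated INVITEs at increasing intervals, a 401 sent, no ACK) can be checked mechanically. This is an added example, not part of the original post or of Asterisk or Fail2Ban; it assumes a SIP trace already reduced to (time, peer, Call-ID, message) tuples, and the tuple layout, function name and labels are hypothetical.

```python
from collections import defaultdict

# Constructed sample trace (not real traffic): (seconds, peer, call_id, message).
# "INVITE" and "ACK" are received from the peer; "401" is our reply to it.
SAMPLE_TRACE = [
    (0.0, "198.51.100.7", "a1", "INVITE"),
    (0.0, "198.51.100.7", "a1", "401"),
    (0.5, "198.51.100.7", "a1", "INVITE"),
    (0.5, "198.51.100.7", "a1", "401"),
    (1.5, "198.51.100.7", "a1", "INVITE"),
    (3.5, "198.51.100.7", "a1", "INVITE"),
    (0.2, "203.0.113.9", "b2", "INVITE"),
    (0.2, "203.0.113.9", "b2", "401"),
    (0.3, "203.0.113.9", "b2", "ACK"),
]


def classify_dialogs(events, min_invites=3):
    """Label each (peer, call_id) by whether our 401 appears to have arrived."""
    dialogs = defaultdict(
        lambda: {"invites": [], "challenged": False, "acked": False}
    )
    # sorted() is stable, so messages with equal timestamps keep trace order.
    for t, peer, call_id, msg in sorted(events, key=lambda e: e[0]):
        d = dialogs[(peer, call_id)]
        if msg == "INVITE":
            d["invites"].append(t)
        elif msg == "401":
            d["challenged"] = True
        elif msg == "ACK" and d["challenged"]:
            d["acked"] = True  # ACK after our 401: the response reached the peer

    result = {}
    for key, d in dialogs.items():
        # Gaps between successive INVITEs; retransmissions back off over time.
        gaps = [b - a for a, b in zip(d["invites"], d["invites"][1:])]
        backing_off = all(nxt >= prev for prev, nxt in zip(gaps, gaps[1:]))
        if d["acked"]:
            result[key] = "401 delivered"
        elif d["challenged"] and len(d["invites"]) >= min_invites and backing_off:
            result[key] = "no return route"
        else:
            result[key] = "inconclusive"
    return result


if __name__ == "__main__":
    for (peer, call_id), label in classify_dialogs(SAMPLE_TRACE).items():
        print(peer, call_id, label)
```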
