default.cfg Changes in DOS Prevention

- drop only REGITSER, SUBSCRIBE or OPTIONS that has an IP as a To domain
  or no to domain
- for Invites, drop the ones that have an IP as an auth_realm.

kamailio/default.cfg

@@ -398,24 +398,32 @@ route[EXTERNAL_TO_INTERNAL_RELAY]
 
 route[DOS_PREVENTION]
 {
-    if (allow_source_address(TRUSTED_ADR_GROUP)) {
+    # allow request from internal network or from whitelist
+    if (isflagset(FLAG_INTERNALLY_SOURCED) || allow_source_address(TRUSTED_ADR_GROUP)) {
         xlog("L_DBG", "Request from trusted IP $rm $si\n");
         return;
     }
 
     #  drop requests with no To domain or IP To domain (friendly-scanner)
-    if ($td == $null || $td=~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}") {
+    if (is_method("REGISTER|SUBSCRIBE|OPTIONS") && 
+        ($td == $null || $td=~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}")) {
         xlog("L_ERR", "Possible attack- wrong td: $rm to $ru from $fu, UA $ua, IP $si\n");
         exit;
     }
 
-    if (!isflagset(FLAG_INTERNALLY_SOURCED)) {
-        if (!pike_check_req()) {
-            if( $rc == -2) {
-                xlog("L_ERR", "DOS attack: $rm to $ru from $fu, UA $ua, IP $si\n");
-            }
-            exit;
+    # drop Invite with IP auth realm
+    if (is_method("INVITE") && is_present_hf("Proxy-Authorization") && 
+        $ar =~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}" ) {
+        xlog("L_ERR", "Possible attack- Invite realm $ar: to $ru from $fu, UA $ua, IP $si\n");
+        exit;
+    }
+
+    # use pike check for the others
+    if (!pike_check_req()) {
+        if( $rc == -2) {
+            xlog("L_ERR", "DOS attack: $rm to $ru from $fu, UA $ua, IP $si\n");
         }
+        exit;
     }
 }