Howto:SIP resource allocation

From innovaphone wiki
Revision as of 11:49, 6 July 2007 by Tac (talk | contribs)

Message allocations

When using UDP as transport protocol for SIP signaling, the SIP user agent (UAC/UAS) is responsible for retransmission in case of packet loss.

For this reason the user agent has to keep transmitted messages (requests or responses) so that it can retransmit them in case the remote user agent does not receive them. The user agent is obligated to keep transmitted messages for about 32 seconds. (Refer to: RFC 3261, "SIP: Session Initiation Protocol")

For every non-INVITE transaction the user agent has to save the request and the final response (2 message allocations). For every INVITE transaction the user agent has to save the request, the final response and the ACK (3 message allocations). Our SIP implementation allocates 2 KB of memory for every single message.

Security considerations

Using UDP as the transport protocol for SIP signaling makes the SIP implementation extremely vulnerable to Denial-of-Service attacks. You just have to send a burst of SIP requests (e.g. REGISTER) to a user agent. No matter whether these requests are accepted or rejected, the user agent is obligated to keep all the transmitted responses for 32 seconds. If there is no limit on message allocations, the system will quickly run out of memory.

To be safe against this kind of attack, we implemented a limit on message allocations. Currently we limit the system-wide SIP message allocations to 200. This results in a maximum memory allocation of 400 KB.

As soon as the allowed number of message allocations is exhausted, the system will stop receiving incoming SIP messages (requests or responses). The system starts receiving incoming SIP messages again as soon as the number of message allocations drops below the limit of 200 due to timer expiration.
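The following C model of the allocation limit is an added example, not innovaphone's own code. It uses the figures given above (200 allocations, 2 KB each, 32 seconds retention); the function names and the choice to reserve all of a transaction's allocations when its request arrives are assumptions made for illustration.

```c
#include <stdio.h>

#define MSG_LIMIT   200  /* system-wide allocation cap from the text */
#define MSG_SIZE_KB 2    /* memory per stored message */
#define RETAIN_SEC  32   /* how long a transmitted message is kept */

/* Expiry times of live allocations. Retention is constant, so entries
   expire in FIFO order and a ring buffer is enough. */
static long expiry[MSG_LIMIT];
static int head, count;

/* Release every allocation whose retention timer has expired. */
static void expire(long now) {
    while (count > 0 && expiry[head] <= now) {
        head = (head + 1) % MSG_LIMIT;
        count--;
    }
}

/* Admit one transaction needing `msgs` allocations (2 for non-INVITE,
   3 for INVITE). Returns 1 if received, 0 if the pool is exhausted. */
int sip_receive(long now, int msgs) {
    expire(now);
    if (count + msgs > MSG_LIMIT) return 0;
    for (int i = 0; i < msgs; i++) {
        expiry[(head + count) % MSG_LIMIT] = now + RETAIN_SEC;
        count++;
    }
    return 1;
}

int sip_memory_kb(void) { return count * MSG_SIZE_KB; }

/* Constructed scenario: n REGISTER requests all arriving at time `at`. */
int burst(long at, int n) {
    int accepted = 0;
    for (int i = 0; i < n; i++)
        accepted += sip_receive(at, 2);
    return accepted;
}

int main(void) {
    int got = burst(0, 1000);
    printf("t=0  burst of 1000: %d received, %d KB held\n", got, sip_memory_kb());
    printf("t=10 INVITE received: %d\n", sip_receive(10, 3));
    int late = sip_receive(32, 3);
    printf("t=32 INVITE received: %d, %d KB held\n", late, sip_memory_kb());
    return 0;
}
```

The run shows both sides of the limit: memory stays at 400 KB regardless of burst size, but legitimate requests are also not received until the 32-second timers release allocations.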
