2.4.14 Destination Host and Destination Realm Format Check (DhDrFrmChk)
DSA validates the realm of the Destination-Host AVP (if present) with realm information present in Destination-Realm.
This countermeasure considers the ingress diameter request message as vulnerable if these
conditions are true:
- If count of AVPs in message is greater than one.
- If realm is not same in both AVP's.
Note:
Appropriate ART configuration needs to be done for routing the egress request messages (only towards foreign networks) to DSA so that ingress answer message from the foreign peers can be screened for vulnerability by this countermeasure. For more information, refer to ART Configuration for DSA.