1. Diameter Security Application User Guide with UDR
  2. Understanding DSA Functionality and Logic
  3. DSA Stateless Countermeasure Logic
  4. Destination Host and Destination Realm Format Check (DhDrFrmChk)

2.4.14 Destination Host and Destination Realm Format Check (DhDrFrmChk)

DSA validates the realm of the Destination-Host AVP (if present) with realm information present in Destination-Realm.

This countermeasure considers the ingress diameter request message as vulnerable if these conditions are true:
  • If count of AVPs in message is greater than one.
  • If realm is not same in both AVP's.
For each incoming request message where Destination Host AVP is present and if realm (DestinationHost) is equal to DestinationRealm, then the incoming message is allowed to be processed. It accepts only incoming messages with a DestinationHost matching the AVP Destination Realm.

Note:

Appropriate ART configuration needs to be done for routing the egress request messages (only towards foreign networks) to DSA so that ingress answer message from the foreign peers can be screened for vulnerability by this countermeasure. For more information, refer to ART Configuration for DSA.