1. Diameter Security Application User Guide with UDR
  2. Understanding DSA Functionality and Logic
  3. DSA Stateless Countermeasure Logic
  4. Origin Host and Origin Realm Consistency Check (OhOrCstChk)

2.4.4 Origin Host and Origin Realm Consistency Check (OhOrCstChk)

This countermeasure screens the ingress diameter request message to check if the FQDN string of Origin-Host ends with the Origin-Realm string.

The option is available to provision an exception list of Realms. Any ingress diameter request message with Origin-Realm matching the exception list is exempted from this countermeasure’s screening.

This countermeasure considers the ingress diameter request message as vulnerable if the following condition is true:

  • The Origin-Realm is not configured in the exception list of Realms and the Origin-Host’s FQDN string is not ending with Origin-Realm’s string.

Apart from the mandatory configuration in DSA Mandatory Configuration, configure System_Config_Options Table for configuring exception list of Realms, which are exempted from this countermeasure’s screening.