![27
# limit to maximum 3 active calls per user
route[ACLIMIT] {
if(is_method(“INVITE”) && !has_totag()) {
lock(“$fU”);
$var(ac) = $shtcv(acalls=>eq$fU);
if($var(ac) >= 3) {
unlock(“$fU”);
send_reply(“403”, “Too many active calls”);
exit;
}
$sht(acalls=>$ci) = $fU;
unlock(“$fU”);
}
}
request_route {
....
route(ACLIMIT);
route(RELAY);
}
Limiting the Number of Active Calls Per User](https://image.slidesharecdn.com/dcm-kamailio-cluecon-140817145418-phpapp01/85/Kamailio-SIP-Firewall-for-Carrier-Grade-Traffic-27-320.jpg)
Kamailio - SIP Firewall for Carrier Grade Traffic
- 1. Kamailio SIP Server SIP Firewall For Carrier Grade Traffic Daniel-Constantin Mierla Co-Founder Kamailio www.kamailio.org www.asipto.com
- 2. (c) asipto.com 2 Over 10 Years Evolution 2002 Jun 2005 Jul 2008 Aug 2008 Nov 2008 SIP Express Router (SER) OpenSER Kamailio Other Forks... Same application: Kamailio - SER Oct 2009 Jan 2010 v3.0.0 Integration Completed v1.5.0 Oct 2011 v3.1.0 Sep 2001 First Line Of Code Open Source GPL FhG Fokus Institute Berlin rename v3.2.0 Oct 2010 Awarded Best Open Source Networking Software 2009 By InfoWorld 10 Years Jun 2012 v3.3.0 ITSPA UK Award Mar 2013 v4.0.0 Kamailio
- 3. Source Structure - 3.x.x - Kamailio vs. SER 3 KamailioDistribution SIPExpressRouterDistribution modules_k/ acc acc_radius alias_db auth_db auth_diameter auth_radius benchmark call_control cfgutils cpl-c db_cluster ... over 80 modules modules/ app_lua app_mono app_python async auth auth_identity avpops blst carrierroute cfg_db cfg_rpc ... over 50 modules modules_s/ acc_db acc_radius acc_syslog auth_db auth_radius avp avp_db avp_radius bdb cpl-c db_ops ... over 40 modules the entire source code tree core sip parser - memory manager config file parser and interpreter locking system - timers config variable frameworks internal libraries DB API v1 - DB APIv2 MI API - JSON - UUID utils - binrpc
- 4. Source Structure - 4.x.x- Kamailio 4 KamailioDistribution SIPExpressRouterDistribution modules_k/ modules/ app_lua app_mono app_python async auth auth_identity avpops blst carrierroute cfg_db cfg_rpc ... over 150 modules modules_s/ the entire source code tree core sip parser - memory manager config file parser and interpreter locking system - timers config variable frameworks internal libraries DB API v1 - DB APIv2 MI API - JSON - UUID utils - binrpc
- 5. (c) asipto.com 2012 - Highlights 5 Over 10 IMS Extensions Websockets generic database clusteringembedded mono interpreter C#, Python, Java, .... cassandra connector http://www.kamailio.org/wiki/features/new-in-3.3.x http://www.kamailio.org/wiki/features/new-in-4.0.x IPv6 review embedded MSRP Relay time recurrence matching embedded HTTP RPC/Provisioning APIs presence/rls/xcap OMA/RCS enhancements GRUU SIP Outbound SCA
- 6. (c) asipto.com 2013 - Highlights 6 app_java sipt tm htable cfgutils siputilssnmpstats usrloc http://www.kamailio.org/wiki/features/new-in-devel dnssec cnxcc (prepaid) stun sctp auth_ephemeral (webrtc) debugger (log pv assignment)
- 7. (c) asipto.com 7 Development statistics
- 10. among next cool things
- 12. Routing SIP with Kamailio by Daniel-Constantin Mierla Elena-Ramona Modroiu
- 13. 13 Book Details - http://asipto.com/u/kab Evolution started last year for v3.3.x target: getting started guide and typical use cases delayed by decision to complete Kamailio-SER integration (then Kamailio Word) last modules merged, some renamed significant changes in installation process Nowadays existing content over 280 pages (A4) - apart of ToC 22 chapters roadmap to full release 3-5 new chapters check the 3.3 to 4.0 updates examples enhanced with SIP traces reviews (both native and non-native English speakers) Selling electronic format (e.g., pdf, ebook), later paper format (if such interest) plans to make it available to purchase before full release if all goes as expected - as soon as mid of August, 2013
- 14. SIP Firewall For Carrier Grade Traffic blocking unwanted traffic
- 15. 15 Everyone is evil in the world wild sipnet!
- 16. 16 request_route { drop; } reply_route { drop; } Full Kamailio Config to Deal With
- 17. 17 Problem completely solved! Thank you, questions?
- 18. 18 Trying to get friendlier - DoS Attacks • bandwidth • cpu • memory • MONEY
- 19. 19 Attacks malicious attacks for direct attacker benefits get access to the host and call for free for damages on target (or fame) consume resources on target involuntary attacks client side broken clients server side misconfigurations (e.g., too low max expire time) ‘Undisclosed’ sources have demonstrated that the root of the issues in computer science resides in between chair and keyboard.
- 20. 20 Problem unexpected high volume of SIP traffic from the same IP address Situations someone tries to gain access to the server misconfigured devices Solution keep the list of banned IP addresses in memory (hash table via htable module) items in hash table are automatically deleted if their values are not updated for a while if source IP of the SIP packet matches a key in hash table, then stop processing simply drop, no SIP response (save the bandwidth) sending a 200 OK response makes the attacker believe that it has succeeded if not, then count the number of packets per configured time interface if limit exceeded, stop processing and add add the source ip in the hash table Consideration skip trusted peers from checking (trunks, PSTN gateways, media servers,...) do it very early in processing path, at the top of routing logic Flood Detection and Blocking IP Addresses
- 21. 21 Flood Detection and Blocking IP Addresses if(src_ip!=__TRUSTED__) { if($sht(ipban=>$si)!=$null) { # ip is already blocked xdbg("request from blocked IP - $rm from $fu (IP:$si:$sp)n"); exit; } if (!pike_check_req()) { xlog("L_ALERT","ALERT: pike blocking $rm from $fu (IP:$si:$sp)n"); $sht(ipban=>$si) = 1; exit; } } loadmodule "htable.so" loadmodule "pike.so" # ----- pike params ----- modparam("pike", "sampling_time_unit", 2) modparam("pike", "reqs_density_per_unit", 24) modparam("pike", "remove_latency", 4) # ----- htable params ----- # ip ban htable with autoexpire after 5 minutes modparam("htable", "htable", "ipban=>size=8;autoexpire=300;") the configuration
- 22. 22 Problem unexpected number of failed authentication for various users Situations someone tries to guess passwords for legit users misconfigured devices Solution keep the list of blocked usernames in memory (again via htable module) items in hash table are automatically deleted if their values are not updated for a while along with the username, store the timestamp of the last failed authentication and number of failed authentication in a raw if the request has auth headers and username is found in hash table, then if the last failed authentication is older than a predefined interval of time, give the user another chance otherwise forbids the traffic without any authentication challenge sent back if not found in hash table, then authenticate if credentials mismatch, then increase the authentication failure counter and update the last authentication failure timestamp if authentication failure attempts limit is reached, don’t challenge back if authentication is ok, reset the counter Dictionary Attack Detection and Blocking Users
- 23. 23 Dictionary Attack Detection and Blocking Users if(is_present_hf("Authorization") || is_present_hf("Proxy-Authorization")) { if($sht(userban=>$au::auth_count)==3) { $var(exp) = $Ts - 900; if($sht(userban=>$au::last_auth) > $var(exp)) { sl_send_reply("403", "Try later"); exit; } else { $sht(userban=>$au::auth_count) = 0; } } } modparam("htable", "htable", "ipban=>size=8;autoexpire=300;") the configuration
- 24. 24 # authenticate requests auth_check("$fd", "subscriber", "1"); $var(rc) = $rc; if($var(rc)<0) { switch($var(rc)) { case -1: sl_send_reply("403", "Forbidden"); exit; case -2: $var(auth_count) = $shtinc(userban=>$au::auth_count); if($var(auth_count) == 3) xlog("auth failed 3rd time - src ip: $sin"); $sht(userban=>$au::last_auth) = $Ts; break; } auth_challenge("$fd", "0"); exit; } $sht(userban=>$au::auth_count) = 0; Dictionary Attack Detection and Blocking Users
- 25. 25 Problem an attacker could eventually get access in way or another (e.g., social engineering), then limit the damages as much as possible Situations lot of active calls from same user, which physically could not do that Solution keep a lightweight list of active calls in memory (again via htable module) items in hash table are automatically deleted if their values are not updated for a while (cope with missing BYE cases) items are added when the call is initiated items are removed if no positive answer for INVITE or in case of BYE carrier grade => lightweight dialog tracking Call-ID is the key for hash table the value of items in hash table is caller id (username) when a new call comes in count the values in the hash table that matches the caller id if the limit is not reached, add a new item, otherwise deny the call Limiting the Number of Active Calls Per User
- 26. 26 request_route { .... if(is_method(“BYE”)) { $sht(acalls=>$ci) = $null; } .... } reply_route { .... if(is_method(“INVITE”) && $rs>=300) { $sht(acalls=>$ci) = $null; } .... } modparam("htable", "htable", "acalls=>size=8;autoexpire=7200;") modparam(“cfgutils”, “lock_set_size”, 8)the configuration Limiting the Number of Active Calls Per User
- 27. 27 # limit to maximum 3 active calls per user route[ACLIMIT] { if(is_method(“INVITE”) && !has_totag()) { lock(“$fU”); $var(ac) = $shtcv(acalls=>eq$fU); if($var(ac) >= 3) { unlock(“$fU”); send_reply(“403”, “Too many active calls”); exit; } $sht(acalls=>$ci) = $fU; unlock(“$fU”); } } request_route { .... route(ACLIMIT); route(RELAY); } Limiting the Number of Active Calls Per User
- 28. 28 One of Kamailio laws If htable module is not used, something might go wrong with your deployment (and business) at a point in time. The target for solutions were rely on Kamailio-only use the lightweight solutions that scale a lot Alternatives real time integration with firewall for DoS protection using fail2ban http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack active calls tracking dialog module: store lot of details for each call, but can detect when call is down OPTIONS keepalives within dialog it is not a back to back user agent (i.e, cseq numbers of dialog not updated) in memory SQL tables via sqlops modules easy to customize make reports and specify what details are store per dialog Remarks
- 29. 29 Daniel-Constantin Mierla Co-Founder Kamailio http://www.asipto.com daniel@asipto.com Thank you! Questions? twitter: @miconda http://www.linkedin.com/in/miconda