Kamailio - SIP Firewall for Carrier Grade Traffic
1. Kamailio SIP Server
SIP Firewall For Carrier Grade Traffic
Daniel-Constantin Mierla
Co-Founder Kamailio
www.kamailio.org
www.asipto.com
2. (c) asipto.com
Over 10 Years Evolution
[timeline graphic; milestones recoverable from the slide:]
Sep 2001 - first line of code, FhG Fokus Institute Berlin
2002 - SIP Express Router (SER) released as open source (GPL)
Jun 2005 - OpenSER fork
Jul 2008 - rename to Kamailio
Aug 2008 - other forks...
Nov 2008 - same application: Kamailio - SER (integration announced); v1.5.0
Oct 2009 - awarded Best Open Source Networking Software 2009 by InfoWorld
Jan 2010 - v3.0.0: integration completed
Oct 2010 - v3.1.0
Oct 2011 - v3.2.0; 10 years
Jun 2012 - v3.3.0; ITSPA UK Award
Mar 2013 - v4.0.0
3. Source Structure - 3.x.x - Kamailio vs. SER
Kamailio distribution: modules_k/ + modules/
SIP Express Router distribution: modules/ + modules_s/

modules_k/ - over 80 modules: acc, acc_radius, alias_db, auth_db, auth_diameter, auth_radius, benchmark, call_control, cfgutils, cpl-c, db_cluster, ...
modules/ - over 50 modules: app_lua, app_mono, app_python, async, auth, auth_identity, avpops, blst, carrierroute, cfg_db, cfg_rpc, ...
modules_s/ - over 40 modules: acc_db, acc_radius, acc_syslog, auth_db, auth_radius, avp, avp_db, avp_radius, bdb, cpl-c, db_ops, ...

the entire source code tree:
core - sip parser, memory manager, config file parser and interpreter, locking system, timers, config variable frameworks
internal libraries - DB API v1, DB API v2, MI API, JSON, UUID, utils, binrpc
4. Source Structure - 4.x.x - Kamailio
Kamailio distribution = SIP Express Router distribution (one source tree)
modules_k/ and modules_s/ merged into modules/ - over 150 modules: app_lua, app_mono, app_python, async, auth, auth_identity, avpops, blst, carrierroute, cfg_db, cfg_rpc, ...

the entire source code tree:
core - sip parser, memory manager, config file parser and interpreter, locking system, timers, config variable frameworks
internal libraries - DB API v1, DB API v2, MI API, JSON, UUID, utils, binrpc
12. Routing SIP with Kamailio
by
Daniel-Constantin Mierla
Elena-Ramona Modroiu
13. Book Details - http://asipto.com/u/kab
Evolution
  started last year for v3.3.x
  target: getting started guide and typical use cases
  delayed by the decision to complete the Kamailio-SER integration (then Kamailio World)
    last modules merged, some renamed
    significant changes in the installation process
Nowadays
  existing content: over 280 pages (A4), apart from the ToC; 22 chapters
  roadmap to full release
    3-5 new chapters
    check the 3.3 to 4.0 updates
    examples enhanced with SIP traces
    reviews (both native and non-native English speakers)
Selling
  electronic format (e.g., pdf, ebook), later paper format (if there is such interest)
  plans to make it available to purchase before the full release
  if all goes as expected, as soon as mid August 2013
14. SIP Firewall For Carrier Grade Traffic
blocking unwanted traffic
18. Trying to get friendlier - DoS Attacks
DoS attacks consume:
• bandwidth
• cpu
• memory
• MONEY
19. Attacks
malicious attacks
  for direct attacker benefit: get access to the host and call for free
  for damage on the target (or fame): consume resources on the target
involuntary attacks
  client side: broken clients
  server side: misconfigurations (e.g., too low max expire time)
'Undisclosed' sources have demonstrated that the root of the issues in computer science resides between chair and keyboard.
20. Flood Detection and Blocking IP Addresses
Problem
  unexpectedly high volume of SIP traffic from the same IP address
Situations
  someone tries to gain access to the server
  misconfigured devices
Solution
  keep the list of banned IP addresses in memory (hash table via the htable module)
  items in the hash table are automatically deleted if their values are not updated for a while
  if the source IP of the SIP packet matches a key in the hash table, then stop processing
    simply drop, no SIP response (saves bandwidth, and any reply would confirm to the attacker that the host is alive)
    sending a 200 OK response would make the attacker believe that it has succeeded
  if not banned, count the number of packets per configured time interval (pike module)
    if the limit is exceeded, stop processing and add the source IP to the hash table
Considerations
  skip trusted peers from checking (trunks, PSTN gateways, media servers, ...)
  do it very early in the processing path, at the top of the routing logic
21. Flood Detection and Blocking IP Addresses
the configuration:

loadmodule "htable.so"
loadmodule "pike.so"

# ----- pike params -----
modparam("pike", "sampling_time_unit", 2)
modparam("pike", "reqs_density_per_unit", 24)
modparam("pike", "remove_latency", 4)

# ----- htable params -----
# ip ban htable with autoexpire after 5 minutes
modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")

# at the top of request_route; __TRUSTED__ stands for the address(es)
# of the trusted peers that are skipped from checking
if(src_ip!=__TRUSTED__) {
    if($sht(ipban=>$si)!=$null) {
        # ip is already blocked: drop silently, no SIP response
        xdbg("request from blocked IP - $rm from $fu (IP:$si:$sp)\n");
        exit;
    }
    if(!pike_check_req()) {
        # flood detected: ban the source ip until the htable item expires
        xlog("L_ALERT", "ALERT: pike blocking $rm from $fu (IP:$si:$sp)\n");
        $sht(ipban=>$si) = 1;
        exit;
    }
}
22. Dictionary Attack Detection and Blocking Users
Problem
  unexpected number of failed authentications for various users
Situations
  someone tries to guess the passwords of legitimate users
  misconfigured devices
Solution
  keep the list of blocked usernames in memory (again via the htable module)
  items in the hash table are automatically deleted if their values are not updated for a while
  along with the username, store the timestamp of the last failed authentication and the number of failed authentications in a row
  if the request has auth headers and the username is found in the hash table, then
    if the last failed authentication is older than a predefined interval of time, give the user another chance
    otherwise reject the request without sending back any authentication challenge
  if not found in the hash table, then authenticate
    if the credentials mismatch, then increase the authentication failure counter and update the last authentication failure timestamp
    if the authentication failure attempts limit is reached, don't challenge back
    if authentication is ok, reset the counter
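The steps above written out as routing logic, as an added example (not the slides' own configuration and not Kamailio's default kamailio.cfg). It assumes: authentication through auth_db against the standard subscriber table over the usual default db_url (both assumptions), an htable named authfail whose keys are "<user>::count" and "<user>::ts" (a layout chosen here), the two #!define limits picked for the example, and that every auth_check() failure counts as a mismatch (a refinement could inspect $rc to skip stale-nonce retries; check the auth_db README of the installed version for the return codes).

```cfg
loadmodule "sl.so"
loadmodule "xlog.so"
loadmodule "db_mysql.so"
loadmodule "auth.so"
loadmodule "auth_db.so"
loadmodule "htable.so"
loadmodule "cfgutils.so"

# assumption: standard subscriber table, default credentials
modparam("auth_db", "db_url", "mysql://kamailio:kamailiorw@localhost/kamailio")
modparam("auth_db", "calculate_ha1", yes)
modparam("auth_db", "password_column", "password")

# failed authentications per username; the item disappears 5 minutes
# after its last update, so an idle attacker is forgotten automatically
modparam("htable", "htable", "authfail=>size=8;autoexpire=300;")
modparam("cfgutils", "lock_set_size", 8)

# limits chosen for this example (assumption, tune per deployment):
# block after AUTHFAIL_LIMIT failures in a row, give another chance
# when the last failure is older than AUTHFAIL_RETRY seconds
#!define AUTHFAIL_LIMIT 5
#!define AUTHFAIL_RETRY 120

route[AUTH] {
    if(!(is_method("REGISTER") || from_uri==myself)) {
        return;
    }
    if($au==$null) {
        # no credentials at all: normal challenge
        auth_challenge("$fd", "0");
        exit;
    }

    # $var() reads 0 when the key is missing, so a new user passes the check
    lock("$au");
    $var(fails) = $sht(authfail=>$au::count);
    $var(last) = $sht(authfail=>$au::ts);
    if($var(fails) >= AUTHFAIL_LIMIT) {
        if($Ts - $var(last) < AUTHFAIL_RETRY) {
            # still inside the block window: reject without a challenge
            unlock("$au");
            xlog("L_ALERT", "ALERT: blocked user $au - $rm from $si:$sp\n");
            send_reply("403", "Forbidden");
            exit;
        }
        # last failure is old enough: give the user another chance
        $sht(authfail=>$au::count) = 0;
    }
    unlock("$au");

    if(!auth_check("$fd", "subscriber", "1")) {
        # credentials mismatch: count it and remember when it happened
        lock("$au");
        $var(fails) = $sht(authfail=>$au::count);
        $var(fails) = $var(fails) + 1;
        $sht(authfail=>$au::count) = $var(fails);
        $sht(authfail=>$au::ts) = $Ts;
        unlock("$au");
        if($var(fails) >= AUTHFAIL_LIMIT) {
            # limit reached: no new nonce for the attacker to work with
            xlog("L_ALERT", "ALERT: auth failure limit - user $au from $si:$sp\n");
            send_reply("403", "Forbidden");
            exit;
        }
        auth_challenge("$fd", "0");
        exit;
    }

    # authentication ok: reset the counter (assigning $null removes the item)
    $sht(authfail=>$au::count) = $null;
    $sht(authfail=>$au::ts) = $null;
    consume_credentials();
}
```

The per-user lock() around the read-check-reset and the count-update keeps two requests for the same username, arriving on different worker processes, from both reading the same counter and letting one extra attempt through; the 403 deliberately carries no WWW-Authenticate/Proxy-Authenticate header, which is what stops the guessing loop.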
25. Limiting the Number of Active Calls Per User
Problem
  an attacker could eventually get access one way or another (e.g., social engineering), then limit the damage as much as possible
Situations
  a lot of active calls from the same user, more than one person could physically make
Solution
  keep a lightweight list of active calls in memory (again via the htable module)
  items in the hash table are automatically deleted if their values are not updated for a while (copes with missing BYE cases)
  items are added when the call is initiated
  items are removed if there is no positive answer to the INVITE or in case of BYE
  carrier grade => lightweight dialog tracking
    Call-ID is the key for the hash table
    the value of the items in the hash table is the caller id (username)
  when a new call comes in
    count the values in the hash table that match the caller id
    if the limit is not reached, add a new item, otherwise deny the call
26. Limiting the Number of Active Calls Per User
the configuration:

# active calls htable keyed by Call-ID; autoexpire covers calls that never get a BYE
modparam("htable", "htable", "acalls=>size=8;autoexpire=7200;")
modparam("cfgutils", "lock_set_size", 8)

request_route {
    ....
    if(is_method("BYE")) {
        # call ended: remove it from the active calls list
        $sht(acalls=>$ci) = $null;
    }
    ....
}

reply_route {
    ....
    if(is_method("INVITE") && $rs>=300) {
        # negative final answer to the INVITE: the call did not start
        $sht(acalls=>$ci) = $null;
    }
    ....
}
27. Limiting the Number of Active Calls Per User

# limit to maximum 3 active calls per user
route[ACLIMIT] {
    if(is_method("INVITE") && !has_totag()) {
        # lock per user so concurrent INVITEs cannot race past the limit
        lock("$fU");
        $var(ac) = $shtcv(acalls=>eq$fU);
        if($var(ac) >= 3) {
            unlock("$fU");
            send_reply("403", "Too many active calls");
            exit;
        }
        $sht(acalls=>$ci) = $fU;
        unlock("$fU");
    }
}

request_route {
    ....
    route(ACLIMIT);
    route(RELAY);
}
28. Remarks
One of Kamailio's laws
  If the htable module is not used, something might go wrong with your deployment (and business) at some point in time.
The targets for the solutions were
  rely on Kamailio only
  use lightweight solutions that scale well
Alternatives
  real time integration with the firewall for DoS protection using fail2ban
    http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack
  active calls tracking
    dialog module: stores a lot of details for each call, but can detect when a call is down
      OPTIONS keepalives within the dialog
      Kamailio is not a back-to-back user agent (i.e., the CSeq numbers of the dialog are not updated)
    in-memory SQL tables via the sqlops module
      easy to customize, make reports and specify what details are stored per dialog