SlideShare una empresa de Scribd logo

Kamailio - SIP Firewall for Carrier Grade Traffic

D
Daniel-Constantin Mierla

Presentation done at Cluecon 2013, Chicago, USA - using Kamailio for securing carrier grade SIP/VoIP platforms.

Tecnología
1 de 29
Descargar para leer sin conexión
Kamailio SIP Server SIP Firewall For Carrier Grade Traffic Daniel-Constantin Mierla Co-Founder Kamailio www.kamailio.org www.asipto.com
(c) asipto.com 2 Over 10 Years Evolution 2002 Jun 2005 Jul 2008 Aug 2008 Nov 2008 SIP Express Router (SER) OpenSER Kamailio Other Forks... Same application: Kamailio - SER Oct 2009 Jan 2010 v3.0.0 Integration Completed v1.5.0 Oct 2011 v3.1.0 Sep 2001 First Line Of Code Open Source GPL FhG Fokus Institute Berlin rename v3.2.0 Oct 2010 Awarded Best Open Source Networking Software 2009 By InfoWorld 10 Years Jun 2012 v3.3.0 ITSPA UK Award Mar 2013 v4.0.0 Kamailio
Source Structure - 3.x.x - Kamailio vs. SER 3 KamailioDistribution SIPExpressRouterDistribution modules_k/ acc acc_radius alias_db auth_db auth_diameter auth_radius benchmark call_control cfgutils cpl-c db_cluster ... over 80 modules modules/ app_lua app_mono app_python async auth auth_identity avpops blst carrierroute cfg_db cfg_rpc ... over 50 modules modules_s/ acc_db acc_radius acc_syslog auth_db auth_radius avp avp_db avp_radius bdb cpl-c db_ops ... over 40 modules the entire source code tree core sip parser - memory manager config file parser and interpreter locking system - timers config variable frameworks internal libraries DB API v1 - DB APIv2 MI API - JSON - UUID utils - binrpc
Source Structure - 4.x.x- Kamailio 4 KamailioDistribution SIPExpressRouterDistribution modules_k/ modules/ app_lua app_mono app_python async auth auth_identity avpops blst carrierroute cfg_db cfg_rpc ... over 150 modules modules_s/ the entire source code tree core sip parser - memory manager config file parser and interpreter locking system - timers config variable frameworks internal libraries DB API v1 - DB APIv2 MI API - JSON - UUID utils - binrpc
(c) asipto.com 2012 - Highlights 5 Over 10 IMS Extensions Websockets generic database clusteringembedded mono interpreter C#, Python, Java, .... cassandra connector http://www.kamailio.org/wiki/features/new-in-3.3.x http://www.kamailio.org/wiki/features/new-in-4.0.x IPv6 review embedded MSRP Relay time recurrence matching embedded HTTP RPC/Provisioning APIs presence/rls/xcap OMA/RCS enhancements GRUU SIP Outbound SCA
(c) asipto.com 2013 - Highlights 6 app_java sipt tm htable cfgutils siputilssnmpstats usrloc http://www.kamailio.org/wiki/features/new-in-devel dnssec cnxcc (prepaid) stun sctp auth_ephemeral (webrtc) debugger (log pv assignment)
(c) asipto.com 7 Development statistics
(c) asipto.com 8 http://conference.kamailio.com
(c) asipto.com 9
among next cool things
Routing SIP with Kamailio by Daniel-Constantin Mierla Elena-Ramona Modroiu
13 Book Details - http://asipto.com/u/kab  Evolution  started last year for v3.3.x  target: getting started guide and typical use cases  delayed by decision to complete Kamailio-SER integration (then Kamailio Word)  last modules merged, some renamed  significant changes in installation process  Nowadays  existing content  over 280 pages (A4) - apart of ToC  22 chapters  roadmap to full release  3-5 new chapters  check the 3.3 to 4.0 updates  examples enhanced with SIP traces  reviews (both native and non-native English speakers)  Selling  electronic format (e.g., pdf, ebook), later paper format (if such interest)  plans to make it available to purchase before full release  if all goes as expected - as soon as mid of August, 2013
SIP Firewall For Carrier Grade Traffic blocking unwanted traffic
15 Everyone is evil in the world wild sipnet!
16 request_route { drop; } reply_route { drop; } Full Kamailio Config to Deal With
17 Problem completely solved! Thank you, questions?
18 Trying to get friendlier - DoS Attacks • bandwidth • cpu • memory • MONEY
19 Attacks  malicious attacks  for direct attacker benefits  get access to the host and call for free  for damages on target (or fame)  consume resources on target  involuntary attacks  client side  broken clients  server side  misconfigurations (e.g., too low max expire time) ‘Undisclosed’ sources have demonstrated that the root of the issues in computer science resides in between chair and keyboard.
20  Problem  unexpected high volume of SIP traffic from the same IP address  Situations  someone tries to gain access to the server  misconfigured devices  Solution  keep the list of banned IP addresses in memory (hash table via htable module)  items in hash table are automatically deleted if their values are not updated for a while  if source IP of the SIP packet matches a key in hash table, then stop processing  simply drop, no SIP response (save the bandwidth)  sending a 200 OK response makes the attacker believe that it has succeeded  if not, then count the number of packets per configured time interface  if limit exceeded, stop processing and add add the source ip in the hash table  Consideration  skip trusted peers from checking (trunks, PSTN gateways, media servers,...)  do it very early in processing path, at the top of routing logic Flood Detection and Blocking IP Addresses
21 Flood Detection and Blocking IP Addresses if(src_ip!=__TRUSTED__) { if($sht(ipban=>$si)!=$null) { # ip is already blocked xdbg("request from blocked IP - $rm from $fu (IP:$si:$sp)n"); exit; } if (!pike_check_req()) { xlog("L_ALERT","ALERT: pike blocking $rm from $fu (IP:$si:$sp)n"); $sht(ipban=>$si) = 1; exit; } } loadmodule "htable.so" loadmodule "pike.so" # ----- pike params ----- modparam("pike", "sampling_time_unit", 2) modparam("pike", "reqs_density_per_unit", 24) modparam("pike", "remove_latency", 4) # ----- htable params ----- # ip ban htable with autoexpire after 5 minutes modparam("htable", "htable", "ipban=>size=8;autoexpire=300;") the configuration
22  Problem  unexpected number of failed authentication for various users  Situations  someone tries to guess passwords for legit users  misconfigured devices  Solution  keep the list of blocked usernames in memory (again via htable module)  items in hash table are automatically deleted if their values are not updated for a while  along with the username, store the timestamp of the last failed authentication and number of failed authentication in a raw  if the request has auth headers and username is found in hash table, then  if the last failed authentication is older than a predefined interval of time, give the user another chance  otherwise forbids the traffic without any authentication challenge sent back  if not found in hash table, then authenticate  if credentials mismatch, then increase the authentication failure counter and update the last authentication failure timestamp  if authentication failure attempts limit is reached, don’t challenge back  if authentication is ok, reset the counter Dictionary Attack Detection and Blocking Users
23 Dictionary Attack Detection and Blocking Users if(is_present_hf("Authorization") || is_present_hf("Proxy-Authorization")) { if($sht(userban=>$au::auth_count)==3) { $var(exp) = $Ts - 900; if($sht(userban=>$au::last_auth) > $var(exp)) { sl_send_reply("403", "Try later"); exit; } else { $sht(userban=>$au::auth_count) = 0; } } } modparam("htable", "htable", "ipban=>size=8;autoexpire=300;") the configuration
24 # authenticate requests auth_check("$fd", "subscriber", "1"); $var(rc) = $rc; if($var(rc)<0) { switch($var(rc)) { case -1: sl_send_reply("403", "Forbidden"); exit; case -2: $var(auth_count) = $shtinc(userban=>$au::auth_count); if($var(auth_count) == 3) xlog("auth failed 3rd time - src ip: $sin"); $sht(userban=>$au::last_auth) = $Ts; break; } auth_challenge("$fd", "0"); exit; } $sht(userban=>$au::auth_count) = 0; Dictionary Attack Detection and Blocking Users
25  Problem  an attacker could eventually get access in way or another (e.g., social engineering), then limit the damages as much as possible  Situations  lot of active calls from same user, which physically could not do that  Solution  keep a lightweight list of active calls in memory (again via htable module)  items in hash table are automatically deleted if their values are not updated for a while (cope with missing BYE cases)  items are added when the call is initiated  items are removed if no positive answer for INVITE or in case of BYE  carrier grade => lightweight dialog tracking  Call-ID is the key for hash table  the value of items in hash table is caller id (username)  when a new call comes in  count the values in the hash table that matches the caller id  if the limit is not reached, add a new item, otherwise deny the call Limiting the Number of Active Calls Per User
26 request_route { .... if(is_method(“BYE”)) { $sht(acalls=>$ci) = $null; } .... } reply_route { .... if(is_method(“INVITE”) && $rs>=300) { $sht(acalls=>$ci) = $null; } .... } modparam("htable", "htable", "acalls=>size=8;autoexpire=7200;") modparam(“cfgutils”, “lock_set_size”, 8)the configuration Limiting the Number of Active Calls Per User
27 # limit to maximum 3 active calls per user route[ACLIMIT] { if(is_method(“INVITE”) && !has_totag()) { lock(“$fU”); $var(ac) = $shtcv(acalls=>eq$fU); if($var(ac) >= 3) { unlock(“$fU”); send_reply(“403”, “Too many active calls”); exit; } $sht(acalls=>$ci) = $fU; unlock(“$fU”); } } request_route { .... route(ACLIMIT); route(RELAY); } Limiting the Number of Active Calls Per User
28  One of Kamailio laws  If htable module is not used, something might go wrong with your deployment (and business) at a point in time.  The target for solutions were  rely on Kamailio-only  use the lightweight solutions that scale a lot  Alternatives  real time integration with firewall for DoS protection using fail2ban  http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack  active calls tracking  dialog module: store lot of details for each call, but can detect when call is down  OPTIONS keepalives within dialog  it is not a back to back user agent (i.e, cseq numbers of dialog not updated)  in memory SQL tables via sqlops modules  easy to customize make reports and specify what details are store per dialog Remarks
29 Daniel-Constantin Mierla Co-Founder Kamailio http://www.asipto.com daniel@asipto.com Thank you! Questions? twitter: @miconda http://www.linkedin.com/in/miconda

Recomendados

Expanding Asterisk with Kamailio
Expanding Asterisk with KamailioExpanding Asterisk with Kamailio
Expanding Asterisk with KamailioFred Posner
 
Kamailio - API Based SIP Routing
Kamailio - API Based SIP RoutingKamailio - API Based SIP Routing
Kamailio - API Based SIP RoutingDaniel-Constantin Mierla
 
Kamailio :: A Quick Introduction
Kamailio :: A Quick IntroductionKamailio :: A Quick Introduction
Kamailio :: A Quick IntroductionOlle E Johansson
 
Kamailio, FreeSWITCH, and You
Kamailio, FreeSWITCH, and YouKamailio, FreeSWITCH, and You
Kamailio, FreeSWITCH, and YouFred Posner
 
Scaling Asterisk with Kamailio
Scaling Asterisk with KamailioScaling Asterisk with Kamailio
Scaling Asterisk with KamailioFred Posner
 
Three Ways Kamailio Can Help Your FreeSWITCH Deployment
Three Ways Kamailio Can Help Your FreeSWITCH DeploymentThree Ways Kamailio Can Help Your FreeSWITCH Deployment
Three Ways Kamailio Can Help Your FreeSWITCH DeploymentFred Posner
 
Kamailio - Secure Communication
Kamailio - Secure CommunicationKamailio - Secure Communication
Kamailio - Secure CommunicationDaniel-Constantin Mierla
 
rtpengine - Media Relaying and Beyond
rtpengine - Media Relaying and Beyondrtpengine - Media Relaying and Beyond
rtpengine - Media Relaying and BeyondAndreas Granig
 

Recomendados

Expanding Asterisk with Kamailio
Expanding Asterisk with KamailioExpanding Asterisk with Kamailio
Expanding Asterisk with KamailioFred Posner
 
Kamailio - API Based SIP Routing
Kamailio - API Based SIP RoutingKamailio - API Based SIP Routing
Kamailio - API Based SIP RoutingDaniel-Constantin Mierla
 
Kamailio :: A Quick Introduction
Kamailio :: A Quick IntroductionKamailio :: A Quick Introduction
Kamailio :: A Quick IntroductionOlle E Johansson
 
Kamailio, FreeSWITCH, and You
Kamailio, FreeSWITCH, and YouKamailio, FreeSWITCH, and You
Kamailio, FreeSWITCH, and YouFred Posner
 
Scaling Asterisk with Kamailio
Scaling Asterisk with KamailioScaling Asterisk with Kamailio
Scaling Asterisk with KamailioFred Posner
 
Three Ways Kamailio Can Help Your FreeSWITCH Deployment
Three Ways Kamailio Can Help Your FreeSWITCH DeploymentThree Ways Kamailio Can Help Your FreeSWITCH Deployment
Three Ways Kamailio Can Help Your FreeSWITCH DeploymentFred Posner
 
Kamailio - Secure Communication
Kamailio - Secure CommunicationKamailio - Secure Communication
Kamailio - Secure CommunicationDaniel-Constantin Mierla
 
rtpengine - Media Relaying and Beyond
rtpengine - Media Relaying and Beyondrtpengine - Media Relaying and Beyond
rtpengine - Media Relaying and BeyondAndreas Granig
 
Using Kamailio for Scalability and Security
Using Kamailio for Scalability and SecurityUsing Kamailio for Scalability and Security
Using Kamailio for Scalability and SecurityFred Posner
 
SIP Attack Handling (Kamailio World 2021)
SIP Attack Handling (Kamailio World 2021)SIP Attack Handling (Kamailio World 2021)
SIP Attack Handling (Kamailio World 2021)Fred Posner
 
Getting started with SIP Express Media Server SIP app server and SBC - workshop
Getting started with SIP Express Media Server SIP app server and SBC - workshopGetting started with SIP Express Media Server SIP app server and SBC - workshop
Getting started with SIP Express Media Server SIP app server and SBC - workshopstefansayer
 
Using Asterisk and Kamailio for Reliable, Scalable and Secure Communication S...
Using Asterisk and Kamailio for Reliable, Scalable and Secure Communication S...Using Asterisk and Kamailio for Reliable, Scalable and Secure Communication S...
Using Asterisk and Kamailio for Reliable, Scalable and Secure Communication S...Fred Posner
 
SIP: Call Id, Cseq, Via-branch, From & To-tag role play
SIP: Call Id, Cseq, Via-branch, From & To-tag role playSIP: Call Id, Cseq, Via-branch, From & To-tag role play
SIP: Call Id, Cseq, Via-branch, From & To-tag role playSridhar Kumar N
 
Kamailio - SIP Routing in Lua
Kamailio - SIP Routing in LuaKamailio - SIP Routing in Lua
Kamailio - SIP Routing in LuaDaniel-Constantin Mierla
 
FreeSWITCH Modules for Asterisk Developers
FreeSWITCH Modules for Asterisk DevelopersFreeSWITCH Modules for Asterisk Developers
FreeSWITCH Modules for Asterisk DevelopersMoises Silva
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking ExplainedThomas Graf
 
Session Initiation Protocol
Session Initiation ProtocolSession Initiation Protocol
Session Initiation ProtocolMatt Bynum
 
Kamailio with Docker and Kubernetes
Kamailio with Docker and KubernetesKamailio with Docker and Kubernetes
Kamailio with Docker and KubernetesPaolo Visintin
 
Sipwise rtpengine
Sipwise rtpengineSipwise rtpengine
Sipwise rtpengineAndreas Granig
 
Kamailio - Load Balancing Load Balancers
Kamailio - Load Balancing Load BalancersKamailio - Load Balancing Load Balancers
Kamailio - Load Balancing Load BalancersDaniel-Constantin Mierla
 
Sip
SipSip
SipAnirban Roy
 
Introduction to FreeSWITCH
Introduction to FreeSWITCHIntroduction to FreeSWITCH
Introduction to FreeSWITCHChien Cheng Wu
 
SIPREC RTPEngine Media Forking
SIPREC RTPEngine Media ForkingSIPREC RTPEngine Media Forking
SIPREC RTPEngine Media ForkingHossein Yavari
 
Introduction to SIP
Introduction to SIP Introduction to SIP
Introduction to SIP neerav_adhikari
 
Intel dpdk Tutorial
Intel dpdk TutorialIntel dpdk Tutorial
Intel dpdk TutorialSaifuddin Kaijar
 
Kamailio on Docker
Kamailio on DockerKamailio on Docker
Kamailio on DockerChien Cheng Wu
 
Understanding Session Border Controllers
Understanding Session Border ControllersUnderstanding Session Border Controllers
Understanding Session Border Controllersstefansayer
 
rtpengine and kamailio - or how to simulate calls at scale
rtpengine and kamailio - or how to simulate calls at scalertpengine and kamailio - or how to simulate calls at scale
rtpengine and kamailio - or how to simulate calls at scaleAndreas Granig
 
Security in NodeJS applications
Security in NodeJS applicationsSecurity in NodeJS applications
Security in NodeJS applicationsDaniel Garcia (a.k.a cr0hn)
 
Kamailio - Surfing Big Waves Of SIP With Style
Kamailio - Surfing Big Waves Of SIP With StyleKamailio - Surfing Big Waves Of SIP With Style
Kamailio - Surfing Big Waves Of SIP With StyleDaniel-Constantin Mierla
 

Más contenido relacionado

La actualidad más candente

Using Kamailio for Scalability and Security
Using Kamailio for Scalability and SecurityUsing Kamailio for Scalability and Security
Using Kamailio for Scalability and SecurityFred Posner
 
SIP Attack Handling (Kamailio World 2021)
SIP Attack Handling (Kamailio World 2021)SIP Attack Handling (Kamailio World 2021)
SIP Attack Handling (Kamailio World 2021)Fred Posner
 
Getting started with SIP Express Media Server SIP app server and SBC - workshop
Getting started with SIP Express Media Server SIP app server and SBC - workshopGetting started with SIP Express Media Server SIP app server and SBC - workshop
Getting started with SIP Express Media Server SIP app server and SBC - workshopstefansayer
 
Using Asterisk and Kamailio for Reliable, Scalable and Secure Communication S...
Using Asterisk and Kamailio for Reliable, Scalable and Secure Communication S...Using Asterisk and Kamailio for Reliable, Scalable and Secure Communication S...
Using Asterisk and Kamailio for Reliable, Scalable and Secure Communication S...Fred Posner
 
SIP: Call Id, Cseq, Via-branch, From & To-tag role play
SIP: Call Id, Cseq, Via-branch, From & To-tag role playSIP: Call Id, Cseq, Via-branch, From & To-tag role play
SIP: Call Id, Cseq, Via-branch, From & To-tag role playSridhar Kumar N
 
FreeSWITCH Modules for Asterisk Developers
FreeSWITCH Modules for Asterisk DevelopersFreeSWITCH Modules for Asterisk Developers
FreeSWITCH Modules for Asterisk DevelopersMoises Silva
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking ExplainedThomas Graf
 
Session Initiation Protocol
Session Initiation ProtocolSession Initiation Protocol
Session Initiation ProtocolMatt Bynum
 
Kamailio with Docker and Kubernetes
Kamailio with Docker and KubernetesKamailio with Docker and Kubernetes
Kamailio with Docker and KubernetesPaolo Visintin
 
Introduction to FreeSWITCH
Introduction to FreeSWITCHIntroduction to FreeSWITCH
Introduction to FreeSWITCHChien Cheng Wu
 
SIPREC RTPEngine Media Forking
SIPREC RTPEngine Media ForkingSIPREC RTPEngine Media Forking
SIPREC RTPEngine Media ForkingHossein Yavari
 
Understanding Session Border Controllers
Understanding Session Border ControllersUnderstanding Session Border Controllers
Understanding Session Border Controllersstefansayer
 
rtpengine and kamailio - or how to simulate calls at scale
rtpengine and kamailio - or how to simulate calls at scalertpengine and kamailio - or how to simulate calls at scale
rtpengine and kamailio - or how to simulate calls at scaleAndreas Granig
 

La actualidad más candente (20)

Using Kamailio for Scalability and Security
Using Kamailio for Scalability and SecurityUsing Kamailio for Scalability and Security
Using Kamailio for Scalability and Security
 
SIP Attack Handling (Kamailio World 2021)
SIP Attack Handling (Kamailio World 2021)SIP Attack Handling (Kamailio World 2021)
SIP Attack Handling (Kamailio World 2021)
 
Getting started with SIP Express Media Server SIP app server and SBC - workshop
Getting started with SIP Express Media Server SIP app server and SBC - workshopGetting started with SIP Express Media Server SIP app server and SBC - workshop
Getting started with SIP Express Media Server SIP app server and SBC - workshop
 
Using Asterisk and Kamailio for Reliable, Scalable and Secure Communication S...
Using Asterisk and Kamailio for Reliable, Scalable and Secure Communication S...Using Asterisk and Kamailio for Reliable, Scalable and Secure Communication S...
Using Asterisk and Kamailio for Reliable, Scalable and Secure Communication S...
 
SIP: Call Id, Cseq, Via-branch, From & To-tag role play
SIP: Call Id, Cseq, Via-branch, From & To-tag role playSIP: Call Id, Cseq, Via-branch, From & To-tag role play
SIP: Call Id, Cseq, Via-branch, From & To-tag role play
 
Kamailio - SIP Routing in Lua
Kamailio - SIP Routing in LuaKamailio - SIP Routing in Lua
Kamailio - SIP Routing in Lua
 
FreeSWITCH Modules for Asterisk Developers
FreeSWITCH Modules for Asterisk DevelopersFreeSWITCH Modules for Asterisk Developers
FreeSWITCH Modules for Asterisk Developers
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking Explained
 
Session Initiation Protocol
Session Initiation ProtocolSession Initiation Protocol
Session Initiation Protocol
 
Kamailio with Docker and Kubernetes
Kamailio with Docker and KubernetesKamailio with Docker and Kubernetes
Kamailio with Docker and Kubernetes
 
Sipwise rtpengine
Sipwise rtpengineSipwise rtpengine
Sipwise rtpengine
 
Kamailio - Load Balancing Load Balancers
Kamailio - Load Balancing Load BalancersKamailio - Load Balancing Load Balancers
Kamailio - Load Balancing Load Balancers
 
Sip
SipSip
Sip
 
Introduction to FreeSWITCH
Introduction to FreeSWITCHIntroduction to FreeSWITCH
Introduction to FreeSWITCH
 
SIPREC RTPEngine Media Forking
SIPREC RTPEngine Media ForkingSIPREC RTPEngine Media Forking
SIPREC RTPEngine Media Forking
 
Introduction to SIP
Introduction to SIP Introduction to SIP
Introduction to SIP
 
Intel dpdk Tutorial
Intel dpdk TutorialIntel dpdk Tutorial
Intel dpdk Tutorial
 
Kamailio on Docker
Kamailio on DockerKamailio on Docker
Kamailio on Docker
 
Understanding Session Border Controllers
Understanding Session Border ControllersUnderstanding Session Border Controllers
Understanding Session Border Controllers
 
rtpengine and kamailio - or how to simulate calls at scale
rtpengine and kamailio - or how to simulate calls at scalertpengine and kamailio - or how to simulate calls at scale
rtpengine and kamailio - or how to simulate calls at scale
 

Similar a Kamailio - SIP Firewall for Carrier Grade Traffic

Kamailio - Surfing Big Waves Of SIP With Style
Kamailio - Surfing Big Waves Of SIP With StyleKamailio - Surfing Big Waves Of SIP With Style
Kamailio - Surfing Big Waves Of SIP With StyleDaniel-Constantin Mierla
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applicationsDevnology
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSlawomir Jasek
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSecuRing
 
Swift distributed tracing method and tools v2
Swift distributed tracing method and tools v2Swift distributed tracing method and tools v2
Swift distributed tracing method and tools v2zhang hua
 
112 portfpres.pdf
112 portfpres.pdf112 portfpres.pdf
112 portfpres.pdfsash236
 
Let's write secure Drupal code! - DrupalCamp London 2019
Let's write secure Drupal code! - DrupalCamp London 2019Let's write secure Drupal code! - DrupalCamp London 2019
Let's write secure Drupal code! - DrupalCamp London 2019Balázs Tatár
 
Strata Presentation: One Billion Objects in 2GB: Big Data Analytics on Small ...
Strata Presentation: One Billion Objects in 2GB: Big Data Analytics on Small ...Strata Presentation: One Billion Objects in 2GB: Big Data Analytics on Small ...
Strata Presentation: One Billion Objects in 2GB: Big Data Analytics on Small ...randyguck
 
Secure .NET programming
Secure .NET programmingSecure .NET programming
Secure .NET programmingAnte Gulam
 
Presto anatomy
Presto anatomyPresto anatomy
Presto anatomyDongmin Yu
 
Monitoring with Prometheus
Monitoring with PrometheusMonitoring with Prometheus
Monitoring with PrometheusShiao-An Yuan
 
Secure Programming
Secure ProgrammingSecure Programming
Secure Programmingalpha0
 
2012.09 A Million Mousetraps: Using Big Data and Little Loops to Build Better...
2012.09 A Million Mousetraps: Using Big Data and Little Loops to Build Better...2012.09 A Million Mousetraps: Using Big Data and Little Loops to Build Better...
2012.09 A Million Mousetraps: Using Big Data and Little Loops to Build Better...Allison Miller
 
Webinar elastic stack {on telecom} english webinar part (1)
Webinar elastic stack {on telecom} english webinar part (1)Webinar elastic stack {on telecom} english webinar part (1)
Webinar elastic stack {on telecom} english webinar part (1)Yassine, LASRI
 
Streaming Way to Webscale: How We Scale Bitly via Streaming
Streaming Way to Webscale: How We Scale Bitly via StreamingStreaming Way to Webscale: How We Scale Bitly via Streaming
Streaming Way to Webscale: How We Scale Bitly via StreamingAll Things Open
 
Integris Security - Hacking With Glue ℠
Integris Security - Hacking With Glue ℠Integris Security - Hacking With Glue ℠
Integris Security - Hacking With Glue ℠Integris Security LLC
 
Kamailio and VoIP Wild World
Kamailio and VoIP Wild WorldKamailio and VoIP Wild World
Kamailio and VoIP Wild World2600Hz
 
Secure Coding for NodeJS
Secure Coding for NodeJSSecure Coding for NodeJS
Secure Coding for NodeJSThang Chung
 

Similar a Kamailio - SIP Firewall for Carrier Grade Traffic (20)

Security in NodeJS applications
Security in NodeJS applicationsSecurity in NodeJS applications
Security in NodeJS applications
 
Kamailio - Surfing Big Waves Of SIP With Style
Kamailio - Surfing Big Waves Of SIP With StyleKamailio - Surfing Big Waves Of SIP With Style
Kamailio - Surfing Big Waves Of SIP With Style
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Swift distributed tracing method and tools v2
Swift distributed tracing method and tools v2Swift distributed tracing method and tools v2
Swift distributed tracing method and tools v2
 
112 portfpres.pdf
112 portfpres.pdf112 portfpres.pdf
112 portfpres.pdf
 
Let's write secure Drupal code! - DrupalCamp London 2019
Let's write secure Drupal code! - DrupalCamp London 2019Let's write secure Drupal code! - DrupalCamp London 2019
Let's write secure Drupal code! - DrupalCamp London 2019
 
Strata Presentation: One Billion Objects in 2GB: Big Data Analytics on Small ...
Strata Presentation: One Billion Objects in 2GB: Big Data Analytics on Small ...Strata Presentation: One Billion Objects in 2GB: Big Data Analytics on Small ...
Strata Presentation: One Billion Objects in 2GB: Big Data Analytics on Small ...
 
Secure .NET programming
Secure .NET programmingSecure .NET programming
Secure .NET programming
 
Presto anatomy
Presto anatomyPresto anatomy
Presto anatomy
 
Monitoring with Prometheus
Monitoring with PrometheusMonitoring with Prometheus
Monitoring with Prometheus
 
Secure Programming
Secure ProgrammingSecure Programming
Secure Programming
 
2012.09 A Million Mousetraps: Using Big Data and Little Loops to Build Better...
2012.09 A Million Mousetraps: Using Big Data and Little Loops to Build Better...2012.09 A Million Mousetraps: Using Big Data and Little Loops to Build Better...
2012.09 A Million Mousetraps: Using Big Data and Little Loops to Build Better...
 
Webinar elastic stack {on telecom} english webinar part (1)
Webinar elastic stack {on telecom} english webinar part (1)Webinar elastic stack {on telecom} english webinar part (1)
Webinar elastic stack {on telecom} english webinar part (1)
 
Streaming Way to Webscale: How We Scale Bitly via Streaming
Streaming Way to Webscale: How We Scale Bitly via StreamingStreaming Way to Webscale: How We Scale Bitly via Streaming
Streaming Way to Webscale: How We Scale Bitly via Streaming
 
Integris Security - Hacking With Glue ℠
Integris Security - Hacking With Glue ℠Integris Security - Hacking With Glue ℠
Integris Security - Hacking With Glue ℠
 
Kamailio and VoIP Wild World
Kamailio and VoIP Wild WorldKamailio and VoIP Wild World
Kamailio and VoIP Wild World
 
Kamailio and VoIP Wild World
Kamailio and VoIP Wild WorldKamailio and VoIP Wild World
Kamailio and VoIP Wild World
 
Secure Coding for NodeJS
Secure Coding for NodeJSSecure Coding for NodeJS
Secure Coding for NodeJS
 

Más de Daniel-Constantin Mierla

FOSDEM 2017 - RTC Services With Lua and Kamailio
FOSDEM 2017 - RTC Services With Lua and KamailioFOSDEM 2017 - RTC Services With Lua and Kamailio
FOSDEM 2017 - RTC Services With Lua and KamailioDaniel-Constantin Mierla
 
TAD Summit 2016 - The Mobile World Up Side Down
TAD Summit 2016 - The Mobile World Up Side DownTAD Summit 2016 - The Mobile World Up Side Down
TAD Summit 2016 - The Mobile World Up Side DownDaniel-Constantin Mierla
 
Designing High Performance RTC Signaling Servers
Designing High Performance RTC Signaling ServersDesigning High Performance RTC Signaling Servers
Designing High Performance RTC Signaling ServersDaniel-Constantin Mierla
 
SIP Server Optimizations for Mobile Networks
SIP Server Optimizations for Mobile NetworksSIP Server Optimizations for Mobile Networks
SIP Server Optimizations for Mobile NetworksDaniel-Constantin Mierla
 
Kamailio - Large Unified Communication Platforms
Kamailio - Large Unified Communication PlatformsKamailio - Large Unified Communication Platforms
Kamailio - Large Unified Communication PlatformsDaniel-Constantin Mierla
 
Kamailio - Unifying SIP and Web Worlds with Lua
Kamailio - Unifying SIP and Web Worlds with LuaKamailio - Unifying SIP and Web Worlds with Lua
Kamailio - Unifying SIP and Web Worlds with LuaDaniel-Constantin Mierla
 
Aynchronous Processing in Kamailio Configuration File
Aynchronous Processing in Kamailio Configuration FileAynchronous Processing in Kamailio Configuration File
Aynchronous Processing in Kamailio Configuration FileDaniel-Constantin Mierla
 

Más de Daniel-Constantin Mierla (16)

FOSDEM 2017 - RTC Services With Lua and Kamailio
FOSDEM 2017 - RTC Services With Lua and KamailioFOSDEM 2017 - RTC Services With Lua and Kamailio
FOSDEM 2017 - RTC Services With Lua and Kamailio
 
TAD Summit 2016 - The Mobile World Up Side Down
TAD Summit 2016 - The Mobile World Up Side DownTAD Summit 2016 - The Mobile World Up Side Down
TAD Summit 2016 - The Mobile World Up Side Down
 
Snappy Kamailio
Snappy KamailioSnappy Kamailio
Snappy Kamailio
 
Kamailio Updates - VUC 588
Kamailio Updates - VUC 588Kamailio Updates - VUC 588
Kamailio Updates - VUC 588
 
Designing High Performance RTC Signaling Servers
Designing High Performance RTC Signaling ServersDesigning High Performance RTC Signaling Servers
Designing High Performance RTC Signaling Servers
 
SIP Server Optimizations for Mobile Networks
SIP Server Optimizations for Mobile NetworksSIP Server Optimizations for Mobile Networks
SIP Server Optimizations for Mobile Networks
 
10 Years SER - Awards
10 Years SER - Awards10 Years SER - Awards
10 Years SER - Awards
 
Sculpturing SIP World
Sculpturing SIP WorldSculpturing SIP World
Sculpturing SIP World
 
CPDL - Charging Plan Definition Language
CPDL - Charging Plan Definition LanguageCPDL - Charging Plan Definition Language
CPDL - Charging Plan Definition Language
 
SER - SIP Express Router
SER - SIP Express RouterSER - SIP Express Router
SER - SIP Express Router
 
SIP Router Project
SIP Router ProjectSIP Router Project
SIP Router Project
 
Kamailio - Large Unified Communication Platforms
Kamailio - Large Unified Communication PlatformsKamailio - Large Unified Communication Platforms
Kamailio - Large Unified Communication Platforms
 
Kamailio - Unifying SIP and Web Worlds with Lua
Kamailio - Unifying SIP and Web Worlds with LuaKamailio - Unifying SIP and Web Worlds with Lua
Kamailio - Unifying SIP and Web Worlds with Lua
 
Kamailio - SIP Servers Everywhere
Kamailio - SIP Servers EverywhereKamailio - SIP Servers Everywhere
Kamailio - SIP Servers Everywhere
 
Kamailio - The Story for Asterisk
Kamailio - The Story for AsteriskKamailio - The Story for Asterisk
Kamailio - The Story for Asterisk
 
Aynchronous Processing in Kamailio Configuration File
Aynchronous Processing in Kamailio Configuration FileAynchronous Processing in Kamailio Configuration File
Aynchronous Processing in Kamailio Configuration File
 

Último

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 

Último (20)

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 

Kamailio - SIP Firewall for Carrier Grade Traffic

  • 1. Kamailio SIP Server SIP Firewall For Carrier Grade Traffic Daniel-Constantin Mierla Co-Founder Kamailio www.kamailio.org www.asipto.com
  • 2. (c) asipto.com 2 Over 10 Years Evolution 2002 Jun 2005 Jul 2008 Aug 2008 Nov 2008 SIP Express Router (SER) OpenSER Kamailio Other Forks... Same application: Kamailio - SER Oct 2009 Jan 2010 v3.0.0 Integration Completed v1.5.0 Oct 2011 v3.1.0 Sep 2001 First Line Of Code Open Source GPL FhG Fokus Institute Berlin rename v3.2.0 Oct 2010 Awarded Best Open Source Networking Software 2009 By InfoWorld 10 Years Jun 2012 v3.3.0 ITSPA UK Award Mar 2013 v4.0.0 Kamailio
  • 3. Source Structure - 3.x.x - Kamailio vs. SER 3 KamailioDistribution SIPExpressRouterDistribution modules_k/ acc acc_radius alias_db auth_db auth_diameter auth_radius benchmark call_control cfgutils cpl-c db_cluster ... over 80 modules modules/ app_lua app_mono app_python async auth auth_identity avpops blst carrierroute cfg_db cfg_rpc ... over 50 modules modules_s/ acc_db acc_radius acc_syslog auth_db auth_radius avp avp_db avp_radius bdb cpl-c db_ops ... over 40 modules the entire source code tree core sip parser - memory manager config file parser and interpreter locking system - timers config variable frameworks internal libraries DB API v1 - DB APIv2 MI API - JSON - UUID utils - binrpc
  • 4. Source Structure - 4.x.x- Kamailio 4 KamailioDistribution SIPExpressRouterDistribution modules_k/ modules/ app_lua app_mono app_python async auth auth_identity avpops blst carrierroute cfg_db cfg_rpc ... over 150 modules modules_s/ the entire source code tree core sip parser - memory manager config file parser and interpreter locking system - timers config variable frameworks internal libraries DB API v1 - DB APIv2 MI API - JSON - UUID utils - binrpc
  • 5. (c) asipto.com 2012 - Highlights 5 Over 10 IMS Extensions Websockets generic database clusteringembedded mono interpreter C#, Python, Java, .... cassandra connector http://www.kamailio.org/wiki/features/new-in-3.3.x http://www.kamailio.org/wiki/features/new-in-4.0.x IPv6 review embedded MSRP Relay time recurrence matching embedded HTTP RPC/Provisioning APIs presence/rls/xcap OMA/RCS enhancements GRUU SIP Outbound SCA
  • 6. (c) asipto.com 2013 - Highlights 6 app_java sipt tm htable cfgutils siputilssnmpstats usrloc http://www.kamailio.org/wiki/features/new-in-devel dnssec cnxcc (prepaid) stun sctp auth_ephemeral (webrtc) debugger (log pv assignment)
  • 10. among next cool things
  • 11.
  • 12. Routing SIP with Kamailio by Daniel-Constantin Mierla Elena-Ramona Modroiu
  • 13. 13 Book Details - http://asipto.com/u/kab  Evolution  started last year for v3.3.x  target: getting started guide and typical use cases  delayed by decision to complete Kamailio-SER integration (then Kamailio Word)  last modules merged, some renamed  significant changes in installation process  Nowadays  existing content  over 280 pages (A4) - apart of ToC  22 chapters  roadmap to full release  3-5 new chapters  check the 3.3 to 4.0 updates  examples enhanced with SIP traces  reviews (both native and non-native English speakers)  Selling  electronic format (e.g., pdf, ebook), later paper format (if such interest)  plans to make it available to purchase before full release  if all goes as expected - as soon as mid of August, 2013
  • 14. SIP Firewall For Carrier Grade Traffic blocking unwanted traffic
  • 15. 15 Everyone is evil in the world wild sipnet!
  • 18. 18 Trying to get friendlier - DoS Attacks • bandwidth • cpu • memory • MONEY
  • 19. 19 Attacks  malicious attacks  for direct attacker benefits  get access to the host and call for free  for damages on target (or fame)  consume resources on target  involuntary attacks  client side  broken clients  server side  misconfigurations (e.g., too low max expire time) ‘Undisclosed’ sources have demonstrated that the root of the issues in computer science resides in between chair and keyboard.
  • 20. 20  Problem  unexpected high volume of SIP traffic from the same IP address  Situations  someone tries to gain access to the server  misconfigured devices  Solution  keep the list of banned IP addresses in memory (hash table via htable module)  items in hash table are automatically deleted if their values are not updated for a while  if source IP of the SIP packet matches a key in hash table, then stop processing  simply drop, no SIP response (save the bandwidth)  sending a 200 OK response makes the attacker believe that it has succeeded  if not, then count the number of packets per configured time interface  if limit exceeded, stop processing and add add the source ip in the hash table  Consideration  skip trusted peers from checking (trunks, PSTN gateways, media servers,...)  do it very early in processing path, at the top of routing logic Flood Detection and Blocking IP Addresses
  • 21. 21 Flood Detection and Blocking IP Addresses if(src_ip!=__TRUSTED__) { if($sht(ipban=>$si)!=$null) { # ip is already blocked xdbg("request from blocked IP - $rm from $fu (IP:$si:$sp)n"); exit; } if (!pike_check_req()) { xlog("L_ALERT","ALERT: pike blocking $rm from $fu (IP:$si:$sp)n"); $sht(ipban=>$si) = 1; exit; } } loadmodule "htable.so" loadmodule "pike.so" # ----- pike params ----- modparam("pike", "sampling_time_unit", 2) modparam("pike", "reqs_density_per_unit", 24) modparam("pike", "remove_latency", 4) # ----- htable params ----- # ip ban htable with autoexpire after 5 minutes modparam("htable", "htable", "ipban=>size=8;autoexpire=300;") the configuration
  • 22. 22  Problem  unexpected number of failed authentication for various users  Situations  someone tries to guess passwords for legit users  misconfigured devices  Solution  keep the list of blocked usernames in memory (again via htable module)  items in hash table are automatically deleted if their values are not updated for a while  along with the username, store the timestamp of the last failed authentication and number of failed authentication in a raw  if the request has auth headers and username is found in hash table, then  if the last failed authentication is older than a predefined interval of time, give the user another chance  otherwise forbids the traffic without any authentication challenge sent back  if not found in hash table, then authenticate  if credentials mismatch, then increase the authentication failure counter and update the last authentication failure timestamp  if authentication failure attempts limit is reached, don’t challenge back  if authentication is ok, reset the counter Dictionary Attack Detection and Blocking Users
  • 23. 23 Dictionary Attack Detection and Blocking Users if(is_present_hf("Authorization") || is_present_hf("Proxy-Authorization")) { if($sht(userban=>$au::auth_count)==3) { $var(exp) = $Ts - 900; if($sht(userban=>$au::last_auth) > $var(exp)) { sl_send_reply("403", "Try later"); exit; } else { $sht(userban=>$au::auth_count) = 0; } } } modparam("htable", "htable", "ipban=>size=8;autoexpire=300;") the configuration
  • 24. 24 # authenticate requests auth_check("$fd", "subscriber", "1"); $var(rc) = $rc; if($var(rc)<0) { switch($var(rc)) { case -1: sl_send_reply("403", "Forbidden"); exit; case -2: $var(auth_count) = $shtinc(userban=>$au::auth_count); if($var(auth_count) == 3) xlog("auth failed 3rd time - src ip: $sin"); $sht(userban=>$au::last_auth) = $Ts; break; } auth_challenge("$fd", "0"); exit; } $sht(userban=>$au::auth_count) = 0; Dictionary Attack Detection and Blocking Users
  • 25. 25  Problem  an attacker could eventually get access in way or another (e.g., social engineering), then limit the damages as much as possible  Situations  lot of active calls from same user, which physically could not do that  Solution  keep a lightweight list of active calls in memory (again via htable module)  items in hash table are automatically deleted if their values are not updated for a while (cope with missing BYE cases)  items are added when the call is initiated  items are removed if no positive answer for INVITE or in case of BYE  carrier grade => lightweight dialog tracking  Call-ID is the key for hash table  the value of items in hash table is caller id (username)  when a new call comes in  count the values in the hash table that matches the caller id  if the limit is not reached, add a new item, otherwise deny the call Limiting the Number of Active Calls Per User
  • 26. 26 request_route { .... if(is_method(“BYE”)) { $sht(acalls=>$ci) = $null; } .... } reply_route { .... if(is_method(“INVITE”) && $rs>=300) { $sht(acalls=>$ci) = $null; } .... } modparam("htable", "htable", "acalls=>size=8;autoexpire=7200;") modparam(“cfgutils”, “lock_set_size”, 8)the configuration Limiting the Number of Active Calls Per User
  • 27. 27 # limit to maximum 3 active calls per user route[ACLIMIT] { if(is_method(“INVITE”) && !has_totag()) { lock(“$fU”); $var(ac) = $shtcv(acalls=>eq$fU); if($var(ac) >= 3) { unlock(“$fU”); send_reply(“403”, “Too many active calls”); exit; } $sht(acalls=>$ci) = $fU; unlock(“$fU”); } } request_route { .... route(ACLIMIT); route(RELAY); } Limiting the Number of Active Calls Per User
  • 28. 28  One of Kamailio laws  If htable module is not used, something might go wrong with your deployment (and business) at a point in time.  The target for solutions were  rely on Kamailio-only  use the lightweight solutions that scale a lot  Alternatives  real time integration with firewall for DoS protection using fail2ban  http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack  active calls tracking  dialog module: store lot of details for each call, but can detect when call is down  OPTIONS keepalives within dialog  it is not a back to back user agent (i.e, cseq numbers of dialog not updated)  in memory SQL tables via sqlops modules  easy to customize make reports and specify what details are store per dialog Remarks
  • 29. 29 Daniel-Constantin Mierla Co-Founder Kamailio http://www.asipto.com daniel@asipto.com Thank you! Questions? twitter: @miconda http://www.linkedin.com/in/miconda