Kamailio - SIP Firewall for Carrier Grade Traffic
Presentation done at Cluecon 2013, Chicago, USA - using Kamailio for securing carrier grade SIP/VoIP platforms.
1. Kamailio SIP Server: SIP Firewall For Carrier Grade Traffic. Daniel-Constantin Mierla, Co-Founder Kamailio, www.kamailio.org, www.asipto.com

2. Over 10 Years Evolution
- Sep 2001: first line of code, at the FhG Fokus Institute, Berlin
- 2002: SIP Express Router (SER) released as open source under the GPL
- Jun 2005: OpenSER forked from SER (other forks followed)
- Jul 2008: OpenSER renamed to Kamailio
- Aug 2008 / Nov 2008: Kamailio and SER agree to become the same application; v1.5.0 is the last pre-integration Kamailio release
- Oct 2009 / Jan 2010: v3.0.0, Kamailio-SER integration completed
- Oct 2010: v3.1.0
- Oct 2011: v3.2.0
- Jun 2012: v3.3.0, 10 years of the project
- Mar 2013: v4.0.0
- Awards: Best Open Source Networking Software 2009 by InfoWorld; ITSPA UK Award

3. Source Structure - 3.x.x - Kamailio vs. SER
Both distributions share the entire source code tree: the core (SIP parser, memory manager, config file parser and interpreter, locking system, timers, config variable frameworks) and the internal libraries (DB API v1, DB API v2, MI API, JSON, UUID utils, binrpc).
- Kamailio distribution: modules_k/ (acc, acc_radius, alias_db, auth_db, auth_diameter, auth_radius, benchmark, call_control, cfgutils, cpl-c, db_cluster, ... over 80 modules) plus the shared modules/ (app_lua, app_mono, app_python, async, auth, auth_identity, avpops, blst, carrierroute, cfg_db, cfg_rpc, ... over 50 modules)
- SIP Express Router distribution: modules_s/ (acc_db, acc_radius, acc_syslog, auth_db, auth_radius, avp, avp_db, avp_radius, bdb, cpl-c, db_ops, ... over 40 modules) plus the shared modules/

4. Source Structure - 4.x.x - Kamailio
The modules_k/ and modules_s/ directories are gone: a single modules/ directory (app_lua, app_mono, app_python, async, auth, auth_identity, avpops, blst, carrierroute, cfg_db, cfg_rpc, ... over 150 modules) sits on the same core and internal libraries (SIP parser, memory manager, config file parser and interpreter, locking system, timers, config variable frameworks; DB API v1, DB API v2, MI API, JSON, UUID utils, binrpc).
5. 2012 - Highlights (http://www.kamailio.org/wiki/features/new-in-3.3.x and http://www.kamailio.org/wiki/features/new-in-4.0.x)
- over 10 IMS extensions
- WebSockets
- generic database clustering
- embedded Mono interpreter (C#, Python, Java, ...)
- Cassandra connector
- IPv6 review
- embedded MSRP relay
- time recurrence matching
- embedded HTTP RPC/provisioning APIs
- presence/RLS/XCAP OMA/RCS enhancements
- GRUU, SIP Outbound, SCA

6. 2013 - Highlights (http://www.kamailio.org/wiki/features/new-in-devel)
- new or extended modules: app_java, sipt, tm, htable, cfgutils, siputils, snmpstats, usrloc
- dnssec
- cnxcc (prepaid)
- stun
- sctp
- auth_ephemeral (WebRTC)
- debugger (logging of pv assignments)
7. Development statistics

8. http://conference.kamailio.com

9. (c) asipto.com

10. Among next cool things

11. Routing SIP with Kamailio, by Daniel-Constantin Mierla and Elena-Ramona Modroiu
12. Book Details - http://asipto.com/u/kab
Evolution:
- started last year for v3.3.x
- target: a getting-started guide and typical use cases
- delayed by the decision to complete the Kamailio-SER integration (then Kamailio World)
- last modules merged, some renamed
- significant changes in the installation process
Nowadays, existing content:
- over 280 pages (A4), apart from the ToC
- 22 chapters
Roadmap to full release:
- 3-5 new chapters
- check the 3.3 to 4.0 updates
- examples enhanced with SIP traces
- reviews (both native and non-native English speakers)
Selling:
- electronic format (e.g., pdf, ebook), later paper format (if there is such interest)
- plans to make it available to purchase before the full release
- if all goes as expected, as soon as mid August 2013
13. SIP Firewall For Carrier Grade Traffic: blocking unwanted traffic

14. Everyone is evil in the world wild sipnet!

15. Full Kamailio Config to Deal With:

    request_route {
        drop;
    }
    reply_route {
        drop;
    }

16. Problem completely solved! Thank you, questions?

17. Trying to get friendlier - DoS Attacks
- bandwidth
- CPU
- memory
- MONEY

18. Attacks
Malicious attacks:
- for direct attacker benefits: get access to the host and call for free
- for damages on the target (or fame): consume resources on the target
Involuntary attacks:
- client side: broken clients
- server side: misconfigurations (e.g., too low max expire time)
'Undisclosed' sources have demonstrated that the root of the issues in computer science resides between chair and keyboard.
19. Flood Detection and Blocking IP Addresses
Problem: unexpected high volume of SIP traffic from the same IP address.
Situations:
- someone tries to gain access to the server
- misconfigured devices
Solution:
- keep the list of banned IP addresses in memory (hash table via the htable module)
- items in the hash table are automatically deleted if their values are not updated for a while
- if the source IP of the SIP packet matches a key in the hash table, then stop processing: simply drop, no SIP response (saves bandwidth; sending a 200 OK response would make the attacker believe it has succeeded)
- if not, then count the number of packets per configured time interval
- if the limit is exceeded, stop processing and add the source IP to the hash table
Considerations:
- skip trusted peers from checking (trunks, PSTN gateways, media servers, ...)
- do it very early in the processing path, at the top of the routing logic
20. Flood Detection and Blocking IP Addresses - the configuration

    loadmodule "htable.so"
    loadmodule "pike.so"

    # ----- pike params -----
    modparam("pike", "sampling_time_unit", 2)
    modparam("pike", "reqs_density_per_unit", 24)
    modparam("pike", "remove_latency", 4)

    # ----- htable params -----
    # ip ban htable with autoexpire after 5 minutes
    modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")

    # at the top of request_route; __TRUSTED__ stands for the trusted peers
    # (trunks, gateways, media servers) that are skipped from the check
    if(src_ip!=__TRUSTED__) {
        if($sht(ipban=>$si)!=$null) {
            # ip is already blocked - drop silently, no reply
            xdbg("request from blocked IP - $rm from $fu (IP:$si:$sp)\n");
            exit;
        }
        if (!pike_check_req()) {
            # request density over the limit - ban the source ip
            xlog("L_ALERT","ALERT: pike blocking $rm from $fu (IP:$si:$sp)\n");
            $sht(ipban=>$si) = 1;
            exit;
        }
    }
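To trace what the flood check above does over time without a Kamailio instance, here is an added Python model of it (example code, not Kamailio or the slides' own config). The constants mirror the modparam values on the slide; the trusted address is an assumption standing in for __TRUSTED__, and the per-IP counter is a plain fixed-window approximation of pike, which in reality tracks densities per sampling unit with a removal latency. The traffic in flood_scenario() is constructed.

```python
# Added example (not Kamailio code): model of the pike + htable flood check.
SAMPLING_TIME_UNIT = 2       # pike: length of one sampling window, seconds
REQS_DENSITY_PER_UNIT = 24   # pike: requests per window before blocking
IPBAN_AUTOEXPIRE = 300       # htable ipban: seconds without a write before the entry drops
TRUSTED = {"198.51.100.10"}  # assumption: a trunk address that bypasses the check


class FloodGuard:
    def __init__(self):
        self.windows = {}  # src ip -> (window start, requests seen in the window)
        self.ipban = {}    # src ip -> time of last write ($sht(ipban=>$si) = 1)

    def _is_banned(self, ip, now):
        written = self.ipban.get(ip)
        if written is None:
            return False
        if now - written > IPBAN_AUTOEXPIRE:
            del self.ipban[ip]  # autoexpire: the ban lifts after 5 idle minutes
            return False
        return True

    def check(self, ip, now):
        """Decide one request from ip arriving at time now (seconds).

        Returns "pass" (continue routing), "drop-banned" (ip already in
        ipban, dropped without any reply) or "drop-flood" (limit exceeded
        on this request; ip written to ipban, request dropped).
        """
        if ip in TRUSTED:
            return "pass"
        if self._is_banned(ip, now):
            return "drop-banned"
        start, count = self.windows.get(ip, (now, 0))
        if now - start >= SAMPLING_TIME_UNIT:
            start, count = now, 0  # a new sampling window starts
        count += 1
        self.windows[ip] = (start, count)
        if count > REQS_DENSITY_PER_UNIT:
            self.ipban[ip] = now   # silent block: no 200 OK that would hint at success
            self.windows.pop(ip, None)
            return "drop-flood"
        return "pass"


def flood_scenario():
    """Constructed traffic: one scanner bursting 30 requests, one trusted trunk."""
    guard = FloodGuard()
    t0 = 1000.0
    scanner = [guard.check("203.0.113.7", t0 + i * 0.01) for i in range(30)]
    trunk = [guard.check("198.51.100.10", t0 + i * 0.01) for i in range(100)]
    still_banned = guard.check("203.0.113.7", t0 + 200)         # well inside 5 minutes
    after_expiry = guard.check("203.0.113.7", t0 + 0.29 + 301)  # > 300 s after the ban was written
    return {
        "scanner_passed": scanner.count("pass"),          # 24 requests got through
        "scanner_first_block": scanner.index("drop-flood"),  # the 25th was the trigger
        "scanner_banned_after": scanner.count("drop-banned"),
        "trunk_all_pass": all(r == "pass" for r in trunk),
        "still_banned": still_banned,
        "after_expiry": after_expiry,
    }
```

The point the model makes visible is the difference between the two drop paths: only the first over-limit request costs a pike evaluation and a hash table write; every later packet from that address is discarded on a single lookup until the entry has gone 300 s without being rewritten.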
21. Dictionary Attack Detection and Blocking Users
Problem: unexpected number of failed authentications for various users.
Situations:
- someone tries to guess the passwords of legitimate users
- misconfigured devices
Solution:
- keep the list of blocked usernames in memory (again via the htable module)
- items in the hash table are automatically deleted if their values are not updated for a while
- along with the username, store the timestamp of the last failed authentication and the number of failed authentications in a row
- if the request has auth headers and the username is found in the hash table, then: if the last failed authentication is older than a predefined interval of time, give the user another chance; otherwise forbid the traffic without sending any authentication challenge back
- if not found in the hash table, then authenticate
- if the credentials mismatch, then increase the authentication failure counter and update the last authentication failure timestamp
- if the authentication failure limit is reached, don't challenge back
- if authentication is ok, reset the counter
22. Dictionary Attack Detection and Blocking Users - the configuration

    # ----- htable params -----
    # user ban htable; entries expire 15 minutes after their last update,
    # matching the retry interval checked below (the slide showed the ipban
    # definition here by mistake)
    modparam("htable", "htable", "userban=>size=8;autoexpire=900;")

    if(is_present_hf("Authorization") || is_present_hf("Proxy-Authorization")) {
        if($sht(userban=>$au::auth_count)==3) {
            $var(exp) = $Ts - 900;
            if($sht(userban=>$au::last_auth) > $var(exp)) {
                # still inside the interval: refuse without a challenge
                sl_send_reply("403", "Try later");
                exit;
            } else {
                # interval elapsed: give the user another chance
                $sht(userban=>$au::auth_count) = 0;
            }
        }
    }
23. Dictionary Attack Detection and Blocking Users - the configuration (continued)

    # authenticate requests
    auth_check("$fd", "subscriber", "1");
    $var(rc) = $rc;
    if($var(rc)<0) {
        switch($var(rc)) {
            case -1:
                # invalid user
                sl_send_reply("403", "Forbidden");
                exit;
            case -2:
                # invalid password: count the failure and remember when it happened
                $var(auth_count) = $shtinc(userban=>$au::auth_count);
                if($var(auth_count) == 3)
                    xlog("auth failed 3rd time - src ip: $si\n");
                $sht(userban=>$au::last_auth) = $Ts;
                break;
        }
        auth_challenge("$fd", "0");
        exit;
    }
    # authentication ok: reset the failure counter
    $sht(userban=>$au::auth_count) = 0;
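The two slides above split the lockout across the pre-check and the auth_check() return-code switch; this added Python model (example code, not Kamailio or the slides' own config) puts both halves in one place so the state transitions can be followed. verify() is a stand-in for auth_check() over a constructed subscriber table, returning the same 1 / -1 / -2 codes the switch handles; the thresholds mirror the slide (3 failures, 900 s interval). The request sequence in lockout_scenario() is constructed.

```python
# Added example (not Kamailio code): model of the userban htable logic.
AUTH_FAIL_LIMIT = 3   # $sht(userban=>$au::auth_count) == 3
RETRY_AFTER = 900     # $Ts - 900

SUBSCRIBERS = {"alice": "s3cret", "bob": "hunter2"}   # constructed sample data


def verify(user, password):
    """Stand-in for auth_check(): 1 ok, -1 invalid user, -2 invalid password."""
    if user not in SUBSCRIBERS:
        return -1
    if SUBSCRIBERS[user] != password:
        return -2
    return 1


class UserBan:
    def __init__(self):
        self.table = {}  # username -> {"auth_count": int, "last_auth": float}

    def handle(self, auth_user, password, now):
        """One request; auth_user None means no Authorization header.

        Returns what Kamailio would send: "401 challenge", "403 Try later"
        (locked out, no challenge), "403 Forbidden" (unknown user) or "ok".
        """
        if auth_user is None:
            return "401 challenge"  # no credentials yet: challenge
        entry = self.table.setdefault(auth_user, {"auth_count": 0, "last_auth": 0.0})
        if entry["auth_count"] == AUTH_FAIL_LIMIT:
            if entry["last_auth"] > now - RETRY_AFTER:
                return "403 Try later"   # inside the interval: refused without a challenge
            entry["auth_count"] = 0      # interval elapsed: another chance
        rc = verify(auth_user, password)
        if rc == -1:
            return "403 Forbidden"
        if rc == -2:
            entry["auth_count"] += 1     # $shtinc(userban=>$au::auth_count)
            entry["last_auth"] = now     # $sht(userban=>$au::last_auth) = $Ts
            return "401 challenge"
        entry["auth_count"] = 0          # success resets the counter
        return "ok"


def lockout_scenario():
    """Constructed guessing run against alice, then the legitimate login."""
    ban = UserBan()
    t0 = 1700000000.0
    out = {}
    out["first_contact"] = ban.handle(None, None, t0)
    guesses = ["123456", "password", "alice"]
    out["guesses"] = [ban.handle("alice", g, t0 + i) for i, g in enumerate(guesses)]
    out["fourth_guess"] = ban.handle("alice", "qwerty", t0 + 3)
    # the real user, with the right password, is locked out too
    out["right_password_while_banned"] = ban.handle("alice", "s3cret", t0 + 4)
    out["unknown_user"] = ban.handle("mallory", "x", t0 + 5)
    out["after_interval"] = ban.handle("alice", "s3cret", t0 + 2 + 901)
    out["count_after_login"] = ban.table["alice"]["auth_count"]
    return out
```

The model also shows the trade-off of keying the ban on the username ($au) rather than on the source: anyone who knows a username can keep that subscriber locked out with three bad guesses every 15 minutes, and the legitimate password is refused meanwhile. The per-IP flood check from the earlier slide limits how fast one source can do that, and storing the source address alongside the counter would let the check distinguish the subscriber's own device from a guesser.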
24. Limiting the Number of Active Calls Per User
Problem: an attacker could eventually get access one way or another (e.g., social engineering); then limit the damage as much as possible.
Situations:
- lots of active calls from the same user, who physically could not be making them
Solution:
- keep a lightweight list of active calls in memory (again via the htable module)
- items in the hash table are automatically deleted if their values are not updated for a while (copes with missing BYE cases)
- items are added when the call is initiated
- items are removed if there is no positive answer to the INVITE, or on BYE
- carrier grade => lightweight dialog tracking
- the Call-ID is the key of the hash table
- the value of an item in the hash table is the caller id (username)
- when a new call comes in, count the values in the hash table that match the caller id
- if the limit is not reached, add a new item; otherwise deny the call
25. Limiting the Number of Active Calls Per User - the configuration

    modparam("htable", "htable", "acalls=>size=8;autoexpire=7200;")
    modparam("cfgutils", "lock_set_size", 8)

    request_route {
        ....
        if(is_method("BYE")) {
            $sht(acalls=>$ci) = $null;
        }
        ....
    }
    reply_route {
        ....
        if(is_method("INVITE") && $rs>=300) {
            $sht(acalls=>$ci) = $null;
        }
        ....
    }
26. Limiting the Number of Active Calls Per User - the configuration (continued)

    # limit to maximum 3 active calls per user
    route[ACLIMIT] {
        if(is_method("INVITE") && !has_totag()) {
            lock("$fU");
            $var(ac) = $shtcv(acalls=>eq$fU);
            if($var(ac) >= 3) {
                unlock("$fU");
                send_reply("403", "Too many active calls");
                exit;
            }
            $sht(acalls=>$ci) = $fU;
            unlock("$fU");
        }
    }
    request_route {
        ....
        route(ACLIMIT);
        route(RELAY);
    }
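The active-call cap spans request_route, reply_route and route[ACLIMIT] on the two slides above; this added Python model (example code, not Kamailio or the slides' own config) joins the three pieces so a call flow can be walked through, including the re-INVITE case and the missing-BYE case the slide relies on autoexpire for. The acalls dict plays the htable (Call-ID -> caller username); the limit of 3 and the 7200 s expiry mirror the slide. The call flow in call_cap_scenario() is constructed.

```python
# Added example (not Kamailio code): model of the per-user active-call cap.
ACALLS_AUTOEXPIRE = 7200   # htable acalls: seconds since the entry was last written
MAX_ACTIVE_CALLS = 3       # route[ACLIMIT] threshold


class ActiveCallLimiter:
    def __init__(self):
        self.acalls = {}  # Call-ID -> (caller username, time written)

    def _expire(self, now):
        # htable autoexpire: calls whose BYE never arrived age out
        for cid, (_, written) in list(self.acalls.items()):
            if now - written > ACALLS_AUTOEXPIRE:
                del self.acalls[cid]

    def active_calls(self, user):
        """$shtcv(acalls=>eq$fU): tracked calls started by user."""
        return sum(1 for caller, _ in self.acalls.values() if caller == user)

    def on_request(self, method, call_id, from_user, has_totag, now):
        """request_route: returns "relay" or the 403 reply text."""
        self._expire(now)
        if method == "BYE":
            self.acalls.pop(call_id, None)       # $sht(acalls=>$ci) = $null
            return "relay"
        if method == "INVITE" and not has_totag:  # initial INVITE only, not re-INVITE
            if self.active_calls(from_user) >= MAX_ACTIVE_CALLS:
                return "403 Too many active calls"
            self.acalls[call_id] = (from_user, now)
        return "relay"

    def on_reply(self, cseq_method, call_id, status, now):
        """reply_route: a negative final reply to the INVITE frees the slot."""
        if cseq_method == "INVITE" and status >= 300:
            self.acalls.pop(call_id, None)


def call_cap_scenario():
    """Constructed flow: alice (a compromised account) and bob."""
    lim = ActiveCallLimiter()
    t0 = 0.0
    out = {}
    out["first_three"] = [lim.on_request("INVITE", "c%d" % i, "alice", False, t0 + i)
                          for i in range(1, 4)]
    out["fourth"] = lim.on_request("INVITE", "c4", "alice", False, t0 + 4)
    out["bob_unaffected"] = lim.on_request("INVITE", "b1", "bob", False, t0 + 5)
    out["reinvite_not_counted"] = lim.on_request("INVITE", "c1", "alice", True, t0 + 6)
    lim.on_reply("INVITE", "c2", 486, t0 + 7)            # c2 answered Busy Here
    out["after_486"] = lim.on_request("INVITE", "c4", "alice", False, t0 + 8)
    lim.on_request("BYE", "c1", "alice", True, t0 + 9)  # c1 hangs up
    out["after_bye"] = lim.on_request("INVITE", "c5", "alice", False, t0 + 10)
    out["alice_active"] = lim.active_calls("alice")
    # nobody sent BYE for c3, c4, c5: two hours later autoexpire has cleared them
    out["after_autoexpire"] = lim.on_request("INVITE", "c6", "alice", False, t0 + 10 + 7201)
    out["alice_active_after_expire"] = lim.active_calls("alice")
    return out
```

Two things the single-threaded model hides are worth keeping in mind when reading the slide's config. Kamailio runs the count-then-insert in many worker processes at once, which is why route[ACLIMIT] wraps it in lock("$fU") / unlock("$fU") from cfgutils; without it two INVITEs arriving together can both see 2 and both get in. And replies that tm generates locally (for example a 408 when the callee never answers) do not pass through reply_route, so those calls are only released by the autoexpire, which is the reason the slide pairs the lightweight table with a 7200 s timeout.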
27. Remarks
One of Kamailio's laws: if the htable module is not used, something might go wrong with your deployment (and business) at some point in time.
The targets for the solutions were:
- rely on Kamailio only
- use lightweight solutions that scale a lot
Alternatives:
- real-time integration with the firewall for DoS protection using fail2ban: http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack
- active call tracking with the dialog module: it stores a lot of details for each call, but can detect when a call is down (OPTIONS keepalives within the dialog); it is not a back-to-back user agent (i.e., the CSeq numbers of the dialog are not updated)
- active call tracking with in-memory SQL tables via the sqlops module: easy to customize, make reports and specify what details are stored per dialog
28. Daniel-Constantin Mierla, Co-Founder Kamailio, http://www.asipto.com, daniel@asipto.com. Thank you! Questions? twitter: @miconda, http://www.linkedin.com/in/miconda