Expanding Asterisk with Kamailio
Fred Posner
@fredposner
qxork.com
Who am I?
Why Asterisk?
If Asterisk can do all that...
Why do we need Kamailio?
and....
How do you pronounce Kamailio?
Kah – Mah – Illie - Oh
What is Kamailio?
SIP Proxy Server
SIP Registrar Server
SIP Location Server
SIP Application Server
SIP Dispatcher Server
What isn't Kamailio?
SIP Phone
B2BUA
Media Server
Typical Reasons to Implement Kamailio
● Scaling
– High Volume of Calls
– High Number of Users
● Security
● Load Balancing
● LCR (Least Cost Routing)
How many calls can Asterisk handle?
200 or 400. There is no 100.
Asterisk “Activities” Affect CPS/Load
● Music on Hold
● Codec Transcoding
● IVR Handling
● AGI Scripts
● Call Recording
● Queues
● Voicemail
Registrations
Authentication
NAT
Calls
Presence
Call Limit
Ext to Ext
Location
STOP THE INSANITY
Internet / PSTN
Kamailio
There must be a better way!
Kamailio:
– Authentication, NAT, Location, LCR, Registration, Extension to Extension calls, Security
Asterisk:
– Queues, Media, Call Processing, Voicemail, Conferences, etc.
Load Balancing
n + 1 scaling made easy with dispatcher module
DISPATCHER Module
# Dispatch requests
route[DISPATCH] {
    # round robin dispatching
    if(!ds_select_dst("1", "4")) {
        send_reply("404", "Ouch");
        exit;
    }
    t_on_failure("RTF_DISPATCH");
    route(RELAY);
    exit;
}

failure_route[RTF_DISPATCH] {
    if (t_is_canceled()) {
        exit;
    }
    # next DST - only for 500 or local timeout
    if (t_check_status("500") or (t_branch_timeout() and !t_branch_replied())) {
        if(ds_next_dst()) {
            t_on_failure("RTF_DISPATCH");
            route(RELAY);
            exit;
        }
    }
}
Internet / PSTN
Kamailio
Security
Ever seen something like this?
[Oct 1 23:01:26] NOTICE[3063][C-00002d55] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!2#48' rejected because extension not found in context 'default'.
[Oct 1 23:01:26] NOTICE[3063][C-00002d56] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!' rejected because extension not found in context 'default'.
[Oct 1 23:01:26] NOTICE[3063][C-00002d57] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!' rejected because extension not found in context 'default'.
[Oct 1 23:01:26] NOTICE[3063][C-00002d58] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!' rejected because extension not found in context 'default'.
[Oct 1 23:01:26] NOTICE[3063][C-00002d59] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!' rejected because extension not found in context 'default'.
[Oct 1 23:01:26] NOTICE[3063][C-00002d5a] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!qaz' rejected because extension not found in context 'default'.
Asterisk Security Tools
● fail2ban
● custom script
● IPTABLES
● hardened dialplan
● Hardened sip.conf
● Log analyzers happen after the attack
● CPU/Memory resources
● Only protects single box
Kamailio Security
● GEOIP
● HTABLE
● PIKE (flood detection)
● PIPELIMIT (counter)
● PERMISSIONS
● RATELIMIT (counter)
● SANITY (formatting)
PIKE / HTABLES/PERMISSIONS
if((src_ip!=myself) && !allow_source_address(1)) {
    if($sht(ipban=>$si)!=$null) {
        # ip is already blocked
        exit;
    }
    if (!pike_check_req()) {
        $sht(ipban=>$si) = 1;
        exit;
    }
}
SIP Message Inspection / HTABLES
if ($ua =~ "(friendly-scanner|sipvicious|sipcli)") {
    if(src_ip!=myself) {
        $sht(ipban=>$si) = 1;
    }
    exit;
}
if($au =~ "(=)|(--)|(')|(#)|(%27)|(%24)" and $au != $null) {
    if(src_ip!=myself) {
        $sht(ipban=>$si) = 1;
    }
    exit;
}
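To see which requests the two inspection rules above drop before putting them in front of real users, the following Python harness replays constructed SIP requests through the same expressions and the same ban-table logic. It is an added example, not code from the slides: the Screen class, the sample requests and all addresses are hypothetical, pike_check_req() and htable expiry are not modelled, and it assumes Kamailio's =~ matches case-insensitively.

```python
import re

# The two expressions from the slide, unchanged. re.I mirrors the assumption
# that Kamailio's =~ operator is a case-insensitive regex match.
SCANNER_UA = re.compile(r"(friendly-scanner|sipvicious|sipcli)", re.I)
SUSPECT_AU = re.compile(r"(=)|(--)|(')|(#)|(%27)|(%24)", re.I)

HEADER = re.compile(r"^([A-Za-z-]+)\s*:\s*(.*)$")
AUTH_USER = re.compile(r'username\s*=\s*"([^"]*)"', re.I)


def parse_headers(raw):
    """Return {lowercased header name: value}; the first occurrence wins."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if not line:          # blank line ends the header section
            break
        m = HEADER.match(line)
        if m:
            headers.setdefault(m.group(1).lower(), m.group(2).strip())
    return headers


def auth_user(headers):
    """Rough equivalent of $au: the username of the digest credentials, or None."""
    for name in ("authorization", "proxy-authorization"):
        m = AUTH_USER.search(headers.get(name, ""))
        if m:
            return m.group(1)
    return None


class Screen:
    """Hypothetical stand-in for the route logic on the two slides."""

    def __init__(self, myself, whitelist):
        self.myself = set(myself)        # src_ip == myself
        self.whitelist = set(whitelist)  # allow_source_address(1)
        self.ipban = set()               # $sht(ipban=>$si), expiry not modelled

    def check(self, src_ip, raw):
        """Return (action, reason) for one request from src_ip."""
        headers = parse_headers(raw)
        local = src_ip in self.myself
        if not local and src_ip not in self.whitelist and src_ip in self.ipban:
            return ("drop", "already banned")
        if SCANNER_UA.search(headers.get("user-agent", "")):
            if not local:
                self.ipban.add(src_ip)
            return ("drop", "scanner user-agent")
        au = auth_user(headers)
        if au is not None and SUSPECT_AU.search(au):
            if not local:
                self.ipban.add(src_ip)
            return ("drop", "suspicious auth username")
        return ("pass", "")


def sample_request(user_agent, username=None):
    """Build a constructed REGISTER for the demo (not captured traffic)."""
    lines = ["REGISTER sip:pbx.example.test SIP/2.0",
             "Via: SIP/2.0/UDP client.example.test;branch=z9hG4bKdemo",
             "User-Agent: " + user_agent]
    if username is not None:
        lines.append('Authorization: Digest username="%s", realm="example.test"'
                     % username)
    return "\r\n".join(lines) + "\r\n\r\n"


def run_samples():
    """Replay constructed traffic; return ([(ip, action, reason)], banned IPs)."""
    screen = Screen(myself={"192.0.2.1"}, whitelist={"192.0.2.50"})
    traffic = [
        ("192.0.2.10", sample_request("ExamplePhone/1.0", "1001")),
        ("198.51.100.7", sample_request("friendly-scanner")),
        ("198.51.100.7", sample_request("ExamplePhone/1.0", "1001")),
        ("203.0.113.5", sample_request("ExamplePhone/1.0", "o'brien")),
        ("203.0.113.9", sample_request("SIPVicious", "100")),
        ("192.0.2.1", sample_request("sipcli/demo")),
    ]
    results = [(ip,) + screen.check(ip, raw) for ip, raw in traffic]
    return results, screen.ipban


if __name__ == "__main__":
    for row in run_samples()[0]:
        print(row)
```

The fourth request shows the cost of the username pattern: an account name containing an apostrophe is dropped and its source address banned, so account naming rules have to exclude those characters before the rule goes live.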
Handle Before Reaching Asterisk
[R-REQINIT:PIPELIMIT] invites to 192.168.101.21 exceeded 5cps
[R-REQINIT:PIPELIMIT] invites to 192.168.101.23 exceeded 5cps
[R-REQINIT:PIPELIMIT] invites to 192.168.101.22 exceeded 5cps
[R-REQINIT:ANTIFLOOD] script kiddies from IP:85.93.91.162:5063 - dropping and blocking
[R-REQINIT:ANTIFLOOD] script kiddies from IP:212.83.188.161:5068 - dropping and blocking
[R-REQINIT:ANTIFLOOD] script kiddies from IP:85.93.89.219:5066 - dropping and blocking
[R-REQINIT:ANTIFLOOD] script kiddies from IP:85.25.74.70:5150 - dropping and blocking
Kamailio Saves Money
Financial Benefits
● Kamailio reduces fraud risk (security)
● Kamailio reduces carrier cost (lcr)
● Kamailio reduces opportunity costs (downtime)
Kamailio Plays Well with Others
● IPv4 & IPv6
● UDP/TCP
● TLS
● SCTP
● All codecs
● WebRTC
● Supporting RFC3261, RFC3262, RFC3263,
RFC3880, RFC4474, RFC2865, RFC2866,
RFC4975, RFC3486, RFC 3265, RFC 3856, RFC
3863, RFC 4480, RFC 3903, RFC 3857, RFC
3858, RFC 3680, RFC3581, RFC1918, RFC2617,
RFC4122, RFC4510, RFC4515, RFC4662,
RFC4826, RFC4745 and RFC5025, RFC3410,
RFC3327, RFC2741, RFC4516, etc.
Kamailio: Positives
● Very fast
● Minimal hardware
● More than 200 modules
● Centralization
● Saves Money
● LCR
● Scalable
● Failover
● Strong Community
● Promotes Growth
Kamailio: Negatives
● Must know SIP
● Must really know SIP
● Need strong SIP knowledge
Thank you
Questions

Editor's Notes

  1. Fred Posner. VoIP Engineer/Consultant. LOD. The Palner Group. Started in 2003. Vonage competitor. Broadsoft / Acme Packet. Switched to Asterisk / OpenSER. Beautiful wife Yeni. Started Bearkery Bakery in 2010. Live in Florida. Big Fred Cookie.
  2. Asterisk: GREAT PRODUCT. We're at Astricon after all. All features you'd ever want. Very customizable. Powerful. Open source. Queues. Call recording. Voicemail. IVR. AND SO MUCH MORE.
  3. If Asterisk is so incredible... then...
  4. Why do we need Kamailio? and... More importantly...
  5. Not without problems. EVERYTHING HAS STRENGTHS & WEAKNESSES. Believe it or not... I'm a great guy, ...but I have a weight problem. Working on weakness creates strength to grow. Ever hear of Pozzolans? Lime is used in concrete. OK by itself... nothing special. Add Pozzolans... Increased strength / durability. Decreased weakness. Pozzolan Effect. Kamailio & Asterisk together work the same way.
  6. Want a B2BUA? Use Asterisk =) All of these are Asterisk.
  7. SIP version of "Do or Do Not. There is No Try." As most of you know... simple question, difficult answer.
  8. What you do with Asterisk affects call load, & hardware too of course. Some systems can run thousands of channels. Others may have difficulty with more than 400. Reduce Asterisk overhead. Focus on core strengths.
  9. Additional cps concerns. Flash Operator Panel? 20 cps. Fail2Ban? Affects cps greatly. Logging. Network (jitter, etc.). OS. 150 cps? Really depends on codecs, hardware, network. Max calls? 10,000? 100?
  10. On embedded systems, with limited resources: 100s cps. As stateless load balancer, >5000 call setups per second. 4GB memory, Kamailio can serve over 300k subscribers. System can easily scale adding more Kamailio servers. Kamailio LCR handles millions of routing rules (and that's the built-in modules). Even with just 1 Asterisk server (like above)... using Kamailio can increase user/call capacity.
  11. Load balancing is built into Kamailio. Makes n + 1 scaling simple.
  12. Drastically increase call load / capacity. Fault tolerant. Location failures. Can add more Kamailio boxes as well. You can group clusters by function / limits: Voicemail, IVR, Recordings, Conferences.
  13. You can set limits by box as well. This box can handle 100 calls at 2 cps. This box can handle 500 calls at 20 cps.
  14. Kamailio expands the security capabilities of Asterisk.
  15. Rejection of call attempts. Rejection of registration attempts. Brute force password attacks. Anyone been hit by a brute force attack from AWS? Thousands of attempts in a very short period of time.
  16. Current methods of handling happen after the attack. Take resources AWAY from call handling. Protects a single box.
  17. Kamailio is flexible. The way I handle security is different than Daniel or X person or Y. Different is good. You can learn something from EVERYONE. The best experts keep an open mind. “Good writers borrow, great writers steal” -- T. S. Eliot
  18. Built-in module PIKE helps detect flooding. Combine with HTABLES to block temporarily. RAM based. Very fast. Whitelist with PERMISSIONS module. Also stored in memory. Here we check if a non-whitelisted IP is blocked. If so, drop them (just ignore it). Not blocked, check if flooding... Yeah? Block em & drop em.
  19. Friendly Scanner? Drop & block. SQL injection? Drop & block. Most script kiddies use the reject messages. Now the real attack begins. Of course, different thoughts on this as well. Send 200 OK.
  20. Example of PIPELIMIT, which is a fast counter. Oh, this box currently is 5cps, move on. Oh look... a script kiddie.
  21. When we block an IP, it's blocked for everyone. Very scalable. We can also handle calls by ourselves. Presence. IM integration. Extension to extension calls. Strong community. Active mail list. Active IRC channel. Pretty friendly... be patient with language.