Kamailio combined with Asterisk creates an incredibly robust and durable VoIP framework. With scalability and security, adding Kamailio to an Asterisk deployment makes sense and saves money.
9. Typical Reasons to Implement Kamailio
● Scaling
– High Volume of Calls
– High Number of Users
● Security
● Load Balancing
● LCR (Least Cost Routing)
10. How many calls can Asterisk handle?
200 or 400. There is no 100.
11. Asterisk “Activities” Affect CPS/Load
● Music on Hold
● Codec Transcoding
● IVR Handling
● AGI Scripts
● Call Recording
● Queues
● Voicemail
13. Internet / PSTN
Kamailio
There must be a better way!
Kamailio:
– Authentication, NAT, Location, LCR, Registration, Extension to Extension calls, Security
Asterisk:
– Queues, Media, Call Processing, Voicemail, Conferences, etc.
18. Ever seen something like this?
[Oct 1 23:01:26] NOTICE[3063][C-00002d55] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!2#48' rejected because extension not found in context 'default'.
[Oct 1 23:01:26] NOTICE[3063][C-00002d56] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!' rejected because extension not found in context 'default'.
[Oct 1 23:01:26] NOTICE[3063][C-00002d57] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!' rejected because extension not found in context 'default'.
[Oct 1 23:01:26] NOTICE[3063][C-00002d58] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!' rejected because extension not found in context 'default'.
[Oct 1 23:01:26] NOTICE[3063][C-00002d59] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!' rejected because extension not found in context 'default'.
[Oct 1 23:01:26] NOTICE[3063][C-00002d5a] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!qaz' rejected because extension not found in context 'default'.
19. Asterisk Security Tools
● fail2ban
● custom script
● IPTABLES
● hardened dialplan
● Hardened sip.conf
● Log analyzers happen after the attack
● CPU/Memory resources
● Only protects single box
23. Handle Before Reaching Asterisk
[R-REQINIT:PIPELIMIT] invites to 192.168.101.21 exceeded 5cps
[R-REQINIT:PIPELIMIT] invites to 192.168.101.23 exceeded 5cps
[R-REQINIT:PIPELIMIT] invites to 192.168.101.22 exceeded 5cps
[R-REQINIT:ANTIFLOOD] script kiddies from IP:85.93.91.162:5063 - dropping and blocking
[R-REQINIT:ANTIFLOOD] script kiddies from IP:212.83.188.161:5068 - dropping and blocking
[R-REQINIT:ANTIFLOOD] script kiddies from IP:85.93.89.219:5066 - dropping and blocking
[R-REQINIT:ANTIFLOOD] script kiddies from IP:85.25.74.70:5150 - dropping and blocking
Fred Posner
VoIP Engineer/Consultant
LOD
The Palner Group
Started in 2003
Vonage Competitor
Broadsoft / Acme Packet
Switched to Asterisk / OpenSER
Beautiful Wife Yeni
Started Bearkery Bakery in 2010
Live in Florida
Big Fred Cookie
Asterisk GREAT PRODUCT
We're at Astricon after all
All features you'd ever want
Very customizable
Powerful
Open Source
Queues
Call Recording
Voicemail
IVR
AND SO MUCH MORE
If Asterisk is so incredible... then...
Why do we need Kamailio?
and... More importantly...
Not Without Problems
EVERYTHING HAS STRENGTHS & WEAKNESSES
Believe it or not... I'm a great guy,
...but I have a weight problem.
Working on weakness creates strength to grow.
Ever hear of Pozzolans?
Lime is used in concrete OK by itself... nothing special.
Add Pozzolans... Increased strength / durability
Decreased weakness
Pozzolan Effect
Kamailio & Asterisk together work the same way.
Want a B2BUA?
Use Asterisk =)
All of these are Asterisk
SIP Version of Do or Do Not. There is No Try.
As most of you know...
simple question
difficult answer
What you do with Asterisk affects call load
& hardware too of course
Some systems can run thousands of channels
Others may have difficulty with more than 400
Reduce Asterisk Overhead
Focus on core strengths
Additional cps concerns
Flash Operator Panel? 20 cps
Fail2Ban? Affects cps greatly
Logging
Network (jitter, etc.)
OS
150 cps?
Really depends on codecs, hardware, network
Max calls? 10,000? 100?
On embedded systems, with limited resources—100s cps
As stateless load balancer, >5000 call setups per second
4GB memory, Kamailio can serve over 300k subscribers
System can easily scale adding more Kamailio servers
Kamailio LCR handles millions of routing rules (and that's the built-in modules)
Even with just 1 Asterisk server (like above)...using Kamailio can increase user/call capacity
Load balancing is built into Kamailio
Makes n + 1 scaling simple
Drastically increase call load / capacity
Fault Tolerant
Location failures
Can add more Kamailio boxes as well.
You can group clusters by function / limits
Voicemail
IVR
Recordings
Conferences
You can set limits by box as well
This box can handle 100 calls at 2 cps
This box can handle 500 calls at 20 cps
Kamailio expands the security capabilities of Asterisk
Rejection of call attempts
Rejection of registration attempts
Brute force password attacks
Anyone been hit by a brute force attack from AWS?
Thousands of attempts in a very short period of time
Current methods of handling happen after the attack
Take resources AWAY from call handling
Protects a single box
Kamailio is flexible.
The way I handle security is different than Daniel or X person or Y.
Different is good.
You can learn something from EVERYONE
The best experts keep an open mind
“Good writers borrow, great writers steal” --T.S. Eliot
Built in module PIKE helps detect flooding
Combine with HTABLE to block temporarily
RAM based. Very fast.
White list with PERMISSIONS module
Also stored in memory
Here we check if a non-whitelisted IP is blocked
If so, drop them (just ignore it)
Not blocked, check if flooding...
Yeah? Block em & Drop em.
Friendly Scanner?
Drop & Block
SQL Injection?
Drop & Block
Most Script Kiddies use the reject messages
Now the real attack begins
Of course, different thoughts on this as well
Send 200 OK
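The drop-and-block flow described in these notes, written out as a Kamailio routing fragment. This is an added example, not the presenter's configuration; the thresholds, the ipban table name, the database URL and the injection pattern are assumptions.

```cfg
# Added example (not the presenter's config). Thresholds, the "ipban" table
# name, the DB URL and the injection pattern are assumptions.
loadmodule "db_mysql.so"
loadmodule "xlog.so"
loadmodule "pike.so"
loadmodule "htable.so"
loadmodule "permissions.so"

# PIKE: flag a source that sends more than 16 requests in a 2 second window
modparam("pike", "sampling_time_unit", 2)
modparam("pike", "reqs_density_per_unit", 16)
modparam("pike", "remove_latency", 4)
# HTABLE: RAM-only ban list, entries expire by themselves after 300 seconds
modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")
# PERMISSIONS: trusted peers come from the address table, cached in memory
modparam("permissions", "db_url", "mysql://kamailio:CHANGE_ME@localhost/kamailio")

request_route {
    route(REQINIT);
    # ... authentication, registration and dispatching to Asterisk follow ...
}

route[REQINIT] {
    # Local traffic and whitelisted peers (address group 1) skip the checks
    if (src_ip == myself || allow_source_address()) {
        return;
    }
    # Already banned: drop silently, so the sender gets no reply to learn from.
    # (Replying 200 OK instead is the other school of thought; needs the sl module.)
    if ($sht(ipban=>$si) != $null) {
        exit;
    }
    # Not banned: is this source flooding? If so, ban it and drop
    if (!pike_check_req()) {
        xlog("L_ALERT", "[R-REQINIT:ANTIFLOOD] flood from IP:$si:$sp - dropping and blocking\n");
        $sht(ipban=>$si) = 1;
        exit;
    }
    # Known scanner User-Agent: drop and block
    if ($ua =~ "friendly-scanner") {
        $sht(ipban=>$si) = 1;
        exit;
    }
    # SQL metacharacters in the auth username: drop and block
    if ($au != $null && $au =~ "[=#';]|--|%27|%24") {
        $sht(ipban=>$si) = 1;
        exit;
    }
}
```

The ban table lives in memory on the proxy, so one entry protects every Asterisk box behind it and ages out through autoexpire without any log analyzer involved.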
Example of PIPELIMIT which is a fast counter
Oh this box currently is 5cps, move on
Oh look... a script kiddie
When we block an IP, it's blocked for everyone
Very scalable.
We can also handle calls by ourselves
Presence
IM integration
Extension to Extension calls
Strong Community
Active mail list
Active IRC channel
Pretty friendly... be patient with language