Using Kamailio for Scalability and Security
Fred Posner, VoIP Engineer

LOD Communications • The Palner Group

@fredposner
What the what?
• Kah Mah Illie Oh

• Kah Mylie Oh

• Kamailio
Who am I?
• Fred Posner

• @fredposner

• VoIP Engineer

• Florida based

• Kamailio, Asterisk, and other Open Source projects
What is Kamailio?
• Open Source SIP Server

• Thousands of call setups per second

• GPL
What is Kamailio?
• SIP Proxy server

• SIP Registrar server

• SIP Location server

• SIP Application server

• SIP Dispatcher server

• SIP Websocket server
What isn’t Kamailio?
• SIP Phone

• Media Server

• B2BUA

Can you name an open source project that is all of these?
Why Kamailio?
• Fast

• Flexible

• Reliable
Key Features
• Modular

• Scalable and Flexible by design

• IPv4, IPv6

• TLS/TCP/UDP

• WebSocket

• NAT Traversal

• JSON, XMLRPC, HTTP APIs
• SQL & NOSQL

• Embedded Interpreters (Lua, Java, Perl, Python, more)

• Load Balancing

• LCR

• Asynchronous processing (TCP / TLS, SIP Routing), external API

• and mucho mucho mas
Modular Design
Most Common Deployment
Scalable Deployment
"There is no security on this earth. Only opportunity."
– Douglas MacArthur
The Problem
• Theft of Service

• Denial of Service

• High CPU / Memory / Bandwidth

• Phone Bill
Filter User Agent
# Variant 1: drop requests from known scanner user agents without replying
if (is_method("INVITE|REGISTER")) {
    if($ua =~ "(friendly-scanner|sipvicious)") {
        xlog("L_INFO","Script kiddie - bye\n");
        exit;
    }
}

# Variant 2: answer 200 OK before exiting, so a scanner on UDP stops
# retransmitting and learns nothing about which extensions exist
if (is_method("INVITE|REGISTER")) {
    if($ua =~ "(friendly-scanner|sipvicious)") {
        xlog("L_INFO","Script kiddie - bye\n");
        sl_send_reply("200","OK");
        exit;
    }
}
Core
# drop known scanners, logging source IP/port and User-Agent
if ($ua =~ "(friendly-scanner|sipvicious|sipcli)") {
    xlog("L_INFO","script kiddies from IP:$si:$sp - $ua\n");
    exit;
}
# - ignore requests with sql injection in the auth username
if($au =~ "(=)|(--)|(')|(#)|(%27)|(%24)" and $au != $null) {
    xlog("L_INFO","[R-REQINIT:$ci] sql injection from IP:$si:$sp - $au\n");
    exit;
}
# Max-Forwards: reject looping requests
if (!mf_process_maxfwd_header("10")) {
    xlog("L_INFO","[R-REQINIT:$ci] Too Many Hops (IP:$si:$sp)\n");
    sl_send_reply("483","Too Many Hops RI1");
    exit;
}
# answer OPTIONS pings addressed to the proxy itself
if(is_method("OPTIONS") && uri==myself && $rU==$null) {
    sl_send_reply("200","Thank you for flying Kamailio");
    exit;
}
# drop malformed messages before any routing logic runs
if(!sanity_check("1511", "7")) {
    xlog("L_INFO","Malformed SIP message from $si:$sp ru = $ru\n");
    exit;
}
PIKE
loadmodule "pike.so"
...
# ----- PIKE params -----
modparam("pike", "sampling_time_unit", 2)
modparam("pike", "reqs_density_per_unit", 24)
modparam("pike", "remove_latency", 4)
...
# check if flood settings hit (and block)
if (!pike_check_req()) {
    xlog("L_INFO","blocking $rm from $fu (IP:$si:$sp)\n");
    $sht(ipban=>$si) = 1;   # ipban htable, declared on the HTABLE slides
    sl_send_reply("200","OK");
    exit;
}
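As an added example (not from the slides), the Python below parses the xlog() lines the Core and PIKE checks above emit once they reach syslog, and counts per source IP how often each check fired; the log excerpt, host name and the ban threshold of 3 are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Each regex follows one xlog() format string from the route script on the slides
# (Core checks and the PIKE flood check). Named groups capture $si/$sp and the detail.
PATTERNS = {
    "scanner":   re.compile(r"script kiddies from IP:(?P<ip>[\d.]+):(?P<port>\d+) - (?P<detail>.*)$"),
    "sqli":      re.compile(r"\[R-REQINIT:(?P<callid>[^\]]+)\] sql injection from "
                            r"IP:(?P<ip>[\d.]+):(?P<port>\d+) - (?P<detail>.*)$"),
    "maxfwd":    re.compile(r"\[R-REQINIT:(?P<callid>[^\]]+)\] Too Many Hops "
                            r"\(IP:(?P<ip>[\d.]+):(?P<port>\d+)\)"),
    "malformed": re.compile(r"Malformed SIP message from (?P<ip>[\d.]+):(?P<port>\d+) ru = (?P<detail>.*)$"),
    "pike":      re.compile(r"blocking (?P<method>[A-Z]+) from (?P<detail>\S+) "
                            r"\(IP:(?P<ip>[\d.]+):(?P<port>\d+)\)"),
}

# Constructed syslog excerpt in the shape kamailio's xlog(L_INFO) produces.
SAMPLE_LOG = """\
Apr 22 10:15:01 sip1 kamailio[1234]: INFO: <script>: script kiddies from IP:203.0.113.7:5060 - friendly-scanner
Apr 22 10:15:01 sip1 kamailio[1234]: INFO: <script>: script kiddies from IP:203.0.113.7:5060 - sipcli/v1.8
Apr 22 10:15:02 sip1 kamailio[1234]: INFO: <script>: [R-REQINIT:a1b2c3@203.0.113.7] sql injection from IP:203.0.113.7:5060 - 1001'
Apr 22 10:15:03 sip1 kamailio[1234]: INFO: <script>: blocking INVITE from sip:100@198.51.100.20 (IP:198.51.100.20:5060)
Apr 22 10:15:04 sip1 kamailio[1234]: INFO: <script>: [R-REQINIT:z9@10.0.0.5] Too Many Hops (IP:10.0.0.5:5060)
Apr 22 10:15:05 sip1 kamailio[1234]: INFO: <script>: Malformed SIP message from 198.51.100.20:5060 ru = sip:alice@example.net
Apr 22 10:15:06 sip1 kamailio[1234]: INFO: <script>: OPTIONS ping from monitoring, nothing to see
"""


def parse_line(line):
    """Classify one log line; returns (category, fields) or None for unrelated lines."""
    for category, rx in PATTERNS.items():
        m = rx.search(line)
        if m:
            return category, m.groupdict()
    return None


def summarize(lines):
    """Per source IP, count how often each defensive check fired."""
    by_ip = defaultdict(Counter)
    for line in lines:
        hit = parse_line(line)
        if hit is not None:
            category, fields = hit
            by_ip[fields["ip"]][category] += 1
    return by_ip


def ban_candidates(by_ip, threshold=3):
    """IPs that tripped the checks at least `threshold` times (the cut-off is an assumption)."""
    return sorted(ip for ip, hits in by_ip.items() if sum(hits.values()) >= threshold)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for ip, hits in sorted(stats.items()):
        print(ip, dict(hits))
    print("ban candidates:", ban_candidates(stats))
```

The candidate list can be pushed into the ipban table used by the PIKE and HTABLE checks with kamcmd htable.seti ipban <ip> 1, where the autoexpire on the table ages the entry out again.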
HTABLE
"If you're not using HTABLE, you're doing something wrong."
– @miconda
HTABLE
• Hash Table Module

• Stored in shared memory

• Custom cache system

• Replication via DMQ
loadmodule "htable.so"
...
# ----- HTABLE params -----
# ip ban htable with autoexpire after 5 minutes
modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")
# per-IP REGISTER counter, starts at 0, entries expire after 3 minutes
modparam("htable", "htable", "regs=>size=8;initval=0;autoexpire=180;")
...
$sht(ipban=>$si) = 1;
$sht(regs=>$si) = $sht(regs=>$si) + 1;
HTABLE EXAMPLES
# already banned: swallow everything except REGISTER, which gets a 401
if($sht(ipban=>$si)!=$null) {
    if (!is_method("REGISTER")) {
        sl_send_reply("200","OK");
    } else {
        sl_send_reply("401","Unauthorized RQ");
    }
    exit;
}
...
# count REGISTERs per source IP and ban after more than 5,
# never banning the proxy's own addresses
$sht(regs=>$si) = $sht(regs=>$si) + 1;
if($sht(regs=>$si)>5) {
    xlog("L_INFO","more than 5 regs from $si\n");
    if(src_ip!=myself) {
        $sht(ipban=>$si) = 1;
    }
    send_reply(401, "Unauthorized AU");
    exit;
}
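An added Python model (not from the slides or from Kamailio itself) of the ipban/regs logic above, so the ban, the 200-versus-401 replies and the two autoexpire timers can be stepped through on constructed traffic; the addresses and timings are made up, the proxy's own address for src_ip==myself is assumed, and the regs counter is assumed to run in the REGISTER path.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Htable:
    """Model of one htable declaration: an item is $null until written and again
    once `autoexpire` seconds have passed since its last write (a write refreshes
    the timer, as the htable module does)."""
    autoexpire: int
    initval: Optional[int] = None                 # None: table declared without initval
    items: dict = field(default_factory=dict)     # key -> (value, time_written)

    def get(self, key, now):
        entry = self.items.get(key)
        if entry is not None and now - entry[1] < self.autoexpire:
            return entry[0]
        self.items.pop(key, None)                  # expired or never set
        return self.initval                        # $null, or initval if declared

    def set(self, key, value, now):
        self.items[key] = (value, now)


class RegisterBanPolicy:
    """The ipban / regs checks from the slides, keyed by source IP ($si)."""

    def __init__(self, myself):
        # modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")
        self.ipban = Htable(autoexpire=300)
        # modparam("htable", "htable", "regs=>size=8;initval=0;autoexpire=180;")
        self.regs = Htable(autoexpire=180, initval=0)
        self.myself = set(myself)                  # addresses where src_ip==myself (assumed)

    def handle(self, method, src_ip, now):
        """Return the reply the route script sends, or "RELAY" if the request goes on."""
        # if($sht(ipban=>$si)!=$null) { ... }
        if self.ipban.get(src_ip, now) is not None:
            if method != "REGISTER":
                return ("200", "OK")               # swallowed: the sender learns nothing
            return ("401", "Unauthorized RQ")
        if method == "REGISTER":                   # assumed: counter lives in the REGISTER path
            # $sht(regs=>$si) = $sht(regs=>$si) + 1;
            count = self.regs.get(src_ip, now) + 1
            self.regs.set(src_ip, count, now)
            if count > 5:
                if src_ip not in self.myself:      # if(src_ip!=myself) { $sht(ipban=>$si) = 1; }
                    self.ipban.set(src_ip, 1, now)
                return ("401", "Unauthorized AU")
        return "RELAY"


def brute_force_scenario():
    """Constructed traffic: six REGISTERs in six seconds from one host, then the ban ageing out."""
    policy = RegisterBanPolicy(myself={"192.0.2.10"})
    out = [policy.handle("REGISTER", "203.0.113.7", now=t) for t in range(6)]
    out.append(policy.handle("INVITE", "203.0.113.7", now=6))      # banned: swallowed with 200
    out.append(policy.handle("REGISTER", "203.0.113.7", now=7))    # banned: 401
    out.append(policy.handle("REGISTER", "203.0.113.7", now=306))  # ban (set at t=5) and counter expired
    return out


def steady_phone_scenario(interval=60):
    """Edge case: a legitimate phone re-registering every `interval` seconds. Each REGISTER
    rewrites the counter and so refreshes its 180 s expiry, so with a 60 s interval the
    counter never clears and the sixth REGISTER is rejected. Reset or skip the counter on
    successful authentication, or keep autoexpire below the re-registration interval."""
    policy = RegisterBanPolicy(myself={"192.0.2.10"})
    return [policy.handle("REGISTER", "198.51.100.20", now=i * interval) for i in range(6)]


if __name__ == "__main__":
    print(brute_force_scenario())
    print(steady_phone_scenario())
```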
RATELIMIT
PIPELIMIT
loadmodule "pipelimit.so"
...
# ----- PIPELIMIT params -----
modparam("pipelimit", "reply_code", 503)
modparam("pipelimit", "reply_reason", "You are doing too much.")
modparam("pipelimit", "timer_interval", PIPESECONDS)
...
# limit every IP to 3 registrations per second
# (PIPESECONDS is the timer interval in seconds, defined elsewhere in the config)
$var(plreglimit) = 3 * PIPESECONDS;
if (!pl_check("$si", "TAILDROP", "$var(plreglimit)")) {
    xlog("L_INFO","regs per sec exceeded $var(plreglimit)\n");
    pl_drop("PIPESECONDS");
    exit;
}
PERMISSIONS
loadmodule "permissions.so"
...
# ----- PERMISSIONS params -----
modparam("permissions", "db_url", DBURL)
modparam("permissions", "db_mode", 1)
...
# only allow group 688 (address table) to make OUTbound calls
if(!allow_source_address("688")) {
    # block unauthorized sources sending 2 cps or more
    $var(plreglimit) = 2 * PIPESECONDS;
    if (!pl_check("$si", "TAILDROP", "$var(plreglimit)")) {
        xlog("L_INFO","[R-PSTN:$ci]: Unauth outbound exceeded $var(plreglimit)\n");
        route(KILL);   # KILL route is defined elsewhere in the config (not on this slide)
    }
    sl_send_reply("403","Not relaying PSTN1");
    exit;
}

TLS
loadmodule "tls.so"
...
# ----- tls params -----
modparam("tls", "config", "/usr/local/etc/kamailio/tls.cfg")
...
# /usr/local/etc/kamailio/tls.cfg
[server:default]
# TLSv1 selects TLS 1.0 only; the tls module also accepts values such as
# TLSv1.2+ to allow TLS 1.2 and newer
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = /usr/local/etc/kamailio/privkey1.pem
certificate = /usr/local/etc/kamailio/fullchain1.pem
...
# kamailio.cfg: TLS listener, advertising the public address to clients behind NAT
listen=tls:192.168.25.31:5061 advertise PUBLICIP:5061 #-- TLS Socket
enable_tls = yes
TOPOH / TOPOS
loadmodule "topoh.so"
...
# ----- TOPOH params -----
# secret used to encode the hidden Via/Route/Contact data; use a site-specific value
modparam("topoh", "mask_key", "LetsMakeAPassword")
modparam("topoh", "mask_ip", "127.0.0.8")
modparam("topoh", "mask_callid", 1)
modparam("topoh", "uparam_name", "line")
modparam("topoh", "uparam_prefix", "sr-")
modparam("topoh", "vparam_name", "branch")
modparam("topoh", "vparam_prefix", "z9hG4bKsr-")
modparam("topoh", "callid_prefix", "!!:")
modparam("topoh", "sanity_checks", 1)
...
SIP Edge Proxy - "SBC"
• Since 2001

• NAT

• RTP Proxy (rtpproxy/rtpengine)

• TOPOH Module (topology hiding)

• Accounting
Scale SIP/RTC
• Load Balancing

• Dispatcher Module

• Various Algorithms

• Node monitoring

• Re-route of failures
Scaled Deployment
(diagram: Voicemail, Queue and PSTN nodes behind the proxy)
DISPATCHER
loadmodule "dispatcher.so"
...
# ----- dispatcher params -----
modparam("dispatcher", "db_url", DBURL)
modparam("dispatcher", "table_name", "dispatcher")
modparam("dispatcher", "flags", 2)
modparam("dispatcher", "dst_avp", "$avp(dsdst)")
modparam("dispatcher", "grp_avp", "$avp(dsgrp)")
modparam("dispatcher", "cnt_avp", "$avp(dscnt)")
modparam("dispatcher", "dstid_avp", "$avp(dsdstid)")
modparam("dispatcher", "sock_avp", "$avp(dssocket)")
modparam("dispatcher", "attrs_avp", "$avp(dsattrs)")
modparam("dispatcher", "ds_hash_size", 3)
modparam("dispatcher", "force_dst", 1)
# OPTIONS pings every 20s; a node is marked inactive after 2 failed pings
modparam("dispatcher", "ds_ping_interval", 20)
modparam("dispatcher", "ds_ping_from", "sip:pinger@YOURDOMAIN")
modparam("dispatcher", "ds_probing_mode", 2)
modparam("dispatcher", "ds_probing_threshold", 2)
# reply codes that count as "node alive"
modparam("dispatcher", "ds_ping_reply_codes", "class=2;code=480;code=404")
...
# pick a destination from the set in $avp(dispset); fail the call if none is active
if(!ds_select_dst("$avp(dispset)", "8")) {
    xlog("L_INFO","No destination available for set $avp(dispset) - send 404.\n");
    send_reply("404", "No destination PSTN2");
    exit;
}
REGISTRAR
REGISTRAR
• Offload registrations from
Asterisk

• MySQL, LDAP, etc.

• Mid-registrar services
Mid-Registrar
• since 2010

• https://www.kamailio.org/docs/modules/stable/modules/uac.html

• remote registrar even handles R-URI modifications

# if $rU is an account registered remotely through the uac module,
# rewrite $ru to the local user before the location lookup
if(uac_reg_lookup("$rU", "$ru")) {
    xlog("request from a remote SIP provider [$ou => $ru]\n");
}
lookup("location");
API Routing
• http_client / http_async_client

• evapi
  http://kamailio.org/docs/modules/stable/modules/evapi.html

• rtjson
  http://kamailio.org/docs/modules/stable/modules/rtjson.html

• nodejs
It’s About Power
• Flexibility in language, protocol,
format, and controllers

• Lua, Python, JavaScript, Perl,
Squirrel, etc

• HTTP, RPC, EVAPI, SIP, etc

• XML, JSON, custom

• node+js, SQL, php, Custom
apps, etc

• Power to Scale
See you in Berlin!
kamailioworld.com

kamailio.org
Ask a good
question…


Get a cookie.
Fred Posner

@fredposner

qxork.com

More Related Content

What's hot

rtpengine - Media Relaying and Beyond
rtpengine - Media Relaying and Beyondrtpengine - Media Relaying and Beyond
rtpengine - Media Relaying and BeyondAndreas Granig
 
Three Ways Kamailio Can Help Your FreeSWITCH Deployment
Three Ways Kamailio Can Help Your FreeSWITCH DeploymentThree Ways Kamailio Can Help Your FreeSWITCH Deployment
Three Ways Kamailio Can Help Your FreeSWITCH DeploymentFred Posner
 
Kamailio, FreeSWITCH, and You
Kamailio, FreeSWITCH, and YouKamailio, FreeSWITCH, and You
Kamailio, FreeSWITCH, and YouFred Posner
 
Introduction to Kamailio (TADSummit 2020 Asia)
Introduction to Kamailio (TADSummit 2020 Asia)Introduction to Kamailio (TADSummit 2020 Asia)
Introduction to Kamailio (TADSummit 2020 Asia)Fred Posner
 
rtpengine and kamailio - or how to simulate calls at scale
rtpengine and kamailio - or how to simulate calls at scalertpengine and kamailio - or how to simulate calls at scale
rtpengine and kamailio - or how to simulate calls at scaleAndreas Granig
 
Kamailio with Docker and Kubernetes
Kamailio with Docker and KubernetesKamailio with Docker and Kubernetes
Kamailio with Docker and KubernetesPaolo Visintin
 
Aynchronous Processing in Kamailio Configuration File
Aynchronous Processing in Kamailio Configuration FileAynchronous Processing in Kamailio Configuration File
Aynchronous Processing in Kamailio Configuration FileDaniel-Constantin Mierla
 
Kamailio, FreeSWITCH, and the Half-Blood Prince
Kamailio, FreeSWITCH, and the Half-Blood PrinceKamailio, FreeSWITCH, and the Half-Blood Prince
Kamailio, FreeSWITCH, and the Half-Blood PrinceFred Posner
 
Why is Kamailio so different? An introduction.
Why is Kamailio so different? An introduction.Why is Kamailio so different? An introduction.
Why is Kamailio so different? An introduction.Olle E Johansson
 
Kamailio - SIP Firewall for Carrier Grade Traffic
Kamailio - SIP Firewall for Carrier Grade TrafficKamailio - SIP Firewall for Carrier Grade Traffic
Kamailio - SIP Firewall for Carrier Grade TrafficDaniel-Constantin Mierla
 
SIPREC RTPEngine Media Forking
SIPREC RTPEngine Media ForkingSIPREC RTPEngine Media Forking
SIPREC RTPEngine Media ForkingHossein Yavari
 
Asterisk, HTML5 and NodeJS; a world of endless possibilities
Asterisk, HTML5 and NodeJS; a world of endless possibilitiesAsterisk, HTML5 and NodeJS; a world of endless possibilities
Asterisk, HTML5 and NodeJS; a world of endless possibilitiesDan Jenkins
 
Media Handling in FreeSWITCH
Media Handling in FreeSWITCHMedia Handling in FreeSWITCH
Media Handling in FreeSWITCHMoises Silva
 
FreeSWITCH as a Kickass SBC
FreeSWITCH as a Kickass SBCFreeSWITCH as a Kickass SBC
FreeSWITCH as a Kickass SBCMoises Silva
 
Session Border Controllers - Top 10 FAQ
Session Border Controllers - Top 10 FAQSession Border Controllers - Top 10 FAQ
Session Border Controllers - Top 10 FAQAlan Percy
 
SIP & TLS - Security in a peer to peer world
SIP & TLS - Security in a peer to peer worldSIP & TLS - Security in a peer to peer world
SIP & TLS - Security in a peer to peer worldOlle E Johansson
 

What's hot (20)

rtpengine - Media Relaying and Beyond
rtpengine - Media Relaying and Beyondrtpengine - Media Relaying and Beyond
rtpengine - Media Relaying and Beyond
 
Three Ways Kamailio Can Help Your FreeSWITCH Deployment
Three Ways Kamailio Can Help Your FreeSWITCH DeploymentThree Ways Kamailio Can Help Your FreeSWITCH Deployment
Three Ways Kamailio Can Help Your FreeSWITCH Deployment
 
Kamailio - SIP Routing in Lua
Kamailio - SIP Routing in LuaKamailio - SIP Routing in Lua
Kamailio - SIP Routing in Lua
 
Kamailio, FreeSWITCH, and You
Kamailio, FreeSWITCH, and YouKamailio, FreeSWITCH, and You
Kamailio, FreeSWITCH, and You
 
Introduction to Kamailio (TADSummit 2020 Asia)
Introduction to Kamailio (TADSummit 2020 Asia)Introduction to Kamailio (TADSummit 2020 Asia)
Introduction to Kamailio (TADSummit 2020 Asia)
 
Kamailio on Docker
Kamailio on DockerKamailio on Docker
Kamailio on Docker
 
rtpengine and kamailio - or how to simulate calls at scale
rtpengine and kamailio - or how to simulate calls at scalertpengine and kamailio - or how to simulate calls at scale
rtpengine and kamailio - or how to simulate calls at scale
 
Sipwise rtpengine
Sipwise rtpengineSipwise rtpengine
Sipwise rtpengine
 
Kamailio with Docker and Kubernetes
Kamailio with Docker and KubernetesKamailio with Docker and Kubernetes
Kamailio with Docker and Kubernetes
 
Aynchronous Processing in Kamailio Configuration File
Aynchronous Processing in Kamailio Configuration FileAynchronous Processing in Kamailio Configuration File
Aynchronous Processing in Kamailio Configuration File
 
Kamailio, FreeSWITCH, and the Half-Blood Prince
Kamailio, FreeSWITCH, and the Half-Blood PrinceKamailio, FreeSWITCH, and the Half-Blood Prince
Kamailio, FreeSWITCH, and the Half-Blood Prince
 
Why is Kamailio so different? An introduction.
Why is Kamailio so different? An introduction.Why is Kamailio so different? An introduction.
Why is Kamailio so different? An introduction.
 
Kamailio - SIP Firewall for Carrier Grade Traffic
Kamailio - SIP Firewall for Carrier Grade TrafficKamailio - SIP Firewall for Carrier Grade Traffic
Kamailio - SIP Firewall for Carrier Grade Traffic
 
Astricon 10 (October 2013) - SIP over WebSocket on Kamailio
Astricon 10 (October 2013) - SIP over WebSocket on KamailioAstricon 10 (October 2013) - SIP over WebSocket on Kamailio
Astricon 10 (October 2013) - SIP over WebSocket on Kamailio
 
SIPREC RTPEngine Media Forking
SIPREC RTPEngine Media ForkingSIPREC RTPEngine Media Forking
SIPREC RTPEngine Media Forking
 
Asterisk, HTML5 and NodeJS; a world of endless possibilities
Asterisk, HTML5 and NodeJS; a world of endless possibilitiesAsterisk, HTML5 and NodeJS; a world of endless possibilities
Asterisk, HTML5 and NodeJS; a world of endless possibilities
 
Media Handling in FreeSWITCH
Media Handling in FreeSWITCHMedia Handling in FreeSWITCH
Media Handling in FreeSWITCH
 
FreeSWITCH as a Kickass SBC
FreeSWITCH as a Kickass SBCFreeSWITCH as a Kickass SBC
FreeSWITCH as a Kickass SBC
 
Session Border Controllers - Top 10 FAQ
Session Border Controllers - Top 10 FAQSession Border Controllers - Top 10 FAQ
Session Border Controllers - Top 10 FAQ
 
SIP & TLS - Security in a peer to peer world
SIP & TLS - Security in a peer to peer worldSIP & TLS - Security in a peer to peer world
SIP & TLS - Security in a peer to peer world
 

Similar to Using Kamailio for Scalability and Security

Kamailio and VoIP Wild World
Kamailio and VoIP Wild WorldKamailio and VoIP Wild World
Kamailio and VoIP Wild World2600Hz
 
FOSDEM 2017 - RTC Services With Lua and Kamailio
FOSDEM 2017 - RTC Services With Lua and KamailioFOSDEM 2017 - RTC Services With Lua and Kamailio
FOSDEM 2017 - RTC Services With Lua and KamailioDaniel-Constantin Mierla
 
Kamailio - Surfing Big Waves Of SIP With Style
Kamailio - Surfing Big Waves Of SIP With StyleKamailio - Surfing Big Waves Of SIP With Style
Kamailio - Surfing Big Waves Of SIP With StyleDaniel-Constantin Mierla
 
East Bay Ruby Tropo presentation
East Bay Ruby Tropo presentationEast Bay Ruby Tropo presentation
East Bay Ruby Tropo presentationAdam Kalsey
 
Kamailioworld 2018 - Modular and test driven SIP Routing with Lua
Kamailioworld 2018 - Modular and test driven SIP Routing with LuaKamailioworld 2018 - Modular and test driven SIP Routing with Lua
Kamailioworld 2018 - Modular and test driven SIP Routing with LuaSebastian Damm
 
Fun with exploits old and new
Fun with exploits old and newFun with exploits old and new
Fun with exploits old and newLarry Cashdollar
 
Next Generation DevOps in Drupal: DrupalCamp London 2014
Next Generation DevOps in Drupal: DrupalCamp London 2014Next Generation DevOps in Drupal: DrupalCamp London 2014
Next Generation DevOps in Drupal: DrupalCamp London 2014Barney Hanlon
 
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiInSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiYossi Sassi
 
OSMC 2014: Monitoring VoIP Systems | Sebastian Damm
OSMC 2014: Monitoring VoIP Systems | Sebastian DammOSMC 2014: Monitoring VoIP Systems | Sebastian Damm
OSMC 2014: Monitoring VoIP Systems | Sebastian DammNETWAYS
 
Monitoring VoIP Systems
Monitoring VoIP SystemsMonitoring VoIP Systems
Monitoring VoIP Systemssipgate
 
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...CODE BLUE
 
Learning the basics of Apache NiFi for iot OSS Europe 2020
Learning the basics of Apache NiFi for iot OSS Europe 2020Learning the basics of Apache NiFi for iot OSS Europe 2020
Learning the basics of Apache NiFi for iot OSS Europe 2020Timothy Spann
 
How to build a High Performance PSGI/Plack Server
How to build a High Performance PSGI/Plack Server How to build a High Performance PSGI/Plack Server
How to build a High Performance PSGI/Plack Server Masahiro Nagano
 
Designing High Performance RTC Signaling Servers
Designing High Performance RTC Signaling ServersDesigning High Performance RTC Signaling Servers
Designing High Performance RTC Signaling ServersDaniel-Constantin Mierla
 
Ingesting hdfs intosolrusingsparktrimmed
Ingesting hdfs intosolrusingsparktrimmedIngesting hdfs intosolrusingsparktrimmed
Ingesting hdfs intosolrusingsparktrimmedwhoschek
 
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...sonjeku1
 
Secure .NET programming
Secure .NET programmingSecure .NET programming
Secure .NET programmingAnte Gulam
 

Similar to Using Kamailio for Scalability and Security (20)

Kamailio and VoIP Wild World
Kamailio and VoIP Wild WorldKamailio and VoIP Wild World
Kamailio and VoIP Wild World
 
Kamailio and VoIP Wild World
Kamailio and VoIP Wild WorldKamailio and VoIP Wild World
Kamailio and VoIP Wild World
 
FOSDEM 2017 - RTC Services With Lua and Kamailio
FOSDEM 2017 - RTC Services With Lua and KamailioFOSDEM 2017 - RTC Services With Lua and Kamailio
FOSDEM 2017 - RTC Services With Lua and Kamailio
 
Kamailio - Surfing Big Waves Of SIP With Style
Kamailio - Surfing Big Waves Of SIP With StyleKamailio - Surfing Big Waves Of SIP With Style
Kamailio - Surfing Big Waves Of SIP With Style
 
Kamailio - SIP Servers Everywhere
Kamailio - SIP Servers EverywhereKamailio - SIP Servers Everywhere
Kamailio - SIP Servers Everywhere
 
East Bay Ruby Tropo presentation
East Bay Ruby Tropo presentationEast Bay Ruby Tropo presentation
East Bay Ruby Tropo presentation
 
Kamailioworld 2018 - Modular and test driven SIP Routing with Lua
Kamailioworld 2018 - Modular and test driven SIP Routing with LuaKamailioworld 2018 - Modular and test driven SIP Routing with Lua
Kamailioworld 2018 - Modular and test driven SIP Routing with Lua
 
Fun with exploits old and new
Fun with exploits old and newFun with exploits old and new
Fun with exploits old and new
 
Next Generation DevOps in Drupal: DrupalCamp London 2014
Next Generation DevOps in Drupal: DrupalCamp London 2014Next Generation DevOps in Drupal: DrupalCamp London 2014
Next Generation DevOps in Drupal: DrupalCamp London 2014
 
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiInSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
 
OSMC 2014: Monitoring VoIP Systems | Sebastian Damm
OSMC 2014: Monitoring VoIP Systems | Sebastian DammOSMC 2014: Monitoring VoIP Systems | Sebastian Damm
OSMC 2014: Monitoring VoIP Systems | Sebastian Damm
 
Monitoring VoIP Systems
Monitoring VoIP SystemsMonitoring VoIP Systems
Monitoring VoIP Systems
 
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
 
Learning the basics of Apache NiFi for iot OSS Europe 2020
Learning the basics of Apache NiFi for iot OSS Europe 2020Learning the basics of Apache NiFi for iot OSS Europe 2020
Learning the basics of Apache NiFi for iot OSS Europe 2020
 
How to build a High Performance PSGI/Plack Server
How to build a High Performance PSGI/Plack Server How to build a High Performance PSGI/Plack Server
How to build a High Performance PSGI/Plack Server
 
Designing High Performance RTC Signaling Servers
Designing High Performance RTC Signaling ServersDesigning High Performance RTC Signaling Servers
Designing High Performance RTC Signaling Servers
 
Ingesting hdfs intosolrusingsparktrimmed
Ingesting hdfs intosolrusingsparktrimmedIngesting hdfs intosolrusingsparktrimmed
Ingesting hdfs intosolrusingsparktrimmed
 
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
 
Secure .NET programming
Secure .NET programmingSecure .NET programming
Secure .NET programming
 
Kamailio Updates - VUC 588
Kamailio Updates - VUC 588Kamailio Updates - VUC 588
Kamailio Updates - VUC 588
 

More from Fred Posner

Security Asterisk or FreePBX with APIBAN
Security Asterisk or FreePBX with APIBANSecurity Asterisk or FreePBX with APIBAN
Security Asterisk or FreePBX with APIBANFred Posner
 
Kamalio and Asterisk: What, Why & How
Kamalio and Asterisk: What, Why & HowKamalio and Asterisk: What, Why & How
Kamalio and Asterisk: What, Why & HowFred Posner
 
Protect Kamailio Against DoS Attacks With APIBan
Protect Kamailio Against DoS Attacks With APIBanProtect Kamailio Against DoS Attacks With APIBan
Protect Kamailio Against DoS Attacks With APIBanFred Posner
 
CommCon 2020: Kamailio for RTC Stability, Scaling, and Security
CommCon 2020: Kamailio for RTC Stability, Scaling, and SecurityCommCon 2020: Kamailio for RTC Stability, Scaling, and Security
CommCon 2020: Kamailio for RTC Stability, Scaling, and SecurityFred Posner
 
Three Ways Kamailio Can Help Your Asterisk Deployment
Three Ways Kamailio Can Help Your Asterisk DeploymentThree Ways Kamailio Can Help Your Asterisk Deployment
Three Ways Kamailio Can Help Your Asterisk DeploymentFred Posner
 
Advanced SIP: Communicating with Humans (Kamailio World 2019)
Advanced SIP: Communicating with Humans (Kamailio World 2019)Advanced SIP: Communicating with Humans (Kamailio World 2019)
Advanced SIP: Communicating with Humans (Kamailio World 2019)Fred Posner
 

More from Fred Posner (6)

Security Asterisk or FreePBX with APIBAN
Security Asterisk or FreePBX with APIBANSecurity Asterisk or FreePBX with APIBAN
Security Asterisk or FreePBX with APIBAN
 
Kamalio and Asterisk: What, Why & How
Kamalio and Asterisk: What, Why & HowKamalio and Asterisk: What, Why & How
Kamalio and Asterisk: What, Why & How
 
Protect Kamailio Against DoS Attacks With APIBan
Protect Kamailio Against DoS Attacks With APIBanProtect Kamailio Against DoS Attacks With APIBan
Protect Kamailio Against DoS Attacks With APIBan
 
CommCon 2020: Kamailio for RTC Stability, Scaling, and Security
CommCon 2020: Kamailio for RTC Stability, Scaling, and SecurityCommCon 2020: Kamailio for RTC Stability, Scaling, and Security
CommCon 2020: Kamailio for RTC Stability, Scaling, and Security
 
Three Ways Kamailio Can Help Your Asterisk Deployment
Three Ways Kamailio Can Help Your Asterisk DeploymentThree Ways Kamailio Can Help Your Asterisk Deployment
Three Ways Kamailio Can Help Your Asterisk Deployment
 
Advanced SIP: Communicating with Humans (Kamailio World 2019)
Advanced SIP: Communicating with Humans (Kamailio World 2019)Advanced SIP: Communicating with Humans (Kamailio World 2019)
Advanced SIP: Communicating with Humans (Kamailio World 2019)
 

Recently uploaded

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsAndrey Dotsenko
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 

Recently uploaded (20)

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 

Using Kamailio for Scalability and Security

  • 1. Using Kamailio for Scalability and Security Fred Posner, VoIP Engineer LOD Communications • The Palner Group @fredposner
  • 2. What the what? • Kah Mah Illie Oh • Kah Mylie Oh • Kamailio
  • 3. Who am I? • Fred Posner • @fredposner • VoIP Engineer • Florida based • Kamailio, Asterisk, and other Open Source projects
  • 4. What is Kamailio? • Open Source SIP Server • Thousands of call setups per second • GPL
  • 5. What is Kamailio? • SIP Proxy server • SIP Registrar server • SIP Location server • SIP Application server • SIP Dispatcher server • SIP Websocket server
  • 6. What isn’t Kamailio? • SIP Phone • Media Server • B2BUA Can you name an open source project that is all of these?
  • 7.
  • 8. Why Kamailio? • Fast • Flexible • Reliable
  • 9. Key Features • Modular • Scalability and Flexible by design • IPv4, IPv6 • TLS/TCP/UDP • WebSocket • NAT Traversal • JSON, XMLRPC, HTTP APIs • SQL & NOSQL • Embedded Interpreters (Lua, Java, Perl, Python, more) • Load Balancing • LCR • Asynchronous processing (TCP / TLS, SIP Routing), external API • and mucho mucho mas
  • 13. –Douglas MacArthur “There is no security on this earth. Only opportunity.”
  • 14.
  • 15. The Problem • Theft of Service • Denial of Service • High CPU / Memory / Bandwidth • Phone Bill
  • 16. Filter User Agent
    if (is_method("INVITE|REGISTER")) {
        if($ua =~ "(friendly-scanner|sipvicious)") {
            xlog("L_INFO","Script kiddie - bye");
            exit;
        }
    }
    Dropping the request silently works; answering 200 OK first makes every probe look successful, so the scanner learns nothing from the replies:
    if (is_method("INVITE|REGISTER")) {
        if($ua =~ "(friendly-scanner|sipvicious)") {
            xlog("L_INFO","Script kiddie - bye");
            sl_send_reply("200","OK");
            exit;
        }
    }
  • 17. Core
  • 18. if ($ua =~ "(friendly-scanner|sipvicious|sipcli)") {
        xlog("L_INFO","script kiddies from IP:$si:$sp - $ua\n");
        exit;
    }
    # - ignore requests with sql injection in the auth username
    if($au =~ "(=)|(--)|(')|(#)|(%27)|(%24)" and $au != $null) {
        xlog("L_INFO","[R-REQINIT:$ci] sql injection from IP:$si:$sp - $au\n");
        exit;
    }
    if (!mf_process_maxfwd_header("10")) {
        xlog("L_INFO","[R-REQINIT:$ci] Too Many Hops (IP:$si:$sp)\n");
        sl_send_reply("483","Too Many Hops RI1");
        exit;
    }
    if(is_method("OPTIONS") && uri==myself && $rU==$null) {
        sl_send_reply("200","Thank you for flying Kamailio");
        exit;
    }
    # sanity module: first argument selects the message checks, second the URI checks
    if(!sanity_check("1511", "7")) {
        xlog("L_INFO","Malformed SIP message from $si:$sp ru = $ru\n");
        exit;
    }
  • 19. PIKE
  • 20. loadmodule "pike.so"
    ...
    # ----- PIKE params -----
    # more than 24 requests from one IP inside a 2 second sampling unit trips the check;
    # the IP stays in pike's list for 4 seconds after its last request
    modparam("pike", "sampling_time_unit", 2)
    modparam("pike", "reqs_density_per_unit", 24)
    modparam("pike", "remove_latency", 4)
    ...
    # check if flood settings hit (and block)
    if (!pike_check_req()) {
        xlog("L_INFO","blocking $rm from $fu (IP:$si:$sp)\n");
        $sht(ipban=>$si) = 1;
        sl_send_reply("200","OK");
        exit;
    }
  • 22. –@miconda “If you’re not using HTABLE, you’re doing something wrong.”
  • 23. HTABLE • Hash Table Module • Stored in shared memory • Custom cache system • Replication via DMQ
  • 24. loadmodule "htable.so"
    ...
    # ----- HTABLE params -----
    # ip ban htable with autoexpire after 5 minutes
    modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")
    # per-IP registration counter, starts at 0, forgotten after 3 minutes
    modparam("htable", "htable", "regs=>size=8;initval=0;autoexpire=180;")
    ...
    $sht(ipban=>$si) = 1;
    $sht(regs=>$si) = $sht(regs=>$si) + 1;
  • 25. HTABLE EXAMPLES
    if($sht(ipban=>$si)!=$null) {
        if (!is_method("REGISTER")) {
            sl_send_reply("200","OK");
        } else {
            sl_send_reply("401","Unauthorized RQ");
        }
        exit;
    }
    ...
    $sht(regs=>$si) = $sht(regs=>$si) + 1;
    if($sht(regs=>$si)>5) {
        xlog("L_INFO","more than 5 regs from $si\n");
        if(src_ip!=myself) {
            $sht(ipban=>$si) = 1;
        }
        send_reply(401, "Unauthorized AU");
        exit;
    }
  • 27. loadmodule "pipelimit.so"
    ...
    # ----- PIPELIMIT params -----
    # PIPESECONDS is a #!define not shown on the slide; limits below are per timer interval
    modparam("pipelimit", "reply_code", 503)
    modparam("pipelimit", "reply_reason", "You are doing too much.")
    modparam("pipelimit", "timer_interval", PIPESECONDS)
    ...
    # limit all IP to registrations of 3 per sec
    $var(plreglimit) = 3 * PIPESECONDS;
    if (!pl_check("$si", "TAILDROP", "$var(plreglimit)")) {
        xlog("L_INFO","regs per sec exceeded $var(plreglimit)\n");
        pl_drop("PIPESECONDS");
        exit;
    }
  • 29. loadmodule "permissions.so"
    ...
    # ----- PERMISSIONS params -----
    # db_mode 1: address table cached in memory, reload with kamcmd permissions.addressReload
    modparam("permissions", "db_url", DBURL)
    modparam("permissions", "db_mode", 1)
    ...
    # only allow group 688 to make OUTbound calls
    if(!allow_source_address("688")) {
        # block unauth accessing 2cps or higher
        $var(plreglimit) = 2 * PIPESECONDS;
        if (!pl_check("$si", "TAILDROP", "$var(plreglimit)")) {
            xlog("L_INFO","[R-PSTN:$ci]: Unauth outbound exceeded $var(plreglimit)\n");
            route(KILL);
        }
        sl_send_reply("403","Not relaying PSTN1");
        exit;
    }
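The checks from slides 16 through 29, together with the REGISTER handling the registrar slides rely on, wired into one request_route in the order that keeps the cheapest checks first. This is an added example, not code from the deck or from the Kamailio project. It assumes the loadmodule and modparam lines shown on the slides (htables ipban and regs, pike, pipelimit, permissions group 688) plus the auth_db, registrar, tm and sl modules; the value of the PIPESECONDS define, which the deck uses without showing; and a body for route(KILL), which slide 29 calls but never shows. One deliberate change from slide 25: the regs counter here counts failed authentications rather than every REGISTER, so a phone that re-registers often with good credentials is never banned.

```kamailio
# assumed value; the deck uses the define but never shows it
#!define PIPESECONDS 10

request_route {
    route(REQINIT);                       # cheapest checks first; abusers never get further
    if (is_method("REGISTER")) {
        route(REGISTRAR);
        exit;
    }
    if (is_method("INVITE") && !has_totag()) {
        route(PSTN);                      # new call: may this source send to the carrier?
    }
    # in-dialog handling (record_route/loose_route) is omitted here on purpose
    if (!t_relay()) {
        sl_reply_error();
    }
    exit;
}

route[REQINIT] {
    # 1. one shared-memory lookup before parsing anything: already banned?
    if ($sht(ipban=>$si) != $null) {
        if (!is_method("REGISTER")) {
            sl_send_reply("200", "OK");
        } else {
            sl_send_reply("401", "Unauthorized RQ");
        }
        exit;
    }
    # 2. flood: more than 24 requests from one IP inside a 2s sampling unit
    if (!pike_check_req()) {
        xlog("L_INFO", "blocking $rm from $fu (IP:$si:$sp)\n");
        route(KILL);
    }
    # 3. scanner user agents and injection attempts in the auth username
    if ($ua =~ "(friendly-scanner|sipvicious|sipcli)") {
        xlog("L_INFO", "script kiddies from IP:$si:$sp - $ua\n");
        route(KILL);
    }
    if ($au != $null && $au =~ "(=)|(--)|(')|(#)|(%27)|(%24)") {
        xlog("L_INFO", "[R-REQINIT:$ci] sql injection from IP:$si:$sp - $au\n");
        route(KILL);
    }
    # 4. protocol sanity
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483", "Too Many Hops RI1");
        exit;
    }
    if (!sanity_check("1511", "7")) {
        xlog("L_INFO", "Malformed SIP message from $si:$sp ru = $ru\n");
        exit;
    }
    # 5. per-IP REGISTER rate: 3 per second, measured over PIPESECONDS
    if (is_method("REGISTER")) {
        $var(plreglimit) = 3 * PIPESECONDS;
        if (!pl_check("$si", "TAILDROP", "$var(plreglimit)")) {
            xlog("L_INFO", "regs per sec exceeded $var(plreglimit) from $si\n");
            pl_drop();                    # 503 with the configured reply_reason
            exit;
        }
    }
}

# ban the source until the ipban htable expires it (300s) and answer 200 OK,
# so a scanner believes it succeeded and has nothing left to look for
route[KILL] {
    if (src_ip != myself) {
        $sht(ipban=>$si) = 1;
    }
    sl_send_reply("200", "OK");
    exit;
}

route[REGISTRAR] {
    if (!auth_check("$fd", "subscriber", "1")) {
        $sht(regs=>$si) = $sht(regs=>$si) + 1;   # the regs htable forgets this after 180s
        if ($sht(regs=>$si) > 5) {
            xlog("L_INFO", "more than 5 failed regs from $si\n");
            route(KILL);
        }
        auth_challenge("$fd", "0");
        exit;
    }
    $sht(regs=>$si) = $null;              # good credentials: drop the counter
    if (!save("location")) {
        sl_reply_error();
    }
    exit;
}

route[PSTN] {
    # only permissions group 688 may call out; anyone else is throttled at 2 cps
    # (repeat offenders get banned) and then refused
    if (!allow_source_address("688")) {
        $var(plreglimit) = 2 * PIPESECONDS;
        if (!pl_check("$si", "TAILDROP", "$var(plreglimit)")) {
            xlog("L_INFO", "[R-PSTN:$ci] unauthorized outbound exceeded $var(plreglimit)\n");
            route(KILL);
        }
        sl_send_reply("403", "Not relaying PSTN1");
        exit;
    }
}
```

The ordering is the point: the htable lookup costs almost nothing, so a banned scanner is answered before pike, the regular expressions or the sanity parser spend any CPU on it, and exit inside route(KILL) ends the whole script, so nothing after the check runs for that request.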

  • 30. TLS
  • 31. loadmodule "tls.so"
    ...
    # ----- tls params -----
    modparam("tls", "config", "/usr/local/etc/kamailio/tls.cfg")
    ...
    [server:default]
    method = TLSv1
    verify_certificate = no
    require_certificate = no
    private_key = /usr/local/etc/kamailio/privkey1.pem
    certificate = /usr/local/etc/kamailio/fullchain1.pem
    ...
    listen=tls:192.168.25.31:5061 advertise PUBLICIP:5061 #-- TLS Socket
    enable_tls = yes
    Note that method = TLSv1 pins the listener to TLS 1.0, which is deprecated (RFC 8996); current Kamailio releases accept TLSv1.2+ for this setting.
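The same tls.cfg with the settings a current deployment should change, as an added example rather than the deck's file: method raised from TLSv1 (TLS 1.0) to TLSv1.2+, a cipher_list limited to forward-secret AEAD suites for the TLS 1.2 case (TLS 1.3 suites are fixed by the library and not affected by this key), and a client profile so the proxy verifies the far end when it is the one connecting out. The key and certificate paths are the deck's; the CA bundle path is an assumption (the Debian location).

```ini
[server:default]
method = TLSv1.2+
# phones rarely carry client certificates, so none is demanded on the server side
verify_certificate = no
require_certificate = no
private_key = /usr/local/etc/kamailio/privkey1.pem
certificate = /usr/local/etc/kamailio/fullchain1.pem
cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256

[client:default]
method = TLSv1.2+
# outbound connections (carriers, other nodes): the peer must present a
# certificate and it must chain to the bundle below (assumed path)
verify_certificate = yes
require_certificate = yes
ca_list = /etc/ssl/certs/ca-certificates.crt
```

The listen and enable_tls lines from the slide stay as they are. A carrier that needs different settings gets its own [client:IP:PORT] section; the default profiles only apply where no address-specific one matches.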
  • 33. loadmodule "topoh.so"
    ...
    # ----- TOPOH params -----
    # mask_key encodes the hidden Via/Route/Contact data; use a long random string
    # (not a dictionary word) and the same value on every proxy that must unmask it
    modparam("topoh", "mask_key", "LetsMakeAPassword")
    modparam("topoh", "mask_ip", "127.0.0.8")
    modparam("topoh", "mask_callid", 1)
    modparam("topoh", "uparam_name", "line")
    modparam("topoh", "uparam_prefix", "sr-")
    modparam("topoh", "vparam_name", "branch")
    modparam("topoh", "vparam_prefix", "z9hG4bKsr-")
    modparam("topoh", "callid_prefix", "!!:")
    modparam("topoh", "sanity_checks", 1)
    ...
  • 34. SIP Edge Proxy —“SBC” • Since 2001 • NAT • RTP Proxy (rtpproxy/rtpengine) • TOPOH Module (topology hiding) • Accounting
  • 35. Scale SIP/RTC • Load Balancing • Dispatcher Module • Various Algorithms • Node monitoring • Re-route of failures
  • 39. loadmodule "dispatcher.so"
    ...
    # ----- dispatcher params -----
    modparam("dispatcher", "db_url", DBURL)
    modparam("dispatcher", "table_name", "dispatcher")
    # flags 2: keep the remaining destinations in the avps below for failover
    modparam("dispatcher", "flags", 2)
    modparam("dispatcher", "dst_avp", "$avp(dsdst)")
    modparam("dispatcher", "grp_avp", "$avp(dsgrp)")
    modparam("dispatcher", "cnt_avp", "$avp(dscnt)")
    modparam("dispatcher", "dstid_avp", "$avp(dsdstid)")
    modparam("dispatcher", "sock_avp", "$avp(dssocket)")
    modparam("dispatcher", "attrs_avp", "$avp(dsattrs)")
    modparam("dispatcher", "ds_hash_size", 3)
    modparam("dispatcher", "force_dst", 1)
    # OPTIONS pinging: a gateway that stops answering (2xx, 480 or 404 count as alive)
    # is taken out of rotation after 2 failed probes
    modparam("dispatcher", "ds_ping_interval", 20)
    modparam("dispatcher", "ds_ping_from", "sip:pinger@YOURDOMAIN")
    modparam("dispatcher", "ds_probing_mode", 2)
    modparam("dispatcher", "ds_probing_threshold", 2)
    modparam("dispatcher", "ds_ping_reply_codes", "class=2;code=480;code=404")
    ...
    # algorithm 8: first active destination in list order (failover ordering)
    if(!ds_select_dst("$avp(dispset)", "8")) {
        xlog("L_INFO","No destination available for set $avp(dispset) - send 404.\n");
        send_reply("404", "No destination PSTN2");
        exit;
    }
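Slide 35 lists re-routing of failures, but the snippet above only picks the first gateway. Below, as an added example that is not the deck's or the project's own code, is the part that does the re-routing: a failure_route that advances to the next gateway of the set. It relies on the parameters shown above (flags=2 keeps the alternative destinations in the configured avps, which ds_next_dst() consumes; the ds_ping_* parameters bring a gateway back once it answers OPTIONS again) and assumes set id 1 and the route names.

```kamailio
route[PSTN_DISPATCH] {
    $avp(dispset) = 1;                                 # assumed gateway set id
    if (!ds_select_dst("$avp(dispset)", "8")) {        # 8: first active destination in list order
        xlog("L_INFO", "No destination available for set $avp(dispset) - send 404.\n");
        send_reply("404", "No destination PSTN2");
        exit;
    }
    xlog("L_INFO", "[$ci] trying $du, $avp(dscnt) alternatives left\n");
    t_on_failure("PSTN_FAILOVER");
    if (!t_relay()) {
        sl_reply_error();
    }
    exit;
}

failure_route[PSTN_FAILOVER] {
    if (t_is_canceled()) {
        exit;                                          # caller gave up, nothing to re-route
    }
    # only "this gateway is broken" outcomes justify the next gateway; a 486 or
    # 603 from the far end is a real answer and must reach the caller unchanged
    if (t_branch_timeout() || t_check_status("50[0-9]|408")) {
        ds_mark_dst("ip");                             # inactive and probing until OPTIONS succeed again
        if (ds_next_dst()) {
            xlog("L_INFO", "[$ci] gateway failed, re-routing to $du\n");
            t_on_failure("PSTN_FAILOVER");             # arm again for the next attempt
            t_relay();
            exit;
        }
        xlog("L_WARN", "[$ci] every gateway in set $avp(dispset) failed\n");
        t_reply("503", "Service Unavailable");
    }
}
```

Marking the destination with ds_mark_dst("ip") matters beyond this one call: without it every following INVITE would still try the dead gateway first and pay the timeout before failing over, while the pinger would have no reason to watch it.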
  • 41. REGISTRAR • Offload registrations from Asterisk • MySQL, LDAP, etc. • Mid-registrar services
  • 42. Mid-Registrar • since 2010 • https://www.kamailio.org/docs/modules/stable/modules/uac.html • remote registrar even handles R-URI modifications
    if(uac_reg_lookup("$rU", "$ru")) {
        xlog("request from a remote SIP provider [$ou => $ru]\n");
    }
    lookup("location");
  • 43. API Routing • http_client / http_async_client • evapi http://kamailio.org/docs/modules/stable/modules/evapi.html • rtjson http://kamailio.org/docs/modules/stable/modules/rtjson.html • nodejs
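What API routing looks like with two of the modules named on the slide, http_client and rtjson, as an added example that is not from the deck or the project. The routing service at http://127.0.0.1:8080/route is hypothetical; the JSON answer in the comment is a constructed sample in the document format the rtjson module consumes; module parameters and route names are assumptions.

```kamailio
loadmodule "http_client.so"
loadmodule "rtjson.so"

# a slow or dead routing API must not stall the SIP worker for long
modparam("http_client", "connection_timeout", 2)

route[APIROUTE] {
    # build the request body from escaped values so a crafted caller id
    # cannot break out of the JSON string it is placed in
    $var(body) = "{\"caller\":\"" + $(fU{s.escape.common}) + "\",\"callee\":\"" + $(rU{s.escape.common}) + "\"}";
    http_client_query("http://127.0.0.1:8080/route", "$var(body)", "Content-Type: application/json", "$var(res)");
    if ($rc != 200) {
        xlog("L_ERR", "[$ci] routing API failed (rc=$rc)\n");
        send_reply("503", "Routing unavailable");
        exit;
    }
    # expected answer (constructed sample): serial forking, first gateway then the second
    # {"version":"1.0","routing":"serial","routes":[
    #   {"uri":"sip:+15551234567@gw1.example.net;transport=tls","fr_timer":5000,"fr_inv_timer":20000},
    #   {"uri":"sip:+15551234567@gw2.example.net;transport=tls"}]}
    if (!rtjson_init_routes("$var(res)")) {
        xlog("L_ERR", "[$ci] routing API returned no usable routes: $var(res)\n");
        send_reply("500", "Bad routing document");
        exit;
    }
    t_on_failure("APIROUTE_FAIL");
    rtjson_push_routes();          # first route: sets the destination and the branch timers
    if (!t_relay()) {
        sl_reply_error();
    }
    exit;
}

failure_route[APIROUTE_FAIL] {
    if (t_is_canceled()) {
        exit;
    }
    if (rtjson_next_route()) {     # serial routing: next entry from the API's list
        t_on_failure("APIROUTE_FAIL");
        t_relay();
        exit;
    }
    xlog("L_WARN", "[$ci] all API routes exhausted\n");
}
```

The proxy stays the policy enforcement point: the API only says where a call may go, and the abuse checks from the earlier slides still run before route(APIROUTE) is ever reached, so a scanner never causes an API call.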
  • 44. It’s About Power • Flexibility in language, protocol, format, and controllers • Lua, Python, JavaScript, Perl, Squirrel, etc • HTTP, RPC, EVAPI, SIP, etc • XML, JSON, custom • node+js, SQL, php, Custom apps, etc • Power to Scale
  • 45. See you in Berlin! kamailioworld.com kamailio.org
  • 46. Ask a good question… Get a cookie. Fred Posner @fredposner qxork.com