Kamailio SIP Server
SIP Firewall For Carrier Grade Traffic
Daniel-Constantin Mierla
Co-Founder Kamailio
www.kamailio.org
www.asipto.com
(c) asipto.com
2
Over 10 Years Evolution
Timeline figure from the slide, text recovered: Sep 2001 first line of code at the FhG Fokus Institute, Berlin; 2002 open source under GPL as SIP Express Router (SER); Jun 2005 OpenSER fork; Jul 2008 rename to Kamailio; Aug 2008 other forks; Nov 2008 Kamailio and SER become the same application; Jan 2010 v3.0.0, integration completed; Oct 2010 v3.1.0; Oct 2011 v3.2.0; Jun 2012 v3.3.0; Mar 2013 v4.0.0. Other labels on the slide: Oct 2009, v1.5.0, 10 years, awarded Best Open Source Networking Software 2009 by InfoWorld, ITSPA UK Award.
3
Source Structure - 3.x.x - Kamailio vs. SER
Kamailio Distribution:
  modules_k/ - over 80 modules: acc, acc_radius, alias_db, auth_db, auth_diameter, auth_radius, benchmark, call_control, cfgutils, cpl-c, db_cluster, ...
Common to the Kamailio and SIP Express Router distributions:
  modules/ - over 50 modules: app_lua, app_mono, app_python, async, auth, auth_identity, avpops, blst, carrierroute, cfg_db, cfg_rpc, ...
SIP Express Router Distribution:
  modules_s/ - over 40 modules: acc_db, acc_radius, acc_syslog, auth_db, auth_radius, avp, avp_db, avp_radius, bdb, cpl-c, db_ops, ...
The entire source code tree:
  core - SIP parser, memory manager, config file parser and interpreter, locking system, timers, config variable frameworks
  internal libraries - DB API v1, DB API v2, MI API, JSON, UUID, utils, binrpc
4
Source Structure - 4.x.x - Kamailio
Kamailio Distribution (SIP Express Router Distribution no longer separate):
  modules/ - over 150 modules, modules_k/ and modules_s/ merged into it: app_lua, app_mono, app_python, async, auth, auth_identity, avpops, blst, carrierroute, cfg_db, cfg_rpc, ...
The entire source code tree:
  core - SIP parser, memory manager, config file parser and interpreter, locking system, timers, config variable frameworks
  internal libraries - DB API v1, DB API v2, MI API, JSON, UUID, utils, binrpc
5
2012 - Highlights
• over 10 IMS extensions
• Websockets
• generic database clustering
• embedded Mono interpreter (C#, Python, Java, ...)
• Cassandra connector
• IPv6 review
• embedded MSRP relay
• time recurrence matching
• embedded HTTP RPC/provisioning APIs
• presence/rls/xcap OMA/RCS enhancements
• GRUU
• SIP Outbound
• SCA
http://www.kamailio.org/wiki/features/new-in-3.3.x
http://www.kamailio.org/wiki/features/new-in-4.0.x
6
2013 - Highlights
• app_java
• sipt
• tm
• htable
• cfgutils
• siputils
• snmpstats
• usrloc
• dnssec
• cnxcc (prepaid)
• stun
• sctp
• auth_ephemeral (webrtc)
• debugger (log pv assignment)
http://www.kamailio.org/wiki/features/new-in-devel
7
Development statistics
8
http://conference.kamailio.com
9
among next cool things
Routing SIP with Kamailio
by Daniel-Constantin Mierla and Elena-Ramona Modroiu
13
Book Details - http://asipto.com/u/kab
• Evolution
  - started last year for v3.3.x
  - target: getting started guide and typical use cases
  - delayed by the decision to complete the Kamailio-SER integration (then Kamailio World)
    - last modules merged, some renamed
    - significant changes in the installation process
• Nowadays
  - existing content
    - over 280 pages (A4), apart from the ToC
    - 22 chapters
  - roadmap to full release
    - 3-5 new chapters
    - check the 3.3 to 4.0 updates
    - examples enhanced with SIP traces
    - reviews (both native and non-native English speakers)
• Selling
  - electronic format (e.g., pdf, ebook), later paper format (if there is such interest)
  - plans to make it available to purchase before the full release
    - if all goes as expected, as early as mid-August 2013
SIP Firewall For Carrier Grade Traffic
blocking unwanted traffic
15
Everyone is evil in the world wild sipnet!
16
Full Kamailio Config to Deal With
request_route {
    drop;
}
reply_route {
    drop;
}
17
Problem completely solved!
Thank you, questions?
18
Trying to get friendlier - DoS Attacks
• bandwidth
• cpu
• memory
• MONEY
19
Attacks
• malicious attacks
  - for direct attacker benefits
    - get access to the host and call for free
  - for damages on target (or fame)
    - consume resources on target
• involuntary attacks
  - client side
    - broken clients
  - server side
    - misconfigurations (e.g., too low max expire time)
‘Undisclosed’ sources have demonstrated that the root of the issues in computer science resides between chair and keyboard.
20
Flood Detection and Blocking IP Addresses
• Problem
  - unexpectedly high volume of SIP traffic from the same IP address
• Situations
  - someone tries to gain access to the server
  - misconfigured devices
• Solution
  - keep the list of banned IP addresses in memory (hash table via the htable module)
    - items in the hash table are automatically deleted if their values are not updated for a while
  - if the source IP of the SIP packet matches a key in the hash table, then stop processing
    - simply drop, no SIP response (saves bandwidth)
    - sending a 200 OK response makes the attacker believe that it has succeeded
  - if not, then count the number of packets per configured time interval
    - if the limit is exceeded, stop processing and add the source IP to the hash table
• Consideration
  - skip trusted peers from checking (trunks, PSTN gateways, media servers, ...)
  - do it very early in the processing path, at the top of the routing logic
21
Flood Detection and Blocking IP Addresses
# __TRUSTED__ stands for the trusted peers (trunks, gateways, media servers)
# that are exempted from the checks
if(src_ip!=__TRUSTED__)
{
    if($sht(ipban=>$si)!=$null)
    {
        # ip is already blocked: stop processing without any reply
        xdbg("request from blocked IP - $rm from $fu (IP:$si:$sp)\n");
        exit;
    }
    if (!pike_check_req())
    {
        # pike reports too many requests from this IP in the sampling window
        xlog("L_ALERT","ALERT: pike blocking $rm from $fu (IP:$si:$sp)\n");
        $sht(ipban=>$si) = 1;
        exit;
    }
}
the configuration
loadmodule "htable.so"
loadmodule "pike.so"
# ----- pike params -----
modparam("pike", "sampling_time_unit", 2)
modparam("pike", "reqs_density_per_unit", 24)
modparam("pike", "remove_latency", 4)
# ----- htable params -----
# ip ban htable with autoexpire after 5 minutes
modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")
22
Dictionary Attack Detection and Blocking Users
• Problem
  - unexpected number of failed authentications for various users
• Situations
  - someone tries to guess the passwords of legit users
  - misconfigured devices
• Solution
  - keep the list of blocked usernames in memory (again via the htable module)
    - items in the hash table are automatically deleted if their values are not updated for a while
  - along with the username, store the timestamp of the last failed authentication and the number of failed authentications in a row
  - if the request has auth headers and the username is found in the hash table, then
    - if the last failed authentication is older than a predefined interval of time, give the user another chance
    - otherwise forbid the traffic without any authentication challenge sent back
  - if not found in the hash table, then authenticate
    - if the credentials mismatch, then increase the authentication failure counter and update the last authentication failure timestamp
      - if the authentication failure attempts limit is reached, don't challenge back
    - if authentication is ok, reset the counter
23
Dictionary Attack Detection and Blocking Users
# requests carrying credentials: a user that failed 3 times in a row within
# the last 15 minutes is refused without any new challenge being sent back
if(is_present_hf("Authorization") || is_present_hf("Proxy-Authorization"))
{
    if($sht(userban=>$au::auth_count)==3)
    {
        $var(exp) = $Ts - 900;
        if($sht(userban=>$au::last_auth) > $var(exp))
        {
            sl_send_reply("403", "Try later");
            exit;
        } else {
            # the interval has passed: give the user another chance
            $sht(userban=>$au::auth_count) = 0;
        }
    }
}
the configuration
# htable for blocked usernames; an entry lives 300 s after its last update,
# so the effective lockout is bounded by autoexpire as well as by the 900 s check
modparam("htable", "htable", "userban=>size=8;autoexpire=300;")
24
Dictionary Attack Detection and Blocking Users
# authenticate requests
auth_check("$fd", "subscriber", "1");
$var(rc) = $rc;
if($var(rc)<0) {
    switch($var(rc)) {
        case -1:
            # generic error: refuse the request
            sl_send_reply("403", "Forbidden");
            exit;
        case -2:
            # invalid password: count the failure and remember when it happened
            $var(auth_count) = $shtinc(userban=>$au::auth_count);
            if($var(auth_count) == 3)
                xlog("auth failed 3rd time - src ip: $sin");
            $sht(userban=>$au::last_auth) = $Ts;
            break;
    }
    auth_challenge("$fd", "0");
    exit;
}
# authentication succeeded: reset the failure counter
$sht(userban=>$au::auth_count) = 0;
25
Limiting the Number of Active Calls Per User
• Problem
  - an attacker could eventually get access in one way or another (e.g., social engineering), so limit the damage as much as possible
• Situations
  - lots of active calls from the same user, more than that user could physically make
• Solution
  - keep a lightweight list of active calls in memory (again via the htable module)
    - items in the hash table are automatically deleted if their values are not updated for a while (copes with missing BYE cases)
    - items are added when the call is initiated
    - items are removed if there is no positive answer to the INVITE or in case of BYE
  - carrier grade => lightweight dialog tracking
    - Call-ID is the key for the hash table
    - the value of the items in the hash table is the caller id (username)
  - when a new call comes in
    - count the values in the hash table that match the caller id
    - if the limit is not reached, add a new item, otherwise deny the call
26
Limiting the Number of Active Calls Per User
request_route {
    ....
    if(is_method("BYE")) {
        $sht(acalls=>$ci) = $null;
    }
    ....
}
reply_route {
    ....
    if(is_method("INVITE") && $rs>=300) {
        $sht(acalls=>$ci) = $null;
    }
    ....
}
the configuration
modparam("htable", "htable", "acalls=>size=8;autoexpire=7200;")
modparam("cfgutils", "lock_set_size", 8)
27
Limiting the Number of Active Calls Per User
# limit to maximum 3 active calls per user
route[ACLIMIT] {
    if(is_method("INVITE") && !has_totag()) {
        lock("$fU");
        $var(ac) = $shtcv(acalls=>eq$fU);
        if($var(ac) >= 3) {
            unlock("$fU");
            send_reply("403", "Too many active calls");
            exit;
        }
        $sht(acalls=>$ci) = $fU;
        unlock("$fU");
    }
}
request_route {
    ....
    route(ACLIMIT);
    route(RELAY);
}
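Added example (not code from the slides or from the Kamailio project): a Python model of the two htable-backed policies, the per-user failed-authentication lockout of slides 22-24 and the per-user active-call cap of slides 25-27, so their time-dependent behaviour can be exercised offline. HTable, AuthGuard and CallLimiter are names chosen here and the request sequences are constructed; the model assumes an htable entry's autoexpire clock restarts on writes only, never on reads.

```python
class HTable:
    """Model of a Kamailio htable as the slides use it: a key/value store
    whose entries vanish `autoexpire` seconds after their last write."""

    def __init__(self, autoexpire):
        self.autoexpire = autoexpire
        self.items = {}  # key -> (value, time of last write)

    def get(self, key, now):
        item = self.items.get(key)
        if item is None:
            return None
        value, written = item
        if now - written >= self.autoexpire:
            del self.items[key]  # expired entries behave as if never stored
            return None
        return value

    def set(self, key, value, now):
        if value is None:  # $sht(t=>k) = $null removes the entry
            self.items.pop(key, None)
        else:
            self.items[key] = (value, now)

    def inc(self, key, now):
        """$shtinc: increment (creating the entry at 1) and return the new value."""
        value = (self.get(key, now) or 0) + 1
        self.set(key, value, now)
        return value

    def count_values(self, value, now):
        """$shtcv(t=>eq<value>): number of live entries holding that value."""
        return sum(1 for k in list(self.items) if self.get(k, now) == value)


class AuthGuard:
    """Slides 22-24: three wrong passwords in a row lock the username for
    COOLDOWN seconds; while locked, requests get 403 and no challenge, even
    with the right password. The lock lives only as long as the userban
    entry, so an autoexpire shorter than COOLDOWN shortens the lockout."""

    MAX_FAILURES = 3
    COOLDOWN = 900

    def __init__(self, autoexpire=300):  # 300 is the value on the slide
        self.userban = HTable(autoexpire)

    def handle(self, user, password_ok, now):
        """Action for one request carrying credentials for `user`; the
        auth_check outcomes are collapsed to password ok / password wrong."""
        count_key, last_key = user + "::auth_count", user + "::last_auth"
        if self.userban.get(count_key, now) == self.MAX_FAILURES:
            last = self.userban.get(last_key, now)
            if last is not None and last > now - self.COOLDOWN:
                return "403 Try later"
            self.userban.set(count_key, 0, now)  # cooldown over: another chance
        if password_ok:
            self.userban.set(count_key, 0, now)  # success resets the counter
            return "accepted"
        self.userban.inc(count_key, now)
        self.userban.set(last_key, now, now)
        return "challenge"


class CallLimiter:
    """Slides 25-27: Call-ID -> caller username, at most MAX_CALLS live
    entries per caller. Entries go away on BYE, on a >= 300 reply to the
    INVITE, or by autoexpire when the BYE never arrives."""

    MAX_CALLS = 3

    def __init__(self, autoexpire=7200):
        self.acalls = HTable(autoexpire)

    def invite(self, call_id, caller, now):
        # The config wraps this check-then-insert in lock("$fU")/unlock("$fU")
        # so two INVITEs from one caller cannot both slip under the limit;
        # this model is single-threaded, so no lock is needed here.
        if self.acalls.count_values(caller, now) >= self.MAX_CALLS:
            return "403 Too many active calls"
        self.acalls.set(call_id, caller, now)
        return "relayed"

    def bye(self, call_id, now):
        self.acalls.set(call_id, None, now)

    def invite_reply(self, call_id, status, now):
        if status >= 300:  # no positive answer: the call never became active
            self.acalls.set(call_id, None, now)

    def active_calls(self, caller, now):
        return self.acalls.count_values(caller, now)
```

Running AuthGuard with the slide's autoexpire of 300 shows the 900-second lockout ending after 300 seconds, because the counter entry expires first; an autoexpire of at least the cooldown keeps the two consistent.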
28
Remarks
• One of Kamailio's laws
  - If the htable module is not used, something might go wrong with your deployment (and business) at some point in time.
• The targets for the solutions were
  - rely on Kamailio only
  - use lightweight solutions that scale a lot
• Alternatives
  - real time integration with the firewall for DoS protection using fail2ban
    - http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack
  - active calls tracking
    - dialog module: stores lots of details for each call, but can detect when a call is down
      - OPTIONS keepalives within the dialog
      - it is not a back-to-back user agent (i.e., the CSeq numbers of the dialog are not updated)
    - in-memory SQL tables via the sqlops module
      - easy to customize, make reports and specify what details are stored per dialog
29
Daniel-Constantin Mierla
Co-Founder Kamailio
http://www.asipto.com
daniel@asipto.com
Thank you!
Questions?
twitter: @miconda
http://www.linkedin.com/in/miconda

Weitere ähnliche Inhalte

Was ist angesagt?

netfilter and iptables
netfilter and iptablesnetfilter and iptables
netfilter and iptables
Kernel TLV
 

Was ist angesagt? (20)

Kamailio with Docker and Kubernetes
Kamailio with Docker and KubernetesKamailio with Docker and Kubernetes
Kamailio with Docker and Kubernetes
 
Kamailio - Load Balancing Load Balancers
Kamailio - Load Balancing Load BalancersKamailio - Load Balancing Load Balancers
Kamailio - Load Balancing Load Balancers
 
Kamailio, FreeSWITCH, and You
Kamailio, FreeSWITCH, and YouKamailio, FreeSWITCH, and You
Kamailio, FreeSWITCH, and You
 
Tutorial: Using GoBGP as an IXP connecting router
Tutorial: Using GoBGP as an IXP connecting routerTutorial: Using GoBGP as an IXP connecting router
Tutorial: Using GoBGP as an IXP connecting router
 
Using Asterisk and Kamailio for Reliable, Scalable and Secure Communication S...
Using Asterisk and Kamailio for Reliable, Scalable and Secure Communication S...Using Asterisk and Kamailio for Reliable, Scalable and Secure Communication S...
Using Asterisk and Kamailio for Reliable, Scalable and Secure Communication S...
 
Kamailio :: A Quick Introduction
Kamailio :: A Quick IntroductionKamailio :: A Quick Introduction
Kamailio :: A Quick Introduction
 
rtpengine and kamailio - or how to simulate calls at scale
rtpengine and kamailio - or how to simulate calls at scalertpengine and kamailio - or how to simulate calls at scale
rtpengine and kamailio - or how to simulate calls at scale
 
Using Kamailio for Scalability and Security
Using Kamailio for Scalability and SecurityUsing Kamailio for Scalability and Security
Using Kamailio for Scalability and Security
 
NETCONF Call Home
NETCONF Call Home NETCONF Call Home
NETCONF Call Home
 
Kamailio - Secure Communication
Kamailio - Secure CommunicationKamailio - Secure Communication
Kamailio - Secure Communication
 
Continuous Integration and Kamailio
Continuous Integration and KamailioContinuous Integration and Kamailio
Continuous Integration and Kamailio
 
netfilter and iptables
netfilter and iptablesnetfilter and iptables
netfilter and iptables
 
FreeSWITCH Cluster by K8s
FreeSWITCH Cluster by K8sFreeSWITCH Cluster by K8s
FreeSWITCH Cluster by K8s
 
Kamalio and Asterisk: What, Why & How
Kamalio and Asterisk: What, Why & HowKamalio and Asterisk: What, Why & How
Kamalio and Asterisk: What, Why & How
 
Show Me Kafka Tools That Will Increase My Productivity! (Stephane Maarek, Dat...
Show Me Kafka Tools That Will Increase My Productivity! (Stephane Maarek, Dat...Show Me Kafka Tools That Will Increase My Productivity! (Stephane Maarek, Dat...
Show Me Kafka Tools That Will Increase My Productivity! (Stephane Maarek, Dat...
 
Asterisk sip channel performance
Asterisk sip channel performanceAsterisk sip channel performance
Asterisk sip channel performance
 
SIP & TLS - Security in a peer to peer world
SIP & TLS - Security in a peer to peer worldSIP & TLS - Security in a peer to peer world
SIP & TLS - Security in a peer to peer world
 
An SFU/MCU integration for heterogeneous environments
An SFU/MCU integration for heterogeneous environmentsAn SFU/MCU integration for heterogeneous environments
An SFU/MCU integration for heterogeneous environments
 
[MeetUp][2nd] 오리뎅이의_쿠버네티스_네트워킹_v1.2
[MeetUp][2nd] 오리뎅이의_쿠버네티스_네트워킹_v1.2[MeetUp][2nd] 오리뎅이의_쿠버네티스_네트워킹_v1.2
[MeetUp][2nd] 오리뎅이의_쿠버네티스_네트워킹_v1.2
 
Introduction to FreeSWITCH
Introduction to FreeSWITCHIntroduction to FreeSWITCH
Introduction to FreeSWITCH
 

Ähnlich wie Kamailio - SIP Firewall for Carrier Grade Traffic

Secure .NET programming
Secure .NET programmingSecure .NET programming
Secure .NET programming
Ante Gulam
 
Webinar elastic stack {on telecom} english webinar part (1)
Webinar elastic stack {on telecom} english webinar part (1)Webinar elastic stack {on telecom} english webinar part (1)
Webinar elastic stack {on telecom} english webinar part (1)
Yassine, LASRI
 

Ähnlich wie Kamailio - SIP Firewall for Carrier Grade Traffic (20)

Security in NodeJS applications
Security in NodeJS applicationsSecurity in NodeJS applications
Security in NodeJS applications
 
Kamailio - Surfing Big Waves Of SIP With Style
Kamailio - Surfing Big Waves Of SIP With StyleKamailio - Surfing Big Waves Of SIP With Style
Kamailio - Surfing Big Waves Of SIP With Style
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Swift distributed tracing method and tools v2
Swift distributed tracing method and tools v2Swift distributed tracing method and tools v2
Swift distributed tracing method and tools v2
 
112 portfpres.pdf
112 portfpres.pdf112 portfpres.pdf
112 portfpres.pdf
 
Let's write secure Drupal code! - DrupalCamp London 2019
Let's write secure Drupal code! - DrupalCamp London 2019Let's write secure Drupal code! - DrupalCamp London 2019
Let's write secure Drupal code! - DrupalCamp London 2019
 
Strata Presentation: One Billion Objects in 2GB: Big Data Analytics on Small ...
Strata Presentation: One Billion Objects in 2GB: Big Data Analytics on Small ...Strata Presentation: One Billion Objects in 2GB: Big Data Analytics on Small ...
Strata Presentation: One Billion Objects in 2GB: Big Data Analytics on Small ...
 
Secure .NET programming
Secure .NET programmingSecure .NET programming
Secure .NET programming
 
Presto anatomy
Presto anatomyPresto anatomy
Presto anatomy
 
Monitoring with Prometheus
Monitoring with PrometheusMonitoring with Prometheus
Monitoring with Prometheus
 
Secure Programming
Secure ProgrammingSecure Programming
Secure Programming
 
2012.09 A Million Mousetraps: Using Big Data and Little Loops to Build Better...
2012.09 A Million Mousetraps: Using Big Data and Little Loops to Build Better...2012.09 A Million Mousetraps: Using Big Data and Little Loops to Build Better...
2012.09 A Million Mousetraps: Using Big Data and Little Loops to Build Better...
 
Webinar elastic stack {on telecom} english webinar part (1)
Webinar elastic stack {on telecom} english webinar part (1)Webinar elastic stack {on telecom} english webinar part (1)
Webinar elastic stack {on telecom} english webinar part (1)
 
Streaming Way to Webscale: How We Scale Bitly via Streaming
Streaming Way to Webscale: How We Scale Bitly via StreamingStreaming Way to Webscale: How We Scale Bitly via Streaming
Streaming Way to Webscale: How We Scale Bitly via Streaming
 
Integris Security - Hacking With Glue ℠
Integris Security - Hacking With Glue ℠Integris Security - Hacking With Glue ℠
Integris Security - Hacking With Glue ℠
 
Kamailio and VoIP Wild World
Kamailio and VoIP Wild WorldKamailio and VoIP Wild World
Kamailio and VoIP Wild World
 
Kamailio and VoIP Wild World
Kamailio and VoIP Wild WorldKamailio and VoIP Wild World
Kamailio and VoIP Wild World
 
Secure Coding for NodeJS
Secure Coding for NodeJSSecure Coding for NodeJS
Secure Coding for NodeJS
 

Mehr von Daniel-Constantin Mierla

Mehr von Daniel-Constantin Mierla (17)

FOSDEM 2017 - RTC Services With Lua and Kamailio
FOSDEM 2017 - RTC Services With Lua and KamailioFOSDEM 2017 - RTC Services With Lua and Kamailio
FOSDEM 2017 - RTC Services With Lua and Kamailio
 
TAD Summit 2016 - The Mobile World Up Side Down
TAD Summit 2016 - The Mobile World Up Side DownTAD Summit 2016 - The Mobile World Up Side Down
TAD Summit 2016 - The Mobile World Up Side Down
 
Snappy Kamailio
Snappy KamailioSnappy Kamailio
Snappy Kamailio
 
Kamailio Updates - VUC 588
Kamailio Updates - VUC 588Kamailio Updates - VUC 588
Kamailio Updates - VUC 588
 
Designing High Performance RTC Signaling Servers
Designing High Performance RTC Signaling ServersDesigning High Performance RTC Signaling Servers
Designing High Performance RTC Signaling Servers
 
SIP Server Optimizations for Mobile Networks
SIP Server Optimizations for Mobile NetworksSIP Server Optimizations for Mobile Networks
SIP Server Optimizations for Mobile Networks
 
Kamailio - API Based SIP Routing
Kamailio - API Based SIP RoutingKamailio - API Based SIP Routing
Kamailio - API Based SIP Routing
 
Kamailio - SIP Routing in Lua
Kamailio - SIP Routing in LuaKamailio - SIP Routing in Lua
Kamailio - SIP Routing in Lua
 
10 Years SER - Awards
10 Years SER - Awards10 Years SER - Awards
10 Years SER - Awards
 
Sculpturing SIP World
Sculpturing SIP WorldSculpturing SIP World
Sculpturing SIP World
 
CPDL - Charging Plan Definition Language
CPDL - Charging Plan Definition LanguageCPDL - Charging Plan Definition Language
CPDL - Charging Plan Definition Language
 
SER - SIP Express Router
SER - SIP Express RouterSER - SIP Express Router
SER - SIP Express Router
 
SIP Router Project
SIP Router ProjectSIP Router Project
SIP Router Project
 
Kamailio - Unifying SIP and Web Worlds with Lua
Kamailio - Unifying SIP and Web Worlds with LuaKamailio - Unifying SIP and Web Worlds with Lua
Kamailio - Unifying SIP and Web Worlds with Lua
 
Kamailio - SIP Servers Everywhere
Kamailio - SIP Servers EverywhereKamailio - SIP Servers Everywhere
Kamailio - SIP Servers Everywhere
 
Kamailio - The Story for Asterisk
Kamailio - The Story for AsteriskKamailio - The Story for Asterisk
Kamailio - The Story for Asterisk
 
Aynchronous Processing in Kamailio Configuration File
Aynchronous Processing in Kamailio Configuration FileAynchronous Processing in Kamailio Configuration File
Aynchronous Processing in Kamailio Configuration File
 

Kürzlich hochgeladen

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Kürzlich hochgeladen (20)

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 

Kamailio - SIP Firewall for Carrier Grade Traffic

  • 1. Kamailio SIP Server SIP Firewall For Carrier Grade Traffic Daniel-Constantin Mierla Co-Founder Kamailio www.kamailio.org www.asipto.com
  • 2. (c) asipto.com 2 Over 10 Years Evolution 2002 Jun 2005 Jul 2008 Aug 2008 Nov 2008 SIP Express Router (SER) OpenSER Kamailio Other Forks... Same application: Kamailio - SER Oct 2009 Jan 2010 v3.0.0 Integration Completed v1.5.0 Oct 2011 v3.1.0 Sep 2001 First Line Of Code Open Source GPL FhG Fokus Institute Berlin rename v3.2.0 Oct 2010 Awarded Best Open Source Networking Software 2009 By InfoWorld 10 Years Jun 2012 v3.3.0 ITSPA UK Award Mar 2013 v4.0.0 Kamailio
  • 3. Source Structure - 3.x.x - Kamailio vs. SER 3 KamailioDistribution SIPExpressRouterDistribution modules_k/ acc acc_radius alias_db auth_db auth_diameter auth_radius benchmark call_control cfgutils cpl-c db_cluster ... over 80 modules modules/ app_lua app_mono app_python async auth auth_identity avpops blst carrierroute cfg_db cfg_rpc ... over 50 modules modules_s/ acc_db acc_radius acc_syslog auth_db auth_radius avp avp_db avp_radius bdb cpl-c db_ops ... over 40 modules the entire source code tree core sip parser - memory manager config file parser and interpreter locking system - timers config variable frameworks internal libraries DB API v1 - DB APIv2 MI API - JSON - UUID utils - binrpc
  • 4. Source Structure - 4.x.x- Kamailio 4 KamailioDistribution SIPExpressRouterDistribution modules_k/ modules/ app_lua app_mono app_python async auth auth_identity avpops blst carrierroute cfg_db cfg_rpc ... over 150 modules modules_s/ the entire source code tree core sip parser - memory manager config file parser and interpreter locking system - timers config variable frameworks internal libraries DB API v1 - DB APIv2 MI API - JSON - UUID utils - binrpc
  • 5. (c) asipto.com 2012 - Highlights 5 Over 10 IMS Extensions Websockets generic database clusteringembedded mono interpreter C#, Python, Java, .... cassandra connector http://www.kamailio.org/wiki/features/new-in-3.3.x http://www.kamailio.org/wiki/features/new-in-4.0.x IPv6 review embedded MSRP Relay time recurrence matching embedded HTTP RPC/Provisioning APIs presence/rls/xcap OMA/RCS enhancements GRUU SIP Outbound SCA
  • 6. (c) asipto.com 2013 - Highlights 6 app_java sipt tm htable cfgutils siputilssnmpstats usrloc http://www.kamailio.org/wiki/features/new-in-devel dnssec cnxcc (prepaid) stun sctp auth_ephemeral (webrtc) debugger (log pv assignment)
  • 10. among next cool things
  • 11.
  • 12. Routing SIP with Kamailio by Daniel-Constantin Mierla Elena-Ramona Modroiu
  • 13. 13 Book Details - http://asipto.com/u/kab  Evolution  started last year for v3.3.x  target: getting started guide and typical use cases  delayed by decision to complete Kamailio-SER integration (then Kamailio Word)  last modules merged, some renamed  significant changes in installation process  Nowadays  existing content  over 280 pages (A4) - apart of ToC  22 chapters  roadmap to full release  3-5 new chapters  check the 3.3 to 4.0 updates  examples enhanced with SIP traces  reviews (both native and non-native English speakers)  Selling  electronic format (e.g., pdf, ebook), later paper format (if such interest)  plans to make it available to purchase before full release  if all goes as expected - as soon as mid of August, 2013
  • 14. SIP Firewall For Carrier Grade Traffic blocking unwanted traffic
  • 15. 15 Everyone is evil in the world wild sipnet!
  • 18. 18 Trying to get friendlier - DoS Attacks • bandwidth • cpu • memory • MONEY
  • 19. 19 Attacks  malicious attacks  for direct attacker benefits  get access to the host and call for free  for damages on target (or fame)  consume resources on target  involuntary attacks  client side  broken clients  server side  misconfigurations (e.g., too low max expire time) ‘Undisclosed’ sources have demonstrated that the root of the issues in computer science resides in between chair and keyboard.
  • 20. 20  Problem  unexpected high volume of SIP traffic from the same IP address  Situations  someone tries to gain access to the server  misconfigured devices  Solution  keep the list of banned IP addresses in memory (hash table via htable module)  items in hash table are automatically deleted if their values are not updated for a while  if source IP of the SIP packet matches a key in hash table, then stop processing  simply drop, no SIP response (save the bandwidth)  sending a 200 OK response makes the attacker believe that it has succeeded  if not, then count the number of packets per configured time interface  if limit exceeded, stop processing and add add the source ip in the hash table  Consideration  skip trusted peers from checking (trunks, PSTN gateways, media servers,...)  do it very early in processing path, at the top of routing logic Flood Detection and Blocking IP Addresses
  • 21. 21 Flood Detection and Blocking IP Addresses if(src_ip!=__TRUSTED__) { if($sht(ipban=>$si)!=$null) { # ip is already blocked xdbg("request from blocked IP - $rm from $fu (IP:$si:$sp)n"); exit; } if (!pike_check_req()) { xlog("L_ALERT","ALERT: pike blocking $rm from $fu (IP:$si:$sp)n"); $sht(ipban=>$si) = 1; exit; } } loadmodule "htable.so" loadmodule "pike.so" # ----- pike params ----- modparam("pike", "sampling_time_unit", 2) modparam("pike", "reqs_density_per_unit", 24) modparam("pike", "remove_latency", 4) # ----- htable params ----- # ip ban htable with autoexpire after 5 minutes modparam("htable", "htable", "ipban=>size=8;autoexpire=300;") the configuration
  • 22. 22  Problem  unexpected number of failed authentication for various users  Situations  someone tries to guess passwords for legit users  misconfigured devices  Solution  keep the list of blocked usernames in memory (again via htable module)  items in hash table are automatically deleted if their values are not updated for a while  along with the username, store the timestamp of the last failed authentication and number of failed authentication in a raw  if the request has auth headers and username is found in hash table, then  if the last failed authentication is older than a predefined interval of time, give the user another chance  otherwise forbids the traffic without any authentication challenge sent back  if not found in hash table, then authenticate  if credentials mismatch, then increase the authentication failure counter and update the last authentication failure timestamp  if authentication failure attempts limit is reached, don’t challenge back  if authentication is ok, reset the counter Dictionary Attack Detection and Blocking Users
• 23. 23 Dictionary Attack Detection and Blocking Users
  the configuration (the hash table referenced by the checks below):

    # user ban htable with autoexpire after 5 minutes
    modparam("htable", "htable", "userban=>size=8;autoexpire=300;")

  the check done before authentication:

    if(is_present_hf("Authorization") || is_present_hf("Proxy-Authorization")) {
        if($sht(userban=>$au::auth_count)==3) {
            $var(exp) = $Ts - 900;
            if($sht(userban=>$au::last_auth) > $var(exp)) {
                # still blocked: refuse without sending an authentication challenge
                sl_send_reply("403", "Try later");
                exit;
            } else {
                # last failure is old enough, give the user another chance
                $sht(userban=>$au::auth_count) = 0;
            }
        }
    }
• 24. 24 Dictionary Attack Detection and Blocking Users

    # authenticate requests
    auth_check("$fd", "subscriber", "1");
    $var(rc) = $rc;
    if($var(rc)<0) {
        switch($var(rc)) {
            case -1:
                sl_send_reply("403", "Forbidden");
                exit;
            case -2:
                # wrong credentials: count the failure and remember when it happened
                $var(auth_count) = $shtinc(userban=>$au::auth_count);
                if($var(auth_count) == 3)
                    xlog("auth failed 3rd time - src ip: $si\n");
                $sht(userban=>$au::last_auth) = $Ts;
                break;
        }
        auth_challenge("$fd", "0");
        exit;
    }
    # authentication succeeded: reset the failure counter
    $sht(userban=>$au::auth_count) = 0;
• 25. 25 Limiting the Number of Active Calls Per User
  - Problem
    - an attacker could eventually get access one way or another (e.g., social engineering); then limit the damage as much as possible
  - Situations
    - a lot of active calls from the same user, who physically could not make that many
  - Solution
    - keep a lightweight list of active calls in memory (again via htable module)
    - items in the hash table are automatically deleted if their values are not updated for a while (copes with missing BYE cases)
    - items are added when the call is initiated
    - items are removed if there is no positive answer to the INVITE or in case of BYE
    - carrier grade => lightweight dialog tracking
      - Call-ID is the key of the hash table
      - the value of an item in the hash table is the caller id (username)
    - when a new call comes in
      - count the values in the hash table that match the caller id
      - if the limit is not reached, add a new item, otherwise deny the call
• 26. 26 Limiting the Number of Active Calls Per User
  the configuration:

    modparam("htable", "htable", "acalls=>size=8;autoexpire=7200;")
    modparam("cfgutils", "lock_set_size", 8)

  removing entries when the call ends or the INVITE gets a negative final reply:

    request_route {
        ....
        if(is_method("BYE")) {
            $sht(acalls=>$ci) = $null;
        }
        ....
    }

    reply_route {
        ....
        if(is_method("INVITE") && $rs>=300) {
            $sht(acalls=>$ci) = $null;
        }
        ....
    }
• 27. 27 Limiting the Number of Active Calls Per User

    # limit to maximum 3 active calls per user
    route[ACLIMIT] {
        if(is_method("INVITE") && !has_totag()) {
            # serialize check-and-add for the same caller
            lock("$fU");
            # count the items whose value equals the caller username
            $var(ac) = $shtcv(acalls=>eq$fU);
            if($var(ac) >= 3) {
                unlock("$fU");
                send_reply("403", "Too many active calls");
                exit;
            }
            # new call: store Call-ID => caller username
            $sht(acalls=>$ci) = $fU;
            unlock("$fU");
        }
    }

    request_route {
        ....
        route(ACLIMIT);
        route(RELAY);
    }
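As an added example, not from the slides or the Kamailio project, the Python model below reproduces the htable logic of the dictionary attack check (slides 22-24) and of the active call limit (slides 25-27) so both state machines can be driven with constructed requests. It assumes the values shown on the slides (autoexpire of 300 s for the user ban table, 7200 s for the calls table, a 900 s retry window and a limit of 3); ExpiringTable, handle_auth, handle_invite and end_call are names chosen here.

```python
class ExpiringTable:
    """Stand-in for a Kamailio htable with autoexpire: a key lives ttl
    seconds after its last write; reads do not refresh it."""
    def __init__(self, ttl):
        self.ttl, self.items = ttl, {}
    def get(self, key, now):
        val = self.items.get(key)
        if val is None or now >= val[1]:
            self.items.pop(key, None)
            return None
        return val[0]
    def set(self, key, value, now):
        if value is None:          # $sht(...) = $null removes the item
            self.items.pop(key, None)
        else:
            self.items[key] = (value, now + self.ttl)
    def count_values(self, value, now):  # like $shtcv(table=>eq$val)
        return sum(1 for k in list(self.items) if self.get(k, now) == value)

# Assumed parameters: names follow the slides, values are the ones shown there
AUTH_LIMIT, AUTH_WINDOW, USERBAN_TTL = 3, 900, 300
MAX_CALLS, ACALLS_TTL = 3, 7200
userban = ExpiringTable(USERBAN_TTL)
acalls = ExpiringTable(ACALLS_TTL)

def handle_auth(user, password_ok, now):
    """Action for a request that carries credentials (slides 23 and 24)."""
    count = userban.get(user + "::auth_count", now) or 0
    if count >= AUTH_LIMIT:
        last = userban.get(user + "::last_auth", now)
        if last is not None and last > now - AUTH_WINDOW:
            return "403 Try later"  # refused, no challenge sent back
        count = 0  # last failure is old enough: another chance
    if password_ok:
        userban.set(user + "::auth_count", 0, now)
        return "authenticated"
    userban.set(user + "::auth_count", count + 1, now)  # $shtinc
    userban.set(user + "::last_auth", now, now)
    return "401 challenge"

def handle_invite(callid, user, now):
    """ACLIMIT from slide 27: deny when the caller already has MAX_CALLS."""
    if acalls.count_values(user, now) >= MAX_CALLS:
        return "403 Too many active calls"
    acalls.set(callid, user, now)
    return "relay"

def end_call(callid, now):
    """BYE, or a final reply >= 300 to the INVITE: drop the Call-ID entry."""
    acalls.set(callid, None, now)
```

With these assumed values the ban entry expires 300 s after the last failure, so the 900 s window only takes effect if the table's autoexpire outlives it; the model makes that interaction visible when the timestamps are varied.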
• 28. 28 Remarks
  - One of Kamailio's laws
    - If the htable module is not used, something might go wrong with your deployment (and business) at some point in time.
  - The targets for the solutions were
    - rely on Kamailio only
    - use lightweight solutions that scale a lot
  - Alternatives
    - real time integration with the firewall for DoS protection using fail2ban
      - http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack
    - active calls tracking
      - dialog module: stores a lot of details for each call, but can detect when a call is down (OPTIONS keepalives within the dialog); it is not a back to back user agent (i.e., the CSeq numbers of the dialog are not updated)
      - in-memory SQL tables via the sqlops module: easy to customize, make reports and specify what details are stored per dialog
  • 29. 29 Daniel-Constantin Mierla Co-Founder Kamailio http://www.asipto.com daniel@asipto.com Thank you! Questions? twitter: @miconda http://www.linkedin.com/in/miconda