From arsen.semionov@gmail.com Fri Sep 29 21:51:37 2017
From: Arsen
To: sr-users@lists.kamailio.org
Subject: Re: [SR-Users] Retrieve remote IP and port
Date: Fri, 29 Sep 2017 22:51:28 +0300
In-Reply-To: <0967f265-5b3a-fe82-0572-93814ab93b43@ikiji.com>

Yeah, this makes sense. It is possible to spoof the UDP source address, and various SIP tools have this feature (sipcli, sipp); it's useful, for example, for NAT tests, etc.

An attacker may actually perform a DoS attack by spoofing the source IP with the IP of your DID vendor (for example), so pay attention to jail.conf and set a whitelist.

Here is how you can try to detect a source IP spoof:

    if($sel(contact.uri.host) != $si) {
        # do something here
    }
    if($sel(via[0].host) != $si) {
        #
    }

Regards, Arsen.

Arsen Semionov
www.eurolan.info
cell: +442035198881

On Fri, Sep 29, 2017 at 5:50 PM, Iskren Hadzhinedev <iskren.hadzhinedev(a)ikiji.com> wrote:

> Hi Arsen,
> Someone keeps sending INVITEs to my kamailio box with the From: and To:
> IPs set to the Kamailio box’s public IP.
> I have fail2ban that tracks a log file and bans the IP when pike blocks a
> request 3 times.
> However, the IP that pops up in the log file is the server’s own IP
> address and not the sender’s IP address.
> So let’s say my kamailio box is at 1.2.3.4. I get the following in the log:
>
> ALERT:
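
Added example, not part of the messages above and not Kamailio code: the same header-versus-source comparison done offline in Python over a constructed INVITE, for checking captured traffic. It goes one step beyond the two `if` checks by separating private header addresses, which a client behind NAT sends legitimately, from public ones that disagree with the packet source. The function names, labels and sample addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample: every header claims the proxy's own address (1.2.3.4).
SAMPLE_INVITE = (
    "INVITE sip:100@1.2.3.4 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 1.2.3.4:5060;branch=z9hG4bK-constructed\r\n"
    "From: <sip:100@1.2.3.4>;tag=abc\r\n"
    "To: <sip:100@1.2.3.4>\r\n"
    "Contact: <sip:100@1.2.3.4:5060>\r\n"
    "Call-ID: constructed-1\r\n"
    "CSeq: 1 INVITE\r\n\r\n"
)

# Host of the topmost Via sent-by, and host of the first Contact URI.
VIA_RE = re.compile(
    r"^(?:Via|v)\s*:\s*SIP/2\.0/\w+\s+(\[[^\]]+\]|[^;:,\s]+)", re.I | re.M)
CONTACT_RE = re.compile(
    r"^(?:Contact|m)\s*:.*?sips?:(?:[^@>\s;]*@)?(\[[^\]]+\]|[^;:>\s]+)",
    re.I | re.M)


def header_hosts(msg):
    """Return the hosts a SIP request advertises in Via and Contact."""
    via, contact = VIA_RE.search(msg), CONTACT_RE.search(msg)
    return {"via": via.group(1) if via else None,
            "contact": contact.group(1) if contact else None}


def classify(msg, src_ip):
    """Compare advertised hosts with the address the packet arrived from."""
    src = ipaddress.ip_address(src_ip)
    result = {}
    for name, host in header_hosts(msg).items():
        if host is None:
            result[name] = "absent"
            continue
        try:
            addr = ipaddress.ip_address(host.strip("[]"))
        except ValueError:
            result[name] = "hostname"      # a name, not an IP: not compared
            continue
        if addr == src:
            result[name] = "match"
        elif addr.is_private:
            result[name] = "nat-likely"    # private/special-purpose address
        else:
            result[name] = "mismatch"      # public address, different source
    return result
```

Only `mismatch` is worth feeding to a ban list; `nat-likely` is what ordinary phones behind a home router produce.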