Hello,
checking the IP in the Via headers can be done in the config file using a while loop:

$var(i) = 0;
while($(hdr(Via)[$var(i)]) != $null) {
    # use transformations to extract the host from the Via value
    # "SIP/2.0/UDP host:port;params" (assumes an IPv4 literal; a bracketed
    # IPv6 sent-by needs different handling) and test it against $Ri
    $var(via_host) = $(hdr(Via)[$var(i)]{s.select,1, }{s.select,0,;}{s.select,0,:});
    if($var(via_host) == $Ri) {
        # our own address is already in a Via: one possible reaction is 482
        sl_send_reply("482", "Loop Detected");
        exit;
    }
    $var(i) = $var(i) + 1;
}
Also, checking the max-breadth should be possible in the config file -- iirc, Olle played with it at one of the SIPit events I attended, maybe he can add more details here. I haven't read RFC 5393, so I can't provide an example here.
If someone wants to add a module to simplify the config, he/she is welcome to do it.
Cheers, Daniel
On 21/10/15 10:35, Guillaume wrote:
Hi guys,
What do you think about the RFC 5393 on loop detection and amplification attack protection?
The RFC is short and still a proposed standard, but don't you think it could be useful to prevent loops and amplification attacks? Because even if the Max-Forwards field limits the loop to ~70 hosts (in most cases), with some techniques the message could be forked into up to 2^70 messages (as described in the RFC) to crash the servers.
Basically the server has to do 2 things:
- check that it is not already in the Via headers of the message
- the previous check is not enough, as a B2BUA could have replaced the Via headers, so the RFC introduces a new header field called Max-Breadth to limit the forking.
I have not seen many implementations of this RFC in free SIP software, and I think it could be a good way to improve Kamailio by making a module for it (the easiest way to implement this feature, I think).
In fact I'm in a research internship about VoIP security and I have time to develop such a module for Kamailio if you think it's a good idea (I'm looking for security improvements in free software solutions, so if you have other ideas don't hesitate to tell me).
Cheers,
Tetram
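The two checks discussed in this thread (our own address in a Via, and a Max-Breadth budget that bounds parallel forking), modelled as an added example: this is not Kamailio code and not code from either poster. The SIP request, the host `192.0.2.10:5060` and the upstream proxy `198.51.100.7` are constructed for the example; the hash field list follows RFC 3261 section 16.6 step 8, SHA-256 is an arbitrary choice for the branch hash, and treating a budget of 0 as a 440 is a simplification of the RFC's sequential-forking rules. `peak_concurrency` reproduces the 2^70 figure from the message and shows what a Max-Breadth of 60 does to it.

```python
"""Loop detection and Max-Breadth budgeting in the style of RFC 5393.

Added example for this thread; not Kamailio code and not the posters' code.
The request below is constructed, SHA-256 is an arbitrary branch-hash choice,
and reporting a zero budget as 440 simplifies the RFC's sequential-forking rules.
"""
import hashlib
import re

DEFAULT_MAX_BREADTH = 60   # value RFC 5393 has a proxy insert when the header is absent
BRANCH_COOKIE = "z9hG4bK"  # RFC 3261 magic cookie that starts every branch parameter


class MaxBreadthExceeded(Exception):
    status = 440           # "Max-Breadth Exceeded" response code defined by RFC 5393


def parse_message(raw):
    """Split a SIP request into (request_line, {lower-name: [values...]})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def vias(headers):
    """Every Via entry in order, also splitting comma-folded Via lines."""
    return [v.strip() for line in headers.get("via", []) for v in line.split(",")]


def via_sent_by(via):
    """'SIP/2.0/UDP 192.0.2.10:5060;branch=...' -> '192.0.2.10:5060'."""
    return via.split(None, 1)[1].split(";", 1)[0]


def via_param(via, name):
    m = re.search(r";%s=([^;]+)" % re.escape(name), via)
    return m.group(1) if m else ""


def tag(header_value):
    m = re.search(r";tag=([^;]+)", header_value)
    return m.group(1) if m else ""


def routing_hash(request_line, headers):
    """Hash of the fields that decide where the request goes (RFC 3261 16.6 step 8).
    The proxy stores it in the branch it inserts: if the request returns with our
    Via and the same hash, routing is unchanged (a loop); if the hash differs,
    the request only spirals (Request-URI or Route changed) and must be forwarded."""
    first = lambda name: headers.get(name, [""])[0]
    material = "\n".join([
        request_line.split()[1],                      # Request-URI
        first("route"),                               # topmost Route
        tag(first("to")), tag(first("from")),
        first("call-id"), first("proxy-require"), first("proxy-authorization"),
    ])
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def add_own_via(raw, own_sent_by, transport="UDP"):
    """What the proxy does on forwarding: push a Via that carries the routing hash."""
    request_line, headers = parse_message(raw)
    via = "Via: SIP/2.0/%s %s;branch=%s%s" % (
        transport, own_sent_by, BRANCH_COOKIE, routing_hash(request_line, headers))
    return raw.replace("\r\n", "\r\n" + via + "\r\n", 1)   # insert after the request line


def classify(raw, own_sent_by):
    """'forward' (not in the Via stack), 'spiral' (in it, routing changed) or
    'loop' (in it, and the branch hash still matches -> answer 482)."""
    request_line, headers = parse_message(raw)
    expected = BRANCH_COOKIE + routing_hash(request_line, headers)
    seen_own = False
    for via in vias(headers):
        if via_sent_by(via) != own_sent_by:
            continue
        seen_own = True
        if via_param(via, "branch") == expected:
            return "loop"
    return "spiral" if seen_own else "forward"


def max_breadth(headers):
    """Max-Breadth of an incoming request, with the RFC default when absent."""
    values = headers.get("max-breadth")
    return int(values[0]) if values else DEFAULT_MAX_BREADTH


def split_breadth(budget, n_targets):
    """Per-branch Max-Breadth when forking to n_targets: each of the
    k = min(budget, n_targets) parallel branches gets floor(budget / k); the
    remaining targets may only be tried sequentially.  Returns
    (parallel_values, n_sequential); a zero budget with targets left is a 440 here."""
    if n_targets <= 0:
        return [], 0
    if budget <= 0:
        raise MaxBreadthExceeded("Max-Breadth exhausted, %d targets left" % n_targets)
    k = min(budget, n_targets)
    return [budget // k] * k, n_targets - k


def peak_concurrency(depth, fanout, budget=None):
    """Most requests in flight at once for `depth` chained proxies that each fork
    to `fanout` targets.  budget=None models proxies ignoring Max-Breadth (the
    2^70 case); otherwise the budget is split down the chain as split_breadth
    does, and sequential branches add nothing to the peak."""
    if depth == 0:
        return 1
    if budget is None:
        return fanout * peak_concurrency(depth - 1, fanout)
    parallel, _sequential = split_breadth(budget, fanout)
    return sum(peak_concurrency(depth - 1, fanout, b) for b in parallel)


# Constructed request; the existing Via belongs to an upstream proxy, not to us.
OWN_SENT_BY = "192.0.2.10:5060"
SAMPLE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 68\r\nMax-Breadth: 60\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\nTo: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@198.51.100.7\r\nCSeq: 314159 INVITE\r\n\r\n"
)

if __name__ == "__main__":
    looped = add_own_via(SAMPLE, OWN_SENT_BY)           # the request comes back to us
    spiral = looped.replace("sip:bob@example.com SIP/2.0", "sip:bob@pc33.example.com SIP/2.0")
    print(classify(SAMPLE, OWN_SENT_BY), classify(looped, OWN_SENT_BY), classify(spiral, OWN_SENT_BY))
    print(peak_concurrency(70, 2), peak_concurrency(70, 2, max_breadth(parse_message(SAMPLE)[1])))
```

With a budget of 60 and two-way forking at every hop, the budget halves at each proxy (60, 30, 15, 7, 3, 1) and then stays at 1, so at most 32 branches are ever in flight together, against 2^70 when proxies only honour Max-Forwards. Note that Max-Breadth bounds parallelism, not total work: the targets pushed to sequential forking are still tried one after another, which is why a B2BUA stripping the header undoes the protection, as the message above points out.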
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users