Yeah, this makes sense. It is possible to spoof the UDP source address, and various SIP tools have this feature (sipcli, sipp); it's useful, for example, for NAT tests, etc.

An attacker actually may perform a DoS attack by spoofing the source IP with an IP of your DID vendor (for example), so pay attention to jail.conf and set a whitelist.

Here is how you can try to detect source IP spoof:

# Contact URI host should normally match the transport-layer source IP ($si)
if($sel(contact.uri.host) != $si) {
    # do something here (log the mismatch, mark the request as suspicious, ...)
}

# Top Via sent-by host should normally match the transport-layer source IP ($si)
if($sel(via[0].host) != $si) {
    # do something here (log the mismatch, mark the request as suspicious, ...)
}

Regards,
Arsen.


Arsen Semionov
cell: +442035198881
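The same two comparisons (top Via sent-by and Contact URI host against the transport-layer source, Kamailio's $si), carried out in Python over the INVITE quoted later in this thread so the mismatch can be seen on real input. This is an added example, not code from the thread or from Kamailio; the header parser, the `local_ips` set, the `NAT_REGISTER` sample and the log line format are assumptions made for the illustration.

```python
import ipaddress
import re

# Compact header names (RFC 3261 section 7.3.3) mapped to their long forms so the
# checks below see one spelling regardless of what the client sent.
COMPACT = {"v": "via", "m": "contact", "f": "from", "t": "to", "i": "call-id"}

# Constructed sample: the INVITE quoted in this thread, as it would arrive on the
# server's UDP socket with a spoofed source address equal to the server's own IP.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:+443331010095@1.2.3.4:5080 SIP/2.0",
    "To: +443331010095<sip:+443331010095@1.2.3.4>",
    "From: 7008<sip:7008@1.2.3.4>;tag=7650baf5",
    "Via: SIP/2.0/UDP 195.154.172.167:5074;branch=z9hG4bK-79da852e8e37dc3f58a5f098a089d5b5;rport",
    "Call-ID: 79da852e8e37dc3f58a5f098a089d5b5",
    "CSeq: 1 INVITE",
    "Contact: <sip:7008@195.154.172.167:5074>",
    "Max-Forwards: 70",
    "User-Agent: sipcli/v1.8",
    "Content-Length: 0",
    "", "",
])

# Constructed sample: a legitimate phone behind NAT. Via/Contact carry its private
# address, so a plain "Via != $si" test fires even though nothing is spoofed.
NAT_REGISTER = "\r\n".join([
    "REGISTER sip:1.2.3.4 SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bKnat1;rport",
    "From: <sip:alice@1.2.3.4>;tag=abc",
    "To: <sip:alice@1.2.3.4>",
    "Contact: <sip:alice@192.168.1.10:5060>",
    "Content-Length: 0",
    "", "",
])

URI_HOST = re.compile(r"sips?:(?:[^@>\s]*@)?(\[[^\]]+\]|[^:;>\s?]+)", re.I)
VIA_SENT_BY = re.compile(r"SIP/2\.0/\w+\s+(\[[^\]]+\]|[^\s:;]+)(?::(\d+))?", re.I)


def parse_headers(raw):
    """Return {lower-case header name: [values...]} for the header part of a SIP message."""
    headers, last = {}, None
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request/status line
        if not line.strip():
            continue
        if line[0] in " \t" and last:            # folded continuation line
            headers[last][-1] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = COMPACT.get(name.strip().lower(), name.strip().lower())
        headers.setdefault(last, []).append(value.strip())
    return headers


def via_sent_by(via_value):
    """(host, port) from the sent-by part of a Via value; port defaults to 5060."""
    m = VIA_SENT_BY.match(via_value)
    if not m:
        return None, None
    return m.group(1).strip("[]"), int(m.group(2)) if m.group(2) else 5060


def uri_host(header_value):
    """Host part of the first SIP URI in a header value, or None."""
    m = URI_HOST.search(header_value)
    return m.group(1).strip("[]") if m else None


def is_private(host):
    """True for non-global IP literals (RFC 1918 etc.); False for hostnames."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def spoof_indicators(raw, src_ip, local_ips):
    """Compare the transport-layer source (Kamailio's $si) with what the message
    claims about itself. Every header compared here is sender-controlled, so the
    result is evidence for logging and alerting, not proof of the real origin."""
    h = parse_headers(raw)
    via_host, via_port = via_sent_by(h.get("via", [""])[0])
    contact_host = uri_host(h.get("contact", [""])[0])
    return {
        "source_is_local": src_ip in local_ips,   # packet claims to come from ourselves
        "via_host": via_host,
        "via_port": via_port,
        "via_mismatch": via_host is not None and via_host != src_ip,
        "via_host_private": via_host is not None and is_private(via_host),  # NAT, not spoofing
        "contact_mismatch": contact_host is not None and contact_host != src_ip,
    }


def log_line(raw, src_ip, src_port, local_ips):
    """Log line carrying both $si and the Via sent-by, so a spoofed source address is
    visible in the log instead of appearing only as the server's own IP."""
    h = parse_headers(raw)
    ind = spoof_indicators(raw, src_ip, local_ips)
    method = raw.split(" ", 1)[0]
    tag = "SPOOF-SUSPECT" if ind["source_is_local"] else "BLOCK"
    return (f"{tag} {method} from {h.get('from', [''])[0]} "
            f"(src {src_ip}:{src_port}, via {ind['via_host']}:{ind['via_port']})")


if __name__ == "__main__":
    print(spoof_indicators(SAMPLE_INVITE, "1.2.3.4", {"1.2.3.4"}))
    print(log_line(SAMPLE_INVITE, "1.2.3.4", 5080, {"1.2.3.4"}))
    print(spoof_indicators(NAT_REGISTER, "203.0.113.5", {"1.2.3.4"}))
```

Two points the output makes clear: the strongest signal in the original report is not the Via mismatch but `source_is_local`, a request arriving on the public interface with the server's own address as its UDP source, which a legitimate remote client cannot produce; and the Via check alone is noisy because the NAT sample trips it too. Because the Via host is sender-controlled, a fail2ban rule that bans whatever address appears there lets a sender choose which third party gets banned, so the log format above keeps $si and the Via host as separate fields and is best paired with the jail.conf whitelist mentioned earlier.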

On Fri, Sep 29, 2017 at 5:50 PM, Iskren Hadzhinedev <iskren.hadzhinedev@ikiji.com> wrote:

Hi Arsen,
Someone keeps sending INVITEs to my kamailio box with the From: and To: IPs set to the Kamailio box’s public IP.
I have fail2ban that tracks a log file and bans the IP when pike blocks a request 3 times.
However, the IP that pops up in the log file is the server’s own IP address and not the sender’s IP address.
So let’s say my kamailio box is at 1.2.3.4. I get the following in the log:

    ALERT: <script>: Pike block INVITE from sip:7774@1.2.3.4 (IP 1.2.3.4:5080)

Which comes from this snippet from my kamailio.cfg:

    if (!pike_check_req()) {
            xlog("L_ALERT","Pike block $rm from $fu (IP $si:$sp)\n");
            exit;
    }

This rogue INVITE is certainly not coming from my own server. Running tcpdump with header shows the IP of the culprit - 195.154.172.167.
That can also be seen in the Via: header below. I know I can block the sipcli UA, but I’m not comfortable with being unable to log the IP address of the sender in case they spoof the UA.

    INVITE sip:+443331010095@1.2.3.4:5080 SIP/2.0
    To: +443331010095<sip:+443331010095@1.2.3.4>
    From: 7008<sip:7008@1.2.3.4>;tag=7650baf5
    Via: SIP/2.0/UDP 195.154.172.167:5074;branch=z9hG4bK-79da852e8e37dc3f58a5f098a089d5b5;rport
    Call-ID: 79da852e8e37dc3f58a5f098a089d5b5
    CSeq: 1 INVITE
    Contact: <sip:7008@195.154.172.167:5074>
    Max-Forwards: 70
    Allow: INVITE, ACK, CANCEL, BYE
    User-Agent: sipcli/v1.8
    Content-Type: application/sdp
    Content-Length: 286

So I cannot understand why $si shows 1.2.3.4 instead of the culprit’s IP address?
Hope this makes more sense!

Kind regards,
Iskren Hadzhinedev

On 29/09/17 13:38, Arsen wrote:

Hi Iskren,

What do you mean by 'true IP address'? The real IP address of a device which sends a request?

$si and $sp refer to the source IP address and port of the message; the "Via" header contains the IP address and port of the UA, and it could be different from $si, for example if the UA is behind a NAT device.



Arsen Semionov

On Fri, Sep 29, 2017 at 3:05 PM, Iskren Hadzhinedev <iskren.hadzhinedev@ikiji.com> wrote:

Hi list,

How can I reliably get the sender’s IP address?
$si and $sp are returning the server IP and Port.
I also tried using $Ri and $Rp but it yields the same results.
Inspecting the packet shows the sender’s true IP:Port pair in the Via: header,
but the From: and To: contain the kamailio server’s public IP address.

Kind regards,

--
Iskren Hadzhinedev

_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
