Re: [SR-Users] Implementation of RFC 5393

But why don't you implement this feature after your demo at kamailio world? Do you think it's useless at the end? And how your script was working with kamailio ? Thanks for your response Guillaume From: oej(a)edvina.net Date: Wed, 21 Oct 2015 14:15:43 +0200 To: miconda(a)gmail.com CC: sr-users(a)lists.sip-router.org Subject: Re: [SR-Users] Implementation of RFC 5393 On 21 Oct 2015, at 14:09, Daniel-Constantin Mierla <miconda(a)gmail.com> wrote:Hello,checking the IP in the Via headers can be done in config file using a while loop:$var(i) = 0;while($(hdr(Via)[$var(i)])!=$null) { # use transformations to extract the IP in $(hdr(Via)[$var(i)]) and test it against $Ri ... $var(i) = $var(i) + 1;}Also, checking the max-breadth should be possible in config file -- iirc, Olle played with it at one of the SIPit events I attended, maybe he can add more details here. I haven't read the RFC 5393 to be able to provide an example here.I have a kind-of working solution in script, that I used in the Dangerous Demos at kamailio world. If someone wants to add a module to simplify the config, he/she is welcome to do it.:-) I think it needs to have hooks into tm. /O Cheers,DanielOn 21/10/15 10:35, Guillaume wrote: Hi guys, What do you think about the RFC 5393 on loop detection and amplification attack protection? The RFC is short and still a proposed standard but don't you think it could be useful to prevent loop and amplification attack? Because even if the max-forward field reduces the loop to ~70 hosts (in most cases) with some techniques we could fork the message up to 2^70 messages (as described in the RFC) to crash the servers. Basically the server has to do 2 things: * check if it is not already in the via of the message * the previous check is not enough as a B2BUA could have replace the via headers, so the RFC introduces a new field called max-breadth to limit the forking. I have not seen a lot of implementation of this RFC on the free SIP software and I think it could be a good way to improve kamailio making a module for it (the easier way to implement this feature I think). In fact I'm in a research internship about VoIP security and I have time to develop such a module for kamailio if you think it's a good idea (I'm looking for some security improvements in free software solutions so if you have other idea don't hesitate to tell me). Cheers, Tetram _______________________________________________ SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users(a)lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users -- Daniel-Constantin Mierla http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda Book: SIP Routing With Kamailio - http://www.asipto.com _______________________________________________ SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users(a)lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users