But why don't you implement this feature after your demo at kamailio world? Do you
think it's useless at the end?
And how your script was working with kamailio ?
Thanks for your response
Guillaume
From: oej(a)edvina.net
Date: Wed, 21 Oct 2015 14:15:43 +0200
To: miconda(a)gmail.com
CC: sr-users(a)lists.sip-router.org
Subject: Re: [SR-Users] Implementation of RFC 5393
On 21 Oct 2015, at 14:09, Daniel-Constantin Mierla <miconda(a)gmail.com>
wrote:Hello,checking the IP in the Via headers can be done in config file using a while
loop:$var(i) = 0;while($(hdr(Via)[$var(i)])!=$null) { # use transformations to extract
the IP in $(hdr(Via)[$var(i)]) and test it against $Ri ... $var(i) = $var(i) +
1;}Also, checking the max-breadth should be possible in config file -- iirc, Olle played
with it at one of the SIPit events I attended, maybe he can add more details here. I
haven't read the RFC 5393 to be able to provide an example here.I have a kind-of
working solution in script, that I used in the Dangerous Demos at kamailio world.
If someone wants to add a module to simplify the config, he/she is welcome to do it.:-)
I think it needs to have hooks into tm.
/O
Cheers,DanielOn 21/10/15 10:35, Guillaume wrote:
Hi guys,
What do you think about the RFC 5393 on loop detection and amplification attack
protection?
The RFC is short and still a proposed standard but don't you think it could be useful
to prevent loop and amplification attack? Because even if the max-forward field reduces
the loop to ~70 hosts (in most cases) with some techniques we could fork the message up to
2^70 messages (as described in the RFC) to crash the servers.
Basically the server has to do 2 things:
* check if it is not already in the via of the message
* the previous check is not enough as a B2BUA could have replace the via headers, so the
RFC introduces a new field called max-breadth to limit the forking.
I have not seen a lot of implementation of this RFC on the free SIP software and I think
it could be a good way to improve kamailio making a module for it (the easier way to
implement this feature I think).
In fact I'm in a research internship about VoIP security and I have time to develop
such a module for kamailio if you think it's a good idea (I'm looking for some
security improvements in free software solutions so if you have other idea don't
hesitate to tell me).
Cheers,
Tetram
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla
http://twitter.com/#!/miconda -
http://www.linkedin.com/in/miconda
Book: SIP Routing With Kamailio -
http://www.asipto.com
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users