Hi!
For those who are interested in this attack - I have attached the relevant slides from my SIP security lectures.
regards Klaus
PS: an exploit based on sipp scenario files is available too on request (for educational purposes :-)
Klaus Darilion schrieb:
IIRC to solve this issue completely the UAC should never send credentials to unknown parties - only to its SIP proxy (some clients have a "force outbound proxy" feature which does the same). Then the SIP proxy can remove credentials before forwarding to other parties.
As soon as a client send messages (with credentials) directly to other parties there is nothing you can do on the proxy side.
regards klaus
Victor Pascual Ávila schrieb:
Hi, excuse me if this message is not directly related to Kamailio.
I'm just wondering if folks could share with me if (and how) they have prevented the "SIP Digest Access Authentication RELAY" in their networks (and what worked for them or not). NAT boxes reduce dramatically the scenarios for a successful attack. Otherwise, some might be mitigating the attack by means of forcing UAs to use outbound proxies while others might be reducing the attack incentives by means of message integrity.
Any comment would be appreciated,
Kamailio (OpenSER) - Users mailing list Users@lists.kamailio.org http://lists.kamailio.org/cgi-bin/mailman/listinfo/users http://lists.openser-project.org/cgi-bin/mailman/listinfo/users