Hi, I was going through some old company tickets that I am assigned to and found a case where an attacker possibly flooded our kamailio server with invalid SIP messages like this:
2019-04-27T20:14:05.533554+09:00 IPX051 /usr/local/src/git/sip-router/kamailio[1732]: ERROR: <core> [parser/msg_parser.c:714]: ERROR: parse_msg: message=<[F#016sD#026Z<8D>97<F8><B5>;<A9><E7>-<D2>(<E2><F6> v;/#021k<CC>8<B1>λ<F4>#004M<B6><BE><EC>#035#003<94><E1>=<A0><FF><E3><AF>Kwzr<8B>A#036B<D7>#027#023cu<82>Y<D4>#037<FB><AC>S_<C4>Qg<AB><DE>F<88>I#006<8C><FA><F4>~#y3G<C7>H<80>b<BC><AD>#035<89>#002<DB><C8>#001U<9E>#007<CB><F9>nT<E5><EE><8E><F1>#0144>
At that time we manually banned the IP. But it would be helpful to have this done automatically by fail2ban. So I was thinking this log should include the src IP address. I looked at the latest kamailio commit and core/parser/msg_parser.c does this log the same way, so I was thinking of opening an issue for this. But maybe this should be dealt with differently. Any ideas?
Hi!
You might want to check APIBAN - Block Bad SIP Traffic: https://apiban.org/
Fred Posner is the one to blame for this fantastic tool :)
Atenciosamente / Kind Regards / Cordialement / Un saludo,
*Sérgio Charrua*
On Thu, Oct 24, 2024 at 3:49 AM mayamatakeshi via sr-users <sr-users@lists.kamailio.org> wrote:
Kamailio - Users Mailing List - Non Commercial Discussions To unsubscribe send an email to sr-users-leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
+1 for APIBAN - it's so good for this exact use case.
In the short term you can use something like the pike module with some logic to look for any special characters, block them in an htable and just drop the traffic, whilst you figure APIBAN out.
Thanks,
John.
On Thu, 24 Oct 2024 at 10:44, Sergio Charrua via sr-users <sr-users@lists.kamailio.org> wrote:
Indeed, core:receive-parse-error combined with sanity_check is what I needed. Thank you.
On Sat, Oct 26, 2024 at 12:56 PM Fred Posner via sr-users <sr-users@lists.kamailio.org> wrote:
Thanks for mentioning APIBAN. You may also want to consider the core receive parse error route. I wrote about it here:
Handling Non-SIP Attacks With Kamailio: https://www.fredposner.com/handling-non-sip-kamailio/
—fred
Fred Posner Contact info via https://fredoso.com
On Oct 24, 2024, at 6:21 AM, Who AmI via sr-users <sr-users@lists.kamailio.org> wrote:
All, thanks for the suggestions. APIBAN looks fine, but there is still the risk of packets from an unknown IP hitting the server. So I was thinking of patching the parser code to log the src IP in case of error, but when I tested sending an invalid message against the latest kamailio I got this in the logs:
2024-10-25T07:30:56.968878+09:00 lab225012 /usr/local/src/git/kamailio-5.8/kamailio[1404214]: ERROR: <core> [core/parser/msg_parser.c:791]: parse_msg(): ERROR: parse_msg: message=<NOTIFY sip:305@172.23.112.144 SIP/2.0#012#012Via: SIP/2.0/UDP 172.23.3.5:5060;branch=z9hG4bK7b359876#012From: "no_callerid" < sip:no_callerid@172.23.3.5>;tag=as78a85cfe#012To: sip:305@172.23.112.144#012Contact: sip:no_callerid@172.23.3.5#012Call-ID: 015118886c22a1a45cb8833b41abf969@172.23.3.5#012CSeq: 102 NOTIFY#012User-Agent: Asterisk PBX#012Max-Forwards: 70#012Event: check-sync#012Content-Length: 0#012>
2024-10-25T07:30:56.970881+09:00 lab225012 /usr/local/src/git/kamailio-5.8/kamailio[1404214]: ERROR: <core> [core/receive.c:378]: receive_msg(): core parsing of SIP message failed ( 10.0.0.1:57005/1)
So the function parse_msg itself will not log the src IP, but the subsequent ERROR log line from function receive_msg will have it (ip 10.0.0.1) and will also include the port (57005).
So nothing needs to be done, as fail2ban can get the IP with the proper filter definition.
However, there is at least one other scenario. I removed the Call-ID header from a valid SIP message and when I sent it I got just this:
2024-10-25T07:41:16.825827+09:00 lab225012 /usr/local/src/git/kamailio-5.8/kamailio[1404217]: ERROR: <core> [core/receive.c:450]: receive_msg(): required headers not found in request
So I could not get the src IP. So I am thinking of patching this. However, meanwhile it seems I can handle this kind of situation generically by using: https://www.kamailio.org/docs/modules/devel/modules/nosip.html
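As an added illustration of the fail2ban approach discussed in this last message (example code written for this page, not from the thread, from Kamailio or from fail2ban): a fail2ban-style failregex for the receive_msg() line, expanded the way fail2ban expands its <HOST> placeholder (the HOST_RE expansion here is a simplified stand-in for fail2ban's own), run over a constructed sample log built from the two receive.c lines quoted above, with a minimal maxretry/findtime counter. The parse_msg() line and the "required headers not found" line carry no source address and are skipped, which is exactly the gap the message points out. The FAILREGEX, the 192.0.2.7 address and the repeated lines are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Iterable, Optional, Set

# fail2ban-style failregex (assumed, not from the thread). <HOST> is fail2ban's
# placeholder for the offending address; the pattern keys on the receive_msg()
# line Kamailio emits after a core parse failure, which carries "ip:port/proto".
FAILREGEX = (r"receive_msg\(\): core parsing of SIP message failed "
             r"\(\s*<HOST>:\d+/\d+\)")

# Simplified stand-in for fail2ban's <HOST> expansion: dotted IPv4 or a bare IPv6 literal.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]{2,39})"


def compile_failregex(failregex: str) -> "re.Pattern[str]":
    """Expand <HOST> into a named group, the way fail2ban does before matching."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def extract_host(line: str, pattern: "re.Pattern[str]") -> Optional[str]:
    """Source address from one log line, or None when the line carries none."""
    m = pattern.search(line)
    return m.group("host") if m else None


def parse_timestamp(line: str) -> datetime:
    """The syslog lines in the thread start with an ISO 8601 timestamp with offset."""
    return datetime.fromisoformat(line.split(" ", 1)[0])


def offenders(lines: Iterable[str], failregex: str = FAILREGEX,
              maxretry: int = 5, findtime: timedelta = timedelta(minutes=10)) -> Set[str]:
    """Hosts that matched failregex at least maxretry times within findtime
    (fail2ban's jail semantics, reduced to the part that matters here)."""
    pattern = compile_failregex(failregex)
    recent = defaultdict(list)  # host -> timestamps of hits still inside findtime
    banned = set()
    for line in lines:
        host = extract_host(line, pattern)
        if host is None:
            continue  # parse_msg() and "required headers not found" lines give no address
        ts = parse_timestamp(line)
        recent[host] = [t for t in recent[host] if ts - t <= findtime] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned


# Constructed sample log. PARSE_MSG_LINE and NO_ADDRESS_LINE reproduce the two
# address-less lines quoted in the thread (message body trimmed); the
# receive_msg() lines are made-up repeats from 10.0.0.1 plus a low-volume
# address from the 192.0.2.0/24 documentation range.
PREFIX = "lab225012 /usr/local/src/git/kamailio-5.8/kamailio[1404214]: ERROR: <core> "
PARSE_MSG_LINE = ("2024-10-25T07:30:56.968878+09:00 " + PREFIX +
                  "[core/parser/msg_parser.c:791]: parse_msg(): ERROR: parse_msg: "
                  "message=<NOTIFY sip:305@172.23.112.144 SIP/2.0#012...>")
NO_ADDRESS_LINE = ("2024-10-25T07:41:16.825827+09:00 " + PREFIX +
                   "[core/receive.c:450]: receive_msg(): required headers not found in request")


def receive_msg_line(ts: str, ip: str, port: int) -> str:
    """Build a receive_msg() parse-failure line in the format shown in the thread."""
    return (f"{ts} " + PREFIX + "[core/receive.c:378]: receive_msg(): "
            f"core parsing of SIP message failed ( {ip}:{port}/1)")


SAMPLE_LOG = [PARSE_MSG_LINE] + [
    receive_msg_line(f"2024-10-25T07:30:{10 + i:02d}.970881+09:00", "10.0.0.1", 57005 + i)
    for i in range(5)
] + [
    receive_msg_line("2024-10-25T07:32:01.000000+09:00", "192.0.2.7", 5060),
    receive_msg_line("2024-10-25T07:32:02.000000+09:00", "192.0.2.7", 5060),
    NO_ADDRESS_LINE,
]

if __name__ == "__main__":
    print("would ban:", sorted(offenders(SAMPLE_LOG)))  # would ban: ['10.0.0.1']
```

The point to take from running it is the one the message makes: the filter only ever sees addresses on lines that print "ip:port/proto", so a parse path that logs nothing but "required headers not found" is invisible to fail2ban no matter how the failregex is written, and has to be handled inside Kamailio (the nosip module or the receive-parse-error route) rather than at the log.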