[sr-dev] LCR: defunct_gw() is dangerous

Iñaki Baz Castillo ibc at aliax.net
Wed Dec 28 12:34:16 CET 2011


Hi, I would like to share some experience using LCR under Kamailio 3.X
in which there is no longer OPTIONS-based gateway monitoring.

Now, the way to disable a gateway is by calling defunct_gw() in a
failure_route block (i.e. when there is no response for a request and
fr_timer fires). So it's based on the processing of a single request.
This is dangerous and I will give a real example:

An ugly client sends us a request with a malformed P-Asserted-Identity
as follows:

  P-Asserted-Identity(sip at domain.com

Note that it's an *invalid* header. But Kamailio "allows" it and the
request arrives at the GW. But the GW drops the request due to the
malformed header so it sends NO reply at all. Then a timeout occurs in
the client transaction and the failure_route block is called, in which
I call defunct_gw().

Conclusion: an attacker could disable my gws just by sending a simple
malformed request. I strongly miss the monitoring feature in the
old LCR module. And even worse, I could make my own monitoring
client by sending OPTIONS to all the gateways, but the LCR module does
not include a simple MI command to enable/disable a gw so, what should
I do? Re-populate all the LCR tables and invoke the LCR reload() MI
command every time I detect a gw is offline/online?

Regards.

-- 
Iñaki Baz Castillo
<ibc at aliax.net>
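
The risk described in this message, a gateway's state hinging on one forwarded request, sketched as an added example (not part of the original message and not Kamailio or LCR code): request timeouts only flag a gateway as suspect, and only a streak of the operator's own well-formed OPTIONS probes changes its state. The class, thresholds and event tuples are hypothetical, and how a state change would be applied to LCR is not modelled.

```python
# Added example: a hypothetical health policy, not Kamailio or LCR code.
from collections import defaultdict

class GatewayHealth:
    """State follows our own well-formed OPTIONS probes; a timeout on a
    forwarded (attacker-influenced) request only marks the gateway suspect."""
    def __init__(self, fails_to_disable=3, oks_to_enable=2):
        self.fails_to_disable, self.oks_to_enable = fails_to_disable, oks_to_enable
        self.fail_streak, self.ok_streak = defaultdict(int), defaultdict(int)
        self.disabled, self.suspect = set(), set()

    def request_timeout(self, gw):
        """Hook where failure_route would call defunct_gw().
        Returns True when a probe should be sent right away."""
        first = gw not in self.suspect
        self.suspect.add(gw)
        return first

    def probe_result(self, gw, answered):
        """Record one probe; return 'disabled'/'enabled' on a state change."""
        if answered:
            self.ok_streak[gw] += 1
            self.fail_streak[gw] = 0
            self.suspect.discard(gw)
            if gw in self.disabled and self.ok_streak[gw] >= self.oks_to_enable:
                self.disabled.discard(gw)
                return "enabled"
        else:
            self.fail_streak[gw] += 1
            self.ok_streak[gw] = 0
            if gw not in self.disabled and self.fail_streak[gw] >= self.fails_to_disable:
                self.disabled.add(gw)
                return "disabled"
        return None

def simulate(events):
    """Replay constructed (kind, gw, answered) events; return state changes."""
    health, changes = GatewayHealth(), []
    for kind, gw, answered in events:
        if kind == "timeout":
            health.request_timeout(gw)
        elif (change := health.probe_result(gw, answered)):
            changes.append((gw, change))
    return changes, health.disabled

# Constructed events: five request timeouts on gw1, which still answers
# probes; gw2 fails three probes, then answers two.
ATTACK = [("timeout", "gw1", None)] * 5 + [("probe", "gw1", True)]
OUTAGE = [("timeout", "gw2", None)] + [("probe", "gw2", False)] * 3 + [("probe", "gw2", True)] * 2
```

The hysteresis (three failed probes to disable, two answered probes to re-enable) keeps one lost probe from flapping a gateway.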


