[SR-Users] bad cseq attack

Daniel-Constantin Mierla miconda at gmail.com
Thu Aug 22 00:21:44 CEST 2013


The problem is that in some cases, it doesn't get to execute the config 
file at all. The core does some basic parsing to detect the type of 
message (request or reply) and looks for mandatory headers (CSeq is one 
of them). When there is a failure in this process, the config file is not 
executed, because the message is invalid and the afferent internal 
structure cannot be filled properly.

Cheers,
Daniel

On 8/22/13 12:18 AM, Sergey Okhapkin wrote:
> Actually nothing needs to be done in kamailio core. It's a simple scripting
> logic.
>
>          if(!sanity_check("whatever_you wan't_check")) {
>                  xlog("L_INFO","Malformed message from $proto:$si:$sp\n$mb\n");
>                  break;
>          }
>
> On Thursday 22 August 2013 00:07:56 Daniel-Constantin Mierla wrote:
>> On 8/21/13 12:53 PM, Juha Heinanen wrote:
>>> i have noticed lots of these kind of attacks in my syslog:
>>>
>>> /var/log/syslog.1:Aug 21 04:23:46 host /usr/sbin/sip-proxy[13490]: ERROR: <core> [parser/parse_cseq.c:95]: parse_cseq(): ERROR: CSeq EoL expected
>>> /var/log/syslog.1:Aug 21 04:23:46 host /usr/sbin/sip-proxy[13490]: ERROR: <core> [parser/parse_cseq.c:98]: parse_cseq(): ERROR: parse_cseq: bad cseq
>>> /var/log/syslog.1:Aug 21 04:23:46 host /usr/sbin/sip-proxy[13490]: ERROR: <core> [parser/msg_parser.c:161]: get_hdr_field(): ERROR: get_hdr_field: bad cseq
>>>
>>> in order to be able to fail2ban the attacker, source ip address should
>>> appear in syslog message.
>>>
>>> is there a way to catch sip request syntax errors in config file so that
>>> appropriate syslog message could be generated?
>> We can add an event_route for it as well as print the src ip in the log
>> message for a quick fix (this one can be backported easily).
>>
>> Cheers,
>> Daniel

-- 
Daniel-Constantin Mierla - http://www.asipto.com
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
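
The point made in this thread, as an added sketch that is not Kamailio code and not from any poster: a message that fails the core's pre-parse never reaches the config script, so the source address has to be logged at that stage for a log watcher to act on it. The log format, the simplified CSeq check, the regexes and all function names are assumptions; the datagrams and addresses are constructed.

```python
import re
from collections import Counter

# Assumed log format: the thread only proposes adding the source IP to the error.
LOG_FMT = "ERROR: <core> parse_cseq(): bad cseq from {proto}:{ip}:{port}"
# Constructed pattern a log watcher (e.g. fail2ban) could match to extract the host.
BAN_RE = re.compile(r"bad cseq from \w+:(\d{1,3}(?:\.\d{1,3}){3}):\d+$")
# Simplified CSeq check: "<number> <METHOD>" and then end of line.
CSEQ_RE = re.compile(rb"^CSeq[ \t]*:[ \t]*\d+[ \t]+[A-Z]+[ \t]*$", re.I | re.M)


def receive(datagram, src, run_config, log):
    """Pre-parse in the 'core'; the config callback runs only for valid messages."""
    headers = datagram.split(b"\r\n\r\n", 1)[0].replace(b"\r\n", b"\n")
    if not CSEQ_RE.search(headers):
        # The config script never sees this message, so the core must log the source.
        log(LOG_FMT.format(proto="udp", ip=src[0], port=src[1]))
        return False
    run_config(datagram, src)
    return True


def offenders(log_lines, threshold=3):
    """Source IPs with at least `threshold` bad-CSeq log lines."""
    hits = Counter(m.group(1) for m in map(BAN_RE.search, log_lines) if m)
    return sorted(ip for ip, n in hits.items() if n >= threshold)


def demo():
    """Feed constructed datagrams through receive(); return (config calls, offenders)."""
    good = (b"OPTIONS sip:example.invalid SIP/2.0\r\n"
            b"Call-ID: constructed-1\r\nCSeq: 1 OPTIONS\r\n\r\n")
    bad = good.replace(b"CSeq: 1 OPTIONS", b"CSeq: 1 OPTIONS junk")
    logs, seen = [], []
    receive(good, ("198.51.100.7", 5060), lambda m, s: seen.append(s), logs.append)
    for _ in range(3):
        receive(bad, ("192.0.2.10", 5071), lambda m, s: seen.append(s), logs.append)
    return seen, offenders(logs)


if __name__ == "__main__":
    print(demo())
```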
