[SR-Users] Implementation of RFC 5393

Olle E. Johansson oej at edvina.net
Wed Oct 21 14:15:43 CEST 2015


> On 21 Oct 2015, at 14:09, Daniel-Constantin Mierla <miconda at gmail.com> wrote:
> 
> Hello,
> 
> checking the IP in the Via headers can be done in config file using a while loop:
> 
> $var(i) = 0;
> 
> while($(hdr(Via)[$var(i)])!=$null) {
>    # use transformations to extract the IP in $(hdr(Via)[$var(i)]) and test it against $Ri
>    ...
>    $var(i) = $var(i)  + 1;
> }
> 
> Also, checking the max-breadth should be possible in config file -- iirc, Olle played with it at one of the SIPit events I attended, maybe he can add more details here. I haven't read the RFC 5393 to be able to provide an example here.
I have a kind-of working solution in script, that I used in the Dangerous Demos at kamailio world.

> 
> If someone wants to add a module to simplify the config, he/she is welcome to do it.
:-)

I think it needs to have hooks into tm.

/O
> 
> Cheers,
> Daniel
> 
> On 21/10/15 10:35, Guillaume wrote:
>> Hi guys,
>> 
>> What do you think about the RFC 5393 on loop detection and amplification attack protection? 
>> 
>> The RFC is short and still a proposed standard but don't you think it could be useful to prevent loop and amplification attack? Because even if the max-forward field reduces the loop to ~70 hosts (in most cases) with some techniques we could fork the message up to 2^70 messages (as described in the RFC) to crash the servers.
>> 
>> Basically the server has to do 2 things:
>> * check if it is not already in the via of the message
>> * the previous check is not enough as a B2BUA could have replace the via headers, so the RFC introduces a new field called max-breadth to limit the forking.
>> 
>> I have not seen a lot of implementation of this RFC on the free SIP software and I think it could be a good way to improve kamailio making a module for it (the easier way to implement this feature I think).
>> 
>> In fact I'm in a research internship about VoIP security and I have time to develop such a module for kamailio if you think it's a good idea (I'm looking for some security improvements in free software solutions so if you have other idea don't hesitate to tell me).
>> 
>> Cheers,
>> 
>> 
>> Tetram
>> 
>> 
>> _______________________________________________
>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>> sr-users at lists.sip-router.org <mailto:sr-users at lists.sip-router.org>
>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users <http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users>
> 
> -- 
> Daniel-Constantin Mierla
> http://twitter.com/#!/miconda <http://twitter.com/#!/miconda> - http://www.linkedin.com/in/miconda <http://www.linkedin.com/in/miconda>
> Book: SIP Routing With Kamailio - http://www.asipto.com <http://www.asipto.com/>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20151021/639e30c1/attachment.html>


More information about the sr-users mailing list