[SR-Users] Retrieve remote IP and port
Arsen
arsen.semionov at gmail.com
Fri Sep 29 21:51:28 CEST 2017
Yeah this makes the sense, it is possible to spoof the UDP source address,
and various SIP tools have this feature (sipcli, sipp) it's useful for
example for NAT tests, etc.
Attacker actually may perform a DoS attack by spoofing the source IP with
an IP of your DID vendor (for example), so pay attention to jail.conf and
set a whitelist.
Here is how you can try to detect source IP spoof:
if($sel(contact.uri.host) != $si) {
#do sothing here
}
f($sel(via[0].host) != $si ) {
#
}
Regards,
Arsen.
Arsen Semionov
www.eurolan.info
cell: +442035198881
On Fri, Sep 29, 2017 at 5:50 PM, Iskren Hadzhinedev <
iskren.hadzhinedev at ikiji.com> wrote:
> Hi Arsen,
> Someone keeps sending INVITEs to my kamailio box with the From: and To:
> IPs set to the Kamailio box’s public IP.
> I have fail2ban that tracks a log file and bans the IP when pike blocks a
> request 3 times.
> However, the IP that pops up in the log file is the server’s own IP
> address and not the sender’s IP address.
> So let’s say my kamailio box is at 1.2.3.4. I get the following in the log:
>
> ALERT: <script>: Pike block INVITE from sip:7774 at 1.2.3.4 (IP 1.2.3.4:5080)
>
> Which comes from this snippet from my kamailio.cfg:
>
> if (!pike_check_req()) {
> xlog("L_ALERT","Pike block $rm from $fu (IP $si:$sp)\n");
> exit;
> }
>
> This rogue INVITE is certainly not coming from my own server. Running
> tcpdump with header shows the IP of the culprit - 195.154.172.167.
> That can also be seen in the Via: header below. I know I can block the
> sipcli UA, but I’m not comfortable with being unable to log the IP address
> of the sender in case they spoof the UA.
>
> INVITE sip:+443331010095 at 1.2.3.4:5080 SIP/2.0
> To: +443331010095 <+44%20333%20101%200095><sip:+443331010095 at 1.2.3.4>
> From: 7008<sip:7008 at 1.2.3.4>;tag=7650baf5
> Via: SIP/2.0/UDP 195.154.172.167:5074;branch=z9hG4bK-79da852e8e37dc3f58a5f098a089d5b5;rport
> Call-ID: 79da852e8e37dc3f58a5f098a089d5b5
> CSeq: 1 INVITE
> Contact: <sip:7008 at 195.154.172.167:5074>
> Max-Forwards: 70
> Allow: INVITE, ACK, CANCEL, BYE
> User-Agent: sipcli/v1.8
> Content-Type: application/sdp
> Content-Length: 286
>
> So I cannot understand why does $si show 1.2.3.4 instead of the culprit’s
> IP address?
> Hope this makes more sense!
>
> Kind regards,
> Iskren Hadzhinedev
>
> On 29/09/17 13:38, Arsen wrote:
>
> Hi Iskren,
>
> What do you mean by 'true IP address'? The real IP address of a device
> which sends a request?
>
> $si and $sp reference to the source IP address and port of the message,
> "Via" header contains IP address and port of UA and it could be different
> from $si, for example if UA is behind NAT device.
>
>
>
> Arsen Semionov
>
> On Fri, Sep 29, 2017 at 3:05 PM, Iskren Hadzhinedev <
> iskren.hadzhinedev at ikiji.com> wrote:
>
>> Hi list,
>>
>> How can I reliably get the sender’s IP address?
>> $si and $sp are returning the server IP and Port.
>> I also tried using $Ri and $Rp but it yields the same results.
>> Inspecting the packet shows the sender’s true IP:Port pair in the Via:
>> header,
>> but the From: and To: contain the kamailio server’s public IP address.
>>
>> Kind regards,
>>
>> --
>> *Iskren Hadzhinedev*
>>
>> _______________________________________________
>> Kamailio (SER) - Users Mailing List
>> sr-users at lists.kamailio.org
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>
>>
>
>
> _______________________________________________
> Kamailio (SER) - Users Mailing Listsr-users at lists.kamailio.orghttps://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
>
>
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users at lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-users/attachments/20170929/c2346540/attachment.html>
More information about the sr-users
mailing list