[Kamailio-Users] SIP Digest Access Authentication RELAY survey

Daniel-Constantin Mierla miconda at gmail.com
Thu Jan 15 15:21:43 CET 2009


Hello,

Thanks Klaus and Victor for the details.

With kamailio 1.5 this can be solved in another way, pretty easily -- 
allow users to call only from registered devices.

Check example 2 here:
http://openser.blogspot.com/2008/10/registrar-enhancements.html

The condition can be extended so that you match the received (source 
IP)/contact in the INVITE with the contact in the location record.

So guys, start testing 1.5, it does have a lot of cool new features:
http://www.kamailio.org/dokuwiki/doku.php/features:new-in-1.5.x

Cheers,
Daniel

On 01/15/2009 12:00 PM, Klaus Darilion wrote:
> Hi!
>
> For those who are interested in this attack - I have attached the 
> relevant slides from my SIP security lectures.
>
> regards
> Klaus
>
> PS: an exploit based on sipp scenario files is available too on 
> request (for educational purposes :-)
>
> Klaus Darilion wrote:
>> IIRC to solve this issue completely the UAC should never send 
>> credentials to unknown parties - only to its SIP proxy (some clients 
>> have a "force outbound proxy" feature which does the same). Then the 
>> SIP proxy can remove credentials before forwarding to other parties.
>>
>> As soon as a client sends messages (with credentials) directly to 
>> other parties there is nothing you can do on the proxy side.
>>
>> regards
>> klaus
>>
>> Victor Pascual Ávila wrote:
>>> Hi,
>>> excuse me if this message is not directly related to Kamailio.
>>>
>>> I'm just wondering if folks could share with me if (and how) they have
>>> prevented the "SIP Digest Access Authentication RELAY" in their
>>> networks (and what worked for them or not).
>>> NAT boxes reduce dramatically the scenarios for a successful attack.
>>> Otherwise, some might be mitigating the attack by means of forcing UAs
>>> to use outbound proxies while others might be reducing the attack
>>> incentives by means of message integrity.
>>>
>>> Any comment would be appreciated,
>>
>> _______________________________________________
>> Kamailio (OpenSER) - Users mailing list
>> Users at lists.kamailio.org
>> http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
>> http://lists.openser-project.org/cgi-bin/mailman/listinfo/users

-- 
Daniel-Constantin Mierla
http://www.asipto.com
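The check Daniel describes (accept an INVITE only when its source address or Contact matches an active location record for the caller's address-of-record), as an added example that is not part of the original thread and not Kamailio's own code. It is a plain-Python stand-in for the kamailio.cfg logic so the matching rules can be read and tested on their own; the location table, the requests and the "current time" are constructed, and the strict/lax switch is an assumption made here to show why matching the Contact header alone is weaker than matching the address the request actually came from.

```python
import re
import time
from dataclasses import dataclass

# Constructed example (not Kamailio's own code): "calls only from
# registered devices" expressed in plain Python.

URI_RE = re.compile(
    r"sips?:(?:(?P<user>[^@;>\s]+)@)?(?P<host>[^;:>\s]+)(?::(?P<port>\d+))?"
)


@dataclass
class Binding:
    """One location (usrloc-style) record for an address-of-record."""
    contact: str      # Contact URI taken from the REGISTER
    received: str     # "ip:port" the REGISTER actually came from (NAT aware)
    expires: float    # absolute expiry, seconds since the epoch


def aor_from_header(value):
    """Return user@host from a From/To header value."""
    m = URI_RE.search(value)
    if not m:
        raise ValueError("no SIP URI in header: %r" % value)
    user, host = m.group("user"), m.group("host").lower()
    return "%s@%s" % (user, host) if user else host


def hostport_from_uri(uri, default_port=5060):
    """Return 'host:port' for a SIP URI, or None if there is no URI."""
    m = URI_RE.search(uri or "")
    if not m:
        return None
    return "%s:%s" % (m.group("host").lower(), m.group("port") or default_port)


def parse_request(raw):
    """Split a SIP request into (method, {lower-case header name: value})."""
    lines = raw.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        if line == "":
            break                      # blank line ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers


def from_registered_device(raw, source, location, now=None, strict=True):
    """Decide whether an INVITE may be relayed.

    source   -- "ip:port" the request was received from
    location -- {aor: [Binding, ...]}, the registrar's location table
    strict   -- True: the source address must match a binding (the check
                Daniel suggests).  False: a matching Contact header is also
                accepted; weaker, because the sender chooses its own Contact.
    Returns (allowed, reason).
    """
    now = time.time() if now is None else now
    method, headers = parse_request(raw)
    if method != "INVITE":
        return True, "only INVITE is checked"
    aor = aor_from_header(headers["from"])
    bindings = [b for b in location.get(aor, []) if b.expires > now]
    if not bindings:
        return False, "%s has no active registration" % aor
    for b in bindings:
        # NAT case: 'received' holds the public address; otherwise the
        # contact host:port is what the device registered from.
        if source in (b.received, hostport_from_uri(b.contact)):
            return True, "source %s matches a registration of %s" % (source, aor)
    if not strict:
        contact = hostport_from_uri(headers.get("contact"))
        for b in bindings:
            if contact and contact == hostport_from_uri(b.contact):
                return True, "Contact matches a registration of %s" % aor
    return False, "INVITE for %s from %s matches no registration" % (aor, source)


# Constructed sample data: one NATed user, one whose registration expired.
NOW = 1232000000.0
LOCATION = {
    "alice@example.com": [Binding("sip:alice@10.0.0.5:5060", "203.0.113.7:40123", NOW + 600)],
    "bob@example.com": [Binding("sip:bob@198.51.100.20:5060", "198.51.100.20:5060", NOW - 1)],
}
INVITE_TMPL = (
    "INVITE sip:carol@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP {via};branch=z9hG4bK-1\r\n"
    "From: \"{user}\" <sip:{user}@example.com>;tag=1\r\n"
    "To: <sip:carol@example.com>\r\n"
    "Call-ID: c1@example.com\r\nCSeq: 1 INVITE\r\n"
    "Contact: <sip:{user}@{contact}>\r\nContent-Length: 0\r\n\r\n"
)


def demo():
    """Run the check over a genuine, a spoofed and an expired-user INVITE."""
    genuine = INVITE_TMPL.format(via="10.0.0.5", user="alice", contact="10.0.0.5:5060")
    spoofed = INVITE_TMPL.format(via="198.51.100.9", user="alice", contact="10.0.0.5:5060")
    expired = INVITE_TMPL.format(via="198.51.100.20", user="bob", contact="198.51.100.20:5060")
    return {
        "genuine": from_registered_device(genuine, "203.0.113.7:40123", LOCATION, NOW),
        "spoofed_strict": from_registered_device(spoofed, "198.51.100.9:5060", LOCATION, NOW),
        "spoofed_lax": from_registered_device(spoofed, "198.51.100.9:5060", LOCATION, NOW, strict=False),
        "expired": from_registered_device(expired, "198.51.100.20:5060", LOCATION, NOW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The "spoofed_lax" case is the point of the strict flag: an INVITE arriving from an address that never registered is still accepted once the sender copies the victim's registered Contact into its own request, so the source address (in kamailio.cfg the `$si`/`$sp` pseudo-variables) is what should be compared against the location record, with the Contact header at most an additional condition. A real deployment reads the bindings from the registrar's location table rather than from an inline dict, and the expiry comparison matters: a stale binding must not keep a device authorized after it stopped registering.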
