
Kamailio - SIP Firewall for Carrier Grade Traffic

Date post: 25-May-2015
Upload: daniel-constantin-mierla
Description:
Presentation done at Cluecon 2013, Chicago, USA - using Kamailio for securing carrier grade SIP/VoIP platforms.
Transcript

Kamailio SIP Server

SIP Firewall For Carrier Grade Traffic

Daniel-Constantin Mierla, Co-Founder Kamailio

www.kamailio.org
www.asipto.com

(c) asipto.com

Over 10 Years Evolution (timeline figure; milestone labels recovered from the slide)

• Sep 2001: first line of code, FhG Fokus Institute, Berlin
• 2002: SIP Express Router (SER) released as open source under GPL
• Jun 2005: OpenSER fork
• Jul 2008: rename to Kamailio
• Aug 2008: other forks...
• Nov 2008: same application: Kamailio - SER
• 2009: awarded Best Open Source Networking Software 2009 by InfoWorld
• Jan 2010: v3.0.0, integration completed
• Oct 2010: v3.1.0
• Oct 2011: v3.2.0
• Jun 2012: v3.3.0
• Mar 2013: v4.0.0
• also on the timeline, placement not recoverable from the extraction: v1.5.0, Oct 2009, 10 Years, ITSPA UK Award

Kamailio Source Structure - 3.x.x - Kamailio vs. SER (diagram; labels recovered from the slide)

Kamailio Distribution and SIP Express Router Distribution, sharing the entire source code tree:

• modules_k/ (over 80 modules): acc, acc_radius, alias_db, auth_db, auth_diameter, auth_radius, benchmark, call_control, cfgutils, cpl-c, db_cluster, ...
• modules/ (over 50 modules): app_lua, app_mono, app_python, async, auth, auth_identity, avpops, blst, carrierroute, cfg_db, cfg_rpc, ...
• modules_s/ (over 40 modules): acc_db, acc_radius, acc_syslog, auth_db, auth_radius, avp, avp_db, avp_radius, bdb, cpl-c, db_ops, ...
• core: sip parser, memory manager, config file parser and interpreter, locking system, timers, config variable frameworks
• internal libraries: DB API v1, DB API v2, MI API, JSON, UUID, utils, binrpc

Kamailio Source Structure - 4.x.x (diagram; labels recovered from the slide)

Kamailio Distribution and SIP Express Router Distribution, the entire source code tree:

• modules/ (over 150 modules; the former modules_k/ and modules_s/ are merged into it): app_lua, app_mono, app_python, async, auth, auth_identity, avpops, blst, carrierroute, cfg_db, cfg_rpc, ...
• core: sip parser, memory manager, config file parser and interpreter, locking system, timers, config variable frameworks
• internal libraries: DB API v1, DB API v2, MI API, JSON, UUID, utils, binrpc


2012 - Highlights

• over 10 IMS extensions
• websockets
• generic database clustering
• embedded mono interpreter (C#, Python, Java, ....)
• cassandra connector
• IPv6 review
• embedded MSRP relay
• time recurrence matching
• embedded HTTP RPC/provisioning APIs
• presence/rls/xcap OMA/RCS enhancements
• GRUU
• SIP Outbound
• SCA

http://www.kamailio.org/wiki/features/new-in-3.3.x
http://www.kamailio.org/wiki/features/new-in-4.0.x


2013 - Highlights

• app_java
• sipt
• tm, htable, cfgutils, siputils, snmpstats, usrloc
• dnssec
• cnxcc (prepaid)
• stun
• sctp
• auth_ephemeral (webrtc)
• debugger (log pv assignment)

http://www.kamailio.org/wiki/features/new-in-devel

Development statistics (chart slide)

http://conference.kamailio.com

Among next cool things:

Routing SIP with Kamailio
by Daniel-Constantin Mierla and Elena-Ramona Modroiu

Book Details - http://asipto.com/u/kab

Evolution
• started last year for v3.3.x
• target: getting started guide and typical use cases
• delayed by the decision to complete the Kamailio-SER integration (then Kamailio World)
  • last modules merged, some renamed
  • significant changes in the installation process

Nowadays
• existing content: over 280 pages (A4), apart from ToC, 22 chapters
• roadmap to full release: 3-5 new chapters
  • check the 3.3 to 4.0 updates
  • examples enhanced with SIP traces
  • reviews (both native and non-native English speakers)

Selling
• electronic format (e.g., pdf, ebook), later paper format (if such interest)
• plans to make it available to purchase before full release
• if all goes as expected - as soon as mid-August 2013

SIP Firewall For Carrier Grade Traffic

blocking unwanted traffic


Everyone is evil in the

world wild sipnet!


request_route {
    drop;
}

reply_route {
    drop;
}

Full Kamailio Config to Deal With


Problem completely solved!

Thank you, questions?


Trying to get friendlier - DoS Attacks

• bandwidth
• cpu
• memory
• MONEY

Attacks

• malicious attacks
  • for direct attacker benefits: get access to the host and call for free
  • for damages on target (or fame): consume resources on target
• involuntary attacks
  • client side: broken clients
  • server side: misconfigurations (e.g., too low max expire time)

‘Undisclosed’ sources have demonstrated that the root of the issues in computer science resides in between chair and keyboard.

Flood Detection and Blocking IP Addresses

Problem
• unexpectedly high volume of SIP traffic from the same IP address

Situations
• someone tries to gain access to the server
• misconfigured devices

Solution
• keep the list of banned IP addresses in memory (hash table via htable module)
  • items in the hash table are automatically deleted if their values are not updated for a while
• if the source IP of the SIP packet matches a key in the hash table, then stop processing
  • simply drop, no SIP response (save the bandwidth)
  • sending a 200 OK response makes the attacker believe that it has succeeded
• if not, then count the number of packets per configured time interval
  • if the limit is exceeded, stop processing and add the source IP to the hash table

Consideration
• skip trusted peers from checking (trunks, PSTN gateways, media servers, ...)
• do it very early in the processing path, at the top of the routing logic

Flood Detection and Blocking IP Addresses

the configuration

loadmodule "htable.so"
loadmodule "pike.so"

# ----- pike params -----
modparam("pike", "sampling_time_unit", 2)
modparam("pike", "reqs_density_per_unit", 24)
modparam("pike", "remove_latency", 4)

# ----- htable params -----
# ip ban htable with autoexpire after 5 minutes
modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")

the routing logic

if(src_ip!=__TRUSTED__) {
    if($sht(ipban=>$si)!=$null) {
        # ip is already blocked
        xdbg("request from blocked IP - $rm from $fu (IP:$si:$sp)\n");
        exit;
    }
    if (!pike_check_req()) {
        xlog("L_ALERT","ALERT: pike blocking $rm from $fu (IP:$si:$sp)\n");
        $sht(ipban=>$si) = 1;
        exit;
    }
}
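As an added example (not code from the slides, from Kamailio or from the pike module), a Python model of the gate described above: a per-IP counting window with the slide's thresholds, a ban table whose entries lapse like htable autoexpire, and a trusted-peer bypass. The addresses and the burst are constructed; the window logic is a simplification of what pike actually does.

```python
"""Model of the slide's flood gate (added example, not Kamailio or pike code):
a fixed window counts requests per source IP; once the count exceeds the
limit, the IP enters a ban table whose entries lapse BAN_AUTOEXPIRE seconds
after they were set, like an htable entry that is never refreshed.
Trusted peers bypass both checks. Values mirror the slide's settings."""
from collections import defaultdict

TRUSTED = {"10.0.0.5"}          # constructed: trunks, gateways, media servers
SAMPLING_TIME_UNIT = 2.0        # slide: pike sampling_time_unit
REQS_DENSITY_PER_UNIT = 24      # slide: pike reqs_density_per_unit
BAN_AUTOEXPIRE = 300.0          # slide: ipban autoexpire=300


class FloodGate:
    def __init__(self):
        self.window = defaultdict(lambda: [0.0, 0])  # ip -> [window_start, count]
        self.ipban = {}                              # ip -> time the ban was set

    def check(self, src_ip, now):
        """Return 'pass', 'drop' (already banned) or 'ban' (limit just exceeded)."""
        if src_ip in TRUSTED:
            return "pass"
        banned_at = self.ipban.get(src_ip)
        if banned_at is not None:
            if now - banned_at < BAN_AUTOEXPIRE:
                return "drop"        # silent: no reply, no bandwidth spent
            del self.ipban[src_ip]   # autoexpire: the ban lapsed
        start, count = self.window[src_ip]
        if now - start >= SAMPLING_TIME_UNIT:
            start, count = now, 0    # begin a new counting window
        count += 1
        self.window[src_ip] = [start, count]
        if count > REQS_DENSITY_PER_UNIT:
            self.ipban[src_ip] = now
            return "ban"
        return "pass"


def simulate(packets):
    """Run constructed (src_ip, timestamp) packets through one gate, in order."""
    gate = FloodGate()
    return [gate.check(ip, t) for ip, t in packets]


# constructed burst: 30 requests from one host within 1.9 seconds
BURST = [("192.0.2.10", i * 0.0625) for i in range(30)]
```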

Dictionary Attack Detection and Blocking Users

Problem
• unexpected number of failed authentications for various users

Situations
• someone tries to guess passwords for legit users
• misconfigured devices

Solution
• keep the list of blocked usernames in memory (again via htable module)
  • items in the hash table are automatically deleted if their values are not updated for a while
  • along with the username, store the timestamp of the last failed authentication and the number of failed authentications in a row
• if the request has auth headers and the username is found in the hash table, then
  • if the last failed authentication is older than a predefined interval of time, give the user another chance
  • otherwise forbid the traffic without any authentication challenge sent back
• if not found in the hash table, then authenticate
  • if credentials mismatch, then increase the authentication failure counter and update the last authentication failure timestamp
  • if the authentication failure attempts limit is reached, don't challenge back
  • if authentication is ok, reset the counter

Dictionary Attack Detection and Blocking Users

the configuration

# user ban htable; an entry disappears autoexpire seconds after its last update,
# so the effective lock-out is bounded by autoexpire as well as by the 900 s check below
modparam("htable", "htable", "userban=>size=8;autoexpire=300;")

the routing logic

if(is_present_hf("Authorization") || is_present_hf("Proxy-Authorization")) {
    if($sht(userban=>$au::auth_count)==3) {
        $var(exp) = $Ts - 900;
        if($sht(userban=>$au::last_auth) > $var(exp)) {
            sl_send_reply("403", "Try later");
            exit;
        } else {
            $sht(userban=>$au::auth_count) = 0;
        }
    }
}

# authenticate requests
auth_check("$fd", "subscriber", "1");
$var(rc) = $rc;
if($var(rc)<0) {
    switch($var(rc)) {
        case -1:
            sl_send_reply("403", "Forbidden");
            exit;
        case -2:
            $var(auth_count) = $shtinc(userban=>$au::auth_count);
            if($var(auth_count) == 3)
                xlog("auth failed 3rd time - src ip: $si\n");
            $sht(userban=>$au::last_auth) = $Ts;
            break;
    }
    auth_challenge("$fd", "0");
    exit;
}
$sht(userban=>$au::auth_count) = 0;
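As an added example (not code from the slides or from Kamailio), a Python model of the lock-out logic above: a per-username failure counter and last-failure timestamp, a refusal without challenge after the third failure, and the retry window after which the user gets another chance. The subscriber table and usernames are constructed.

```python
"""Model of the slide's failed-authentication gate (added example, not
Kamailio code). Per username it keeps the consecutive failure count and
the time of the last failure, as the userban htable does. Once the count
reaches MAX_FAILURES, a request carrying credentials gets 403 with no new
challenge until RETRY_AFTER seconds have passed since the last failure."""
MAX_FAILURES = 3        # slide: $sht(userban=>$au::auth_count) == 3
RETRY_AFTER = 900       # slide: $var(exp) = $Ts - 900

# constructed subscriber table: username -> password (plaintext only for the model)
SUBSCRIBERS = {"alice": "s3cret-alice", "bob": "s3cret-bob"}


class AuthGate:
    def __init__(self):
        self.userban = {}   # username -> {"auth_count": int, "last_auth": timestamp}

    def handle(self, username, password, now):
        """Reply the proxy would send: '401' (challenge), '403' or 'ok'."""
        if password is None:
            return "401"                  # no credentials yet: challenge as usual
        entry = self.userban.get(username)
        if entry and entry["auth_count"] >= MAX_FAILURES:
            if now - entry["last_auth"] < RETRY_AFTER:
                return "403"              # locked out: refuse without a challenge
            entry["auth_count"] = 0       # interval passed: another chance
        if username not in SUBSCRIBERS:
            return "403"                  # auth_check -1: unknown user
        if SUBSCRIBERS[username] != password:
            entry = self.userban.setdefault(username, {"auth_count": 0, "last_auth": 0})
            entry["auth_count"] += 1      # auth_check -2: like $shtinc(...)
            entry["last_auth"] = now
            return "401"                  # wrong password: challenge again
        if entry:
            entry["auth_count"] = 0       # authentication ok: reset the counter
        return "ok"
```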

Limiting the Number of Active Calls Per User

Problem
• an attacker could eventually get access in one way or another (e.g., social engineering), then limit the damages as much as possible

Situations
• lots of active calls from the same user, which physically could not do that

Solution
• keep a lightweight list of active calls in memory (again via htable module)
  • items in the hash table are automatically deleted if their values are not updated for a while (cope with missing BYE cases)
  • items are added when the call is initiated
  • items are removed if there is no positive answer for the INVITE or in case of BYE
• carrier grade => lightweight dialog tracking
  • Call-ID is the key for the hash table
  • the value of items in the hash table is the caller id (username)
• when a new call comes in, count the values in the hash table that match the caller id
  • if the limit is not reached, add a new item, otherwise deny the call

Limiting the Number of Active Calls Per User

the configuration

modparam("htable", "htable", "acalls=>size=8;autoexpire=7200;")
modparam("cfgutils", "lock_set_size", 8)

the routing logic

# limit to maximum 3 active calls per user
route[ACLIMIT] {
    if(is_method("INVITE") && !has_totag()) {
        lock("$fU");
        $var(ac) = $shtcv(acalls=>eq$fU);
        if($var(ac) >= 3) {
            unlock("$fU");
            send_reply("403", "Too many active calls");
            exit;
        }
        $sht(acalls=>$ci) = $fU;
        unlock("$fU");
    }
}

request_route {
    ....
    route(ACLIMIT);
    route(RELAY);
}

request_route {
    ....
    if(is_method("BYE")) {
        $sht(acalls=>$ci) = $null;
    }
    ....
}

reply_route {
    ....
    if(is_method("INVITE") && $rs>=300) {
        $sht(acalls=>$ci) = $null;
    }
    ....
}
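As an added example (not code from the slides or from Kamailio), a Python model of the Call-ID keyed tracking above: count-then-add on the initial INVITE, removal on BYE or on a negative final reply, and an autoexpire purge for calls whose BYE never arrived. Call-IDs and usernames are constructed; the model is single-threaded, so the slide's lock()/unlock() pair is omitted.

```python
"""Model of the slide's lightweight active-call tracking (added example,
not Kamailio code). The table is keyed by Call-ID and stores the caller
username plus the time of the entry's last update; entries older than
AUTOEXPIRE are purged so calls whose BYE never arrived stop counting."""
MAX_ACTIVE_CALLS = 3     # slide: $var(ac) >= 3 denies the INVITE
AUTOEXPIRE = 7200        # slide: acalls=>autoexpire=7200


class CallLimiter:
    def __init__(self):
        self.acalls = {}    # call_id -> (caller_username, last_update)

    def _purge(self, now):
        """Drop entries not updated for AUTOEXPIRE seconds (htable autoexpire)."""
        self.acalls = {cid: v for cid, v in self.acalls.items()
                       if now - v[1] < AUTOEXPIRE}

    def active_calls(self, caller, now):
        """Count entries whose value is this caller, like $shtcv(acalls=>eq$fU)."""
        self._purge(now)
        return sum(1 for c, _ in self.acalls.values() if c == caller)

    def on_invite(self, call_id, caller, now):
        """Initial INVITE (no To-tag): '403' at the limit, otherwise 'relay'."""
        if self.active_calls(caller, now) >= MAX_ACTIVE_CALLS:
            return "403"                     # Too many active calls
        self.acalls[call_id] = (caller, now)
        return "relay"

    def on_bye(self, call_id):
        """BYE seen in request_route: the call is over."""
        self.acalls.pop(call_id, None)

    def on_invite_reply(self, call_id, status):
        """Reply to the INVITE seen in reply_route: >= 300 means no call."""
        if status >= 300:
            self.acalls.pop(call_id, None)
```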

Remarks

One of the Kamailio laws: if the htable module is not used, something might go wrong with your deployment (and business) at a point in time.

The target for the solutions was:
• rely on Kamailio only
• use lightweight solutions that scale a lot

Alternatives
• real time integration with the firewall for DoS protection using fail2ban
  http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack
• active calls tracking
  • dialog module: stores a lot of details for each call, but can detect when a call is down (OPTIONS keepalives within the dialog); it is not a back-to-back user agent (i.e., cseq numbers of the dialog are not updated)
  • in-memory SQL tables via the sqlops module: easy to customize, make reports and specify what details are stored per dialog