[Spce-user] Asterisk client issues

Daniel Grotti dgrotti at sipwise.com
Wed Jan 29 05:58:17 EST 2014


Matthew,
the case is here:

/etc/ngcp-config/templates/etc/kamailio/proxy/kamailio.cfg.tt2

Search for "stale".

The second change you have to make in LB is here:

/etc/ngcp-config/templates/etc/kamailio/lb/kamailio.cfg.tt2


#!ifdef ENABLE_AUTHCHECK
    if((status == "401" || status == "407") &&
       is_present_hf("P-NGCP-Authorization") && !is_present_hf("P-NGCP-Stale"))


adding the last string "&& !is_present_hf("P-NGCP-Stale")", so that it counts
the number of 407s if and only if it's a non-Stale 407.


Daniel




On 01/29/2014 11:17 AM, Daniel Grotti wrote:
> Hi,
> I briefly checked 3.0 templates.
> let me check 2.8.
> 
> Daniel
> 
> 
> 
> 
> On 01/29/2014 10:16 AM, Matthew Ogden wrote:
>> I'm not sure where the proxy case statement is supposed to be, on 2.8.18
>> templates, in proxy config there are no other case statements. (LB
>> modification was easy enough to find)
>>
>> So not sure which route section it should be in, or what the previous case
>> statement was checking against.
>>
>> Kind Regards
>>
>>> -----Original Message-----
>>> From: Matthew Ogden [mailto:matthew at tenacit.net]
>>> Sent: 29 January 2014 11:07 AM
>>> To: 'Daniel Grotti'; 'spce-user at lists.sipwise.com'
>>> Subject: RE: [Spce-user] Asterisk client issues
>>>
>>> Thanks Daniel
>>>
>>> Can I just put this in words of what you have explained to make sure I
>>> understand?
>>>
>>> The proxy is what is checking for the stale nonce.  So we make it tag it.
>>> Then we are modifying the authban on the LB to ignore 401 and 407
>>> requests that have that flag.
>>>
>>> I just wanted to also check, what are the risks of ignoring the stale nonce?
>>> Since in any event, the DOS attack prevention will still check for someone
>>> sending too many requests per second anyway? So the additional risk is low?
>>>
>>> Kind Regards
>>>
>>>> -----Original Message-----
>>>> From: Daniel Grotti [mailto:dgrotti at sipwise.com]
>>>> Sent: 28 January 2014 04:40 PM
>>>> To: spce-user at lists.sipwise.com
>>>> Cc: Matthew Ogden
>>>> Subject: Re: [Spce-user] Asterisk client issues
>>>>
>>>> Of course, sorry, dos...you have the block of the user.
>>>>
>>>> You can add a custom header in /proxy/kamailio.cfg.customtt.tt2 in
>>>> case of stale nonce error, like "NGCP-X: Stale".
>>>>
>>>> So when you process the 407 reply on LB kamailio.cfg only if that
>>>> header is not present.
>>>>
>>>> Try to add the following in /proxy/kamailio.cfg.customtt.tt:
>>>>
>>>>
>>>> case -4:
>>>>       xlog("L_NOTICE", "Authentication failed, stale nonce - [% logreq -%]\n");
>>>>       append_to_reply("P-NGCP-Stale: yes\r\n");
>>>>
>>>>
>>>>
>>>>
>>>> then in lb/kamailio.cfg.customtt.tt2, you can test if the header exists:
>>>>
>>>>
>>>> #!ifdef ENABLE_AUTHCHECK
>>>>                         if((status == "401" || status == "407") &&
>>>> is_present_hf("P-NGCP-Authorization") &&
>>>> !is_present_hf("P-NGCP-Stale"))
>>>>
>>>>
>>>>
>>>> Daniel
>>>>
>>>>
>>>>
>>>>
>>>> On 01/28/2014 03:20 PM, Matthew Ogden wrote:
>>>>> I don't have many static IP subscribers, though in the case of this
>>>>> one, it is already in dos_whitelisted_ips of config.yml, but the
>>>>> nonce issue still happens to it.
>>>>>
>>>>>
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: spce-user-bounces at lists.sipwise.com [mailto:spce-user-
>>>>>> bounces at lists.sipwise.com] On Behalf Of Daniel Grotti
>>>>>> Sent: 28 January 2014 04:17 PM
>>>>>> To: spce-user at lists.sipwise.com
>>>>>> Subject: Re: [Spce-user] Asterisk client issues
>>>>>>
>>>>>> Hi Matthew,
>>>>>> what if you insert your Asterisk's IP in "dos_whitelisted_ips:" line ?
>>>>>>
>>>>>> Daniel
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 01/27/2014 04:35 PM, Matthew Ogden wrote:
>>>>>>> Did you guys end up making a decision on this? I still have
>>>>>>> Asterisk subscribers causing auth fail with stale nonce situations.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Jul 19, 2013 at 4:12 PM, Jon Bonilla <jbonilla at sipwise.com
>>>>>>> <mailto:jbonilla at sipwise.com>> wrote:
>>>>>>>
>>>>>>>     On Fri, 19 Jul 2013 16:11:22 +0200
>>>>>>>     Jon Bonilla (Manwe) <jbonilla at sipwise.com
>>>>>>>     <mailto:jbonilla at sipwise.com>> wrote:
>>>>>>>
>>>>>>>     > On Fri, 19 Jul 2013 16:03:54 +0200
>>>>>>>     > Matthew Ogden <matthew at tenacit.net <mailto:matthew at tenacit.net>>
>>>>>>>     > wrote:
>>>>>>>     >
>>>>>>>     > > Thanks
>>>>>>>     > >
>>>>>>>     > > What will happen if I disable it, and an outside IP attacks using this
>>>>>>>     > > username?
>>>>>>>     > >
>>>>>>>     > > Will they be caught by flooding auth packets?
>>>>>>>     > >
>>>>>>>     >
>>>>>>>     >
>>>>>>>     > The auth_ban protection checks failed auth attempts from multiple destinations
>>>>>>>     > and protects against ddos attacks bypassing dos protection. These are quite
>>>>>>>     > uncommon. The dos protection bans ip addresses if they send more than x
>>>>>>>     > requests per second. This is more useful and it's the most common scenario.
>>>>>>>     >
>>>>>>>     > If an ip address tries to bruteforce attack your system, that ip address will
>>>>>>>     > be banned.
>>>>>>>     >
>>>>>>>
>>>>>>>
>>>>>>>     Anyways, we're discussing internally if the stale_nonce situation should be
>>>>>>>     excluded from the auth_check_ban protection for these situations. We might
>>>>>>>     change the ddos protection a little bit in future versions
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Spce-user mailing list
>>>>>>> Spce-user at lists.sipwise.com
>>>>>>> http://lists.sipwise.com/listinfo/spce-user
>>>>>>>
>>>>>>


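Added example, not part of the original thread and not code from the NGCP templates: a small Python model of the LB condition discussed above, showing how a client that keeps hitting stale nonces is banned by the auth-failure counter without the "P-NGCP-Stale" clause and left alone with it, while ordinary failed attempts are still counted. The ban threshold, the keying of the counter by subscriber name, the header values and the sample replies are all assumptions constructed for illustration.

```python
from collections import defaultdict

BAN_THRESHOLD = 3  # assumed for this example, not an NGCP default

def reply(status, reason, *extra):
    """Build a constructed SIP reply as the LB would see it from the proxy."""
    return "\r\n".join([f"SIP/2.0 {status} {reason}", "CSeq: 1 INVITE", *extra]) + "\r\n\r\n"

def parse_reply(raw):
    """Return (status, headers); header names are lower-cased for lookup."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = lines[0].split(" ", 2)[1]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def counts_as_auth_failure(status, headers, honour_stale=True):
    """Mirror of the LB condition from the thread."""
    if status not in ("401", "407"):
        return False
    if "p-ngcp-authorization" not in headers:
        return False
    # The added clause: a reply the proxy tagged as stale is not a failure.
    return not (honour_stale and "p-ngcp-stale" in headers)

def banned_subscribers(events, honour_stale=True):
    """events: (subscriber, raw_reply) pairs. Keying by subscriber is an assumption."""
    failures = defaultdict(int)
    for subscriber, raw in events:
        status, headers = parse_reply(raw)
        if counts_as_auth_failure(status, headers, honour_stale):
            failures[subscriber] += 1
    return {s for s, n in failures.items() if n >= BAN_THRESHOLD}

# Constructed sample traffic (header values are placeholders).
AUTH = "P-NGCP-Authorization: constructed-value"
STALE = "P-NGCP-Stale: yes"
SAMPLE = (
    [("asterisk-pbx", reply("407", "Proxy Authentication Required", AUTH, STALE))] * 4
    + [("guessed-user", reply("407", "Proxy Authentication Required", AUTH))] * 3
    + [("asterisk-pbx", reply("200", "OK"))]
)

if __name__ == "__main__":
    print("without stale check:", sorted(banned_subscribers(SAMPLE, honour_stale=False)))
    print("with stale check:   ", sorted(banned_subscribers(SAMPLE)))
```
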

