[Spce-user] Asterisk client issues

Tue Jan 28 09:40:02 EST 2014

Of course, sorry, dos...you have the block of the user.

You can add a custom header in /proxy/kamailio.cfg.customtt.tt2 in case
of stale nonce error, like "NGCP-X: Stale".

So when you process the 407 reply on LB kamailio.cfg only if that header
is not present.

Try to add the following in /proxy/kamailio.cfg.customtt.tt:

case -4:
      xlog("L_NOTICE", "Authentication failed, stale nonce - [% logreq
-%]\n");
      append_to_reply("P-NGCP-Stale: yes\r\n");

then in lb/kamailio.cfg.customtt.tt2, you can test if the header exist:

#!ifdef ENABLE_AUTHCHECK
                        if((status == "401" || status == "407") &&
is_present_hf("P-NGCP-Authorization") && !is_present_hf("P-NGCP-Stale"))

Daniel

On 01/28/2014 03:20 PM, Matthew Ogden wrote:
> I don't have many static IP subscribers, though in the case of this one,
> it is already in dos_whitelisted_ips of config.yml, but the nonce issue
> still happens to it.
> 
> 
> 
>> -----Original Message-----
>> From: spce-user-bounces at lists.sipwise.com [mailto:spce-user-
>> bounces at lists.sipwise.com] On Behalf Of Daniel Grotti
>> Sent: 28 January 2014 04:17 PM
>> To: spce-user at lists.sipwise.com
>> Subject: Re: [Spce-user] Asterisk client issues
>>
>> Hi Matthew,
>> what if you insert your Asterisk's IP in "dos_whitelisted_ips:" line ?
>>
>> Daniel
>>
>>
>>
>>
>>
>>
>> On 01/27/2014 04:35 PM, Matthew Ogden wrote:
>>> Did you guys end up making a decision on this? I still have Asterisk
>>> subscribers causing auth fail with stale nonce situations.
>>>
>>>
>>>
>>>
>>> On Fri, Jul 19, 2013 at 4:12 PM, Jon Bonilla <jbonilla at sipwise.com
>>> <mailto:jbonilla at sipwise.com>> wrote:
>>>
>>>     El Fri, 19 Jul 2013 16:11:22 +0200
>>>     Jon Bonilla (Manwe) <jbonilla at sipwise.com
>>>     <mailto:jbonilla at sipwise.com>> escribió:
>>>
>>>     > El Fri, 19 Jul 2013 16:03:54 +0200
>>>     > Matthew Ogden <matthew at tenacit.net
>> <mailto:matthew at tenacit.net>>
>>>     escribió:
>>>     >
>>>     > > Thanks
>>>     > >
>>>     > > What will happen if I disable it, and a outside IP attacks
> using
>>>     this
>>>     > > username?
>>>     > >
>>>     > > Will they be caught by flooding auth packets?
>>>     > >
>>>     >
>>>     >
>>>     > The auth_ban protection check failed auth attepmts from multiple
>>>     destinations
>>>     > and protects against ddos attacks bypassing dos protection.
> These
>>>     are quite
>>>     > uncommon. The dos protection bans ip addresses if they send more
>>>     than x
>>>     > requests per second. This is more useful and it's the most
> common
>>>     scenario.
>>>     >
>>>     > If an ip address tries to bruteforce attack your system, that ip
>>>     address will
>>>     > be banned.
>>>     >
>>>
>>>
>>>     Anyways, we're discussing internally if the stale_nonce situation
>>>     should be
>>>     excluded from the auth_check_ban protection for these situations.
> We
>>>     might
>>>     change the ddos protection a little bit in future versions
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Spce-user mailing list
>>> Spce-user at lists.sipwise.com
>>> http://lists.sipwise.com/listinfo/spce-user
>>>
>>
>> _______________________________________________
>> Spce-user mailing list
>> Spce-user at lists.sipwise.com
>> http://lists.sipwise.com/listinfo/spce-user