[Spce-user] Asterisk client issues

Matthew Ogden matthew at tenacit.net
Wed Jan 29 04:16:48 EST 2014


I'm not sure where the proxy case statement is supposed to be. On the 2.8.18
templates, there are no other case statements in the proxy config. (The LB
modification was easy enough to find.)

So not sure which route section it should be in, or what the previous case
statement was checking against.

Kind Regards

> -----Original Message-----
> From: Matthew Ogden [mailto:matthew at tenacit.net]
> Sent: 29 January 2014 11:07 AM
> To: 'Daniel Grotti'; 'spce-user at lists.sipwise.com'
> Subject: RE: [Spce-user] Asterisk client issues
>
> Thanks Daniel
>
> Can I just put this in words of what you have explained to make sure I
> understand?
>
> The proxy is what is checking for the stale nonce. So we make it tag it.
> Then we are modifying the authban on the LB to ignore 401 and 407
> requests that have that flag.
>
> I just wanted to also check, what are the risks of ignoring the stale nonce?
> Since in any event, the DOS attack prevention will still check for someone
> sending too many requests per second anyway? So additional risk is low?
>
> Kind Regards
>
> > -----Original Message-----
> > From: Daniel Grotti [mailto:dgrotti at sipwise.com]
> > Sent: 28 January 2014 04:40 PM
> > To: spce-user at lists.sipwise.com
> > Cc: Matthew Ogden
> > Subject: Re: [Spce-user] Asterisk client issues
> >
> > Of course, sorry, dos...you have the block of the user.
> >
> > You can add a custom header in /proxy/kamailio.cfg.customtt.tt2 in
> > case of stale nonce error, like "NGCP-X: Stale".
> >
> > So then you process the 407 reply on LB kamailio.cfg only if that
> > header is not present.
> >
> > Try to add the following in /proxy/kamailio.cfg.customtt.tt:
> >
> >
> > case -4:
> >       xlog("L_NOTICE", "Authentication failed, stale nonce - [% logreq -%]\n");
> >       append_to_reply("P-NGCP-Stale: yes\r\n");
> >
> >
> >
> >
> > then in lb/kamailio.cfg.customtt.tt2, you can test if the header exists:
> >
> >
> > #!ifdef ENABLE_AUTHCHECK
> >                         if((status == "401" || status == "407") &&
> > is_present_hf("P-NGCP-Authorization") &&
> > !is_present_hf("P-NGCP-Stale"))
> >
> >
> >
> > Daniel
> >
> >
> >
> >
> > On 01/28/2014 03:20 PM, Matthew Ogden wrote:
> > > I don't have many static IP subscribers, though in the case of this
> > > one, it is already in dos_whitelisted_ips of config.yml, but the
> > > nonce issue still happens to it.
> > >
> > >
> > >
> > >> -----Original Message-----
> > >> From: spce-user-bounces at lists.sipwise.com [mailto:spce-user-
> > >> bounces at lists.sipwise.com] On Behalf Of Daniel Grotti
> > >> Sent: 28 January 2014 04:17 PM
> > >> To: spce-user at lists.sipwise.com
> > >> Subject: Re: [Spce-user] Asterisk client issues
> > >>
> > >> Hi Matthew,
> > >> what if you insert your Asterisk's IP in "dos_whitelisted_ips:" line?
> > >>
> > >> Daniel
> > >>
> > >>
> > >>
> > >>
> > >>
> > >>
> > >> On 01/27/2014 04:35 PM, Matthew Ogden wrote:
> > >>> Did you guys end up making a decision on this? I still have
> > >>> Asterisk subscribers causing auth fail with stale nonce situations.
> > >>>
> > >>>
> > >>>
> > >>>
> > >>> On Fri, Jul 19, 2013 at 4:12 PM, Jon Bonilla <jbonilla at sipwise.com
> > >>> <mailto:jbonilla at sipwise.com>> wrote:
> > >>>
> > >>>     On Fri, 19 Jul 2013 16:11:22 +0200
> > >>>     Jon Bonilla (Manwe) <jbonilla at sipwise.com
> > >>>     <mailto:jbonilla at sipwise.com>> wrote:
> > >>>
> > >>>     > On Fri, 19 Jul 2013 16:03:54 +0200
> > >>>     > Matthew Ogden <matthew at tenacit.net
> > >>>     > <mailto:matthew at tenacit.net>> wrote:
> > >>>     >
> > >>>     > > Thanks
> > >>>     > >
> > >>>     > > What will happen if I disable it, and an outside IP attacks using
> > >>>     > > this username?
> > >>>     > >
> > >>>     > > Will they be caught by flooding auth packets?
> > >>>     > >
> > >>>     >
> > >>>     >
> > >>>     > The auth_ban protection checks failed auth attempts from multiple
> > >>>     > destinations and protects against ddos attacks bypassing dos
> > >>>     > protection. These are quite uncommon. The dos protection bans ip
> > >>>     > addresses if they send more than x requests per second. This is
> > >>>     > more useful and it's the most common scenario.
> > >>>     >
> > >>>     > If an ip address tries to bruteforce attack your system, that ip
> > >>>     > address will be banned.
> > >>>     >
> > >>>
> > >>>
> > >>>     Anyways, we're discussing internally if the stale_nonce situation
> > >>>     should be excluded from the auth_check_ban protection for these
> > >>>     situations. We might change the ddos protection a little bit in
> > >>>     future versions
> > >>>
> > >>>
> > >>>
> > >>>
> > >>> _______________________________________________
> > >>> Spce-user mailing list
> > >>> Spce-user at lists.sipwise.com
> > >>> http://lists.sipwise.com/listinfo/spce-user
> > >>>
> > >>
> > >> _______________________________________________
> > >> Spce-user mailing list
> > >> Spce-user at lists.sipwise.com
> > >> http://lists.sipwise.com/listinfo/spce-user
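
An added example, not part of the thread and not taken from the NGCP templates: a small Python model of the LB-side check described above, replayed over constructed traffic to show what exempting stale-nonce replies changes and what the rate-based DoS check still catches. The thresholds, the per-user failure counter and the per-IP rate window are assumptions for illustration, not NGCP's actual values.

```python
from collections import defaultdict, deque

AUTH_FAIL_LIMIT = 3   # assumed auth-ban threshold: counted failures per user
RATE_LIMIT = 5        # assumed DoS threshold: requests per source IP ...
RATE_WINDOW = 1.0     # ... per this many seconds

def counts_as_auth_failure(status, headers, honor_stale=True):
    """LB condition from the thread: a 401/407 carrying P-NGCP-Authorization
    counts toward the ban unless the proxy tagged it P-NGCP-Stale."""
    names = {h.lower() for h in headers}   # SIP header names are case-insensitive
    if status not in (401, 407) or "p-ngcp-authorization" not in names:
        return False
    return not (honor_stale and "p-ngcp-stale" in names)

def replay(events, honor_stale=True):
    """events: (time, src_ip, user, status, header_names), in time order.
    Returns (users hit by the auth ban, IPs hit by the rate check)."""
    fails, recent = defaultdict(int), defaultdict(deque)
    banned_users, banned_ips = set(), set()
    for ts, ip, user, status, headers in events:
        window = recent[ip]
        window.append(ts)
        while ts - window[0] >= RATE_WINDOW:   # drop requests outside the window
            window.popleft()
        if len(window) > RATE_LIMIT:
            banned_ips.add(ip)
        if counts_as_auth_failure(status, headers, honor_stale):
            fails[user] += 1
            if fails[user] >= AUTH_FAIL_LIMIT:
                banned_users.add(user)
    return banned_users, banned_ips

AUTH = "P-NGCP-Authorization"
STALE = "P-NGCP-Stale"
# Constructed sample traffic (documentation IP ranges, made-up users).
SAMPLE = (
    # A PBX re-registering with an expired nonce once a minute.
    [(60.0 * i, "192.0.2.10", "pbx1", 407, [AUTH, STALE]) for i in range(4)]
    # Wrong-password replies for one user: untagged, so they still count.
    + [(300.0 + i, "198.51.100.7", "alice", 407, [AUTH]) for i in range(3)]
    # A burst of stale-nonce replies: exempt from the auth ban, caught by rate.
    + [(400.0 + 0.05 * i, "203.0.113.5", "bob", 407, [AUTH, STALE]) for i in range(10)]
)

if __name__ == "__main__":
    print("stale exempt: ", replay(SAMPLE))
    print("stale counted:", replay(SAMPLE, honor_stale=False))
```

With the exemption, the PBX user is no longer banned, untagged failures still trigger the auth ban, and the burst is stopped by the per-IP rate check rather than the auth counter.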



