[Spce-user] Asterisk client issues

Daniel Grotti dgrotti at sipwise.com
Wed Jan 29 05:16:44 EST 2014


Hi Matthew,
there is no risk in excluding stale nonce from the DDOS check, because the
stale nonce error appears only for registered subscribers trying to update
their registration.
The DOS attack will continue to work as usual.

Daniel




On 01/29/2014 10:07 AM, Matthew Ogden wrote:
> Thanks Daniel
> 
> Can I just put this in words of what you have explained to make sure I
> understand?
> 
> The proxy is what is checking for the stale nonce.  So we make it tag
> it. Then we are modifying the authban on the LB to ignore 401 and 407
> requests that have that flag.
> 
> I just wanted to also check, what are the risks of ignoring the stale
> nonce? Since in any event, the DOS attack prevention will still check for
> someone sending too many requests per second anyway? So the additional
> risk is low?
> 
> Kind Regards
> 
>> -----Original Message-----
>> From: Daniel Grotti [mailto:dgrotti at sipwise.com]
>> Sent: 28 January 2014 04:40 PM
>> To: spce-user at lists.sipwise.com
>> Cc: Matthew Ogden
>> Subject: Re: [Spce-user] Asterisk client issues
>>
>> Of course, sorry, dos...you have the block of the user.
>>
>> You can add a custom header in /proxy/kamailio.cfg.customtt.tt2 in case of
>> stale nonce error, like "NGCP-X: Stale".
>>
>> So you process the 407 reply on LB kamailio.cfg only if that header is
>> not present.
>>
>> Try to add the following in /proxy/kamailio.cfg.customtt.tt:
>>
>>
>> case -4:
>>       xlog("L_NOTICE", "Authentication failed, stale nonce - [% logreq -%]\n");
>>       append_to_reply("P-NGCP-Stale: yes\r\n");
>>
>>
>>
>>
>> then in lb/kamailio.cfg.customtt.tt2, you can test if the header exists:
>>
>>
>> #!ifdef ENABLE_AUTHCHECK
>>                         if((status == "401" || status == "407") &&
>> is_present_hf("P-NGCP-Authorization") && !is_present_hf("P-NGCP-Stale"))
>>
>>
>>
>> Daniel
>>
>>
>>
>>
>> On 01/28/2014 03:20 PM, Matthew Ogden wrote:
>>> I don't have many static IP subscribers, though in the case of this
>>> one, it is already in dos_whitelisted_ips of config.yml, but the nonce
>>> issue still happens to it.
>>>
>>>
>>>
>>>> -----Original Message-----
>>>> From: spce-user-bounces at lists.sipwise.com [mailto:spce-user-
>>>> bounces at lists.sipwise.com] On Behalf Of Daniel Grotti
>>>> Sent: 28 January 2014 04:17 PM
>>>> To: spce-user at lists.sipwise.com
>>>> Subject: Re: [Spce-user] Asterisk client issues
>>>>
>>>> Hi Matthew,
>>>> what if you insert your Asterisk's IP in "dos_whitelisted_ips:" line?
>>>>
>>>> Daniel
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 01/27/2014 04:35 PM, Matthew Ogden wrote:
>>>>> Did you guys end up making a decision on this? I still have Asterisk
>>>>> subscribers causing auth fail with stale nonce situations.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Jul 19, 2013 at 4:12 PM, Jon Bonilla <jbonilla at sipwise.com> wrote:
>>>>>
>>>>>     On Fri, 19 Jul 2013 16:11:22 +0200,
>>>>>     Jon Bonilla (Manwe) <jbonilla at sipwise.com> wrote:
>>>>>
>>>>>     > On Fri, 19 Jul 2013 16:03:54 +0200,
>>>>>     > Matthew Ogden <matthew at tenacit.net> wrote:
>>>>>     >
>>>>>     > > Thanks
>>>>>     > >
>>>>>     > > What will happen if I disable it, and an outside IP attacks using
>>>>>     > > this username?
>>>>>     > >
>>>>>     > > Will they be caught by flooding auth packets?
>>>>>     > >
>>>>>     >
>>>>>     > The auth_ban protection checks failed auth attempts from multiple
>>>>>     > destinations and protects against ddos attacks bypassing dos
>>>>>     > protection. These are quite uncommon. The dos protection bans ip
>>>>>     > addresses if they send more than x requests per second. This is more
>>>>>     > useful and it's the most common scenario.
>>>>>     >
>>>>>     > If an ip address tries to bruteforce attack your system, that ip
>>>>>     > address will be banned.
>>>>>     >
>>>>>
>>>>>     Anyways, we're discussing internally if the stale_nonce situation
>>>>>     should be excluded from the auth_check_ban protection for these
>>>>>     situations. We might change the ddos protection a little bit in
>>>>>     future versions
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Spce-user mailing list
>>>>> Spce-user at lists.sipwise.com
>>>>> http://lists.sipwise.com/listinfo/spce-user
>>>>>
>>>>
>>>> _______________________________________________
>>>> Spce-user mailing list
>>>> Spce-user at lists.sipwise.com
>>>> http://lists.sipwise.com/listinfo/spce-user
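
Added example, not part of the original thread and not Sipwise code: a Python model of the LB-side test quoted above (401/407 carrying P-NGCP-Authorization and lacking P-NGCP-Stale), run over constructed replies. The ban threshold, counting failures per P-NGCP-Authorization value, and the sample addresses are assumptions made for the illustration.

```python
# Added illustration, not Sipwise code: a Python model of the LB-side test
# quoted in this thread. Threshold, ban key and sample replies are assumptions.
from collections import Counter

AUTH_BAN_THRESHOLD = 3  # assumed for the demo, not an NGCP default


def parse_reply(raw: bytes):
    """Return (status, {lowercased header name: value}) for a SIP reply."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("utf-8", "replace")
    lines = head.split("\r\n")
    status = lines[0].split(" ", 2)[1]  # e.g. "SIP/2.0 401 Unauthorized"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def failed_auth_user(raw: bytes):
    """Return the P-NGCP-Authorization value if the reply counts toward the
    auth ban (401/407, header present, no P-NGCP-Stale tag), else None."""
    status, headers = parse_reply(raw)
    if status in ("401", "407") and "p-ngcp-stale" not in headers:
        return headers.get("p-ngcp-authorization")
    return None


def banned_users(replies, threshold=AUTH_BAN_THRESHOLD):
    """Count qualifying failures per user and return those at the threshold."""
    failures = Counter()
    for raw in replies:
        user = failed_auth_user(raw)
        if user is not None:
            failures[user] += 1
    return {user for user, n in failures.items() if n >= threshold}


def make_reply(status, user, stale=False):
    """Build a constructed sample reply as the proxy would hand it to the LB."""
    lines = [f"SIP/2.0 {status} Unauthorized", f"P-NGCP-Authorization: {user}"]
    if stale:
        lines.append("P-NGCP-Stale: yes")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


# Constructed input: five stale-nonce replies, then three real auth failures.
SAMPLE = ([make_reply(401, "asterisk1@example.org", stale=True)] * 5
          + [make_reply(407, "victim@example.org")] * 3)
```

The five tagged replies never reach the counter, while the three untagged failures still hit the threshold.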



