[Spce-user] Asterisk client issues

Daniel Grotti dgrotti at sipwise.com
Wed Jan 29 05:17:22 EST 2014 

Hi,
I briefly checked 3.0 templates.
let me check 2.8.

Daniel




On 01/29/2014 10:16 AM, Matthew Ogden wrote:
> I'm not sure where the proxy case statement is supposed to be, on 2.8.18
> templates, in proxy config there is no other case statements. (LB
> modification was easy enough to find)
> 
> So not sure which route section it should be in, or what the previous case
> statement was checking against.
> 
> Kind Regards
> 
>> -----Original Message-----
>> From: Matthew Ogden [mailto:matthew at tenacit.net]
>> Sent: 29 January 2014 11:07 AM
>> To: 'Daniel Grotti'; 'spce-user at lists.sipwise.com'
>> Subject: RE: [Spce-user] Asterisk client issues
>>
>> Thanks Daniel
>>
>> Can I just put this in words of what you have explained to make sure I
>> understand?
>>
>> The proxy is what is checking the for the stale nonce.  So we make it
> tag it.
>> Then we are modifying the authban on the LB to ignore 401 and 407
>> requests that have that flag.
>>
>> I just wanted to also check, what are the risks of ingoring the stale
> nonce?
>> Since in any event, the DOS attack prevention will still check for
> someone
>> sending too many requests per second anyway? So additional risks is low?
>>
>> Kind Regards
>>
>>> -----Original Message-----
>>> From: Daniel Grotti [mailto:dgrotti at sipwise.com]
>>> Sent: 28 January 2014 04:40 PM
>>> To: spce-user at lists.sipwise.com
>>> Cc: Matthew Ogden
>>> Subject: Re: [Spce-user] Asterisk client issues
>>>
>>> Of course, sorry, dos...you have the block of the user.
>>>
>>> You can add a custom header in /proxy/kamailio.cfg.customtt.tt2 in
>>> case of stale nonce error, like "NGCP-X: Stale".
>>>
>>> So when you process the 407 reply on LB kamailio.cfg only if that
>>> header is not present.
>>>
>>> Try to add the following in /proxy/kamailio.cfg.customtt.tt:
>>>
>>>
>>> case -4:
>>>       xlog("L_NOTICE", "Authentication failed, stale nonce - [% logreq
> -%]\n");
>>>       append_to_reply("P-NGCP-Stale: yes\r\n");
>>>
>>>
>>>
>>>
>>> then in lb/kamailio.cfg.customtt.tt2, you can test if the header
> exist:
>>>
>>>
>>> #!ifdef ENABLE_AUTHCHECK
>>>                         if((status == "401" || status == "407") &&
>>> is_present_hf("P-NGCP-Authorization") &&
>>> !is_present_hf("P-NGCP-Stale"))
>>>
>>>
>>>
>>> Daniel
>>>
>>>
>>>
>>>
>>> On 01/28/2014 03:20 PM, Matthew Ogden wrote:
>>>> I don't have many static IP subscribers, though in the case of this
>>>> one, it is already in dos_whitelisted_ips of config.yml, but the
>>>> nonce issue still happens to it.
>>>>
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: spce-user-bounces at lists.sipwise.com [mailto:spce-user-
>>>>> bounces at lists.sipwise.com] On Behalf Of Daniel Grotti
>>>>> Sent: 28 January 2014 04:17 PM
>>>>> To: spce-user at lists.sipwise.com
>>>>> Subject: Re: [Spce-user] Asterisk client issues
>>>>>
>>>>> Hi Matthew,
>>>>> what if you insert your Asterisk's IP in "dos_whitelisted_ips:"
> line ?
>>>>>
>>>>> Daniel
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 01/27/2014 04:35 PM, Matthew Ogden wrote:
>>>>>> Did you guys end up making a decision on this? I still have
>>>>>> Asterisk subscribers causing auth fail with stale nonce
> situations.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Fri, Jul 19, 2013 at 4:12 PM, Jon Bonilla <jbonilla at sipwise.com
>>>>>> <mailto:jbonilla at sipwise.com>> wrote:
>>>>>>
>>>>>>     El Fri, 19 Jul 2013 16:11:22 +0200
>>>>>>     Jon Bonilla (Manwe) <jbonilla at sipwise.com
>>>>>>     <mailto:jbonilla at sipwise.com>> escribió:
>>>>>>
>>>>>>     > El Fri, 19 Jul 2013 16:03:54 +0200
>>>>>>     > Matthew Ogden <matthew at tenacit.net
>>>>> <mailto:matthew at tenacit.net>>
>>>>>>     escribió:
>>>>>>     >
>>>>>>     > > Thanks
>>>>>>     > >
>>>>>>     > > What will happen if I disable it, and a outside IP attacks
>>>> using
>>>>>>     this
>>>>>>     > > username?
>>>>>>     > >
>>>>>>     > > Will they be caught by flooding auth packets?
>>>>>>     > >
>>>>>>     >
>>>>>>     >
>>>>>>     > The auth_ban protection check failed auth attepmts from
> multiple
>>>>>>     destinations
>>>>>>     > and protects against ddos attacks bypassing dos protection.
>>>> These
>>>>>>     are quite
>>>>>>     > uncommon. The dos protection bans ip addresses if they send
>> more
>>>>>>     than x
>>>>>>     > requests per second. This is more useful and it's the most
>>>> common
>>>>>>     scenario.
>>>>>>     >
>>>>>>     > If an ip address tries to bruteforce attack your system,
> that ip
>>>>>>     address will
>>>>>>     > be banned.
>>>>>>     >
>>>>>>
>>>>>>
>>>>>>     Anyways, we're discussing internally if the stale_nonce
> situation
>>>>>>     should be
>>>>>>     excluded from the auth_check_ban protection for these
> situations.
>>>> We
>>>>>>     might
>>>>>>     change the ddos protection a little bit in future versions
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Spce-user mailing list
>>>>>> Spce-user at lists.sipwise.com
>>>>>> http://lists.sipwise.com/listinfo/spce-user
>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Spce-user mailing list
>>>>> Spce-user at lists.sipwise.com
>>>>> http://lists.sipwise.com/listinfo/spce-user

More information about the Spce-user mailing list