[Spce-user] Asterisk client issues

Matthew Ogden matthew at tenacit.net
Fri Jan 31 08:15:29 EST 2014 

Hi Daniel,

Did you manage to check that out in 2.8?

REgards

> -----Original Message-----
> From: Daniel Grotti [mailto:dgrotti at sipwise.com]
> Sent: 29 January 2014 12:17 PM
> To: spce-user at lists.sipwise.com
> Cc: Matthew Ogden
> Subject: Re: [Spce-user] Asterisk client issues
>
> Hi,
> I briefly checked 3.0 templates.
> let me check 2.8.
>
> Daniel
>
>
>
>
> On 01/29/2014 10:16 AM, Matthew Ogden wrote:
> > I'm not sure where the proxy case statement is supposed to be, on
> > 2.8.18 templates, in proxy config there is no other case statements.
> > (LB modification was easy enough to find)
> >
> > So not sure which route section it should be in, or what the previous
> > case statement was checking against.
> >
> > Kind Regards
> >
> >> -----Original Message-----
> >> From: Matthew Ogden [mailto:matthew at tenacit.net]
> >> Sent: 29 January 2014 11:07 AM
> >> To: 'Daniel Grotti'; 'spce-user at lists.sipwise.com'
> >> Subject: RE: [Spce-user] Asterisk client issues
> >>
> >> Thanks Daniel
> >>
> >> Can I just put this in words of what you have explained to make sure
> >> I understand?
> >>
> >> The proxy is what is checking the for the stale nonce.  So we make it
> > tag it.
> >> Then we are modifying the authban on the LB to ignore 401 and 407
> >> requests that have that flag.
> >>
> >> I just wanted to also check, what are the risks of ingoring the stale
> > nonce?
> >> Since in any event, the DOS attack prevention will still check for
> > someone
> >> sending too many requests per second anyway? So additional risks is
low?
> >>
> >> Kind Regards
> >>
> >>> -----Original Message-----
> >>> From: Daniel Grotti [mailto:dgrotti at sipwise.com]
> >>> Sent: 28 January 2014 04:40 PM
> >>> To: spce-user at lists.sipwise.com
> >>> Cc: Matthew Ogden
> >>> Subject: Re: [Spce-user] Asterisk client issues
> >>>
> >>> Of course, sorry, dos...you have the block of the user.
> >>>
> >>> You can add a custom header in /proxy/kamailio.cfg.customtt.tt2 in
> >>> case of stale nonce error, like "NGCP-X: Stale".
> >>>
> >>> So when you process the 407 reply on LB kamailio.cfg only if that
> >>> header is not present.
> >>>
> >>> Try to add the following in /proxy/kamailio.cfg.customtt.tt:
> >>>
> >>>
> >>> case -4:
> >>>       xlog("L_NOTICE", "Authentication failed, stale nonce - [%
> >>> logreq
> > -%]\n");
> >>>       append_to_reply("P-NGCP-Stale: yes\r\n");
> >>>
> >>>
> >>>
> >>>
> >>> then in lb/kamailio.cfg.customtt.tt2, you can test if the header
> > exist:
> >>>
> >>>
> >>> #!ifdef ENABLE_AUTHCHECK
> >>>                         if((status == "401" || status == "407") &&
> >>> is_present_hf("P-NGCP-Authorization") &&
> >>> !is_present_hf("P-NGCP-Stale"))
> >>>
> >>>
> >>>
> >>> Daniel
> >>>
> >>>
> >>>
> >>>
> >>> On 01/28/2014 03:20 PM, Matthew Ogden wrote:
> >>>> I don't have many static IP subscribers, though in the case of this
> >>>> one, it is already in dos_whitelisted_ips of config.yml, but the
> >>>> nonce issue still happens to it.
> >>>>
> >>>>
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: spce-user-bounces at lists.sipwise.com [mailto:spce-user-
> >>>>> bounces at lists.sipwise.com] On Behalf Of Daniel Grotti
> >>>>> Sent: 28 January 2014 04:17 PM
> >>>>> To: spce-user at lists.sipwise.com
> >>>>> Subject: Re: [Spce-user] Asterisk client issues
> >>>>>
> >>>>> Hi Matthew,
> >>>>> what if you insert your Asterisk's IP in "dos_whitelisted_ips:"
> > line ?
> >>>>>
> >>>>> Daniel
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> On 01/27/2014 04:35 PM, Matthew Ogden wrote:
> >>>>>> Did you guys end up making a decision on this? I still have
> >>>>>> Asterisk subscribers causing auth fail with stale nonce
> > situations.
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> On Fri, Jul 19, 2013 at 4:12 PM, Jon Bonilla
> >>>>>> <jbonilla at sipwise.com <mailto:jbonilla at sipwise.com>> wrote:
> >>>>>>
> >>>>>>     El Fri, 19 Jul 2013 16:11:22 +0200
> >>>>>>     Jon Bonilla (Manwe) <jbonilla at sipwise.com
> >>>>>>     <mailto:jbonilla at sipwise.com>> escribió:
> >>>>>>
> >>>>>>     > El Fri, 19 Jul 2013 16:03:54 +0200
> >>>>>>     > Matthew Ogden <matthew at tenacit.net
> >>>>> <mailto:matthew at tenacit.net>>
> >>>>>>     escribió:
> >>>>>>     >
> >>>>>>     > > Thanks
> >>>>>>     > >
> >>>>>>     > > What will happen if I disable it, and a outside IP
> >>>>>> attacks
> >>>> using
> >>>>>>     this
> >>>>>>     > > username?
> >>>>>>     > >
> >>>>>>     > > Will they be caught by flooding auth packets?
> >>>>>>     > >
> >>>>>>     >
> >>>>>>     >
> >>>>>>     > The auth_ban protection check failed auth attepmts from
> > multiple
> >>>>>>     destinations
> >>>>>>     > and protects against ddos attacks bypassing dos protection.
> >>>> These
> >>>>>>     are quite
> >>>>>>     > uncommon. The dos protection bans ip addresses if they send
> >> more
> >>>>>>     than x
> >>>>>>     > requests per second. This is more useful and it's the most
> >>>> common
> >>>>>>     scenario.
> >>>>>>     >
> >>>>>>     > If an ip address tries to bruteforce attack your system,
> > that ip
> >>>>>>     address will
> >>>>>>     > be banned.
> >>>>>>     >
> >>>>>>
> >>>>>>
> >>>>>>     Anyways, we're discussing internally if the stale_nonce
> > situation
> >>>>>>     should be
> >>>>>>     excluded from the auth_check_ban protection for these
> > situations.
> >>>> We
> >>>>>>     might
> >>>>>>     change the ddos protection a little bit in future versions
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> Spce-user mailing list
> >>>>>> Spce-user at lists.sipwise.com
> >>>>>> http://lists.sipwise.com/listinfo/spce-user
> >>>>>>
> >>>>>
> >>>>> _______________________________________________
> >>>>> Spce-user mailing list
> >>>>> Spce-user at lists.sipwise.com
> >>>>> http://lists.sipwise.com/listinfo/spce-user

More information about the Spce-user mailing list