[Spce-user] Asterisk client issues

Daniel Grotti dgrotti at sipwise.com
Fri Jan 31 08:26:18 EST 2014


Yes,
see my last email:


Matthew,
the case is here:

/etc/ngcp-config/templates/etc/kamailio/proxy/kamailio.cfg.tt2

Search for "stale".

The second change you have to do in LB is here:

/etc/ngcp-config/templates/etc/kamailio/lb/kamailio.cfg.tt2


#!ifdef ENABLE_AUTHCHECK
    if((status == "401" || status == "407") &&
is_present_hf("P-NGCP-Authorization") && !is_present_hf("P-NGCP-Stale"))


adding the last string "&& !is_present_hf("P-NGCP-Stale")", so count the
number of 407 if and only if it's a non-Stale 407.


Daniel






On 01/31/2014 02:15 PM, Matthew Ogden wrote:
> Hi Daniel,
> 
> Did you manage to check that out in 2.8?
> 
> REgards
> 
>> -----Original Message-----
>> From: Daniel Grotti [mailto:dgrotti at sipwise.com]
>> Sent: 29 January 2014 12:17 PM
>> To: spce-user at lists.sipwise.com
>> Cc: Matthew Ogden
>> Subject: Re: [Spce-user] Asterisk client issues
>>
>> Hi,
>> I briefly checked 3.0 templates.
>> let me check 2.8.
>>
>> Daniel
>>
>>
>>
>>
>> On 01/29/2014 10:16 AM, Matthew Ogden wrote:
>>> I'm not sure where the proxy case statement is supposed to be, on
>>> 2.8.18 templates, in proxy config there is no other case statements.
>>> (LB modification was easy enough to find)
>>>
>>> So not sure which route section it should be in, or what the previous
>>> case statement was checking against.
>>>
>>> Kind Regards
>>>
>>>> -----Original Message-----
>>>> From: Matthew Ogden [mailto:matthew at tenacit.net]
>>>> Sent: 29 January 2014 11:07 AM
>>>> To: 'Daniel Grotti'; 'spce-user at lists.sipwise.com'
>>>> Subject: RE: [Spce-user] Asterisk client issues
>>>>
>>>> Thanks Daniel
>>>>
>>>> Can I just put this in words of what you have explained to make sure
>>>> I understand?
>>>>
>>>> The proxy is what is checking the for the stale nonce.  So we make it
>>> tag it.
>>>> Then we are modifying the authban on the LB to ignore 401 and 407
>>>> requests that have that flag.
>>>>
>>>> I just wanted to also check, what are the risks of ingoring the stale
>>> nonce?
>>>> Since in any event, the DOS attack prevention will still check for
>>> someone
>>>> sending too many requests per second anyway? So additional risks is
> low?
>>>>
>>>> Kind Regards
>>>>
>>>>> -----Original Message-----
>>>>> From: Daniel Grotti [mailto:dgrotti at sipwise.com]
>>>>> Sent: 28 January 2014 04:40 PM
>>>>> To: spce-user at lists.sipwise.com
>>>>> Cc: Matthew Ogden
>>>>> Subject: Re: [Spce-user] Asterisk client issues
>>>>>
>>>>> Of course, sorry, dos...you have the block of the user.
>>>>>
>>>>> You can add a custom header in /proxy/kamailio.cfg.customtt.tt2 in
>>>>> case of stale nonce error, like "NGCP-X: Stale".
>>>>>
>>>>> So when you process the 407 reply on LB kamailio.cfg only if that
>>>>> header is not present.
>>>>>
>>>>> Try to add the following in /proxy/kamailio.cfg.customtt.tt:
>>>>>
>>>>>
>>>>> case -4:
>>>>>       xlog("L_NOTICE", "Authentication failed, stale nonce - [%
>>>>> logreq
>>> -%]\n");
>>>>>       append_to_reply("P-NGCP-Stale: yes\r\n");
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> then in lb/kamailio.cfg.customtt.tt2, you can test if the header
>>> exist:
>>>>>
>>>>>
>>>>> #!ifdef ENABLE_AUTHCHECK
>>>>>                         if((status == "401" || status == "407") &&
>>>>> is_present_hf("P-NGCP-Authorization") &&
>>>>> !is_present_hf("P-NGCP-Stale"))
>>>>>
>>>>>
>>>>>
>>>>> Daniel
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 01/28/2014 03:20 PM, Matthew Ogden wrote:
>>>>>> I don't have many static IP subscribers, though in the case of this
>>>>>> one, it is already in dos_whitelisted_ips of config.yml, but the
>>>>>> nonce issue still happens to it.
>>>>>>
>>>>>>
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: spce-user-bounces at lists.sipwise.com [mailto:spce-user-
>>>>>>> bounces at lists.sipwise.com] On Behalf Of Daniel Grotti
>>>>>>> Sent: 28 January 2014 04:17 PM
>>>>>>> To: spce-user at lists.sipwise.com
>>>>>>> Subject: Re: [Spce-user] Asterisk client issues
>>>>>>>
>>>>>>> Hi Matthew,
>>>>>>> what if you insert your Asterisk's IP in "dos_whitelisted_ips:"
>>> line ?
>>>>>>>
>>>>>>> Daniel
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 01/27/2014 04:35 PM, Matthew Ogden wrote:
>>>>>>>> Did you guys end up making a decision on this? I still have
>>>>>>>> Asterisk subscribers causing auth fail with stale nonce
>>> situations.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Jul 19, 2013 at 4:12 PM, Jon Bonilla
>>>>>>>> <jbonilla at sipwise.com <mailto:jbonilla at sipwise.com>> wrote:
>>>>>>>>
>>>>>>>>     El Fri, 19 Jul 2013 16:11:22 +0200
>>>>>>>>     Jon Bonilla (Manwe) <jbonilla at sipwise.com
>>>>>>>>     <mailto:jbonilla at sipwise.com>> escribió:
>>>>>>>>
>>>>>>>>     > El Fri, 19 Jul 2013 16:03:54 +0200
>>>>>>>>     > Matthew Ogden <matthew at tenacit.net
>>>>>>> <mailto:matthew at tenacit.net>>
>>>>>>>>     escribió:
>>>>>>>>     >
>>>>>>>>     > > Thanks
>>>>>>>>     > >
>>>>>>>>     > > What will happen if I disable it, and a outside IP
>>>>>>>> attacks
>>>>>> using
>>>>>>>>     this
>>>>>>>>     > > username?
>>>>>>>>     > >
>>>>>>>>     > > Will they be caught by flooding auth packets?
>>>>>>>>     > >
>>>>>>>>     >
>>>>>>>>     >
>>>>>>>>     > The auth_ban protection check failed auth attepmts from
>>> multiple
>>>>>>>>     destinations
>>>>>>>>     > and protects against ddos attacks bypassing dos protection.
>>>>>> These
>>>>>>>>     are quite
>>>>>>>>     > uncommon. The dos protection bans ip addresses if they send
>>>> more
>>>>>>>>     than x
>>>>>>>>     > requests per second. This is more useful and it's the most
>>>>>> common
>>>>>>>>     scenario.
>>>>>>>>     >
>>>>>>>>     > If an ip address tries to bruteforce attack your system,
>>> that ip
>>>>>>>>     address will
>>>>>>>>     > be banned.
>>>>>>>>     >
>>>>>>>>
>>>>>>>>
>>>>>>>>     Anyways, we're discussing internally if the stale_nonce
>>> situation
>>>>>>>>     should be
>>>>>>>>     excluded from the auth_check_ban protection for these
>>> situations.
>>>>>> We
>>>>>>>>     might
>>>>>>>>     change the ddos protection a little bit in future versions
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Spce-user mailing list
>>>>>>>> Spce-user at lists.sipwise.com
>>>>>>>> http://lists.sipwise.com/listinfo/spce-user
>>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Spce-user mailing list
>>>>>>> Spce-user at lists.sipwise.com
>>>>>>> http://lists.sipwise.com/listinfo/spce-user




More information about the Spce-user mailing list