> On 21 Oct 2015, at 14:09, Daniel-Constantin Mierla <mico...@gmail.com> wrote:
>
> Hello,
>
> checking the IP in the Via headers can be done in config file using a while
> loop:
>
> $var(i) = 0;
>
> while($(hdr(Via)[$var(i)])!=$null) {
>     # use transformations to extract the IP in $(hdr(Via)[$var(i)]) and test it against $Ri
>     ...
>     $var(i) = $var(i) + 1;
> }
>
> Also, checking the max-breadth should be possible in config file -- iirc,
> Olle played with it at one of the SIPit events I attended, maybe he can add
> more details here. I haven't read the RFC 5393 to be able to provide an
> example here.

I have a kind-of working solution in script, that I used in the Dangerous Demos at kamailio world.
>
> If someone wants to add a module to simplify the config, he/she is welcome to
> do it. :-)

I think it needs to have hooks into tm.

/O

>
> Cheers,
> Daniel
>
> On 21/10/15 10:35, Guillaume wrote:
>> Hi guys,
>>
>> What do you think about the RFC 5393 on loop detection and amplification
>> attack protection?
>>
>> The RFC is short and still a proposed standard but don't you think it could
>> be useful to prevent loops and amplification attacks? Because even if the
>> max-forward field reduces the loop to ~70 hosts (in most cases), with some
>> techniques we could fork the message up to 2^70 messages (as described in
>> the RFC) to crash the servers.
>>
>> Basically the server has to do 2 things:
>> * check if it is not already in the via of the message
>> * the previous check is not enough as a B2BUA could have replaced the via
>> headers, so the RFC introduces a new field called max-breadth to limit the
>> forking.
>>
>> I have not seen a lot of implementations of this RFC in the free SIP software
>> and I think it could be a good way to improve kamailio, making a module for
>> it (the easiest way to implement this feature, I think).
>>
>> In fact I'm in a research internship about VoIP security and I have time to
>> develop such a module for kamailio if you think it's a good idea (I'm
>> looking for some security improvements in free software solutions so if you
>> have other ideas don't hesitate to tell me).
>>
>> Cheers,
>>
>> Tetram
>>
>> _______________________________________________
>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>> sr-users@lists.sip-router.org
>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>
> --
> Daniel-Constantin Mierla
> http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
> Book: SIP Routing With Kamailio - http://www.asipto.com
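The two checks discussed in this thread (the Via walk against the local address, and a Max-Breadth budget shared among forks), as an added Python example that is not code from any poster or from Kamailio. The sample message, the addresses and the function names are constructed for illustration; the default of 60 for a missing Max-Breadth header is an assumption taken from the RFC's recommended value.

```python
import re

# Constructed sample request (not from the thread). 192.0.2.10 stands in for
# the proxy's own receiving address, i.e. what $Ri would hold in the config.
SAMPLE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-a1\r\n"
    "v: SIP/2.0/TCP 192.0.2.10;branch=z9hG4bK-b2,"
    " SIP/2.0/UDP [2001:db8::1]:5070;branch=z9hG4bK-c3\r\n"
    "Max-Breadth: 5\r\n"
    "\r\n"
)

# sent-by host of one Via entry: "SIP/2.0/<transport> <host>[:port];params"
VIA_HOST = re.compile(r"\s*SIP\s*/\s*2\.0\s*/\s*\w+\s+(\[[^\]]+\]|[^;:\s]+)", re.I)

def headers(msg, *names):
    """Yield the bodies of the named headers in message order (no line folding)."""
    for line in msg.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        name, _, body = line.partition(":")
        if name.strip().lower() in names:
            yield body.strip()

def via_hosts(msg):
    """Hosts of all Via entries, top first; handles 'v' and comma-joined entries."""
    hosts = []
    for body in headers(msg, "via", "v"):
        for entry in body.split(","):
            m = VIA_HOST.match(entry)
            if m:
                hosts.append(m.group(1).strip("[]").lower())
    return hosts

def seen_before(msg, local_ip):
    """The Via walk from the thread. A hit can also be a legitimate spiral
    (same proxy, different Request-URI), so treat it as a signal to inspect."""
    return local_ip.lower() in via_hosts(msg)

def split_breadth(msg, branches, default=60):
    """Share the incoming Max-Breadth among parallel forks so the outgoing
    values never sum to more than was received. None means the budget is too
    small to fork this wide (RFC 5393 defines 440 Max-Breadth Exceeded)."""
    incoming = int(next(headers(msg, "max-breadth"), default))
    if branches < 1 or branches > incoming:
        return None
    base, extra = divmod(incoming, branches)
    return [base + (i < extra) for i in range(branches)]
```

The host comparison is textual, so a Via that carries a hostname instead of an IP, or a B2BUA that rewrote the Via stack, will not match; that gap is what the Max-Breadth budget covers.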