<html><head/><body><html><head></head><body>What gives you that idea? Most likely, they spoofed an IP.<br><br><div class="gmail_quote">Paul Belanger <paul.belanger@polybeacon.com> wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<pre style="white-space: pre-wrap; word-wrap:break-word; font-family: sans-serif; margin-top: 0px">On Thu, Mar 7, 2013 at 5:24 PM, Alex Balashov <abalashov@evaristesys.com> wrote:<br /><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex;">Because digest authentication is a far from self-evident or universal<br />use-case for Kamailio.<br /><br /><br />Paul Belanger <paul.belanger@polybeacon.com> wrote:<br /><br /><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #ad7fa8; padding-left: 1ex;">Greeting,<br /><br />Hopefully, I'm understanding the following default kamailio.cfg[1]<br />file. Over the weekend, I was attached by SipVicious. Following<br />along with the example Daniel[2] create with kamailio and asterisk, I<br />have almost the same setup. Rather then storing my SIP profiles in<br />Asterisk database, I have then in Kamailio.<br /><br />To my point, the
attacker was actually able to by pass any sort of<br />authentication, but simply sending an INIVTE message:<br /><br />./<a href="http://svmap.py">svmap.py</a> -e 18885551234 <a href="http://kamailio.example.org">kamailio.example.org</a> -m INVITE<br /><br />Which kamailio, forwarded to Asterisk and because there is no<br />additional auth within asterisk, was able to hit the asterisk context<br />for getting processed (they did not get out to the real world).<br />However, my question is.... why do we not<br />authenticate INVITE<br />messages? If my understanding is correct, if would require something<br />like the following:<br /><br />if (is_method("INVITE")) {<br />if (!proxy_authorize("$fd", "subscriber")) {<br />proxy_challenge("$fd", "0");<br />exit;<br />}<br />}<br /><br />If so, why not also do it in the default configuration file?<br /><br />[1]<br /><a
href="http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=blob_plain;f=etc/kamailio.cfg;hb=HEAD">http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=blob_plain;f=etc/kamailio.cfg;hb=HEAD</a><br />[2]<br /><a href="http://kb.asipto.com/asterisk:realtime:kamailio-3.3.x-asterisk-10.7.0-astdb">http://kb.asipto.com/asterisk:realtime:kamailio-3.3.x-asterisk-10.7.0-astdb</a></blockquote><br /></blockquote>So that is what confuses me. Why do we authenticate only when the<br />user requests it?<br /></pre></blockquote></div><br>
--<br>
Sent from my Nexus 10, with all the figments of autocorrect that might imply.<br>
<br>
Alex Balashov - Principal<br>
Evariste Systems LLC<br>
235 E Ponce de Leon Ave<br>
Suite 106<br>
Decatur, GA 30030<br>
United States<br>
Tel: +1-678-954-0670<br>
Web: <a href="http://www.evaristesys.com">http://www.evaristesys.com</a>/, <a href="http://www.alexbalashov.com/">http://www.alexbalashov.com/</a></body></html></body></html>