<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hello,<br>
<br>
checking the IP in the Via headers can be done in config file using
a while loop:<br>
<br>
$var(i) = 0;<br>
<br>
while($(hdr(Via)[$var(i)])!=$null) {<br>
# use transformations to extract the IP in $(hdr(Via)[$var(i)])
and test it against $Ri<br>
...<br>
$var(i) = $var(i) + 1;<br>
}<br>
<br>
Also, checking the max-breadth should be possible in config file --
iirc, Olle played with it at one of the SIPit events I attended,
maybe he can add more details here. I haven't read the RFC 5393 to
be able to provide an example here.<br>
<br>
If someone wants to add a module to simplify the config, he/she is
welcome to do it.<br>
<br>
Cheers,<br>
Daniel<br>
<br>
<div class="moz-cite-prefix">On 21/10/15 10:35, Guillaume wrote:<br>
</div>
<blockquote cite="mid:DUB109-W222029E3716680A07B96EA90380@phx.gbl"
type="cite">
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style>
<div dir="ltr">Hi guys,<br>
<br>
What do you think about the RFC 5393 on loop detection and
amplification attack protection? <br>
<br>
The RFC is short and still a proposed standard but don't you
think it could be useful to prevent loop and amplification
attack? Because even if the max-forward field reduces the loop
to ~70 hosts (in most cases) with some techniques we could fork
the message up to 2^70 messages (as described in the RFC) to
crash the servers.<br>
<br>
Basically the server has to do 2 things:<br>
* check if it is not already in the via of the message<br>
* the previous check is not enough as a B2BUA could have replace
the via headers, so the RFC introduces a new field called
max-breadth to limit the forking.<br>
<br>
I have not seen a lot of implementation of this RFC on the free
SIP software and I think it could be a good way to improve
kamailio making a module for it (the easier way to implement
this feature I think).<br>
<br>
In fact I'm in a research internship about VoIP security and I
have time to develop such a module for kamailio if you think
it's a good idea (I'm looking for some security improvements in
free software solutions so if you have other idea don't hesitate
to tell me).<br>
<br>
Cheers,<br>
<br>
<br>
Tetram<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:sr-users@lists.sip-router.org">sr-users@lists.sip-router.org</a>
<a class="moz-txt-link-freetext" href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users">http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla
<a class="moz-txt-link-freetext" href="http://twitter.com/#!/miconda">http://twitter.com/#!/miconda</a> - <a class="moz-txt-link-freetext" href="http://www.linkedin.com/in/miconda">http://www.linkedin.com/in/miconda</a>
Book: SIP Routing With Kamailio - <a class="moz-txt-link-freetext" href="http://www.asipto.com">http://www.asipto.com</a></pre>
</body>
</html>