Hello,
thanks Klaus and Victor for details.
With kamailio 1.5 this can be solved in another way, pretty easy --
allow users to call only from registered devices.
Check here the example 2:
http://openser.blogspot.com/2008/10/registrar-enhancements.html
The condition can be extended so that you match the received (source
IP)/contact in the INVITE with the contact in the location record.
So guys, start testing 1.5, it does have a lot of cool new features:
http://www.kamailio.org/dokuwiki/doku.php/features:new-in-1.5.x
Cheers,
Daniel
On 01/15/2009 12:00 PM, Klaus Darilion wrote:
Hi!
For those who are interested in this attack - I have attached the
relevant slides from my SIP security lectures.
regards
Klaus
PS: an exploit based on sipp scenario files is available too on
request (for educational purposes :-)
Klaus Darilion wrote:
IIRC to solve this issue completely the UAC should never send
credentials to unknown parties - only to its SIP proxy (some clients
have a "force outbound proxy" feature which does the same). Then the
SIP proxy can remove credentials before forwarding to other parties.
As soon as a client sends messages (with credentials) directly to
other parties there is nothing you can do on the proxy side.
regards
klaus
Victor Pascual Ávila wrote:
Hi,
excuse me if this message is not directly related to Kamailio.
I'm just wondering if folks could share with me if (and how) they have
prevented the "SIP Digest Access Authentication RELAY" in their
networks (and what worked for them or not).
NAT boxes reduce dramatically the scenarios for a successful attack.
Otherwise, some might be mitigating the attack by means of forcing UAs
to use outbound proxies while others might be reducing the attack
incentives by means of message integrity.
Any comment would be appreciated,
_______________________________________________
Kamailio (OpenSER) - Users mailing list
Users(a)lists.kamailio.org
http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
--
Daniel-Constantin Mierla
http://www.asipto.com
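The two mitigations discussed in this thread (Klaus: the proxy strips credentials before forwarding; Daniel: accept INVITEs only from identities that currently have a registered binding) can be combined in one request-route fragment. The following is an editor's illustration, not code posted by Daniel, Klaus or the Kamailio project. It assumes a Kamailio 1.5 configuration with the auth, auth_db, uri_db, registrar, sl and textops modules loaded, that the fragment sits after loose-routing and NAT handling for requests from local subscribers, and that `registered("location", "$fu")` takes the optional URI argument described in example 2 of the linked blog post.

```kamailio
# Editor's example (assumed Kamailio 1.5 module functions; not from the thread).
if (is_method("INVITE")) {
    # 1. Challenge the caller. Only this proxy ever sees the Proxy-Authorization
    #    header, so the digest response is never handed to a third party.
    if (!proxy_authorize("", "subscriber")) {
        proxy_challenge("", "0");
        exit;
    }

    # 2. Bind the authenticated username to the From URI (check_from() from
    #    uri_db, assumed available) so a user cannot authenticate as one
    #    identity and place the call as another.
    if (!check_from()) {
        sl_send_reply("403", "From URI does not match credentials");
        exit;
    }

    # 3. Remove the credentials before the request is forwarded anywhere
    #    (Klaus's point: the proxy, not the next hop, consumes them).
    consume_credentials();

    # 4. Daniel's check: the From URI must have a live binding in the
    #    location table, otherwise the call is refused.
    if (!registered("location", "$fu")) {
        sl_send_reply("403", "Calls allowed only from registered devices");
        exit;
    }
}
```

The stricter variant Daniel mentions, comparing the INVITE's source IP or Contact with the Contact stored in the location record, is not shown here; step 4 only verifies that a binding for the From URI exists.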