Yeah, this makes sense. It is possible to spoof the UDP source address,
and various SIP tools have this feature (sipcli, sipp); it's useful, for
example, for NAT tests, etc.
An attacker actually may perform a DoS attack by spoofing the source IP with
an IP of your DID vendor (for example), so pay attention to jail.conf and
set a whitelist.
Here is how you can try to detect source IP spoofing:
if($sel(contact.uri.host) != $si) {
    # Contact host differs from the IP the packet actually came from
    xlog("L_INFO", "Contact host $sel(contact.uri.host) != source $si\n");
}
if($sel(via[0].host) != $si) {
    # top Via host differs from the source IP (also true for a UA behind NAT)
    xlog("L_INFO", "Via host $sel(via[0].host) != source $si\n");
}
Regards,
Arsen.
Arsen Semionov
www.eurolan.info
cell: +442035198881
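Iskren's question (why $si shows the server's own address) and Arsen's Via/Contact check, as an added Python example that is not from the thread or from Kamailio: it parses the INVITE quoted below, compares the top Via and Contact hosts against the datagram source, and flags the case where the source equals one of the server's own addresses. SERVER_IPS, the verdict names and the log line format are assumptions.

```python
import re

# Constructed sample, rebuilt from the INVITE quoted in the thread: the UDP
# source address was spoofed to the server's own IP, so the transport layer
# ($si) reports 1.2.3.4 while Via and Contact carry 195.154.172.167.
SERVER_IPS = {"1.2.3.4"}  # assumption: the box's own public address(es)
SPOOFED_INVITE = (
    "INVITE sip:+443331010095@1.2.3.4:5080 SIP/2.0\r\n"
    "To: +443331010095 <sip:+443331010095@1.2.3.4>\r\n"
    "From: 7008 <sip:7008@1.2.3.4>;tag=7650baf5\r\n"
    "Via: SIP/2.0/UDP 195.154.172.167:5074;branch=z9hG4bK-79da852e8e37dc3f58a5f098a089d5b5;rport\r\n"
    "Call-ID: 79da852e8e37dc3f58a5f098a089d5b5\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:7008@195.154.172.167:5074>\r\n"
    "User-Agent: sipcli/v1.8\r\n"
    "Content-Length: 0\r\n\r\n"
)

def header(msg, name):
    """First value of the named header (case-insensitive), or None."""
    m = re.search(r"^" + re.escape(name) + r":[ \t]*(.+?)\r?$", msg, re.M | re.I)
    return m.group(1) if m else None

def via_host(msg):
    """Host of the topmost Via, what Kamailio exposes as $sel(via[0].host)."""
    m = re.match(r"SIP/2\.0/\w+\s+(\[[^\]]+\]|[^;:\s]+)", header(msg, "Via") or "")
    return m.group(1) if m else None

def contact_host(msg):
    """Host of the Contact URI, what Kamailio exposes as $sel(contact.uri.host)."""
    m = re.search(r"sip:(?:[^@>]+@)?(\[[^\]]+\]|[^:;>]+)", header(msg, "Contact") or "")
    return m.group(1) if m else None

def classify(src_ip, msg):
    """src_ip is the datagram source ($si). Returns a verdict and the fields to log."""
    fields = {"si": src_ip, "via": via_host(msg), "contact": contact_host(msg)}
    if src_ip in SERVER_IPS:
        # We did not send this to ourselves, so the UDP source is spoofed. Banning $si
        # would ban our own address; the Via host is attacker-controlled, so log it only.
        return "spoofed-source", fields
    if fields["via"] != src_ip or fields["contact"] != src_ip:
        # Also what a legitimate UA behind NAT looks like: log, do not block.
        return "via-mismatch", fields
    return "consistent", fields

def log_line(src_ip, msg):
    """Log record for fail2ban that always carries $si alongside the Via host."""
    verdict, f = classify(src_ip, msg)
    return f"ALERT: {verdict} from={header(msg, 'From')} si={f['si']} via={f['via']}"
```

Because the Via host is whatever the sender wrote, a fail2ban rule keyed on it needs the whitelist Arsen mentions; the verdict is what you act on, the Via host is context.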
On Fri, Sep 29, 2017 at 5:50 PM, Iskren Hadzhinedev <iskren.hadzhinedev(a)ikiji.com> wrote:
Hi Arsen,
Someone keeps sending INVITEs to my kamailio box with the From: and To:
IPs set to the Kamailio box’s public IP.
I have fail2ban that tracks a log file and bans the IP when pike blocks a
request 3 times.
However, the IP that pops up in the log file is the server’s own IP
address and not the sender’s IP address.
So let’s say my kamailio box is at 1.2.3.4. I get the following in the log:
ALERT: <script>: Pike block INVITE from sip:7774@1.2.3.4 (IP 1.2.3.4:5080)
Which comes from this snippet from my kamailio.cfg:
if (!pike_check_req()) {
    xlog("L_ALERT", "Pike block $rm from $fu (IP $si:$sp)\n");
    exit;
}
This rogue INVITE is certainly not coming from my own server. Running
tcpdump with header shows the IP of the culprit - 195.154.172.167.
That can also be seen in the Via: header below. I know I can block the
sipcli UA, but I’m not comfortable with being unable to log the IP address
of the sender in case they spoof the UA.
INVITE sip:+443331010095@1.2.3.4:5080 SIP/2.0
To: +443331010095 <sip:+443331010095@1.2.3.4>
From: 7008<sip:7008@1.2.3.4>;tag=7650baf5
Via: SIP/2.0/UDP 195.154.172.167:5074;branch=z9hG4bK-79da852e8e37dc3f58a5f098a089d5b5;rport
Call-ID: 79da852e8e37dc3f58a5f098a089d5b5
CSeq: 1 INVITE
Contact: <sip:7008@195.154.172.167:5074>
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, BYE
User-Agent: sipcli/v1.8
Content-Type: application/sdp
Content-Length: 286
So I cannot understand why $si shows 1.2.3.4 instead of the culprit's
IP address.
Hope this makes more sense!
Kind regards,
Iskren Hadzhinedev
On 29/09/17 13:38, Arsen wrote:
Hi Iskren,
What do you mean by 'true IP address'? The real IP address of a device
which sends a request?
$si and $sp refer to the source IP address and port of the message; the
"Via" header contains the IP address and port of the UA, and it could be different
from $si, for example if the UA is behind a NAT device.
Arsen Semionov
On Fri, Sep 29, 2017 at 3:05 PM, Iskren Hadzhinedev <iskren.hadzhinedev(a)ikiji.com> wrote:
Hi list,
How can I reliably get the sender’s IP address?
$si and $sp are returning the server IP and Port.
I also tried using $Ri and $Rp but it yields the same results.
Inspecting the packet shows the sender's true IP:Port pair in the Via: header,
but the From: and To: contain the kamailio server's public IP address.
Kind regards,
--
Iskren Hadzhinedev
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users