From 410b972bc7ac11732df314bd4a0215691091909f Mon Sep 17 00:00:00 2001
From: Anca Vamanu
Date: Thu, 5 Sep 2013 00:33:43 +0300
Subject: [PATCH] default.cfg Improved DOS protection
- use permissions module to have the equivalent of a white list, a list of IPs that are trusted. This module is used together with db_text and the list of IPs and IP ranges will be specified in the address dbtext file.
- drop requests that have no To domain or a To domain consisting of an IP.
- reply to Options from outside only if the RURI domain is not IP.
---
 kamailio/default.cfg | 38 +++++++++++++++++++++++++++++++++-----
 1 file changed, 33 insertions(+), 5 deletions(-)
diff --git a/kamailio/default.cfg b/kamailio/default.cfg
index 2de85c3..844e41a 100644
--- a/kamailio/default.cfg
+++ b/kamailio/default.cfg
@@ -28,6 +28,8 @@ flags
 #!define FLB_NATSIPPING 2
 #!define FLB_UAC_REDIRECT 3
+#!define TRUSTED_ADR_GROUP 1
+
 ####### Global Parameters #########
 fork = yes
 children = 25
@@ -186,6 +188,13 @@ include_file "nat-traversal-role.cfg"
 loadmodule "db_kazoo.so"
 #!endif
+loadmodule "db_text.so"
+loadmodule "permissions.so"
+modparam("db_text", "db_mode", 1)
+modparam("permissions", "db_url", "text:///etc/kamailio/dbtext")
+modparam("permissions", "db_mode", 1)
+
+
 ####### Routing Logic ########
 route {
@@ -236,7 +245,12 @@ route[SANITY_CHECK]
 {
 if (!mf_process_maxfwd_header("10")) {
 xlog("L_WARN", "$ci|end|Too much hops, not enough barley");
- sl_send_reply("483", "Too Many Hops");
+ send_reply("483", "Too Many Hops");
+ exit;
+ }
+
+ if ( msg:len > 6144 ) {
+ send_reply("513", "Message too large");
+ exit;
 }
@@ -252,9 +266,12 @@ route[HANDLE_OPTIONS]
 if (isflagset(FLAG_INTERNALLY_SOURCED)) {
 route(INTERNAL_TO_EXTERNAL_RELAY);
 }
-# else {
-# sl_send_reply("200", "Rawr!!");
-# }
+ else
+ if ($rd=~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}") {
+ xlog("L_ERR", "Possible attack- Options: to $ru from $fu, UA $ua, IP $si\n");
+ } else {
+ sl_send_reply("200", "Rawr!!");
+ }
 exit;
 }
 }
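Review bot: Nothing in the new module block says where the trusted-IP list is read from or how it gets reloaded; the commit message explains it, the config does not, and the next person editing `/etc/kamailio/dbtext` will have to rediscover both. I would add above `loadmodule "db_text.so"`: `# Trusted-IP allow list used by route[DOS_PREVENTION]: rows of the "address" table under /etc/kamailio/dbtext with grp = TRUSTED_ADR_GROUP (IP or IP/mask); after editing the file, trigger the permissions address reload (exact RPC/MI command depends on the Kamailio version)`. A one-line note on what `db_mode 1` means for each of db_text and permissions would also help, since the two modules use the same parameter name with different semantics.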
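Review bot: The new size check in SANITY_CHECK hard-codes `6144` with no comment, so nobody can tell whether the limit was chosen for pike/DoS reasons or for a maximum legitimate SIP message, and a large INVITE with a long SDP plus Via/Record-Route chains may be rejected with 513 without anyone noticing why. I would move the number next to the other `#!define`s as `#!define MAX_MSG_LEN 6144` with a comment `# largest request accepted from the network; legitimate INVITEs with big SDP can exceed this, raise if 513s show up in the logs`, and use `if ( msg:len > MAX_MSG_LEN ) {` here. A `xlog("L_WARN", ...)` with `$si` on the 513 branch, matching the one on the 483 branch, would make the rejection visible in the logs. route[SANITY_CHECK] continues past the end of this hunk.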
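Review bot: The IPv4 test on the `$rd=~` line is unanchored and its third separator is a bare `.` (the backslash is missing), so it matches any domain containing a digits-dot-digits run rather than an IP literal, and it does not catch an IPv6 literal in the R-URI at all; since the intent is "is the R-URI host an IP address", tighten it to `if ($rd =~ "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$" || $rd =~ "^\[") {`. The same pattern is duplicated in route[DOS_PREVENTION], so a single `#!define IPV4_RE "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$"` next to the other defines would keep the two checks from drifting. Also note that the matched branch logs at L_ERR and then silently exits for every probe; on a host that sees friendly-scanner traffic that is one error line per packet, so L_INFO or a lower level is probably more appropriate unless the log volume is intended as the alert.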
@@ -381,10 +398,21 @@ route[EXTERNAL_TO_INTERNAL_RELAY]
 route[DOS_PREVENTION]
 {
+ if (allow_source_address(TRUSTED_ADR_GROUP)) {
+ xlog("L_DBG", "Request from trusted IP $rm $si\n");
+ return;
+ }
+
+ # drop requests with no To domain or IP To domain (friendly-scanner)
+ if ($td == $null || $td=~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}") {
+ xlog("L_ERR", "Possible attack- wrong td: $rm to $ru from $fu, UA $ua, IP $si\n");
+ exit;
+ }
+
 if (!isflagset(FLAG_INTERNALLY_SOURCED)) {
 if (!pike_check_req()) {
 if( $rc == -2) {
- xlog("L_ERR", "DOS detected: $rm to $ru from $fu, UA $ua, IP $si\n");
+ xlog("L_ERR", "DOS attack: $rm to $ru from $fu, UA $ua, IP $si\n");
 }
 exit;
 }
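Review bot: The `allow_source_address(TRUSTED_ADR_GROUP)` early return skips the pike rate limiter entirely, and it keys on `$si`, which for UDP is an unauthenticated source address; a flooder that spoofs an address from the trusted list never reaches `pike_check_req()`, and a flood does not need replies to be effective, so the allow list weakens the DoS protection for exactly the peers it is meant to protect. Unless the trusted peers are reachable only over TCP/TLS or the list is restricted to addresses that cannot be spoofed from the internet (an upstream ACL), I would keep the allow list but still run pike for trusted sources, or at least document the trade-off above the check: `# trusted IPs bypass pike; over UDP $si is spoofable, so keep this list to networks that cannot be spoofed from outside`. The `$td=~` regex on the To-domain check has the same unescaped `.` and missing anchors as the one in route[HANDLE_OPTIONS] and would match hostnames containing digit groups, so anchor it and escape the third dot; since trusted sources return before this check, peers that legitimately address by IP must be in the allow list, which is worth saying in the comment as well.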