From c9c62c8bd267d7b2ca84b993c563812d11aa9fcc Mon Sep 17 00:00:00 2001
From: Anca Vamanu
Date: Thu, 5 Sep 2013 01:51:27 +0300
Subject: [PATCH] default.cfg Changes in DOS Prevention - drop only REGITSER, SUBSCRIBE or OPTIONS that has an IP as a To domain or no to domain - for Invites, drop the ones that have an IP as an auth_realm.
---
 kamailio/default.cfg | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/kamailio/default.cfg b/kamailio/default.cfg
index 844e41a..fef2497 100644
--- a/kamailio/default.cfg
+++ b/kamailio/default.cfg
@@ -398,24 +398,32 @@ route[EXTERNAL_TO_INTERNAL_RELAY]
 
 route[DOS_PREVENTION]
 {
- if (allow_source_address(TRUSTED_ADR_GROUP)) {
+ # allow request from internal network or from whitelist
+ if (isflagset(FLAG_INTERNALLY_SOURCED) || allow_source_address(TRUSTED_ADR_GROUP)) {
 xlog("L_DBG", "Request from trusted IP $rm $si\n");
 return;
 }
 
 # drop requests with no To domain or IP To domain (friendly-scanner)
- if ($td == $null || $td=~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}") {
+ if (is_method("REGISTER|SUBSCRIBE|OPTIONS") &&
+ ($td == $null || $td=~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}")) {
 xlog("L_ERR", "Possible attack- wrong td: $rm to $ru from $fu, UA $ua, IP $si\n");
 exit;
 }
 
- if (!isflagset(FLAG_INTERNALLY_SOURCED)) {
- if (!pike_check_req()) {
- if( $rc == -2) {
- xlog("L_ERR", "DOS attack: $rm to $ru from $fu, UA $ua, IP $si\n");
- }
- exit;
+ # drop Invite with IP auth realm
+ if (is_method("INVITE") && is_present_hf("Proxy-Authorization") &&
+ $ar =~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}" ) {
+ xlog("L_ERR", "Possible attack- Invite realm $ar: to $ru from $fu, UA $ua, IP $si\n");
+ exit;
+ }
+
+ # use pike check for the others
+ if (!pike_check_req()) {
+ if( $rc == -2) {
+ xlog("L_ERR", "DOS attack: $rm to $ru from $fu, UA $ua, IP $si\n");
 }
+ exit;
 }
 }
 
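Review bot: The new `$ar` test in the INVITE branch copies the To-domain pattern `[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}`, which is unanchored and leaves its second dot unescaped, so it matches any realm or domain that merely contains an IP-like run and can drop legitimate requests. Anchoring and escaping both tests, e.g. `$ar =~ "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$"`, limits the drop to pure IPv4 literals; neither form covers IPv6 literals. The INVITE branch is also gated on `is_present_hf("Proxy-Authorization")` alone, so if `$ar` is filled from an `Authorization` header as well (worth confirming), that case skips the check. Both drop branches `exit` before `pike_check_req()`, so pike never sees the rejected requests and each one writes an unthrottled `L_ERR` line containing sender-controlled `$ua`, `$fu` and `$ar`; consider running the pike check ahead of the drops or logging them at a lower level. The FLAG_INTERNALLY_SOURCED bypass now skips every check in this route, and where that flag is set is outside the hunk.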