Using Kamailio for Scalability and Security - VozToVoice

Post on 05-Jun-2018


Transcript of Using Kamailio for Scalability and Security

Using Kamailio for Scalability and Security

Fred Posner, VoIP Engineer

LOD Communications • The Palner Group

@fredposner

What the what?

• Kah Mah Illie Oh

• Kah Mylie Oh

• Kamailio

Who am I?

• Fred Posner

• @fredposner

• VoIP Engineer

• Florida based

• Kamailio, Asterisk, and other Open Source projects

What is Kamailio?

• Open Source SIP Server

• Thousands of call setups per second

• GPL

What is Kamailio?

• SIP Proxy server

• SIP Registrar server

• SIP Location server

• SIP Application server

• SIP Dispatcher server

• SIP Websocket server

What isn’t Kamailio?

• SIP Phone

• Media Server

• B2BUA

Can you name an open source project that is all of these?

Why Kamailio?

• Fast

• Flexible

• Reliable

Key Features

• Modular

• Scalable and flexible by design

• IPv4, IPv6

• TLS/TCP/UDP

• WebSocket

• NAT Traversal

• JSON, XMLRPC, HTTP APIs

• SQL & NOSQL

• Embedded Interpreters (Lua, Java, Perl, Python, more)

• Load Balancing

• LCR

• Asynchronous processing (TCP / TLS, SIP Routing), external API

• and mucho mucho mas

Modular Design

Most Common Deployment

Scalable Deployment

“There is no security on this earth.
Only opportunity.”

– Douglas MacArthur

The Problem

• Theft of Service

• Denial of Service

• High CPU / Memory / Bandwidth

• Phone Bill

Filter User Agent

    # variant 1: recognise the common scanner User-Agents and drop the request silently
    if (is_method("INVITE|REGISTER")) {
        if ($ua =~ "(friendly-scanner|sipvicious)") {
            xlog("L_INFO", "Script kiddie - bye");
            exit;
        }
    }

    # variant 2: same match, but answer 200 OK instead of dropping silently
    if (is_method("INVITE|REGISTER")) {
        if ($ua =~ "(friendly-scanner|sipvicious)") {
            xlog("L_INFO", "Script kiddie - bye");
            sl_send_reply("200", "OK");
            exit;
        }
    }

Core

    # scanner User-Agents, logged with source IP and port
    if ($ua =~ "(friendly-scanner|sipvicious|sipcli)") {
        xlog("L_INFO", "script kiddies from IP:$si:$sp - $ua \n");
        exit;
    }

    # - ignore requests with sql injection in the auth username
    if ($au =~ "(\=)|(\-\-)|(')|(\#)|(\%27)|(\%24)" and $au != $null) {
        xlog("L_INFO", "[R-REQINIT:$ci] sql injection from IP:$si:$sp - $au \n");
        exit;
    }

    # Max-Forwards handling: add it if missing, reject at 0 (routing loops)
    if (!mf_process_maxfwd_header("10")) {
        xlog("L_INFO", "[R-REQINIT:$ci] Too Many Hops (IP:$si:$sp)\n");
        sl_send_reply("483", "Too Many Hops RI1");
        exit;
    }

    # answer OPTIONS keep-alives addressed to the proxy itself
    if (is_method("OPTIONS") && uri==myself && $rU==$null) {
        sl_send_reply("200", "Thank you for flying Kamailio");
        exit;
    }

    # sanity module: drop malformed SIP before any further processing
    if (!sanity_check("1511", "7")) {
        xlog("L_INFO", "Malformed SIP message from $si:$sp ru = $ru \n");
        exit;
    }

PIKE

loadmodule "pike.so"

...

    # ----- PIKE params -----
    modparam("pike", "sampling_time_unit", 2)
    modparam("pike", "reqs_density_per_unit", 24)
    modparam("pike", "remove_latency", 4)

...

    # check if flood settings hit (and block)
    if (!pike_check_req()) {
        xlog("L_INFO", "blocking $rm from $fu (IP:$si:$sp)\n");
        $sht(ipban=>$si) = 1;   # needs the htable module and the ipban table (next slides)
        sl_send_reply("200", "OK");
        exit;
    }

HTABLE

“If you’re not using HTABLE, you’re doing something wrong.”

– @miconda

HTABLE

• Hash Table Module

• Stored in shared memory

• Custom cache system

• Replication via DMQ

loadmodule "htable.so"

...

    # ----- HTABLE params -----
    # ip ban htable with autoexpire after 5 minutes
    modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")
    # per-IP registration counter, reset (expired) after 3 minutes
    modparam("htable", "htable", "regs=>size=8;initval=0;autoexpire=180;")

...

    $sht(ipban=>$si) = 1;
    $sht(regs=>$si) = $sht(regs=>$si) + 1;

HTABLE EXAMPLES

    # source IP is on the ban list: answer, but do not process
    if ($sht(ipban=>$si) != $null) {
        if (!is_method("REGISTER")) {
            sl_send_reply("200", "OK");
        } else {
            sl_send_reply("401", "Unauthorized RQ");
        }
        exit;
    }

...

    # count registrations per source IP; ban after 5 within the autoexpire window
    $sht(regs=>$si) = $sht(regs=>$si) + 1;
    if ($sht(regs=>$si) > 5) {
        xlog("L_INFO", "more than 5 regs from $si \n");
        if (src_ip != myself) {
            $sht(ipban=>$si) = 1;
        }
        send_reply(401, "Unauthorized AU");
        exit;
    }
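The ban check and the registration counter from the slides above, combined into one route and extended with an atomic increment and an expiry hook. This is an added example, not from the original deck; it assumes the two htable tables declared above, and the route name BANCHECK and the threshold of 5 are choices made here.

```kamailio
# Added example (not from the slides). Assumes:
#   modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")
#   modparam("htable", "htable", "regs=>size=8;initval=0;autoexpire=180;")
# and that request_route calls route(BANCHECK) early, before authentication.
route[BANCHECK] {
    # anything from a banned source IP is answered but never processed
    if ($sht(ipban=>$si) != $null) {
        if (is_method("REGISTER")) {
            sl_send_reply("401", "Unauthorized RQ");
        } else {
            sl_send_reply("200", "OK");
        }
        exit;
    }

    if (is_method("REGISTER")) {
        # $shtinc increments the counter atomically in shared memory; the
        # "$sht(k) = $sht(k) + 1" form can lose updates between worker processes
        if ($shtinc(regs=>$si) > 5) {
            xlog("L_INFO", "more than 5 REGISTERs from $si within the regs window\n");
            # never ban the proxy's own addresses
            if (src_ip != myself) {
                $sht(ipban=>$si) = 1;
            }
            sl_send_reply("401", "Unauthorized AU");
            exit;
        }
    }
}

# fires when an ipban entry ages out (autoexpire=300); useful for an audit trail
event_route[htable:expired:ipban] {
    xlog("L_INFO", "ban expired for $shtrecord(key)\n");
}
```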

RATELIMIT / PIPELIMIT

loadmodule "pipelimit.so"

...

    # ----- PIPELIMIT params -----
    modparam("pipelimit", "reply_code", 503)
    modparam("pipelimit", "reply_reason", "You are doing too much.")
    # PIPESECONDS is a #!define set elsewhere in the config
    modparam("pipelimit", "timer_interval", PIPESECONDS)

...

    # limit all IP to registrations of 3 per sec
    $var(plreglimit) = 3 * PIPESECONDS;
    if (!pl_check("$si", "TAILDROP", "$var(plreglimit)")) {
        xlog("L_INFO", "regs per sec exceeded $var(plreglimit) \n");
        pl_drop("PIPESECONDS");
        exit;
    }

PERMISSIONS

loadmodule "permissions.so"

...

    # ----- PERMISSIONS params -----
    modparam("permissions", "db_url", DBURL)
    modparam("permissions", "db_mode", 1)

...

    # only allow group 688 to make OUTbound calls
    if (!allow_source_address("688")) {
        # block unauth accessing 2cps or higher
        $var(plreglimit) = 2 * PIPESECONDS;
        if (!pl_check("$si", "TAILDROP", "$var(plreglimit)")) {
            xlog("L_INFO", "[R-PSTN:$ci]: Unauth outbound exceeded $var(plreglimit) \n");
            route(KILL);   # KILL route is defined elsewhere in the config
        }
        sl_send_reply("403", "Not relaying PSTN1");
        exit;
    }

TLS

loadmodule "tls.so"

...

    # ----- tls params -----
    modparam("tls", "config", "/usr/local/etc/kamailio/tls.cfg")

...

    [server:default]
    # TLSv1 as on the slide; current Kamailio also accepts e.g. TLSv1.2+ to refuse older protocol versions
    method = TLSv1
    verify_certificate = no
    require_certificate = no
    private_key = /usr/local/etc/kamailio/privkey1.pem
    certificate = /usr/local/etc/kamailio/fullchain1.pem

...

    #-- TLS Socket
    enable_tls = yes
    listen=tls:192.168.25.31:5061 advertise PUBLICIP:5061

TOPOH / TOPOS

loadmodule "topoh.so"

...

    # ----- TOPOH params -----
    modparam("topoh", "mask_key", "LetsMakeAPassword")
    modparam("topoh", "mask_ip", "127.0.0.8")
    modparam("topoh", "mask_callid", 1)
    modparam("topoh", "uparam_name", "line")
    modparam("topoh", "uparam_prefix", "sr-")
    modparam("topoh", "vparam_name", "branch")
    modparam("topoh", "vparam_prefix", "z9hG4bKsr-")
    modparam("topoh", "callid_prefix", "!!:")
    modparam("topoh", "sanity_checks", 1)

...

SIP Edge Proxy (“SBC”)

• Since 2001

• NAT

• RTP Proxy (rtpproxy/rtpengine)

• TOPOH Module(topology hiding)

• Accounting

Scale SIP/RTC

• Load Balancing

• Dispatcher Module

• Various Algorithms

• Node monitoring

• Re-route of failures

Scaled Deployment (diagram: Voicemail, Queue, PSTN)

DISPATCHER

loadmodule "dispatcher.so"

...

    # ----- dispatcher params -----
    modparam("dispatcher", "db_url", DBURL)
    modparam("dispatcher", "table_name", "dispatcher")
    modparam("dispatcher", "flags", 2)
    modparam("dispatcher", "dst_avp", "$avp(dsdst)")
    modparam("dispatcher", "grp_avp", "$avp(dsgrp)")
    modparam("dispatcher", "cnt_avp", "$avp(dscnt)")
    modparam("dispatcher", "dstid_avp", "$avp(dsdstid)")
    modparam("dispatcher", "sock_avp", "$avp(dssocket)")
    modparam("dispatcher", "attrs_avp", "$avp(dsattrs)")
    modparam("dispatcher", "ds_hash_size", 3)
    modparam("dispatcher", "force_dst", 1)
    # OPTIONS pinging of gateways; 2xx, 480 and 404 count as alive
    modparam("dispatcher", "ds_ping_interval", 20)
    modparam("dispatcher", "ds_ping_from", "sip:pinger@YOURDOMAIN")
    modparam("dispatcher", "ds_probing_mode", 2)
    modparam("dispatcher", "ds_probing_threshold", 2)
    modparam("dispatcher", "ds_ping_reply_codes", "class=2;code=480;code=404")

...

    if (!ds_select_dst("$avp(dispset)", "8")) {
        xlog("L_INFO", "No destination available for set $avp(dispset) - send 404.\n");
        send_reply("404", "No destination PSTN2");
        exit;
    }
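The "re-route of failures" the Scale SIP/RTC slide lists, worked through as an added example that is not from the deck: the selected gateway times out or answers 5xx, so the failure route moves to the next destination of the same set. It assumes the dispatcher params above (flags 2 with the dst/grp/cnt AVPs), the tm module, set id 1 for the PSTN gateways, and a route[RELAY] that calls t_relay(); the route names PSTN and PSTN_FAILOVER are chosen here.

```kamailio
# Added example (not from the slides). Assumes tm and dispatcher are loaded
# with the params shown above, and route[RELAY] wraps t_relay().
route[PSTN] {
    $avp(dispset) = 1;   # assumed: dispatcher set holding the PSTN gateways
    if (!ds_select_dst("$avp(dispset)", "8")) {
        xlog("L_INFO", "No destination available for set $avp(dispset) - send 404.\n");
        send_reply("404", "No destination PSTN2");
        exit;
    }
    # arm the failure route before relaying so failures come back here
    t_on_failure("PSTN_FAILOVER");
    route(RELAY);
    exit;
}

failure_route[PSTN_FAILOVER] {
    # caller hung up while ringing: nothing to fail over
    if (t_is_canceled()) {
        exit;
    }
    # dead or overloaded gateway: branch timeout, or any 5xx reply
    if (t_branch_timeout() || t_check_status("5[0-9][0-9]")) {
        # put this gateway into probing; OPTIONS pings decide if it stays down
        ds_mark_dst("p");
        # ds_next_dst() loads the next address from the AVP list filled by ds_select_dst()
        if (ds_next_dst()) {
            t_on_failure("PSTN_FAILOVER");
            route(RELAY);
            exit;
        }
        xlog("L_WARN", "all gateways in set $avp(dispset) failed for call $ci\n");
        send_reply("503", "No gateway available");
    }
}
```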

REGISTRAR


• Offload registrations from Asterisk

• MySQL, LDAP, etc.

• Mid-registrar services

Mid-Registrar

• since 2010

• https://www.kamailio.org/docs/modules/stable/modules/uac.html

• remote registrar even handles R-URI modifications

    # uac_reg_lookup: is the called user one we registered remotely via the uac module?
    if (uac_reg_lookup("$rU", "$ru")) {
        xlog("request from a remote SIP provider [$ou => $ru]\n");
    }
    lookup("location");

API Routing

• http_client / http_async_client

• evapi: http://kamailio.org/docs/modules/stable/modules/evapi.html

• rtjson: http://kamailio.org/docs/modules/stable/modules/rtjson.html

• nodejs

It’s About Power

• Flexibility in language, protocol, format, and controllers

• Lua, Python, JavaScript, Perl, Squirrel, etc

• HTTP, RPC, EVAPI, SIP, etc

• XML, JSON, custom

• node+js, SQL, php, Custom apps, etc

• Power to Scale

See you in Berlin! kamailioworld.com

kamailio.org

Ask a good question…

Get a cookie.

Fred Posner

@fredposner

qxork.com