Using Kamailio for Scalability and Security - VozToVoice

Using Kamailio for Scalability and Security
Fred Posner, VoIP Engineer, LOD Communications / The Palner Group, @fredposner

Transcript of Using Kamailio for Scalability and Security - VozToVoice

Page 1

Using Kamailio for Scalability and Security

Fred Posner, VoIP Engineer

LOD Communications • The Palner Group

@fredposner

Page 2

What the what?

• Kah Mah Illie Oh

• Kah Mylie Oh

• Kamailio

Page 3

Who am I?

• Fred Posner

• @fredposner

• VoIP Engineer

• Florida based

• Kamailio, Asterisk, and other Open Source projects

Page 4

What is Kamailio?

• Open Source SIP Server

• Thousands of call setups per second

• GPL

Page 5

What is Kamailio?

• SIP Proxy server

• SIP Registrar server

• SIP Location server

• SIP Application server

• SIP Dispatcher server

• SIP Websocket server

Page 6

What isn’t Kamailio?

• SIP Phone

• Media Server

• B2BUA

Can you name an open source project that is all of these?

Page 7

Page 8

Why Kamailio?

• Fast

• Flexible

• Reliable

Page 9

Key Features

• Modular

• Scalable and flexible by design

• IPv4, IPv6

• TLS/TCP/UDP

• WebSocket

• NAT Traversal

• JSON, XMLRPC, HTTP APIs

• SQL & NOSQL

• Embedded Interpreters (Lua, Java, Perl, Python, more)

• Load Balancing

• LCR

• Asynchronous processing (TCP / TLS, SIP Routing), external API

• and much, much more

Page 10

Modular Design

Page 11

Most Common Deployment

Page 12

Scalable Deployment

Page 13

“There is no security on this earth.
Only opportunity.”

–Douglas MacArthur

Page 14

Page 15

The Problem

• Theft of Service

• Denial of Service

• High CPU / Memory / Bandwidth

• Phone Bill

Page 16

Filter User Agent

# variant 1: drop the request silently (exit without a reply)
if (is_method("INVITE|REGISTER")) {
    if($ua =~ "(friendly-scanner|sipvicious)") {
        xlog("L_INFO","Script kiddie - bye");
        exit;
    }
}

# variant 2: answer a stateless 200 OK first; a final reply stops the UDP
# retransmissions and feeds the scanner meaningless results
if (is_method("INVITE|REGISTER")) {
    if($ua =~ "(friendly-scanner|sipvicious)") {
        xlog("L_INFO","Script kiddie - bye");
        sl_send_reply("200","OK");
        exit;
    }
}

Page 17

Core

Page 18

# drop known scanner user agents
if ($ua =~ "(friendly-scanner|sipvicious|sipcli)") {
    xlog("L_INFO","script kiddies from IP:$si:$sp - $ua \n");
    exit;
}

# - ignore requests with sql injection
# (note: this also drops legitimate auth usernames that contain = # ' or --)
if($au =~ "(\=)|(\-\-)|(')|(\#)|(\%27)|(\%24)" and $au != $null) {
    xlog("L_INFO","[R-REQINIT:$ci] sql injection from IP:$si:$sp - $au \n");
    exit;
}

# loop protection: add Max-Forwards: 10 if missing, reject when it reaches 0
if (!mf_process_maxfwd_header("10")) {
    xlog("L_INFO","[R-REQINIT:$ci] Too Many Hops (IP:$si:$sp)\n");
    sl_send_reply("483","Too Many Hops RI1");
    exit;
}

# answer OPTIONS pings addressed to the proxy itself
if(is_method("OPTIONS") && uri==myself && $rU==$null) {
    sl_send_reply("200","Thank you for flying Kamailio");
    exit;
}

# sanity module: drop malformed requests before they reach any routing logic
if(!sanity_check("1511", "7")) {
    xlog("L_INFO","Malformed SIP message from $si:$sp ru = $ru \n");
    exit;
}
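The screening rules from the "Filter User Agent" and "Core" slides, re-implemented as an added Python example so they can be run against constructed SIP requests offline. This is not code from the talk or from Kamailio (Kamailio evaluates these rules in kamailio.cfg): the small SIP parser, the sample-message builder and the names MYSELF, screen() and build() are assumptions made here; the regular expressions and status codes are the ones the slides use.

```python
"""Added example, not from the talk: the per-request screening rules from the
'Filter User Agent' and 'Core' slides, re-implemented in Python so they can be
run against constructed SIP requests offline. The tiny SIP parser, the builder
for the sample messages and the names MYSELF / screen() are ours; the regular
expressions and status codes are the ones the slides use in kamailio.cfg."""
import re
from typing import Dict, Optional, Tuple

MYSELF = {"sip.example.com", "192.0.2.10"}   # assumed proxy identities (Kamailio's "myself")

# Patterns copied from the slides (the right-hand side of Kamailio's =~)
SCANNER_UA = re.compile(r"friendly-scanner|sipvicious|sipcli", re.I)
SQLI_USERNAME = re.compile(r"=|--|'|#|%27|%24")
# sanity_check("1511", ...) covers more; only the required-headers test (flag 4) is modelled
REQUIRED_HEADERS = ("via", "from", "to", "call-id", "cseq")


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Minimal SIP request parser -> (method, request-uri, {lowercase header: value})."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    method, ruri, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            break                      # blank line ends the headers; body not needed
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, ruri, headers


def auth_username(headers: Dict[str, str]) -> Optional[str]:
    """$au: username from a Digest (Proxy-)Authorization header, if any."""
    for h in ("authorization", "proxy-authorization"):
        m = re.search(r'username="([^"]*)"', headers.get(h, ""))
        if m:
            return m.group(1)
    return None


def uri_parts(uri: str) -> Tuple[str, str]:
    """sip:[user@]host[:port][;params] -> ($rU, host)."""
    uri = re.sub(r"^sips?:", "", uri)
    user, _, hostpart = uri.rpartition("@")
    return user, hostpart.split(";")[0].split(":")[0]


def screen(raw: str) -> Tuple[str, str]:
    """Apply the slide rules in order; returns (action, reason) where action is
    'drop' (Kamailio exit without a reply), 'reply NNN' or 'pass'."""
    method, ruri, hdr = parse_request(raw)

    if method in ("INVITE", "REGISTER") and SCANNER_UA.search(hdr.get("user-agent", "")):
        return "reply 200", "script kiddie: " + hdr["user-agent"]   # the 200 OK variant

    au = auth_username(hdr)
    if au is not None and SQLI_USERNAME.search(au):
        return "drop", "sql injection pattern in auth username: " + au

    # mf_process_maxfwd_header("10"): missing header -> add 10 and continue; 0 -> 483
    mf = hdr.get("max-forwards", "").strip()
    if mf.isdigit() and int(mf) == 0:
        return "reply 483", "Too Many Hops"

    user, host = uri_parts(ruri)
    if method == "OPTIONS" and host in MYSELF and user == "":
        return "reply 200", "Thank you for flying Kamailio"

    missing = [h for h in REQUIRED_HEADERS if h not in hdr]
    if missing:
        return "drop", "malformed SIP message, missing " + ", ".join(missing)
    return "pass", "ok"


def build(method: str, uri: str, ua: str = "Test-UA/1.0", max_forwards: str = "70",
          auth: Optional[str] = None, omit: Tuple[str, ...] = ()) -> str:
    """Construct a sample request for the demo (test input, not captured traffic)."""
    hdrs = [("Via", "SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-1"),
            ("From", "<sip:100@sip.example.com>;tag=a1"),
            ("To", "<sip:100@sip.example.com>"),
            ("Call-ID", "1@198.51.100.7"), ("CSeq", f"1 {method}"),
            ("User-Agent", ua), ("Max-Forwards", max_forwards)]
    if auth is not None:
        hdrs.append(("Authorization",
                     f'Digest username="{auth}", realm="sip.example.com", nonce="n", response="r"'))
    lines = [f"{method} {uri} SIP/2.0"] + [f"{n}: {v}" for n, v in hdrs if n.lower() not in omit]
    return "\r\n".join(lines) + "\r\n\r\n"


SAMPLES = {
    "scanner": build("REGISTER", "sip:sip.example.com", ua="friendly-scanner"),
    "sqli":    build("REGISTER", "sip:sip.example.com", auth="admin' OR '1'='1"),
    "loop":    build("INVITE", "sip:alice@sip.example.com", max_forwards="0"),
    "ping":    build("OPTIONS", "sip:sip.example.com"),
    "broken":  build("INVITE", "sip:alice@sip.example.com", omit=("call-id",)),
    "clean":   build("INVITE", "sip:alice@sip.example.com"),
}


def screen_all() -> Dict[str, str]:
    return {name: screen(raw)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:8s} -> {screen(raw)}")
```

Two caveats the model makes visible: the user-agent match only catches tools that announce themselves (a scanner that changes its User-Agent walks straight through, which is why the later slides rate-limit by source IP instead), and the SQL-injection pattern rejects any authentication username containing `=`, `#`, `'` or `--`, so it must be checked against your real user base before it goes in front of production traffic.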

Page 19

PIKE

Page 20

loadmodule "pike.so"

...

# ----- PIKE params -----
# flag a source IP that sends more than 24 requests within a 2 second sampling unit
modparam("pike", "sampling_time_unit", 2)
modparam("pike", "reqs_density_per_unit", 24)
modparam("pike", "remove_latency", 4)

...

# check if flood settings hit (and block)
if (!pike_check_req()) {
    xlog("L_INFO","blocking $rm from $fu (IP:$si:$sp)\n");
    $sht(ipban=>$si) = 1;        # remember the source in the ipban htable
    sl_send_reply("200","OK");   # stateless reply stops retransmissions
    exit;
}

Page 21

HTABLE

Page 22

“If you’re not using HTABLE, you’re doing something wrong.”

–@miconda

Page 23

HTABLE

• Hash Table Module

• Stored in shared memory

• Custom cache system

• Replication via DMQ

Page 24

loadmodule "htable.so"

...

# ----- HTABLE params -----
# ip ban htable with autoexpire after 5 minutes
modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")
# per-IP counter of registration attempts, starts at 0 and resets after 3 minutes
modparam("htable", "htable", "regs=>size=8;initval=0;autoexpire=180;")

...

$sht(ipban=>$si) = 1;
$sht(regs=>$si) = $sht(regs=>$si) + 1;

Page 25

HTABLE EXAMPLES

# banned source: swallow everything with a stateless reply
if($sht(ipban=>$si)!=$null) {
    if (!is_method("REGISTER")) {
        sl_send_reply("200","OK");
    } else {
        sl_send_reply("401","Unauthorized RQ");
    }
    exit;
}

...

# count REGISTER attempts per source IP; ban after 5 unless the source is one of our own addresses
$sht(regs=>$si) = $sht(regs=>$si) + 1;
if($sht(regs=>$si)>5) {
    xlog("L_INFO","more than 5 regs from $si \n");
    if(src_ip!=myself) {
        $sht(ipban=>$si) = 1;
    }
    send_reply(401, "Unauthorized AU");
    exit;
}

Page 26

RATELIMIT PIPELIMIT

Page 27

loadmodule "pipelimit.so"

...

# ----- PIPELIMIT params -----
# PIPESECONDS is a define for the timer interval in seconds (set elsewhere in the config)
modparam("pipelimit", "reply_code", 503)
modparam("pipelimit", "reply_reason", "You are doing too much.")
modparam("pipelimit", "timer_interval", PIPESECONDS)

...

# limit all IP to registrations of 3 per sec
# (the limit is counted per timer interval, hence 3 * PIPESECONDS; one pipe per source IP)
$var(plreglimit) = 3 * PIPESECONDS;
if (!pl_check("$si", "TAILDROP", "$var(plreglimit)")) {
    xlog("L_INFO","regs per sec exceeded $var(plreglimit) \n");
    pl_drop("PIPESECONDS");
    exit;
}
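The flood-control chain that the PIKE, HTABLE and PIPELIMIT slides build in kamailio.cfg (request density per source IP, a ban table that expires on its own, and a per-pipe TAILDROP limit), as an added stand-alone Python model driven by a constructed request stream. This is not code from the talk or from Kamailio: the fixed-window simplification of pike's sampling, the route order (ipban lookup, then pike, then pipelimit), the class names, the value of the PIPESECONDS define and the traffic are assumptions made here; the parameter values are taken from the slides.

```python
"""Added example, not from the talk: a stand-alone Python model of the
flood-control chain that the PIKE, HTABLE and PIPELIMIT slides build in
kamailio.cfg (request density per source IP -> ban in an auto-expiring table
-> per-pipe TAILDROP limit), driven by a constructed request stream.
The fixed-window simplification of pike's sampling, the route order, the class
names and the traffic are ours; the parameter values come from the slides."""
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLING_TIME_UNIT = 2      # pike: seconds per sampling unit (slide)
REQS_DENSITY_PER_UNIT = 24  # pike: requests per unit before the IP is flagged (slide)
IPBAN_AUTOEXPIRE = 300      # htable ipban autoexpire in seconds (slide)
PIPESECONDS = 1             # assumed value of the PIPESECONDS define (timer_interval)
REG_PER_SEC = 3             # "limit all IP to registrations of 3 per sec" (slide)


class BanTable:
    """$sht(ipban=>ip) with autoexpire: an entry disappears ttl seconds after it was set."""
    def __init__(self, ttl: int) -> None:
        self.ttl = ttl
        self.expires: Dict[str, float] = {}

    def ban(self, ip: str, now: float) -> None:
        self.expires[ip] = now + self.ttl

    def is_banned(self, ip: str, now: float) -> bool:
        exp = self.expires.get(ip)
        if exp is not None and now < exp:
            return True
        self.expires.pop(ip, None)   # expired (or never present)
        return False


class WindowCounter:
    """Per-key request counter over fixed windows of `interval` seconds.
    Simplified stand-in for both pike_check_req() (window = sampling_time_unit,
    limit = reqs_density_per_unit) and pl_check(..., "TAILDROP", limit)
    (window = timer_interval): the request that exceeds the limit is refused."""
    def __init__(self, interval: int, limit: int) -> None:
        self.interval, self.limit = interval, limit
        self.state: Dict[str, Tuple[int, int]] = {}   # key -> (window index, count)

    def allow(self, key: str, now: float) -> bool:
        idx = int(now // self.interval)
        widx, count = self.state.get(key, (idx, 0))
        if widx != idx:
            count = 0
        count += 1
        self.state[key] = (idx, count)
        return count <= self.limit


class EdgeGuard:
    """Request route in the order the slides show: ipban lookup, pike, pipelimit."""
    def __init__(self) -> None:
        self.ipban = BanTable(IPBAN_AUTOEXPIRE)
        self.pike = WindowCounter(SAMPLING_TIME_UNIT, REQS_DENSITY_PER_UNIT)
        self.pipe = WindowCounter(PIPESECONDS, REG_PER_SEC * PIPESECONDS)

    def handle(self, now: float, ip: str, method: str) -> str:
        if self.ipban.is_banned(ip, now):
            # banned source: 401 to REGISTER, fake 200 OK to everything else
            return "401 (ipban)" if method == "REGISTER" else "200 (ipban)"
        if not self.pike.allow(ip, now):
            self.ipban.ban(ip, now)                  # $sht(ipban=>$si) = 1
            return "200 (pike, banned)"
        if method == "REGISTER" and not self.pipe.allow(ip, now):
            return "503 (pipelimit)"                 # reply_code from the slide
        return "forward"


def simulate() -> Dict[str, int]:
    """Constructed traffic: 203.0.113.9 sends 60 REGISTERs in 1.2 s (scanner),
    198.51.100.7 sends four INVITEs (normal phone), and the scanner returns
    after the 300 s ban has expired. Returns a tally of 'ip action' -> count."""
    guard = EdgeGuard()
    stream: List[Tuple[float, str, str]] = []
    stream += [(i * 0.02, "203.0.113.9", "REGISTER") for i in range(60)]
    stream += [(0.5 + i, "198.51.100.7", "INVITE") for i in range(4)]
    stream += [(400.0 + i * 0.5, "203.0.113.9", "REGISTER") for i in range(2)]
    tally: Dict[str, int] = defaultdict(int)
    for now, ip, method in sorted(stream):
        tally[f"{ip} {guard.handle(now, ip, method)}"] += 1
    return dict(tally)


if __name__ == "__main__":
    for line, n in sorted(simulate().items()):
        print(f"{n:3d}  {line}")
```

With the slide values, the REGISTER pipe (3 per second) trips long before pike (24 per 2 seconds): the scanner gets three registrations forwarded, twenty-one 503s, then the 25th request trips pike and the source lands in the ban table, where it stays for 300 seconds while every further REGISTER is answered 401 and every other method 200. The normal phone, on its own source address, is never touched, and the scanner is admitted again once the autoexpire has cleared its entry. Because every counter is keyed on the source IP, many phones behind one NAT share a single budget; the slides' `src_ip!=myself` guard is the same idea applied to the proxy's own addresses.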

Page 28

PERMISSIONS

Page 29

loadmodule "permissions.so"

...

# ----- PERMISSIONS params -----
modparam("permissions", "db_url", DBURL)
modparam("permissions", "db_mode", 1)

...

# only allow group 688 (of the address table) to make OUTbound calls
if(!allow_source_address("688")) {
    # block unauthorized sources sending 2 calls per second or more
    $var(plreglimit) = 2 * PIPESECONDS;
    if (!pl_check("$si", "TAILDROP", "$var(plreglimit)")) {
        xlog("L_INFO","[R-PSTN:$ci]: Unauth outbound exceeded $var(plreglimit) \n");
        route(KILL);   # local route defined elsewhere in the config (not shown)
    }
    sl_send_reply("403","Not relaying PSTN1");
    exit;
}

Page 30

TLS

Page 31

loadmodule "tls.so"

...

# ----- tls params -----
modparam("tls", "config", "/usr/local/etc/kamailio/tls.cfg")

...

# tls.cfg
[server:default]
# TLSv1 (TLS 1.0) is deprecated; on current Kamailio releases set a minimum such as TLSv1.2+
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = /usr/local/etc/kamailio/privkey1.pem
certificate = /usr/local/etc/kamailio/fullchain1.pem

...

#-- TLS Socket (kamailio.cfg)
enable_tls = yes
listen=tls:192.168.25.31:5061 advertise PUBLICIP:5061

Page 32

TOPOH / TOPOS

Page 33

loadmodule "topoh.so"

...

# ----- TOPOH params -----
# mask_key is the secret used to encode the hidden Via/Route/Contact data;
# use a long random value rather than a dictionary phrase
modparam("topoh", "mask_key", "LetsMakeAPassword")
modparam("topoh", "mask_ip", "127.0.0.8")
modparam("topoh", "mask_callid", 1)
modparam("topoh", "uparam_name", "line")
modparam("topoh", "uparam_prefix", "sr-")
modparam("topoh", "vparam_name", "branch")
modparam("topoh", "vparam_prefix", "z9hG4bKsr-")
modparam("topoh", "callid_prefix", "!!:")
modparam("topoh", "sanity_checks", 1)

...

Page 34

SIP Edge Proxy —“SBC”

• Since 2001

• NAT

• RTP Proxy (rtpproxy/rtpengine)

• TOPOH Module(topology hiding)

• Accounting

Page 35

Scale SIP/RTC

• Load Balancing

• Dispatcher Module

• Various Algorithms

• Node monitoring

• Re-route of failures

Page 36

Scaled Deployment

Page 37

Scaled Deployment (diagram; labelled nodes: Voicemail, Queue, PSTN)

Page 38

DISPATCHER

Page 39

loadmodule "dispatcher.so"

...

# ----- dispatcher params -----
modparam("dispatcher", "db_url", DBURL)
modparam("dispatcher", "table_name", "dispatcher")
modparam("dispatcher", "flags", 2)
modparam("dispatcher", "dst_avp", "$avp(dsdst)")
modparam("dispatcher", "grp_avp", "$avp(dsgrp)")
modparam("dispatcher", "cnt_avp", "$avp(dscnt)")
modparam("dispatcher", "dstid_avp", "$avp(dsdstid)")
modparam("dispatcher", "sock_avp", "$avp(dssocket)")
modparam("dispatcher", "attrs_avp", "$avp(dsattrs)")
modparam("dispatcher", "ds_hash_size", 3)
modparam("dispatcher", "force_dst", 1)
# node monitoring: OPTIONS probe every 20 s, a node fails out after 2 failed probes
modparam("dispatcher", "ds_ping_interval", 20)
modparam("dispatcher", "ds_ping_from", "sip:pinger@YOURDOMAIN")
modparam("dispatcher", "ds_probing_mode", 2)
modparam("dispatcher", "ds_probing_threshold", 2)
# reply codes that count as "node alive"
modparam("dispatcher", "ds_ping_reply_codes", "class=2;code=480;code=404")

...

# algorithm 8: use the first destination of the set (failover style selection)
if(!ds_select_dst("$avp(dispset)", "8")) {
    xlog("L_INFO","No destination available for set $avp(dispset) - send 404.\n");
    send_reply("404", "No destination PSTN2");
    exit;
}
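The dispatcher set, the selection algorithms and the probing state that the DISPATCHER slide configures, as an added Python model so the failover behaviour (a node is skipped after ds_probing_threshold failed probes, and an exhausted set yields the slide's 404 path) can be exercised offline. This is not code from the talk or from the dispatcher module: the dispatcher.list content, the simplified Call-ID hash, the sort of a set by priority and the class names are assumptions made here; the threshold value comes from the slide.

```python
"""Added example, not from the talk: a Python model of the dispatcher set,
selection algorithms and probing state that the DISPATCHER slide configures,
so the failover behaviour can be exercised offline. The dispatcher.list
content, the simplified hashing, the priority sort and the class names are
ours; Kamailio's own implementation is the dispatcher module, not this."""
import zlib
from typing import Dict, List, Optional

DS_PROBING_THRESHOLD = 2   # slide: failed probes before a node is taken out of rotation

# Constructed dispatcher.list in the module's text format: "setid destination flags priority attrs"
DISPATCHER_LIST = """
# set 1: Asterisk call nodes, set 2: PSTN gateways
1 sip:10.0.1.11:5060 0 10 rweight=50;weight=50
1 sip:10.0.1.12:5060 0 10 rweight=50;weight=50
2 sip:10.0.2.21:5060 0 20
2 sip:10.0.2.22:5060 0 10
"""


class Destination:
    def __init__(self, uri: str, flags: int, priority: int, attrs: str) -> None:
        self.uri, self.flags, self.priority, self.attrs = uri, flags, priority, attrs
        self.failed_probes = 0
        self.active = (flags & 3) == 0   # flag bit 1 = inactive, bit 2 = disabled

    def probe(self, ok: bool) -> None:
        """Result of one OPTIONS probe; consecutive failures up to the threshold disable the node."""
        if ok:
            self.failed_probes, self.active = 0, True
        else:
            self.failed_probes += 1
            if self.failed_probes >= DS_PROBING_THRESHOLD:
                self.active = False


class Dispatcher:
    def __init__(self, listing: str) -> None:
        self.sets: Dict[int, List[Destination]] = {}
        self.rr: Dict[int, int] = {}       # round-robin position per set
        for line in listing.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split()
            setid, uri = int(parts[0]), parts[1]
            flags = int(parts[2]) if len(parts) > 2 else 0
            prio = int(parts[3]) if len(parts) > 3 else 0
            attrs = parts[4] if len(parts) > 4 else ""
            self.sets.setdefault(setid, []).append(Destination(uri, flags, prio, attrs))
        for dsts in self.sets.values():
            dsts.sort(key=lambda d: d.priority, reverse=True)   # assumption: higher priority first

    def select(self, setid: int, alg: int, callid: str = "") -> Optional[str]:
        """ds_select_dst(set, alg) over the active members only: 0 = hash over Call-ID,
        4 = round-robin, 8 = first destination. None means the set is exhausted."""
        active = [d for d in self.sets.get(setid, []) if d.active]
        if not active:
            return None
        if alg == 0:
            idx = zlib.crc32(callid.encode()) % len(active)
        elif alg == 4:
            idx = self.rr.get(setid, 0) % len(active)
            self.rr[setid] = idx + 1
        elif alg == 8:
            idx = 0
        else:
            raise ValueError(f"algorithm {alg} not modelled here")
        return active[idx].uri

    def dest(self, setid: int, uri: str) -> Destination:
        return next(d for d in self.sets[setid] if d.uri == uri)


def failover_demo() -> Dict[str, Optional[str]]:
    """Constructed scenario on set 2: the preferred gateway stops answering OPTIONS probes."""
    ds = Dispatcher(DISPATCHER_LIST)
    out: Dict[str, Optional[str]] = {}
    out["before"] = ds.select(2, 8)                 # preferred gateway (priority 20)
    gw = ds.dest(2, "sip:10.0.2.21:5060")
    gw.probe(False)                                 # one failed probe: still below threshold
    out["after_one_failure"] = ds.select(2, 8)
    gw.probe(False)                                 # second failure reaches the threshold
    out["after_two_failures"] = ds.select(2, 8)     # traffic moves to the backup
    backup = ds.dest(2, "sip:10.0.2.22:5060")
    backup.probe(False)
    backup.probe(False)
    out["set_exhausted"] = ds.select(2, 8)          # None: the slide answers 404 here
    gw.probe(True)                                  # preferred gateway answers again
    out["recovered"] = ds.select(2, 8)
    return out


if __name__ == "__main__":
    for step, uri in failover_demo().items():
        print(f"{step:20s} -> {uri}")
```

The probing threshold is what keeps a single lost OPTIONS from flapping a gateway out of service, and the `None` return is the branch the slide turns into a 404 rather than a silent drop, so the caller learns the set is empty instead of retrying into nothing.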

Page 40

REGISTRAR

Page 41

REGISTRAR

• Offload registrations from Asterisk

• MySQL, LDAP, etc.

• Mid-registrar services

Page 42

Mid-Registrar

• since 2010

• https://www.kamailio.org/docs/modules/stable/modules/uac.html

• remote registrar even handles R-URI modifications

if(uac_reg_lookup("$rU", "$ru")) {
    xlog("request from a remote SIP provider [$ou => $ru]\n");
}
lookup("location");

Page 43

API Routing

• http_client / http_async_client

• evapi http://kamailio.org/docs/modules/stable/modules/evapi.html

• rtjson http://kamailio.org/docs/modules/stable/modules/rtjson.html

• nodejs

Page 44

It’s About Power

• Flexibility in language, protocol, format, and controllers

• Lua, Python, JavaScript, Perl, Squirrel, etc

• HTTP, RPC, EVAPI, SIP, etc

• XML, JSON, custom

• node+js, SQL, php, Custom apps, etc

• Power to Scale

Page 45

See you in Berlin!

kamailioworld.com

kamailio.org

Page 46

Ask a good question…

Get a cookie.

Fred [email protected]