[Freeswitch-users] SBC

Kamil Nigmatullin kamil.nigmatullin at gmail.com
Mon Dec 12 10:52:07 MSK 2016


Well, I didn't know about that  traffic monitoring tools. Is it some sort
of software that works via ESL or it is built-in modules? At that moment
when I asked about the problem with sip reffer atack I was asked not to
share this information in open forum. So there were no recomendation on how
to handle that. To disable reffer completly - means not to give clients an
ability to make attxfer. How could I know that limit module may be broken
that way? The only thing I thought of making an aditional handler of
limitaton where SIP refer packets just cannot get. (put second FS or do it
on B-LEG of kamailio/opensips)

2016-12-12 11:21 GMT+06:00 Ken Rice <krice at freeswitch.org>:

> You miss my point entirely…  its not just CDR reporting, but its network
> traffic monitoring in general. There are things in FreeSWITCH specifically
> made to address this sort of attack. Limits can be applied in various ways,
> certain SIP features can be completely disable or handling in ways that
> allow for more stringent checks… for instance, why would you blindly follow
> a refer? That in and of itself is just asking to get owned.
>
>
>
>
>
>
>
> *From:* freeswitch-users-bounces at lists.freeswitch.org [mailto:
> freeswitch-users-bounces at lists.freeswitch.org] *On Behalf Of *Kamil
> Nigmatullin
> *Sent:* Sunday, December 11, 2016 10:49 PM
> *To:* FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
> *Subject:* Re: [Freeswitch-users] SBC
>
>
>
> I understand that. But CDR comes after the call is done. Sometimes one
> minute costs 10$ and I understand this after 20 minutes. I agree that this
> things doest't guarantee anything but it is funcionality of so called SBC.
> And it helps almost in any case except attackers broke sip device and sends
> traffic from this devices where monitoring and various limitations are
> really important. And about REFFER attack it is really very dangerous thing
> that is not fixes yet.
>
>
>
> 2016-12-12 10:00 GMT+06:00 Ken Rice <krice at freeswitch.org>:
>
> You do realize all of these things can be chexked in freeswitch. However
> no amount of checking various things the user is sending will stop such
> fraud. This is where your cdr's and pattern analysis come into play. Theres
> a reason large providers have rooms full of fraud prevention people
>
> Sent from my iPhone
>
>
> On Dec 11, 2016, at 21:43, Kamil Nigmatullin <kamil.nigmatullin at gmail.com>
> wrote:
>
> The first was the problem, where attacker somehow got login and password
> (i think they broke thier ATA) from clinet and used it. But for this client
> there was a limit of one line. I used limit module with local database.
> What attacker actially did, is that they used REFER attack, where they put
> their own number as a referrer, and opened unlimited lines to PSTN. So the,
> solution was - to replace limit functunality to opensips.
>
>
>
> The second - it is not actually the FS issue. It is because Freeswitch is
> not flexible enouph to work at the low level where Kamailio or opensips
> operates. E.g, we programmed opensips to lookup for UserAgent database, we
> add useragent for each client manually. And only using client's  IP and
> user-agent we allow this user to call to PSTN. We watch for blacklists of
> IP adresses, subnets. If it comes from Gaza, Panama, China we block it. And
> a lot of other things. Most of them is not out-of-box in opensips, but it
> is not hard to implement. All this functionality is very important. We lost
> about $10k last time. This is very serious.
>
>
>
> 2016-12-12 8:56 GMT+06:00 Alex Balashov <abalashov at evaristesys.com>:
>
> On Mon, Dec 12, 2016 at 08:17:57AM +0600, Kamil Nigmatullin wrote:
>
> > I love freeswitch, but frankly I would not recomend to set it as SBC. I
> > personally faced two attacks where FS was not good at. And we lost a lot
> of
> > money. It works perfectly as NAT between internal and extenal networks,
> > actually in everything but it is weak as a firewall. Stanislav knows
> that,
> > he helped me to resolve the problem first time when it happend. I cannot
> go
> > into details as this is open forum. You need to put either kamailio or
> > opensips in front of FS.
>
> Strongly agree.
>
> --
> Alex Balashov | Principal | Evariste Systems LLC
>
> Tel: +1-706-510-6800 (direct) / +1-800-250-5920 (toll-free)
> Web: http://www.evaristesys.com/, http://www.csrpswitch.com/
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>
>
>
>
> --
>
> Kamil Nigmatullin
> Tel: 77272323748
> mob: 7 (707) 2517003 <(707)%20251-7003>
> Skype: kamil.nigmatullin
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>
>
>
>
> --
>
> Kamil Nigmatullin
> Tel: 77272323748
> mob: 7 (707) 2517003 <(707)%20251-7003>
> Skype: kamil.nigmatullin
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>



-- 
Kamil Nigmatullin
Tel: 77272323748
mob: 7 (707) 2517003
Skype: kamil.nigmatullin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20161212/cc64755e/attachment-0001.html 


Join us at ClueCon 2016 Aug 8-12, 2016
More information about the FreeSWITCH-users mailing list