Best Authentication Method? Username/Password vs IP Authentication

[pbz]

For the best security when setting up a Gateway, am I correct to assume IP Authentication is more secure than Username/Password?

 

[DigitalDaz]

Far from it, it is much less secure. You can use both though. Have a search around the forum.

 

[markjcrane]

I would say IP authentication is more dependable in FreeSWITCH. Gateways with authentication false is the way to go. Sometimes FreeSWITCH gateway registration will say fail wait. Most VoIP providers use IP authentication.

 

[DigitalDaz]

I would say IP authentication is more dependable in FreeSWITCH. Gateways with authentication false is the way to go. Sometimes FreeSWITCH gateway registration will say fail wait.

Someone correct me if I am wrong here but following that above advice gives you a big gaping hole protected by nothing other than security through obscurity...

Lets assume a premium rate number, here in the UK maybe £3 per minute.

So if we know the sip endpoint for the above gateway eg carrier.xyz we then use a simple tool like SIPP to spoof the IP of the PBX and send and INVITE packet to carrier.xyz with the premium rate number in the RURI

carrier.xyz will see our IP is authed and connect the call it will then send us maybe a 100 TRYING, 180 RINGING and a 200OK.

The three packets above will never reach us because we spoofed the IP. We do not care because the call is up.

carrier.xyz is now waiting for an ACK to their 200OK. Most carriers will wait 32 seconds for that ACK before they drop that call, sending repeated 200OK's in the meantime.

After 32 seconds, the call is dropped.

Mr Bad Guy is happy, he just banked at least £1.50

The above is repeated until either your carriers anti fraud blocks you, your prepaid balance is exhausted or your credit limit with carrier is exceeded.

 

[DigitalDaz]

Black and whitelist are fine for normal scenarios, ie there is going to be two way traffic, the above is an example of an edge case that does not require two way traffic.

This also only works the way I describe above with UDP, TCP would fail as it needs the three way handshake. I know many, many users are still using UDP to the carrier.

 

[markjcrane]

I think you proved that SIP UDP is not as safe as SIP with TCP. Better protection for anti IP spoof with TCP because of its design.

Lots of resources for anti IP address spoofing.

Firewall — Ingress Filtering | pfSense Documentation

docs.netgate.com

Iptables rules to prevent IP Spoofing

We had following below iptables rules that exist in our web front-end boxes to prevent IP Spoofing: -A INPUT -s 255.0.0.0/8 -j LOG --log-prefix "Spoofed source IP" -A INPUT -s 255.0.0.0/8 -j

security.stackexchange.com

Prevent IP spoofing with the Cisco IOS | TechRepublic

In a typical IP address spoofing attempt, the attacker fakes the source of packets in order to appear as part of an internal network. David Davis tells you three ways you can make an attacker's life more difficult—and prevent IP address spoofing.

www.techrepublic.com

and many more….