pfSense » pfSense Packages

siproxd is providing a configuration option "hosts_allow_reg" which
implements a positive access control list for hosts allowed
to SIP REGISTER.

If this option is not set, and the SIP port 5060 is wide open at
the firewall, anyone is able to send fake SIP REGISTER requests
to siproxd.

Issues:

1) this may lead to a DoS attack because the size of the list of
registrations is surely bound to some limit. This situation is aggravated
by the fact that registrations remain active even if the upstream SIP
server has rejected the request.

2) specially crafted SIP REGISTER requests might be used to discover
the internal topology of the network behind the firewall.

A packet sent to siproxd over the WAN interface:

-- begin of packet --
REGISTER sip:some.sip-provider.com SIP/2.0
Via: SIP/2.0/UDP 192.168.0.169:5060
...
--- end of packet ---

is causing this error message in siproxd:

22:30:27 ERROR:sock.c:445 sendto() [192.168.0.169:5060 size=730] call failed: Host is down

This means that siproxd is actually trying to connect to 192.168.0.169 (the faked
IP from the Via-Header). This could be misused for various replay attacks as well.

To cut a long story short: we need a (preferably mandatory and preset to the
LAN's network) GUI setting for "hosts_allow_reg".