Drachtio Server self restarts with specific package

[vitor-vidal]

Hello Dave,

We've been using Drachtio in production for a few weeks and it has been working like a charm.

But last night, something really strange happened.

We've detected on our alarmist that the Drachtio Server restarted 5 times with no apparent reason and, on the last restart, it did not recover.

After analyzing some logs, we've noticed that someone was executing a friendly-scanner on our public IP. Since this user agent is one of the agents configured on Dracthio to be rejected, the server replied with a 603.

<spammers action="reject" tcp-action="discard">
    <header name="User-Agent">
        <value>sip-cli</value>
        <value>sipcli</value>
        <value>friendly-scanner</value>
        <value>pplsip</value>
    </header>
    <header name="To">
        <value>sipvicious</value>
    </header>
</spammers>

There were no errors or reports that justified the restart on the Drachtio log file.

We've copied the INVITE and the ACK that we were receiving from the attacker and we were able to replicate the transaction. With this test, after receiving the ACK, the Drachtio server has restarted.

We think that there should be some kind of bug on the Drachtio-server that is causing this package to crash.

We are currently using the Dracthio Server v0.8.9-rc1.

Since this is sensitive information, I will share it with you through email.

Thank you.

[davehorton]

yes if you could send the drachtio log to daveh at drachtio.org that would be helpful

[davehorton]

ok I see the issue. Fix coming shortly

[davehorton]

could you test with latest on the main branch (v0.8.9-rc2) and let me know if it resolves the issue? I was able to recreate in my environment and believe this fix should correct it.

[vitor-vidal]

Thank you for your quick reply. I will test the new branch and let you know the result.

[vitor-vidal]

We've done some tests on the machine and this ACK is no longer crashing the Drachtio server.

So, the problem seems to be solved.

With this release, we've also noticed that the Drachtio server is now ignoring the ACK received by the attacker to the Decline reply. This causes the Dracthio server to make several retransmissions of the decline package. Is this the expected behavior?

[davehorton]

Yes, this is expected, and is related to the crashing issue. You'll notice that the ACK has a different branch value in the Via header than that from the INVITE. This is actually a violation of the RFC 3261 spec which mandates that the branch on the ACK for a non-success response shall be the same as that on the INVITE (note that for a success response a new branch shall be generated on the ACK). Therefore the ACK does not match to the 603 final response and we continue retransmitting that until sip timer G expires.

This scenario of malformed ACK was causing an unnoticed crashing bug on a log statement, unnoticed till now because it rquired a "broken" client, if you will, to expose this bug

[davehorton]

FYI, depending on your architecture, you may want to use fail2ban to automatically block spammers. You could have a look at my fail2ban configuraton for drachtio as described here

[davehorton]

I also install support for apiban on most of my public-facing servers

[vitor-vidal]

Thanks for your explanation. It makes perfect sense to me.

Regarding the blocking of spammers, I've already read your suggestion about fail2ban and I liked the idea. Although we were not able to implement that solution with our architecture, we are working on a similar solution to integrate with our existing firewalls.

Thank you for your improvement suggestions.