Experiments with ZRTP and FreeSwitch

ZRTP is very important project for securing your voice communication. I started playing with Jitsi, Acrobits Softphone and FreeSWITCH.

What I found out after initial configuration of ZRTP for FreeSwitch is that FreeSwitch attempts to negotiate ZRTP keys and act as a trusted man in the middle. I wanted to avoid that and provide end to end encryption. The magic option that would allow direct passthrough of ZRTP to the endpoint is enabling:

<!--Uncomment to set all inbound calls to proxy media mode--> <param name="inbound-proxy-media" value="true"/>

in conf/sip_profiles/internal.xml.

Other funny thing I found out is how many bots are out there trying to abuse my softswitch. This happened a few hours after setting up FreeSwitch on public IP (that was never used as a SIP server before). I have run tcpdump capturing only UDP on 5600:

[root@softswitch ~]# strings output.pcap |wc -l 37235 [root@softswitch ~]# strings output.pcap |grep To: | wc -l 2833 [root@softswitch ~]# strings output.pcap |grep To:| uniq | head -n 5 To: "J" <sip:1001@203.0.113.7> To: "J" <sip:1001@203.0.113.7>;tag=U4SvF45vSBeeN To: "J" <sip:1001@203.0.113.7> To: "J" <sip:1001@203.0.113.7>;tag=vDKNHZp0pm40g To: <sip:1001@203.0.113.7> [root@softswitch ~]# strings output.pcap |grep To:| uniq | tail -n 5 To: 700972597727055 <sip:700972597727055@203.0.113.7>;tag=Uy4Dmj5jN0NHB To: 700972597727055<sip:700972597727055@203.0.113.7> To: 700972597727055 <sip:700972597727055@203.0.113.7> To: 700972597727055 <sip:700972597727055@203.0.113.7>;tag=v7X6NDppj9B4p To: 001972597727055 <sip:001972597727055@203.0.113.7>;tag=jD1e4yDKFgD9j [root@softswitch ~]# strings output.pcap |grep -i nonce| uniq | head -n 10 Proxy-Authorization: Digest username="2010",realm="203.0.113.7",nonce="9613eafe-5920-11e2-84ca-eb9dba96f036",uri="sip:00972592819732@203.0.113.7",response="264f1ab22fa5dacafc01387032228446",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5 Proxy-Authorization: Digest username="2010",realm="203.0.113.7",nonce="96dbcfa6-5920-11e2-84cc-eb9dba96f036",uri="sip:000972592819732@203.0.113.7",response="512df72182d278d705a2160ba15f4a0f",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5 Proxy-Authorization: Digest username="2010",realm="203.0.113.7",nonce="97630552-5920-11e2-84ce-eb9dba96f036",uri="sip:900972592819732@203.0.113.7",response="a45fc82a1d632a8890f777716b7935f5",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5 Proxy-Authorization: Digest username="2012",realm="203.0.113.7",nonce="0b1a9a5a-5926-11e2-84d4-eb9dba96f036",uri="sip:00972592819732@203.0.113.7",response="c5590c623d654384f83ff04da785a197",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5 Proxy-Authorization: Digest username="2012",realm="203.0.113.7",nonce="0c7a5b10-5926-11e2-84d6-eb9dba96f036",uri="sip:000972592819732@203.0.113.7",response="f581d146cb370170764fa8f54bd4b360",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5 Proxy-Authorization: Digest username="2012",realm="203.0.113.7",nonce="0dc65ae6-5926-11e2-84d8-eb9dba96f036",uri="sip:900972592819732@203.0.113.7",response="d522d9a645bd6b3a47a8d5091b73b0f4",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5 Proxy-Authorization: Digest username="2020",realm="203.0.113.7",nonce="811aaa42-592b-11e2-84de-eb9dba96f036",uri="sip:00972592819732@203.0.113.7",response="407a62e3cc1dcadad13e5e672a8cdb88",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5 Proxy-Authorization: Digest username="2020",realm="203.0.113.7",nonce="826543b2-592b-11e2-84e2-eb9dba96f036",uri="sip:000972592819732@203.0.113.7",response="f803d9c9687217fc97829bc317933c6e",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5 Proxy-Authorization: Digest username="2020",realm="203.0.113.7",nonce="83df2bfe-592b-11e2-84e4-eb9dba96f036",uri="sip:900972592819732@203.0.113.7",response="5e11b2531e86709427c9eea542203cd9",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5 Proxy-Authorization: Digest username="301",realm="203.0.113.7",nonce="2e81b5a4-592c-11e2-84e9-eb9dba96f036",uri="sip:00972597727055@203.0.113.7",response="156ef65fecbe325882b48b555ec92cd4",cnonce="4b41f53e6f00c05",nc=00000001,qop="auth",algorithm=MD5

For those that are not that familiar with UNIX, this basically means, that there are bots (or botnets) out there trying to brute-force your password and call out. That means you need to change your password before running FreeSwitch for the first time.

I used a good (although older) tutorial about starting with FreeSwitch.

Report

Harassment or bullying behavior
Contains mature or sensitive content
Contains misleading or false information
Contains abusive or derogatory content
Contains spam, fake content or potential malware

Block Member?

Please confirm you want to block this member.

You will no longer be able to:

  • See blocked member's posts
  • Mention this member in posts

Please allow a few minutes for this process to complete.

Report

You have already reported this .