[OpenSIPS-Users] tcpconn_add_alias port hijack attempt log message using TLS in 1.11.5
Carlos Oliva
carlos.oliva at invoxcontact.com
Thu Jul 30 09:31:59 CEST 2015
Hi list:

Working with TLS (with client certificate validation) in version
1.11.5, I started to see these messages in the log:

ERROR:core:tcpconn_add_alias: possible port hijack attempt
ERROR:core:tcpconn_add_alias: alias already present and points to another connection (199 : 5062 and 219 : 5062)
ERROR:core:receive_msg: tcp alias failed

Those messages appear after a non-existent user tries to register in the proxy.
I have some UACs (that I cannot control) behind the same public IP
trying to register with an invalid user but with a valid TLS client
certificate every 10 seconds.
As far as I can see, after two of the UACs try to register, this message
starts to appear after each try.
In the messages I see that the numbers 199 and 219 change, but 5062 is persistent.
The contact header of one of the UACs is
sips:USER1@192.168.1.201:5062;transport=tls but it is received from
PUBLIC_CLIENT_IP:24609
The contact header of the other UAC is
sips:USER2@192.168.1.207:16577;transport=tls and is received from
PUBLIC_CLIENT_IP:40993
Listing TCP connections, 199 and 219 exist and look right:

Connection:: ID=199 Type=tls State=0 Source=PUBLIC_CLIENT_IP:42081 Destination=MY_IP:5061 Timeout=2015-07-30 09:24:54 Pending lifetime=0
Connection:: ID=219 Type=tls State=0 Source=PUBLIC_CLIENT_IP:24609 Destination=MY_IP:5061 Timeout=2015-07-30 09:47:44 Pending lifetime=0

I'm not using TCP async mode, not using force_tcp_alias(), and
tcp_persistent_flag is not set because auth was not successful.
Maybe there is an error in my NAT detection route? In TCP/TLS cases I'm
always using the nat_traversal module and doing:
modparam("registrar", "received_avp", "$avp(received_uri)")
modparam("registrar", "tcp_persistent_flag", "TCP_PERSISTENT")
setbflag(NAT);
force_rport();
$avp(received_uri) = $source_uri;
Any hints?
Thanks and regards,
Carlos Oliva
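
A triage helper for the log lines and connection listing quoted in the message above, added here as an example (it is not part of the original post or of OpenSIPS): it groups the alias conflicts by alias port and resolves the connection IDs to their source addresses. The sample text, the documentation-range IP addresses, connection ID 231 and the function names are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample input in the format quoted in the post (documentation IPs).
SAMPLE_LOG = """\
ERROR:core:tcpconn_add_alias: possible port hijack attempt
ERROR:core:tcpconn_add_alias: alias already present and points to
another connection (199 : 5062 and 219 : 5062)
ERROR:core:receive_msg: tcp alias failed
ERROR:core:tcpconn_add_alias: alias already present and points to another connection (219 : 5062 and 231 : 5062)
"""
SAMPLE_CONNS = """\
Connection:: ID=199 Type=tls State=0 Source=198.51.100.7:42081
Destination=203.0.113.10:5061 Timeout=2015-07-30 09:24:54 Pending lifetime=0
Connection:: ID=219 Type=tls State=0 Source=198.51.100.7:24609 Destination=203.0.113.10:5061
"""

# \s+ tolerates the line wrapping seen in mail archives and some log viewers.
ALIAS_RE = re.compile(r"alias already present and points to\s+another connection\s+"
                      r"\((\d+) : (\d+) and (\d+) : \d+\)")
CONN_RE = re.compile(r"Connection:: ID=(\d+) Type=(\S+) State=\d+\s+Source=(\S+):(\d+)")

def parse_connections(listing):
    """Map connection ID -> (transport, source IP, source port)."""
    return {int(i): (t, ip, int(p)) for i, t, ip, p in CONN_RE.findall(listing)}

def correlate(log_text, listing):
    """Group alias conflicts by alias port and resolve the connections involved."""
    conns = parse_connections(listing)
    report = defaultdict(lambda: {"count": 0, "conn_ids": set()})
    for id_a, port, id_b in ALIAS_RE.findall(log_text):
        entry = report[int(port)]
        entry["count"] += 1
        entry["conn_ids"].update((int(id_a), int(id_b)))
    for entry in report.values():
        known = {c: conns[c] for c in sorted(entry["conn_ids"]) if c in conns}
        entry["sources"] = known                                    # present in the listing
        entry["unlisted"] = sorted(entry["conn_ids"] - set(known))  # absent from the listing
        entry["source_ips"] = sorted({ip for _, ip, _ in known.values()})
    return dict(report)

if __name__ == "__main__":
    for port, e in correlate(SAMPLE_LOG, SAMPLE_CONNS).items():
        print(f"alias port {port}: {e['count']} conflicts, source IPs {e['source_ips']}")
        for cid, (proto, ip, sport) in e["sources"].items():
            print(f"  conn {cid} {proto} from {ip}:{sport}")
        print(f"  not in listing: {e['unlisted']}")
```

An alias port whose conflicting connections all resolve to one source IP matches the situation described in the post, where several UACs sit behind the same public address.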