On Monday, 22 December 2008 14:33, Iñaki Baz Castillo wrote:
Well, except in the case of BYE sent by the gateway (since the attacker could reply non-200 to the BYE and maintain the session open). But anyway, I imagine this exotic case:
alice (attacker) speaking with the PSTN gateway.
alice sends this BYE:
  BYE sip:PSTN_NUMBER@PSTN_GATEWAY SIP/2.0
  Route: sip:PROXY_IP
  Route: sip:alice@ALICE_PHONE_IP
The proxy could check the RURI to know that the destination is the gateway, so to account a BYE the gateway must reply 200 OK to the BYE. The first route is the proxy, so there is loose routing (as expected and required). But there is another Route pointing to alice again, so the BYE would be sent to alice who will reply 200 OK to this spoofed BYE. The proxy would trigger STOP action but the call session remains.
In all the thread I wonder why you allow users to speak with your GWs ... in our systems users may only speak with our proxies, and our gateway only speaks with our proxies. We know that this config overloads the proxies, but powerful machines are cheaper than aspirin trucks ;-)
If you route all your traffic through your proxies (SIP signaling, I mean) and you do your accounting based on your GWs' information and not based on your proxies' information, you will be safe.
Best regards
--
Raúl Alexis Betancor Santana
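
The check below is an added example, not part of the original thread or of any proxy's own code: it shows how accounting logic could recognise the BYE from the quoted message, where the request-URI names the gateway but a leftover Route entry sends the request elsewhere. The function names, the minimal header parsing (no IPv6, no display names) and the addresses are assumptions constructed for illustration.

```python
import re

def parse_request(raw):
    """Split a SIP request into (method, request-URI, Route URIs in order)."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    method, ruri, _version = lines[0].split()
    routes = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "route":
            # One Route header may carry several comma-separated URIs.
            routes += [v.strip().strip("<>") for v in value.split(",")]
    return method, ruri, routes

def uri_host(uri):
    """Host of a sip:/sips: URI, without user, port or parameters (no IPv6)."""
    rest = re.sub(r"^sips?:", "", uri, flags=re.I).split(";")[0]
    return rest.rsplit("@", 1)[-1].split(":")[0].lower()

def next_hop(ruri, routes, own_hosts):
    """Host the proxy forwards to once its own Route entries are removed."""
    remaining = list(routes)
    while remaining and uri_host(remaining[0]) in own_hosts:
        remaining.pop(0)
    return uri_host(remaining[0]) if remaining else uri_host(ruri)

def bye_bypasses_gateway(raw, own_hosts, gateway_hosts):
    """True if a BYE addressed to a gateway would be routed somewhere else."""
    method, ruri, routes = parse_request(raw)
    if method != "BYE" or uri_host(ruri) not in gateway_hosts:
        return False
    return next_hop(ruri, routes, own_hosts) not in gateway_hosts

# Constructed sample values (documentation address ranges).
PROXY, GATEWAY = {"192.0.2.10"}, {"192.0.2.20"}
SPOOFED_BYE = """BYE sip:5550100@192.0.2.20 SIP/2.0
Route: <sip:192.0.2.10;lr>
Route: <sip:alice@198.51.100.7>
"""
NORMAL_BYE = """BYE sip:5550100@192.0.2.20 SIP/2.0
Route: <sip:192.0.2.10;lr>
"""

if __name__ == "__main__":
    for name, msg in (("spoofed", SPOOFED_BYE), ("normal", NORMAL_BYE)):
        print(name, bye_bypasses_gateway(msg, PROXY, GATEWAY))
```

A BYE flagged this way should not trigger the accounting STOP on the strength of the 200 OK alone, since that reply does not come from the gateway.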