On Monday, 22 December 2008 14:33, Iñaki Baz Castillo wrote:
Well, except in the case of BYE sent by the gateway (since the
attacker could reply non-200 to the BYE and maintain the session open).
But anyway, I imagine this exotic case:
- alice (attacker) speaking with the PSTN gateway.
- alice sends this BYE:
BYE sip:PSTN_NUMBER@PSTN_GATEWAY SIP/2.0
Route: <sip:PROXY_IP>
Route: <sip:alice@ALICE_PHONE_IP>
The proxy could check the RURI to know that the destination is the
gateway, so to account a BYE the gateway must reply 200 OK to the BYE.
The first route is the proxy, so there is loose routing (as expected
and required).
But there is another Route pointing to alice again, so the BYE would be
sent to alice who will reply 200 OK to this spoofed BYE.
The proxy would trigger STOP action but the call session remains.
In all the thread I wonder why you allow users to speak with your GWs ... in
our systems users may only speak with our proxies, and our gateways only speak
with our proxies.
We know that this config overloads the proxies, but powerful machines are
cheaper than aspirin trucks ;-)
If you route all your traffic through your proxies (SIP signaling, I mean) and
you do your accounting based on your GWs' information and not based on your
proxies' information, you will be safe.
Best regards
--
Raúl Alexis Betancor Santana
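
The spoofed BYE quoted above, seen from the proxy's side (an added example, not code from either poster or from any SIP proxy): it works out where loose routing actually delivers the BYE and accepts a 200 OK as the end of the call only when that next hop is the gateway. Host names, the sample messages and all function names are constructed for illustration.

```python
import re

# Constructed samples: PROXY_IP, PSTN_GATEWAY and ALICE_PHONE_IP from the
# message are replaced with placeholder hosts.
SPOOFED_BYE = ("BYE sip:0034900000000@gw.example.net SIP/2.0\r\n"
               "Route: <sip:proxy.example.net>\r\n"
               "Route: <sip:alice@192.0.2.10>\r\n\r\n")
HONEST_BYE = ("BYE sip:0034900000000@gw.example.net SIP/2.0\r\n"
              "Route: <sip:proxy.example.net>\r\n\r\n")
PROXIES = {"proxy.example.net"}
GATEWAYS = {"gw.example.net"}

# Simplified host extraction: no IPv6 literals, no folded headers.
URI_HOST = re.compile(r"sips?:(?:[^@>;]*@)?([^;>:\s]+)", re.I)


def host_of(uri):
    """Return the lower-cased host part of a SIP URI, or None."""
    m = URI_HOST.search(uri)
    return m.group(1).lower() if m else None


def next_hop_after_proxy(raw, proxy_hosts):
    """Return (method, ruri_host, next_hop_host) as the proxy would route it."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, ruri, _ = head[0].split(" ", 2)
    routes = []
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "route":
            routes += [host_of(v) for v in value.split(",")]
    # Loose routing: the proxy removes the topmost Route entries naming itself.
    while routes and routes[0] in proxy_hosts:
        routes.pop(0)
    ruri_host = host_of(ruri)
    # Any Route left over wins over the Request-URI as the next hop.
    return method, ruri_host, (routes[0] if routes else ruri_host)


def bye_reaches_gateway(raw, proxy_hosts, gateway_hosts):
    """True only if a 200 OK to this BYE would come from the gateway itself."""
    method, ruri_host, hop = next_hop_after_proxy(raw, proxy_hosts)
    return method == "BYE" and ruri_host in gateway_hosts and hop in gateway_hosts


if __name__ == "__main__":
    for label, msg in (("spoofed", SPOOFED_BYE), ("honest", HONEST_BYE)):
        print(label, next_hop_after_proxy(msg, PROXIES),
              bye_reaches_gateway(msg, PROXIES, GATEWAYS))
```

For the spoofed message the RURI names the gateway but the next hop is alice's own address, so the 200 OK says nothing about the gateway's call state.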