2009/1/7 Jiri Kuthan <jiri(a)iptel.org>:
> there are way too many ways how routing logic can be confused to bypass
> admission control. poisoning user loc, having a DNS name or ENUM entry
> to point to a gateway (scripting fails to see it as PSTN target and
> may skip PSTN ACLs), etc. a good thing to do is to use onsend_route
> and check if someone is trying to use a gateway whilst a call is not
> being recognized as to a gateway.

True. I implemented it with OpenSer address blacklists (containing the
gateways' IPs). I just disable this blacklist when a call goes to a
PSTN (I decide it by examining the RURI). In case a user is
registered with a spoofed Contact like:
Contact: sip:+12345678@FACKED_DOMAIN_POINTING_TO_GW
then a call to this user will be rejected since the resolved
destination IP would match the blacklist.
Regards.
--
Iñaki Baz Castillo
<ibc(a)aliax.net>
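
The send-time check discussed in this thread, modeled in Python as an added example; it is not OpenSER configuration and not code from either poster. The gateway address, host names, local domain and dial-plan pattern are constructed assumptions, and the `RESOLVER` table stands in for DNS/ENUM resolution.

```python
import ipaddress
import re

# Constructed sample data (assumptions, not taken from the thread).
GATEWAY_BLACKLIST = [ipaddress.ip_network("192.0.2.10/32")]  # PSTN gateway IPs
RESOLVER = {                              # stand-in for DNS/ENUM resolution
    "gw.example.net": "192.0.2.10",       # the operator's own gateway name
    "faked.example.org": "192.0.2.10",    # foreign name pointing at the gateway
    "phone.example.com": "198.51.100.7",  # ordinary user agent
}
LOCAL_DOMAIN = "example.com"                  # assumed proxy domain
PSTN_USER = re.compile(r"^\+?[0-9]{6,15}$")   # assumed dial-plan rule
SIP_URI = re.compile(r"^sips?:(?:([^@;]+)@)?([^:;>]+)")


def parse_sip_uri(uri):
    """Return (user, host) from a SIP URI; port and parameters are ignored."""
    m = SIP_URI.match(uri.strip())
    if not m:
        raise ValueError("not a SIP URI: %r" % uri)
    return m.group(1) or "", m.group(2).lower()


def is_pstn_request(ruri):
    """The script's own classification, made on the original request URI."""
    user, host = parse_sip_uri(ruri)
    return host == LOCAL_DOMAIN and bool(PSTN_USER.match(user))


def resolve(host):
    """Resolve a host to an IP address, or None if it cannot be resolved."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        ip = RESOLVER.get(host)
        return ipaddress.ip_address(ip) if ip else None


def allow_send(original_ruri, next_hop_uri):
    """Decision taken just before relaying, on the resolved destination."""
    _, host = parse_sip_uri(next_hop_uri)
    dest = resolve(host)
    if dest is None:
        return False                      # fail closed on unresolvable targets
    to_gateway = any(dest in net for net in GATEWAY_BLACKLIST)
    # The blacklist stays active unless the call was recognized as PSTN.
    return not to_gateway or is_pstn_request(original_ruri)
```

The decision uses the resolved IP rather than the URI text, which is why a spoofed Contact or a foreign DNS name that resolves to the gateway is caught even though the script never saw a PSTN target.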