2008/12/23 Klaus Darilion <klaus.mailinglists(a)pernau.at>:
Juha Heinanen wrote:
Iñaki Baz Castillo writes:
- alice sends this BYE:
BYE sip:PSTN_NUMBER@PSTN_GATEWAY SIP/2.0
Route: <sip:PROXY_IP>
Route: <sip:alice@ALICE_PHONE_IP>
in this particular case, you could call to_gw() and find out that
request is going to gw and, if so, drop the request if it has more than
one route header (the one for the proxy itself).
Not sure if this is enough - the attacker could omit the Route header
pointing to the proxy. Maybe the check should use $dd which is set if
another Route header is present.
Yes, I think so. Checking $dd would be the appropriate way to know if
the request has another Route.
So steps would be:
a) The proxy receives BYE from a gateway IP, so it must account the
BYE at that moment (regardless of the BYE response).
b) The proxy receives BYE from a non-gateway IP (so it could be a
user). It must:
- Check loose routing (as always).
- Check if $dd is set. In that case drop the request since it
shouldn't have more Route headers and could be a spoofed BYE.
- If $dd is not set, then check if the RURI host:port matches an
IP:port of a gateway. If not, drop the request.
- Forward the request to the gateway.
- Upon receiving 200 OK from the gateway do the accounting (call end).
Am I missing something?
Is it *completely* feasible? or is it vulnerable with a more exotic BYE?
--
Iñaki Baz Castillo
<ibc(a)aliax.net>
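
The decision steps a) and b) listed in the message above, modelled as an added Python example that is not part of the original thread and is not OpenSER/Kamailio configuration. The addresses, the sample request, the function names and the simplified loose-routing model (topmost Route is consumed if it names the proxy, a remaining Route becomes the destination that $dd would expose) are assumptions made for illustration.

```python
import re

# All addresses and the sample request are constructed (documentation ranges).
PROXY = ("192.0.2.10", 5060)        # the proxy's own IP:port
GATEWAYS = {("192.0.2.50", 5060)}   # PSTN gateway IP:port list
SPOOFED_BYE = ("BYE sip:+15550100@192.0.2.50 SIP/2.0\r\n"
               "Route: <sip:192.0.2.10;lr>\r\n"
               "Route: <sip:alice@198.51.100.7>\r\n\r\n")

def hostport(uri):
    """(host, port) of a sip: URI; the port defaults to 5060."""
    m = re.search(r"sips?:(?:[^@>;]*@)?([^:;>\s]+)(?::(\d+))?", uri)
    return m.group(1), int(m.group(2) or 5060)

def parse(raw):
    """Return method, Request-URI and the Route URIs in header order."""
    lines = raw.strip().splitlines()
    method, ruri, _version = lines[0].split()
    routes = [uri for line in lines[1:] if line.lower().startswith("route:")
              for uri in re.findall(r"<([^>]+)>", line)]
    return method, ruri, routes

def next_hop_after_loose_route(routes):
    """Simplified loose routing: consume the topmost Route if it names the
    proxy; a Route that remains becomes the destination (what $dd exposes)."""
    if routes and hostport(routes[0]) == PROXY:
        routes = routes[1:]
    return hostport(routes[0])[0] if routes else None

def handle_bye(raw, src_ip):
    method, ruri, routes = parse(raw)
    if method != "BYE":
        raise ValueError("not a BYE")
    if src_ip in {ip for ip, _port in GATEWAYS}:
        return "account-now"                       # step a
    if next_hop_after_loose_route(routes) is not None:
        return "drop"                              # step b: $dd is set
    if hostport(ruri) not in GATEWAYS:
        return "drop"                              # RURI is not a gateway
    return "forward-account-on-200"                # account when 200 OK arrives

if __name__ == "__main__":
    print(handle_bye(SPOOFED_BYE, "198.51.100.7"))  # drop
```

The same function also drops the variant raised earlier in the thread, where the Route header pointing to the proxy is omitted, because the remaining Route still becomes the destination.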