there are way too many ways how routing logic can be confused to bypass admission control. poisoning user loc, having a DNS name or ENUM entry to point to a gateway (scripting fails to see it as PSTN target and may skip PSTN ACLs), etc. a good thing to do is to use onsend_route and check if someone is trying to use a gateway whilst a call is not being recognized as to a gateway.
-jiri
Klaus Darilion wrote:
Juha Heinanen schrieb:
IƱaki Baz Castillo writes:
alice sends this BYE:
BYE sip:PSTN_NUMBER@PSTN_GATEWAY SIP/2.0 Route: sip:PROXY_IP Route: sip:alice@ALICE_PHONE_IP
in this particular case, you could call to_gw() and find out that request is going to gw and, if so, drop the request it is has more than one route header (the one for the proxy itself).
Not sure if this is enough - the attacker could omit the Route header pointing to the proxy. Maybe the check should use $dd which is set if another Route header is present.
regard klaus
Users mailing list Users@lists.kamailio.org http://lists.kamailio.org/cgi-bin/mailman/listinfo/users