2009/1/7 Jiri Kuthan jiri@iptel.org:
there are way too many ways how routing logic can be confused to bypass admission control. poisoning user loc, having a DNS name or ENUM entry to point to a gateway (scripting fails to see it as PSTN target and may skip PSTN ACLs), etc. a good thing to do is to use onsend_route and check if someone is trying to use a gateway whilst a call is not being recognized as to a gateway.
True. I implemented it with OpenSer address blacklists (containing the gateways IP's). I just dissable this blacklist when a call goes to a PSTN (I decide it by examinating the RURI). In case a user is registered with a spoofed Contact like: Contact: sip:+12345678@FACKED_DOMAIN_POINTING_TO_GW then a call to this user will be rejected since the resolved destination IP would match the blacklist.
Regards.