2008/12/23 Klaus Darilion klaus.mailinglists@pernau.at:
Juha Heinanen schrieb:
Iñaki Baz Castillo writes:
- alice sends this BYE:
BYE sip:PSTN_NUMBER@PSTN_GATEWAY SIP/2.0
Route: sip:PROXY_IP Route: sip:alice@ALICE_PHONE_IP
in this particular case, you could call to_gw() and find out that request is going to gw and, if so, drop the request it is has more than one route header (the one for the proxy itself).
Not sure if this is enough - the attacker could omit the Route header pointing to the proxy. Maybe the check should use $dd which is set if another Route header is present.
Yes, I think so. Checking $dd would be the appropiate way to know if the request has other Route. So steps would be:
a) The proxy receives BYE from a gateway IP, so it must account the BYE in that moment (regardless of the BYE response).
b) The proxy receives BYE from a non gateway IP (so it could be an user). It must: - Check loose routing (as always). - Check if $dd is set. In that case drop the request since it shouldn't have more Route header and could be a spoofed BYE. - If $dd is not set, then check if the RURI host:port matches an IP:port of a gateway. If not, drop the request. - Forward the request to the gateway. - Upon receiving 200 OK from the gateway do the accounting (call end).
Do I miss somehting? Is it *completely* feasible? or is it vulnerable with a more exotic BYE?