On Thursday, 18 December 2008, Iñaki Baz Castillo wrote:
I'm thinking of the following flow in which the caller/attacker would get an unlimited call (but a limited CDR duration):

attacker                  Kamailio (Acc)                  gateway

INVITE (CSeq 12) ------>
<-------- 407 Proxy Auth

INVITE (CSeq 13) ------>
                          INVITE (CSeq 13) ------>
                          <------------------- 200 Ok
<------------------- 200 Ok
                          << Acc START >>
ACK (CSeq 13) ----------->
                          ACK (CSeq 13) ----------->

<******************* RTP ************************>

# Fraudulent BYE !!!
BYE (CSeq 10) ----------->
                          << Acc STOP >>
                          BYE (CSeq 10) ----------->
                          <-- 500 Req Out of Order
<-- 500 Req Out of Order

There is a solution for this (not perfect):
- The proxy stops the accounting when it receives a BYE from the gateway, regardless of the BYE reply from the client. This protects against BYEs negatively answered by clients.
- The proxy stops the accounting when it receives a BYE from the client and the 200 OK from the gateway. This protects against the above case in which the client sends an out-of-date CSeq in the BYE.
But this is not enough, note the following case:
- The user is in a call with the gateway.
- The user sends a BYE with "Route: proxy" and RURI pointing to *himself*.
- The BYE arrives at the proxy, which forwards it back to the user again.
- The user (attacker in fact) replies with a 200 OK but doesn't terminate the RTP session with the gateway.
- The proxy receives the 200 OK (BYE) from a user, so it terminates the accounting.
- The gateway knows exactly *nothing* about it, the call continues (but from now on it's free).
Annoying?
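
The accounting-stop decision discussed in this message, modelled as an added example (not part of the original post and not Kamailio code). The addresses, the `ByeTransaction` record and the extra check that a client BYE was actually routed to the gateway are assumptions made for illustration.

```python
from dataclasses import dataclass

GATEWAY = "192.0.2.10"     # constructed address (assumption)
CALLER = "198.51.100.7"    # constructed address (assumption)

@dataclass
class ByeTransaction:      # hypothetical record of one BYE seen by the proxy
    received_from: str     # source address the BYE arrived from
    forwarded_to: str      # next hop chosen after Route/RURI processing
    final_reply: int       # final status code of the BYE transaction
    reply_from: str        # source address of that final reply

def stop_accounting(tx, gateway=GATEWAY):
    """Return (stop, reason) for one completed BYE transaction."""
    # Rule 1 from the post: a BYE from the gateway ends the call,
    # whatever the client answers.
    if tx.received_from == gateway:
        return True, "BYE from gateway"
    # Added assumption: a client BYE only counts if it was sent to the gateway.
    if tx.forwarded_to != gateway:
        return False, "client BYE not routed to gateway"
    # Rule 2 from the post: the 200 OK must be the gateway's own.
    if tx.reply_from == gateway and 200 <= tx.final_reply < 300:
        return True, "gateway accepted client BYE"
    return False, f"client BYE not accepted by gateway ({tx.final_reply})"

# Constructed transactions matching the flows discussed in the post.
CASES = {
    "stale CSeq BYE": ByeTransaction(CALLER, GATEWAY, 500, GATEWAY),
    "self-routed BYE": ByeTransaction(CALLER, CALLER, 200, CALLER),
    "gateway BYE, client says 500": ByeTransaction(GATEWAY, CALLER, 500, CALLER),
    "normal client hangup": ByeTransaction(CALLER, GATEWAY, 200, GATEWAY),
}

def evaluate(cases=CASES):
    """Map each case name to whether accounting would stop."""
    return {name: stop_accounting(tx)[0] for name, tx in cases.items()}

if __name__ == "__main__":
    for name, tx in CASES.items():
        print(f"{name:30} -> {stop_accounting(tx)}")
```
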