[Kamailio-Users] Accounting: How to avoid a fraudulent BYE with lower CSeq?

Iñaki Baz Castillo ibc at aliax.net
Sat Dec 20 11:03:05 CET 2008


El Jueves, 18 de Diciembre de 2008, Iñaki Baz Castillo escribió:
> I'm thinking in the following flow in which the caller/attacker would
> get an unlimited call (but a limited CDR duration):
>
> --------------------------------------------------------------------------
> attacker                     Kamailio (Acc)                    gateway
>
> INVITE (CSeq 12)  ------>
> <-------- 407 Proxy Auth
>
> INVITE (CSeq 13)  ------>
>                                              INVITE (CSeq 13)  ------>
>                                              <------------------- 200 Ok
> <------------------- 200 Ok
>                          << Acc START >>
> ACK (CSeq 13) ----------->
>                                              ACK (CSeq 13) ----------->
>
> <******************* RTP ************************>
>
> # Fraudulent BYE !!!
> BYE (CSeq 10) ----------->
>                          << Acc STOP >>
>                                              BYE (CSeq 10) ----------->
>                                              <-- 500 Req Out of Order
> <-- 500 Req Out of Order
> --------------------------------------------------------------------------

There is a solution for this (not perfect):

- The proxy stops the accounting when receives a BYE from the gateway, 
regardless of the BYE reply from the client. This prevents from BYE 
negatively answered by clients.
- The proxy stops the accounting when receives a BYE from the client and the 
200 OK from the gateway. This prevents from the above case in which the 
client sends an out-of-date CSeq in the BYE.


But this is not enough, note the following case:

- The user is in a call with the gateway.
- The user sends a BYE with "Route: proxy" and RURI pointing to *himself*.
- The BYE arrives to the proxy which forwards it back to the user again.
- The user (attacker in fact) replies a 200 OK but doesn't terminate the RTP 
session with the gateway.
- The proxy receives the 200 OK (BYE) from a user, so terminates the 
accounting.
- The gateway knows exactly *nothing* about it, the call continues (but from 
now it's free).

Annoying?


-- 
Iñaki Baz Castillo




More information about the Users mailing list