[Kamailio-Users] Accounting: How to avoid a fraudulent BYE with lower CSeq?
Iñaki Baz Castillo
ibc at aliax.net
Sat Dec 20 11:03:05 CET 2008
On Thursday, 18 December 2008, Iñaki Baz Castillo wrote:
> I'm thinking of the following flow, in which the caller/attacker would
> get an unlimited call (but a limited CDR duration):
>
> --------------------------------------------------------------------------
> attacker                Kamailio (Acc)                gateway
>
> INVITE (CSeq 12) ------>
>                  <-------- 407 Proxy Auth
>
> INVITE (CSeq 13) ------>
>                         INVITE (CSeq 13) ------>
>                                  <------------------- 200 Ok
>                  <------------------- 200 Ok
>                         << Acc START >>
> ACK (CSeq 13) ----------->
>                         ACK (CSeq 13) ----------->
>
> <******************* RTP ************************>
>
> # Fraudulent BYE !!!
> BYE (CSeq 10) ----------->
>                         << Acc STOP >>
>                         BYE (CSeq 10) ----------->
>                                  <-- 500 Req Out of Order
>                  <-- 500 Req Out of Order
> --------------------------------------------------------------------------
There is a solution for this (not a perfect one):
- The proxy stops the accounting when it receives a BYE from the gateway,
regardless of the client's reply to that BYE. This protects against a BYE
negatively answered by the client.
- The proxy stops the accounting when it receives a BYE from the client and the
200 OK from the gateway. This protects against the above case, in which the
client sends an out-of-date CSeq in the BYE.
But this is not enough; note the following case:
- The user is in a call with the gateway.
- The user sends a BYE with "Route: proxy" and the RURI pointing to *himself*.
- The BYE arrives at the proxy, which forwards it back to the user again.
- The user (the attacker, in fact) replies with a 200 OK but doesn't terminate
the RTP session with the gateway.
- The proxy receives the 200 OK (BYE) from a user, so it terminates the
accounting.
- The gateway knows exactly *nothing* about it; the call continues (but from
now on it's free).
Annoying?
--
Iñaki Baz Castillo
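The three cases above (out-of-order BYE, BYE with a 2xx required, and the self-routed BYE answered by the attacker) modelled as a proxy-side accounting decision. This is an added example, not code from the thread and not Kamailio's acc or dialog module; the `Dialog`/`Request`/`Response` records, the stored Contact values and the `policy_leg_checked` rule (BYE must target the gateway's stored Contact, carry a higher CSeq than any seen from the caller, and be answered 2xx by the gateway leg) are assumptions introduced here to show the check a proxy would need beyond what the post proposes. All messages are constructed inline; nothing touches the network.

```python
"""Proxy-side accounting decision for BYE, modelled on the cases in the thread.
Added example, not Kamailio code; messages below are constructed."""
from dataclasses import dataclass

CALLER, GATEWAY = "caller", "gateway"


@dataclass
class Dialog:
    """What the proxy remembers once the INVITE transaction completed (assumed)."""
    call_id: str
    caller_contact: str      # Contact of the caller, learnt from the INVITE
    gateway_contact: str     # Contact of the gateway, learnt from its 200 OK
    caller_cseq: int         # highest CSeq seen from the caller so far


@dataclass
class Request:
    method: str
    cseq: int
    sender: str              # CALLER or GATEWAY
    ruri: str                # Request-URI after Route processing
    route: tuple = ()        # Route header set, as the attacker may set it


@dataclass
class Response:
    code: int
    sender: str              # leg that produced the final reply


def policy_bye_request(dlg, bye, reply):
    """Naive: stop accounting as soon as a BYE reaches the proxy."""
    return bye.method == "BYE"


def policy_bye_2xx(dlg, bye, reply):
    """The post's proposal: a gateway BYE always stops accounting; a caller
    BYE only once it has been answered 2xx."""
    if bye.method != "BYE":
        return False
    return bye.sender == GATEWAY or 200 <= reply.code < 300


def policy_leg_checked(dlg, bye, reply):
    """Assumed extra check (not from the thread): a caller BYE must target the
    gateway's stored Contact, carry a CSeq above the highest seen, and the 2xx
    must come from the gateway leg, so a self-routed BYE cannot close the CDR."""
    if bye.method != "BYE":
        return False
    if bye.sender == GATEWAY:
        return True
    return (bye.ruri == dlg.gateway_contact
            and bye.cseq > dlg.caller_cseq
            and reply.sender == GATEWAY
            and 200 <= reply.code < 300)


POLICIES = {"bye_request": policy_bye_request,
            "bye_2xx": policy_bye_2xx,
            "leg_checked": policy_leg_checked}

GW = "sip:gw@192.0.2.9"          # constructed gateway Contact
ATT = "sip:att@198.51.100.5"     # constructed attacker Contact

# Constructed scenarios: (BYE as seen by the proxy, final reply, call really ended)
SCENARIOS = {
    # honest hang-up: next CSeq, aimed at the gateway, gateway answers 200
    "legit_bye": (Request("BYE", 14, CALLER, GW), Response(200, GATEWAY), True),
    # case 1 from the thread: CSeq 10 < 13, gateway answers 500 Out of Order
    "low_cseq": (Request("BYE", 10, CALLER, GW), Response(500, GATEWAY), False),
    # case 2: Route: proxy, R-URI pointing back at the attacker, who answers 200
    "self_routed": (Request("BYE", 14, CALLER, ATT, ("sip:proxy.example",)),
                    Response(200, CALLER), False),
    # gateway hangs up; a negative reply from the caller must not keep the CDR open
    "gateway_bye": (Request("BYE", 7, GATEWAY, ATT), Response(481, CALLER), True),
}


def dialog():
    return Dialog("c1@198.51.100.5", ATT, GW, caller_cseq=13)


def free_call(policy_name, scenario_name):
    """True when media keeps flowing but accounting was stopped: unbilled call."""
    bye, reply, call_ended = SCENARIOS[scenario_name]
    return POLICIES[policy_name](dialog(), bye, reply) and not call_ended


def missed_stop(policy_name, scenario_name):
    """True when the call really ended but accounting stayed open."""
    bye, reply, call_ended = SCENARIOS[scenario_name]
    return call_ended and not POLICIES[policy_name](dialog(), bye, reply)


def audit():
    """Per policy, the scenarios that leave a free call."""
    return {p: sorted(s for s in SCENARIOS if free_call(p, s)) for p in POLICIES}


if __name__ == "__main__":
    for policy, holes in audit().items():
        print(f"{policy:12s} free-call scenarios: {holes or 'none'}")
```

The audit shows the progression in the thread: stopping on the BYE request alone loses both fraud cases, requiring the 2xx closes the low-CSeq case but not the self-routed one, and only binding the BYE to the gateway leg (the Contact learnt from the gateway's 200 OK, and the reply arriving from that leg) closes both without leaving an honest or gateway-initiated hang-up unbilled.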