[Kamailio-Users] Accounting: How to avoid a fraudulent BYE with lower CSeq?

Iñaki Baz Castillo ibc at aliax.net
Tue Dec 23 10:47:43 CET 2008

2008/12/23 Klaus Darilion <klaus.mailinglists at pernau.at>:
> Juha Heinanen schrieb:
>> Iñaki Baz Castillo writes:
>>  > - alice sends this BYE:
>>  >  >   BYE sip:PSTN_NUMBER at PSTN_GATEWAY SIP/2.0
>>  >   Route: <sip:PROXY_IP>
>>  >   Route: <sip:alice at ALICE_PHONE_IP>
>> in this particular case, you could call to_gw() and find out that
>> request is going to gw and, if so, drop the request it is has more than
>> one route header (the one for the proxy itself).
> Not sure if this is enough - the attacker could omit the Route header
> pointing to the proxy. Maybe the check should use $dd which is set if
> another Route header is present.

Yes, I think so. Checking $dd would be the appropiate way to know if
the request has other Route.
So steps would be:

a) The proxy receives BYE from a gateway IP, so it must account the
BYE in that moment (regardless of the BYE response).

b) The proxy receives BYE from a non gateway IP (so it could be an
user). It must:
- Check loose routing (as always).
- Check if $dd is set. In that case drop the request since it
shouldn't have more Route header and could be a spoofed BYE.
- If $dd is not set, then check if the RURI host:port matches an
IP:port of a gateway. If not, drop the request.
- Forward the request to the gateway.
- Upon receiving 200 OK from the gateway do the accounting (call end).

Do I miss somehting?
Is it *completely* feasible? or is it vulnerable with a more exotic BYE?

Iñaki Baz Castillo
<ibc at aliax.net>

More information about the Users mailing list