[OpenSIPS-Users] opensips-cp CDR correlation

Iñaki Baz Castillo ibc at aliax.net
Thu Apr 30 13:49:39 CEST 2009


2009/4/30 Adrian Georgescu <ag at ag-projects.com>:

> You can use the dialog module to do the same and generate your own correct
> BYEs instead of relaying them, couldn't you?
>
> You have full control over the reply route and can do all you describe in
> the proxy, can't you?
>
> What can a B2BUA detect that the proxy cannot? You can inspect all headers
> and perform acc and send BYE from the proxy too.

No, a proxy is fully vulnerable to a spoofed BYE. Why? Because the
proxy MUST route the BYE according to RURI, Route headers..., while a
B2BUA doesn't route it, just "eats" it and generates a new one in leg
B.

A spoofed BYE (I already explained it in sip-implementors and this
mailing list) could include:
- Spoofed RURI (so it's routed back to the attacker).
- A RURI with username changed (so proxy does acc but GW rejects the BYE).
- A malicious Route header (so it's routed back to the attacker).
- A CSeq not incremented (so proxy does acc but GW rejects the BYE and
doesn't terminate the RTP session).
- Imagine that proxyA talks with proxyB and this last one talks with
GW. In this case, an extra Route header is required in the BYE from the
client (attacker), so checking Route headers is not as easy as you
mention.
- And there are more and more easy attacks getting wrong accounting in a proxy.



-- 
Iñaki Baz Castillo
<ibc at aliax.net>
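
Added example, not part of the original message and not OpenSIPS code: a sketch of the check a dialog-aware proxy would have to pass before doing accounting on a BYE, comparing RURI, Route set and CSeq with state recorded when the dialog was established. The dialog record layout, the host names and the helper `make_bye` are assumptions made for illustration, and URIs are compared as exact strings.

```python
def parse_request(raw):
    """Extract the request URI, Route URIs and CSeq number from a raw SIP request."""
    lines = raw.strip().splitlines()
    method, ruri, _version = lines[0].split()
    routes, cseq = [], None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "route":
            # One Route header may carry several comma-separated <uri> entries.
            routes += [p.strip().strip("<>") for p in value.split(",")]
        elif name == "cseq":
            cseq = int(value.split()[0])
    return {"method": method, "ruri": ruri, "routes": routes, "cseq": cseq}

def check_bye(dialog, raw_bye):
    """Return which fields of the BYE disagree with the stored dialog state.

    An empty list means the BYE is consistent with the dialog; anything else
    means accounting should not be stopped on the strength of this request.
    """
    bye = parse_request(raw_bye)
    problems = []
    if bye["ruri"] != dialog["remote_target"]:    # changed host or username
        problems.append("ruri")
    if bye["routes"] != dialog["route_set"]:      # added, removed or altered Route
        problems.append("route")
    if bye["cseq"] is None or bye["cseq"] <= dialog["last_cseq"]:
        problems.append("cseq")                   # CSeq not incremented
    return problems

# Constructed dialog state (assumed layout): what the proxy recorded from the
# INVITE transaction for requests sent by the caller.
DIALOG = {
    "remote_target": "sip:1234@gw.example.net:5060",  # callee Contact
    "route_set": ["sip:proxy.example.net;lr"],        # from Record-Route
    "last_cseq": 1,                                   # CSeq of the INVITE
}

def make_bye(ruri, routes, cseq):
    """Build a minimal constructed BYE for the checks above (hypothetical helper)."""
    head = [f"BYE {ruri} SIP/2.0"] + [f"Route: <{r}>" for r in routes]
    return "\r\n".join(head + [f"CSeq: {cseq} BYE", "Call-ID: constructed-1"])
```

With two proxies in the path, as in the proxyA/proxyB case above, the recorded `route_set` has to hold every hop each proxy expects to see, which is the part the message describes as not so easy to check.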


