[OpenSIPS-Users] opensips-cp CDR correlation
Iñaki Baz Castillo
ibc at aliax.net
Thu Apr 30 13:49:39 CEST 2009
2009/4/30 Adrian Georgescu <ag at ag-projects.com>:
> You can use the dialog module to do the same and generate your own correct
> BYEs instead of relaying them, couldn't you?
>
> You have full control over the reply route and can do all you describe in
> the proxy, can't you?
>
> What can a B2BUA detect that the proxy cannot? You can inspect all headers
> and perform acc and send BYE from the proxy too.
No, a proxy is fully vulnerable to a spoofed BYE. Why? Because the
proxy MUST route the BYE according to RURI, Route headers..., while a
B2BUA doesn't route it, it just "eats" it and generates a new one in leg
B.
A spoofed BYE (I already explained it in sip-implementors and this
mailing list) could include:
- Spoofed RURI (so it's routed back to the attacker).
- A RURI with username changed (so proxy does acc but GW rejects the BYE).
- A malicious Route header (so it's routed back to the attacker).
- A CSeq not incremented (so proxy does acc but GW rejects the BYE and
doesn't terminate the RTP session).
- Imagine that proxyA talks with proxyB and the latter talks with
GW. In this case, an extra Route header is required in the BYE from the
client (attacker), so checking Route headers is not as easy as you
mention.
- And there are more and more easy attacks getting wrong accounting in a proxy.
--
Iñaki Baz Castillo
<ibc at aliax.net>
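
The following is an added example, not part of the original post and not OpenSIPS code: a Python check that compares a received BYE with dialog state saved at call setup, covering the RURI, Route and CSeq fields listed in the message above, so that accounting is only stopped when all of them match. The `DialogState` record, the minimal header parser and the sample messages are hypothetical and constructed for illustration; it assumes the proxy's own Route entry has already been removed and that the stored route set includes the next-hop proxy (the proxyA, proxyB, GW case).

```python
from dataclasses import dataclass

@dataclass
class DialogState:        # hypothetical record saved when the dialog was confirmed
    call_id: str
    remote_target: str    # Contact URI of the GW: the only RURI a genuine BYE may carry
    route_set: list       # Route URIs expected once this proxy's own Route is removed
    last_cseq: int        # highest CSeq number seen so far from the caller

def parse_bye(raw: str) -> dict:
    """Minimal parser: request line plus Call-ID, CSeq and Route headers."""
    lines = raw.strip().splitlines()
    method, ruri, _ = lines[0].split()
    msg = {"method": method, "ruri": ruri, "routes": []}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "call-id":
            msg["call_id"] = value
        elif name == "cseq":
            msg["cseq"] = int(value.split()[0])
        elif name == "route":
            msg["routes"] += [r.strip().strip("<>") for r in value.split(",")]
    return msg

def check_bye(msg: dict, dlg: DialogState) -> list:
    """Return the reasons this BYE must not stop accounting (empty list = consistent)."""
    problems = []
    if msg.get("call_id") != dlg.call_id:
        problems.append("call-id-mismatch")
    if msg["ruri"] != dlg.remote_target:        # changed username or foreign target
        problems.append("ruri-mismatch")
    if msg["routes"] != dlg.route_set:          # extra or replaced Route header
        problems.append("route-mismatch")
    if msg.get("cseq", 0) <= dlg.last_cseq:     # the GW would reject this BYE
        problems.append("cseq-not-incremented")
    return problems

# Constructed sample data (not taken from the thread).
DLG = DialogState("abc123@client", "sip:1234@gw.example.net",
                  ["sip:proxyb.example.net;lr"], 2)
GOOD_BYE = ("BYE sip:1234@gw.example.net SIP/2.0\nCall-ID: abc123@client\n"
            "CSeq: 3 BYE\nRoute: <sip:proxyb.example.net;lr>\n")
BAD_BYE = ("BYE sip:9999@gw.example.net SIP/2.0\nCall-ID: abc123@client\n"
           "CSeq: 2 BYE\nRoute: <sip:other.example.org;lr>\n")

if __name__ == "__main__":
    print(check_bye(parse_bye(GOOD_BYE), DLG))
    print(check_bye(parse_bye(BAD_BYE), DLG))
```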