[OpenSIPS-Users] Accounting: How to avoid a fraudulent BYE with lower CSeq?

Iñaki Baz Castillo ibc at aliax.net
Wed Jan 7 12:35:33 CET 2009


2009/1/7 Dan Pascu <dan at ag-projects.com>:

> But then I can send one with the proper ruri, but a different route set
> that puts me in the front of the gateway, so when I receive the BYE,
> instead of forwarding it to the gateway as the route set requests, I
> reply myself with a 200 OK making it look like it came from the gateway.

This could be avoided by examining the $dd value. If it's set it
means that a Route header exists, so we could reject the BYE. But this
would break a complex scenario with various sequential proxies doing
loose-routing.


> In the end it means, the proxy will have to verify everything (dialog
> identification elements, cseq, ruri, route set) to avoid fraud and also
> wait for a 200 OK, which makes it look more like a b2bua after all

So the conclusion is: a secure CDR system can be only achieved in a
B2BUA between the proxy and the gateway. Is it?


-- 
Iñaki Baz Castillo
<ibc at aliax.net>
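
The checks listed in the quoted text (dialog identification elements, CSeq, RURI, route set, then waiting for the 200 OK), written out as an added example that is not part of the original message and is not OpenSIPS code. The `Dialog` and `Bye` records, their field names and the sample values are constructed for illustration; only a BYE sent by the caller is handled, and URIs are compared as plain strings.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Dialog:
    """State recorded by the proxy when the call was answered (hypothetical layout)."""
    call_id: str
    caller_tag: str
    callee_tag: str
    last_caller_cseq: int   # highest CSeq number seen from the caller so far
    callee_contact: str     # remote target; a genuine BYE carries it as its RURI
    route_set: tuple        # Route URIs expected once the proxy has removed its own

@dataclass(frozen=True)
class Bye:
    call_id: str
    from_tag: str
    to_tag: str
    cseq: int
    ruri: str
    routes: tuple           # Route URIs remaining after the proxy removed its own

def check_bye(dlg, bye):
    """Return the names of the checks that failed; an empty list means the BYE matches."""
    problems = []
    if (bye.call_id, bye.from_tag, bye.to_tag) != (dlg.call_id, dlg.caller_tag, dlg.callee_tag):
        problems.append("dialog-id")
    if bye.cseq <= dlg.last_caller_cseq:   # the lower-CSeq BYE from the subject line
        problems.append("cseq")
    if bye.ruri != dlg.callee_contact:     # BYE aimed somewhere other than the gateway
        problems.append("ruri")
    if bye.routes != dlg.route_set:        # altered route set, as in the quoted scenario
        problems.append("route-set")
    return problems

def should_close_cdr(dlg, bye, final_status):
    """Stop accounting only for a matching BYE that was answered with 200 OK."""
    return not check_bye(dlg, bye) and final_status == 200

# Constructed sample data: the gateway is the callee and there are no further hops.
DIALOG = Dialog("abc123@caller.example", "tag-a", "tag-b", 2, "sip:1234@gw.example:5060", ())
GOOD_BYE = Bye("abc123@caller.example", "tag-a", "tag-b", 3, "sip:1234@gw.example:5060", ())
LOW_CSEQ_BYE = replace(GOOD_BYE, cseq=1)
REROUTED_BYE = replace(GOOD_BYE, routes=("sip:other.example;lr",))

if __name__ == "__main__":
    for name, bye in [("good", GOOD_BYE), ("low cseq", LOW_CSEQ_BYE), ("rerouted", REROUTED_BYE)]:
        print(name, check_bye(DIALOG, bye) or "ok")
```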

