<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd"><html><head><meta name="qrichtext" content="1" /><style type="text/css">p, li { white-space: pre-wrap; }</style></head><body style=" font-family:'Lucida Console'; font-size:9pt; font-weight:400; font-style:normal;">On Wednesday 29 April 2009, Iņaki Baz Castillo wrote:<br>
> Always I hear "billing in a proxy" I must to show an example attack:<br>
><br>
> Phone1 Proxy Phone2<br>
><br>
> INVITE CSeq:1 -----> ---------------><br>
> <------------------- <-------- 200 OK<br>
> ACK CSeq:1 --------> ---------------><br>
><br>
> <################ RTP ##############><br>
><br>
> BYE CSeq:1 --------> ---------------><br>
> [ ACC DONE ]<br>
> <------------------- <-- 400 Bad CSeq<br>
><br>
> ( audio remains )<br>
><br>
><br>
><br>
> For "fixing" this issue, the proxy could generate the accounting just<br>
> after receiving the 200 OK for a BYE. But then we can also play with an<br>
> infinite possibility of spoofed "Route"/"RURI" headers so the BYE is<br>
> send and received by the attacker itself, who replies 200 for the BYE<br>
> (but it mantains the RTP session with Phone2/Gateway.<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>You can always put a media relay in the media path, which means that when a BYE is received the media path is interrupted, making any Route/RURI scheme pointless.<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>-- <br>
Dan</p></body></html>