Makes sense. Thank you for the clarifications. I suppose a lot of it depends on what the far-end equipment does. In your example with the invalid CSeq, do you suppose most softswitches and/or SBCs purge the call anyway if they receive a malformed BYE? I would think so. Otherwise there would be no way to terminate a call in case of subtle interop problems.
Iñaki Baz Castillo wrote:
> 2009/4/29 Alex Balashov <[email protected]>:
>> That is a very good point.
>>
>> Do you know how the ACC module in Kamailio determines whether to stamp a CDR
>> as finished? Is it vulnerable to this attack?
>
> Kamailio/openSIPS has a "dialog" module, but it remains a proxy
> so, for now, it doesn't check such subjects as correct CSeq value and
> so.
> So yes, they are vulnerable to this simple attack.
>
>
>> I would have assumed it is tied to the dialog state and that ACC states are
>> tethered to dialog module callbacks programmatically. But I am not sure.
>
> Acc has nothing to do with "dialog" module (at least for now).
>
> You could configure Kamailio/OpenSIPS to acc the BYE when the 200 OK
> arrives (instead of immediately after BYE), but what about if the
> gateway is down so an internal 408 is received?
> Also, the attacker could send a spoofed BYE with the Route or RURI
> pointing to itself, so he *itself* will receive its own BYE and will
> reply 200 (acc done in the proxy). Of course the attacker doesn't end
> the RTP session with the gateway, which didn't receive this BYE.
>
> Any required improvement for the "dialog" module in a proxy would end up
> turning it into a B2BUA, it's the only solution for reliable SIP
> accounting.
>

--
Alex Balashov
Evariste Systems
Web    : http://www.evaristesys.com/
Tel    : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (678) 237-1775

_______________________________________________
Sip-implementors mailing list
[email protected]
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
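As an added illustration (not part of the thread and not Kamailio/OpenSIPS code), here is the kind of proxy-side dialog check that would stop both BYE tricks discussed above from reaching accounting: the BYE must belong to a confirmed dialog, carry a CSeq higher than the last one seen from that party, and have a Request-URI equal to the peer's remote target learned from its Contact. The dialog table, message format and sample traffic are all constructed assumptions; Route-set validation is omitted.

```python
import re

def parse(msg):
    """Split a SIP message into (start-line tokens, {lowercased header: value})."""
    start, *rest = msg.split("\r\n")
    return start.split(), {k.lower(): v for k, v in (l.split(": ", 1) for l in rest if ": " in l)}
def tag(v):  # ;tag= parameter of a From/To header, or None if absent
    m = re.search(r";tag=([^;\s]+)", v)
    return m.group(1) if m else None
def uri(v):  # addr-spec inside <...> of a Contact header (assumed bracketed)
    return re.search(r"<([^>]+)>", v).group(1)

class DialogTable:
    """Minimal proxy dialog state per Call-ID: tags, remote targets, highest CSeq per party."""
    def __init__(self):
        self.dialogs = {}
    def learn_invite(self, msg):  # caller's tag, Contact and CSeq from the INVITE
        _, h = parse(msg)
        ft = tag(h["from"])
        self.dialogs[h["call-id"]] = {"tags": {ft}, "target": {ft: uri(h["contact"])},
                                      "cseq": {ft: int(h["cseq"].split()[0])}}
    def learn_2xx(self, msg):  # callee's tag and Contact from the 200 OK confirm the dialog
        _, h = parse(msg)
        d, tt = self.dialogs[h["call-id"]], tag(h["to"])
        d["tags"] = {tag(h["from"]), tt}
        d["target"][tt], d["cseq"][tt] = uri(h["contact"]), 0
    def check_bye(self, msg):
        """Return (accept, reason); only an accepted BYE should be accounted."""
        (_, ruri, _), h = parse(msg)
        d = self.dialogs.get(h.get("call-id"))
        sender, peer = tag(h["from"]), tag(h["to"])
        if d is None or {sender, peer} != d["tags"]:
            return False, "no confirmed dialog for this Call-ID/tag pair"
        cseq = int(h["cseq"].split()[0])
        if cseq <= d["cseq"][sender]:  # stale/reused CSeq: the far end would reject it
            return False, "CSeq not greater than last seen from this party"
        if ruri != d["target"][peer]:  # BYE aimed back at the sender, not at the peer
            return False, "Request-URI is not the peer's remote target"
        d["cseq"][sender] = cseq
        return True, "ok"
# Constructed sample traffic (not from the thread): one answered call, three BYEs.
H = "\r\nCall-ID: c1@pbx.example.org\r\nFrom: <sip:alice@example.org>;tag=a1\r\nTo: <sip:bob@gw.example.net>"
INVITE = "INVITE sip:bob@gw.example.net SIP/2.0" + H + "\r\nCSeq: 1 INVITE\r\nContact: <sip:alice@10.0.0.5>"
OK200 = "SIP/2.0 200 OK" + H + ";tag=b1\r\nCSeq: 1 INVITE\r\nContact: <sip:bob@gw.example.net:5060>"
STALE_BYE = "BYE sip:bob@gw.example.net:5060 SIP/2.0" + H + ";tag=b1\r\nCSeq: 1 BYE"  # CSeq reused
SELF_BYE = "BYE sip:alice@10.0.0.5 SIP/2.0" + H + ";tag=b1\r\nCSeq: 2 BYE"  # RURI points at sender
GOOD_BYE = "BYE sip:bob@gw.example.net:5060 SIP/2.0" + H + ";tag=b1\r\nCSeq: 2 BYE"

def demo():
    t = DialogTable()
    t.learn_invite(INVITE); t.learn_2xx(OK200)
    return [t.check_bye(m) for m in (STALE_BYE, SELF_BYE, GOOD_BYE)]
```

Note that the 408-on-gateway-down case from the thread is not solved by this check; it only decides whether a BYE is plausible enough to relay and account.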
