VoIP Fraud and Misuse

Transcription

1 DFN Tagung VoIP Fraud and Misuse Detection and Mitigation Prof. Dr.-Ing. Erwin P. Rathgeb Dirk Hoffstadt, M.Sc. Networking Technology Group Institute for Experimental Mathematics & Institute for Computer Science & Business Information Systems University of Duisburg-Essen

2 Overview SIP misuse detection for forensic analysis Tools: SIP Trace Recorder and SIP Honeypots Real-time SIP misuse detection and mitigation Security System Central Service (SCS) Detection Scenarios Deployment Live Demo SIP Trace Recorder Security System Page 2

3 SIP misuse detection tools SIP Honeypots for forensic analysis Internet Monitoring Port STR DB No active VoIP components VoIP Server SIP Trace Recorder (STR) Passive SIP monitoring and logging Stateful correlation, e.g. CDR generation Detection of successful attacks Optional privacy preservation Deployment in production networks Focus: Statistical attack analysis Full Interaction SIP Honeypot Extended SIP Server with logging function Full SIP functionality Call handling Media handling Focus: Detailed forensic analysis Full Interaction Full Honeypot Interaction Full Honeypot Interaction Honeypot NEW: Low Interaction SIP Honeypot Script based Low resource utilization High flexibility Limited SIP functionality Focus: Dynamic experiments Evaluation and Presentation Low Interaction Low Honeypot Interaction Low Honeypot Interaction Honeypot Target Network Evaluation and Presentation Consolidation of all attack data Automated data collection Flexible analysis capabilities Various views on data Attack clustering Web-based GUI Page 3

4 Real-time SIP misuse detection Security System Misuse Detection Passive behaviour Different environments PBX, Router, Home Gateways Detection by using attack signatures Dynamically loadable Standalone Low Interaction Honeypot plugin SCS Low Interaction Honeypot plugin Attacker Firewall Central Service (SCS) Aggregation of sensor alerts Based on SCS rules Management s Attack signature management Interface to mitigation components 0900 Callee Page 4

5 Realtime Misuse Detection & Mitigation Security System Mitigation Interface Alert SCS Low Interaction Honeypot plugin Attacker Firewall 0900 Callee Page 5

6 Distributed Security System SCS Interface (SSI) Each sensor is connected to SCS ID, secret, MAC address, location info TLS secured (HTTPS) with server certificate check Status updates and keep-alive messages SIP traffic analysis based on XML signatures Light-weight software component for different hardware and software platforms Different input data (network interface, socket, PCAP-file) Filtering of SIP messages and Analyzing of SIP messages E.g., Timing conditions, IPv4 information, SIP header fields Comparison of different header values (equal, not equal) within received SIP messages Report generator Sends reports to SCS according to sensor signature settings Source IP, destination IP, signature ID, sensor ID, timestamp, source port, destination port, signature version Optional: extended reports Pre-defined SIP header values Auto provisioning which is managed and controlled by SCS Configuration & Signatures Page 6

7 Central Service Architecture / Mode of Operation SCS Interface (SSI) SCS Controller Process (SCP) Store Reports Database Incoming Reports Configuration, Rules, Status, etc. Management Worker Process (WP) SCS Rules SCS Analyse Results Store Notifications SCS Notification Process (NP) Actions SCS Notification Interface (SNI) Mitigation Components erbl-service Page 7

8 Distributed System Scenarios Physically distributed sensors at different sites in the internet Deployment of hardware or installation of software required Different hardware platforms or virtual machines Local management necessary Privileged access to network interfaces required Virtually distributed sensors (NorNet approach) One central only (in Essen, Germany) Distributed nodes to capture input traffic GRE Tunnel(s) between each node and the central Filters TCP/UDP traffic on port 5060 Traffic redirection to the central by using DNAT via GRE tunnels Reverse direction is realized by routing policies Pros No software component on productive systems (no influence) Easy to manage single sensor Cons More bandwidth required in contrast to distributed approach Possible delays Page 8

9 Distributed System Current NorNet setup SCS Virtual Machine Simula I1 I2 Attacker SIP Honeypot NTNU Universitetet i Tromsø I1 I Internet Universitetet i Bergen I University Duisburg- Essen I1 I Page 9

10 SIP Trace Recorder Evaluation & Presentation web interface Filter Options Geolocation analysis SIP messages per day Demo User agent analysis Page 11

11 Real-time SIP misuse detection demo Security System and live attack SIPvicious Attack-Tool VoIP Honeynet Internet Firewall SCS Berlin Demo TDR network Essen Page 12

12 Central Service Management Website (Screenshot) Page 13