Columbia - Verizon Research Secure SIP: Scalable DoS Prevention Mechanisms for SIP- based VoIP Systems, and Validation Test Tools

Transcription

1 Columbia - Verizon Research Secure SIP: Scalable DoS Prevention Mechanisms for SIP- based VoIP Systems, and Validation Test Tools Sarvesh Nagpal, Eilon Yardeni, Henning Schulzrinne Columbia University Gaston Ormazabal Verizon Laboratories July 7, 2008 Verizon Copyright 2008.

2 Agenda Background &Research Focus Goals Project Overview VoIP DoS Attack Taxonomy DoS Detection and Mitigation Strategy DoS Validation Methodology Conclusions Verizon Copyright

3 Background & Research Focus Verizon needs to solve security problem for VoIP services Protocol-aware application layer gateway for RTP SIP DoS/DDoS detection and prevention for SIP channel Attack targets SIP infrastructure elements (proxy, softswitch, SBC, CSCF- P/I/S) End-points (SIP phones) Supporting services (e.g., DNS, Directory, DHCP, HSS, DIAMETER, Authorization Servers) Need to verify performance & scalability at carrier class rates Security and Performance are a zero sum game Verizon Copyright

4 Goals Study VoIP DoS for SIP Definition define SIP specific threats Detection how do we detect an attack? Mitigation defense strategy and implementation Validation validate our defense strategy Generate requirements for future security network elements and prototypes Share these requirements with vendors Generate the test tools and strategies for their validation Share these tools with vendors Verizon Copyright

5 SIP DoS Attack Taxonomy DoS Implementation flaws Application level Flooding Verizon Copyright

6 Mitigation Strategy Implementation flaws are easier to deal with Systems can be tested before used in production Systems can be patched when a new flaw is discovered Attack signatures can be integrated with a firewall Application level and flooding attacks are harder to defend against SIP infrastructure element defense Commercially available solutions for general UDP/SYN flooding but none for SIP Address application level and flooding attacks specifically for SIP Verizon Copyright

7 Mitigation Solution Overview Untrusted Trusted Filter I DPPM Filter II sipd SIP SIP SIP VoIP Traffic Attack Traffic RTP RTP Verizon Copyright

8 CloudShield CS-2000 System 10/100/ / System Level Port Distribution Application Server Module Pentium 1GHz ASM Backplane Gigabit Ethernet Interconnects DPPM D 0 D 1 P 0 E P 0 E D 0 D 1 DPPM Intel IXP E 2 1 E 2 Intel IXP 2800 F 0 C 3 C 4 F 0 C 3 C 4 Verizon Copyright

9 SIP Detection and Mitigation Filters Authentication Based - Return Routability Check Require SIP built-in digest authentication mechanism Authentication with shared secret Filter out spoofed sources Method Based Rate Limiting Transaction based Thresholding of message rates INVITE Errors State Machine sequencing Filter out-of-state messages Allow in-state messages Dialog based Only useful in BYE and CANCEL messages Verizon Copyright

10 SIP Digest Authentication Statistics Digest authentication accounts for nearly 80% of processing cost of a call for a stateless server 45% of a call for a stateful server* Additional cost 70% for message processing 30% for authentication computation (hashing)* * SIP Security Issues: The SIP Authentication Procedure and its Processing Load, Salsano et al., IEEE Network, November 2002 Verizon Copyright

11 Return-Routability Routability Implementation Succeeds SIP UA IP INVITE SIP/2.0 Via: SIP/2.0/UDP :5060 Max-Forwards: 70 From: To: Contact: Subject: sipstone invite test CSeq: 1 INVITE Call-ID: @lagrange.cs.columbia.edu Content-Type: application/sdp Content-Length: 211 v=0 o=user IN IP s=mbone Audio t= i=discussion of Mbone Engineering Issues e=mbone@somewhere.com c=in IP t=0 0 m=audio 3456 RTP/AVP 0 a=rtpmap:0 PCMU/8000 INVITE, 407 Needs Proxy-Authorization Untrusted DPPM sipd Remove Add Filter s=mbone Audio 407 Needs t= Auth 0 NPUINVITE, ( , INVITE Proxy-Auth nonce ) CAM RAM ( , nonce="6ydardp51p8ef9h4iihmuc7ifde=" ) INVITE sip:test1@cs.columbia.edu SIP/2.0 SIP/2.0 Via: SIP/2.0/UDP 407 Proxy :5060 Authentication Required Via: Max-Forwards: SIP/2.0/UDP :7898 From: sip:test5@cs.columbia.edu To: sip:test1@cs.columbia.edu; tag=2cg7xx0dzqvuilbukfywga Contact: sip:test5@ :5060 Call-ID: Subject: sipstone @lagrange.cs.columbia.edu invite test CSeq: 13 INVITE Date: Call-ID: Fri, @lagrange.cs.columbia.edu 14 Apr :51:33 GMT Server: Content-Type: Columbia-SIP-Server/1.24 application/sdp Content-Length: 0211 Proxy-Authenticate: Proxy-Authorization: Digest realm="cs.columbia.edu", username="anonymous", realm="cs.columbia.edu", nonce="6ydardp51p8ef9h4iihmuc7ifde=", Trusted nonce="6ydardp51p8ef9h4iihmuc7ifde=", stale=false, uri="sip:test1@cs.columbia.edu", algorithm=md5, response=" edd6c0b64befc c", qop="auth,auth-int" opaque="", algorithm="md5" v=0 o=user IN IP i=discussion of Mbone Engineering Issues e=mbone@somewhere.com c=in IP t=0 0 m=audio 3456 RTP/AVP 0 a=rtpmap:0 PCMU/8000 INVITE Verizon Copyright

12 Dialogs and Transactions in SIP Caller Individual Messages CALLEE INVITE 180 Ringing Transaction OK ACK Dialog BYE 200 OK Transaction 2 Verizon Copyright

13 Method Specific Filtering This approach involves defense against specific method vulnerabilities INVITE Filter redundant INVITE messages by looking up its Transaction-ID and rejecting if its Transaction-ID already exists in State tables. Responses 100 Trying 180 Ringing 200 OK Errors ( ) Out-of-State Sequence of unexpected messages Verizon Copyright

14 Transaction Filtering For every new SIP request message received, a Transaction-ID (TXNID) is created TXNID is a 32 bit integer calculated by HASH (Top Via: BranchID, CSEQ Method Value) TXNIDs are stored in a different CAM table (from pinholes and nonces) If TXNID is duplicate, drop the packet Ideally only one SIP request message allowed per TXNID Binary switch Retransmission of same request multiple times require a finite retransmissions window 5 packets in current network set up Should be settable for more complex networks Optimization to reduce false positives If TXNID is not duplicate, then go on to next step When new subsequent status messages are received: If status message record is valid, request accepted If status message record is bogus, packet dropped Additional check rate of requests per transaction per second not to exceed a selected finite number (6), else packet dropped Verizon Copyright

15 SIP Transaction State Validation Makes an entry for first Transaction Request and logs subsequent status messages Logs all messages on per transaction basis Use of wild cards in regular expression syntax All permutations of allowed states validated in a single operation Received packet is added to status messages table for original Transaction If received status message fits valid state pattern, it is accepted Messages resulting in invalid state pattern are dropped and also removed from transaction message log e.g.: the sequence INVITE, 100, 180, 200, 180, 200 causes filter to only allow INVITE, 100, 180, 200, and 180/200 is struck out as 180 is out of state Transaction state is rolled back to the last known good state Overlays on top of other filtering mechanisms Verizon Copyright

16 SIP Transaction State Validation Request Message Response Message Response Message Response Message Response Message Transaction ID 0 1 Transaction Message Code Log INVI _100 _180 _180 _200 Regular Expression Engine Regular Expression List INVI(_100)*?(_180)*?_200{0,1}?(\x00){4} Verizon Copyright

17 Integrated DDOS and Dynamic Pinhole Filter ASM sipd Linux server FCP/UDP CAM DDOS Table DPPM SIP CAM Static Table SIP DDOS CAM Dynamic Table Inbound Lookup Switch Outbound Drop Verizon Copyright

18 Test Tools SIPp, SIPStone, and SIPUA are benchmarking tools for SIP proxy and redirect servers Establish calls using SIP in Loader/Handler mode A controller software module (securesip) wrapped over SIPp/SIPUA/SIPStone launches legitimate and illegitimate calls at a pre-configured workload SIPp Robust open-source test tool / traffic generator for SIP Customizable XML scenarios for traffic generation 5 inbuilt timers to provide accurate statistics Customized to launch SIP DoS attack traffic scenarios designed to cause proxy to fail SIPStone Continuously launches spoofed calls which the proxy is expected to filter For this project enhanced with: Null Digest Authentication Optional spoofed source IP address SIP requests SIPUA Test Suite Built-in Digest Authentication functionality Sends 160 byte RTP packets every 20ms Settable to shorter interval (10ms) if needed for granularity Starts RTP sequence numbers from zero Dumps call number, sequence number, current timestamp and port numbers to a file Verizon Copyright

19 Method-based SIP DoS Attack Scenarios Flood of Requests Flood of Responses Flood of Out-of-State Verizon Copyright

20 securesip Controller Controller Automated Web-based Control Software run on SUN (Linux) box Connects to the Pair of End Points (Loaders and Handlers) Supplies external traffic generation over Private Channel (6252) Launches attack traffic Changes type of traffic on the fly External stress on SUT SIPp in Array Form supplies traffic from 16 SUN (Linux) boxes in various configurations for SIP DoS experiments SIPUA in Array Form supplies traffic from 16 SUN (Linux) boxes for pinhole experiments Results Analyzer Gathers, analyzes and correlates results Handler/Loaders update results to database in real-time Controller analyzes results from databases and aggregates them to get the number of initiated and torn-down calls and their rates Verizon Copyright

21 Integrated Testing and Analysis Environment Legitimate Loaders SIPUA/SIPp Attack Loaders SIPStone/SIPp Call Handlers SIPUA/SIPp GigE Switch GigE Switch Controller securesip Firewall SIP Proxy Verizon Copyright

22 securesip Test Results for DoS & Pinholes SIP DoS Measurements (showing max supported call rates) Dynamic Pinhole Firewall Filters OFF Firewall Filters ON Traffic Composition Non-Auth Traffic Auth Good Traffic Auth Good Traffic + Spoof Traffic Auth Good Traffic + Flood of Requests Auth Good Traffic + Flood of Responses Auth Good Traffic + Flood of Out-of- State Good Attack CPU Good Attack CPU CPS CPS Load CPS CPS Load Concurrent Call rate Calls (CPS) Delay due to Firewall Pinhole opening ms Pinhole closing ms Verizon Copyright

23 Conclusions Research Results Demonstrated SIP vulnerabilities for VoIP resulting in new DoS susceptibility Work is fully reusable to secure a Presence infrastructure Implemented some carrier-class mitigation strategies Developed generic requirements Removed SIP DoS traffic at carrier class rates Prototype is first of its kind in the world Built a validation testbed to measure performance Developed customized test tools Built a high powered SIP-specific Dos Attack tool in a parallel computing distributed testbed Crashed a SIP Proxy in seconds Built a Theft of Service Architectural Integrity Validation Tool using parallel computing Intellectual Property Research activity resulted in six patent applications Commercialization Socialized new requirements and test tools with vendor community to address rapid field deployment Vendors generally very interested in new opportunities Licensing agreements currently under negotiation Rapid implementation is now expected Verizon Copyright

24 Thank you Thank you! Questions? Verizon Copyright 2008.

25 Next Steps - Possible New Projects Address Interception/Modification and Eavesdropping Study of SRTP and associated protocols (SDES) Comparison study of IPSec and TLS Study of SPIT prevention as a possible new service offering Filtering of unwanted phone calls Intrusion Detection Large scale call logs data analysis for DoS and ToS SIP DoS Testbed Maintenance and ongoing research New machines (200 +) Verizon Copyright

26 Backup Slides Verizon Copyright

27 Mitigation Prototype Implementation Firewall platform filters media and SIP proxy authentication attempts, and rate-limits messages based on Method specific controls Utilizes wire-speed deep packet inspection Thresholds are kept internal in the DPPM State is only kept in Firewall in CAM tables Firewall controlling proxy model for media filtering and the authentication filter Columbia's SIP Proxy sipd controls the Firewall Deep Packet Inspection Server Utilize the Firewall Control Protocol to establish/insert filters in CAM table in real time SIP UAs being authentication challenged (IP, nonce) Media ports Verizon Copyright

28 Dynamic Pinhole Filtering SIPUA User2 SIPUA User1 INVITE From: c=in IP m=audio RTP/AVP :43564 CAM Table :56432 SIP/ OK From: <sip:user1@handler> c=in IP m=audio RTP/AVP 0 Verizon Copyright

29 Pinhole Problem Definition Problem parameterized along two independent vectors Call Rate (calls/sec) Related to performance of SIP Proxy in Pentium Concurrent Calls Related to performance of table lookup in IXP 2800 Data Collected in Excel spreadsheet format {Number of concurrent calls, calls/sec, Opening delay, Closing delay, device} SIP Proxy SIP RAVE Opening delay data provided in units of 20 ms packets Closing delay data provided in units of 10 ms packets Verizon Copyright

30 Pinhole Data Results Concurrent calls Calls/Sec SIP Proxy SIP RAVE Open delay Close delay Open delay Close delay 10K K K K K K Verizon Copyright

31 Intellectual Property - Patent Applications Fine Granularity Scalability and Performance of SIP Aware Border Gateways: Methodology and Architecture for Measurements Inventors: Henning Schulzrinne, Kundan Singh, Eilon Yardeni (Columbia), Gaston Ormazabal (Verizon) Architectural Design of a High Performance SIP-aware Application Layer Gateway Inventors: Henning Schulzrinne, Jonathan Lennox, Eilon Yardeni (Columbia), Gaston Ormazabal (Verizon) Architectural Design of a High Performance SIP-aware DOS Detection and Mitigation System Inventors: Henning Schulzrinne, Eilon Yardeni, Somdutt Patnaik (Columbia), Gaston Ormazabal (Verizon) Architectural Design of a High Performance SIP-aware DOS Detection and Mitigation System - Rate Limiting Thresholds Inventors: Henning Schulzrinne, Somdutt Patnaik (Columbia), Gaston Ormazabal (Verizon) System and Method for Testing Network Firewall for Denial of Service (DoS) Detection and Prevention in Signaling Channel Inventors: Henning Schulzrinne, Eilon Yardeni, Sarvesh Nagpal (Columbia), Gaston Ormazabal (Verizon) Theft of Service Architectural Integrity Validation Tools for Session Initiation Protocol (SIP) Based Systems Inventors: Henning Schulzrinne, Sarvesh Nagpal (Columbia), Gaston Ormazabal (Verizon) Verizon Copyright

32 Publications, Presentations, Recognition Presentation at NANOG 38 Oct (HS/GO) Securing SIP: Scalable Mechanisms for Protecting SIP-Based VoIP Systems Authors: Henning Schulzrinne, Eilon Yardeni, Somdutt Patnaik (Columbia), Gaston Ormazabal (Verizon) Paper approved for publication in NANOG Proceedings Made a headline in VON Magazine on October 11, 2006: Presentation to at Global 3G Evolution Forum Tokyo, Japan, Jan (GO) Presentation at IPTComm 2007 New York City, July, 2007 (GO) Presentation at OSS/BSS Summit Tucson, AZ, September, 2007 (GO) Paper for current work submitted to IPTComm 2008 Secure SIP: A scalable prevention mechanism for DoS attacks on SIP based VoIP systems Authors: Henning Schulzrinne, Eilon Yardeni, Sarvesh Nagpal (Columbia), Gaston Ormazabal (Verizon) Work incorporated in a new Masters level course on VoIP Security taught at Columbia in Fall 2006 COMS : Special Topics in Computer : VoIP Security (HS) CATT Technological Impact Award Verizon Copyright

33 VoIP Threat Taxonomy Scope of our research Scope of our research *- VoIP Security and Privacy Threat Taxonomy, VoIP Security Alliance Report, October, 2005 ( Verizon Copyright

34 SIP Digest Authentication User Agent Client (UAC) INVITE Proxy Server Compute response = F(nonce, username, password, realm) 407 Proxy Authentication Required (nonce, realm..) ACK Generate the nonce value nonce a uniquely generated string used for one challenge only and has a life time of 60 seconds INVITE (nonce, response ) Authentication: compute F(nonce, username, password, realm) and compare with response Verizon Copyright

35 Dialog Filtering Filtering based on Dialog parameters Broader brushstroke than Transaction level Only useful with floods of CANCEL or BYE requests Identify a BYE message by its Dialog-ID Maintain a database of INVITE sources (Contacts) Verify and accept a BYE message only from legitimate source addresses Reject it if it is not a part of an existing dialog Verizon Copyright

36 Value to Verizon Enhanced VoIP security via standards and vendor involvement Columbia requirements valid for VoIP, Presence and Multimedia architectures Rolled the requirements and lessons learned into the Verizon security architecture and new element requirements database for procurement Working with Verizon vendors to mitigate exposures Setup one-of-its-kind laboratory facilities for VoIP security evaluations and product development At Columbia, prototype rapid development incubator At Verizon, Columbia/Verizon collaborative test tools set up for a more realistic complex IP-routed laboratory environment Intellectual Property with Six Patent Applications Taken research quickly into marketplace with rapid commercialization Licensing Agreement with equipment manufacturers Several vendors interested Exclusive vs. Non-exclusive Verizon Intellectual Property contact: Gwen Thaxter (gwen.thaxter@verizon.com, ) Verizon Copyright

37 Verizon Business Impact SIP DoS work Global Network Engineering & Planning Organization Support Technology organization to define new security architecture for VoIP Services Network & Information Security Organization Better Security Reviews of Advantage VoIP Service Global Customer Service & Provisioning Organization Sales Engineering Premier Accounts Team Briefing SIP ToS work Office of Chief Financial Officer Credit&Collections Verizon Copyright

38 Recommended Next Steps for Verizon Conversion of research into a product that Verizon can use Need to determine optimal architectural placement of DoS prevention functionality for VoIP and Presence Security Security vs. Performance Hardware vs. Software Implementation Proxy/Softswitch (SW) SBC or New network element (HW/SW), Router? Use internally (protect VZ Network) Use externally (sell new security services to large customers) Continue relationship with Columbia Research in related areas Proposal to study SRTP Maintain the testbeds for further research and to assist in product development during product testing cycle Feedback loop of research and product cycle Get other companies interested to synergize resources and share results What can we see doing to make the working relationship even more productive? Verizon Copyright

39 SIP Session Analysis SIP sessions/calls can be broken down to 4 levels of granularity A call contains one or more Dialogs A Dialog contains one or more Transactions Request/response Typically 2 in case of an INVITE-200 OK & BYE-OK type of session Transactions are of two types Client INVITE Transactions Non-INVITE Transactions Server INVITE Transactions Non-INVITE Transactions Verizon Copyright

40 securesip Control Architecture Verizon Copyright

41 Strategy Focus VULNERABILITY : Most security problems are due to: flexible grammar syntax-based attacks Plain text interception and modification SIP over UDP ability to spoof SIP requests Registration/Call Hijacking Modification of Media sessions SIP Method vulnerabilities Session teardown Request flooding Error Message flooding RTP flooding Flooding Application Level STRATEGY: Two DoS detection and mitigation filters and ToS tools SIP: Two types of rule-based detection and mitigation filters Media: SIP-aware dynamic pinhole filtering Verizon Copyright

42 Return-Routability Routability Implementation Fails Untrusted Trusted SIP UA INVITE X DPPM NPU 407 INVITE Add Needs Filter Auth ( , nonce ) sipd IP Needs Auth CAM RAM ( , nonce="6ydardp51p8ef9h4iihmuc7ifde=" ) Verizon Copyright

43 SIP Message Relationships CAM database has very low latency lookups Aged lookup tables implemented to track dialog and transaction relationships Message lookup tables Dialog-ID Table Transaction-ID Table Messages Identified by Type and Code Type: Request or Response Code: Request Method or Response Status Code Dialog ID Transaction ID Verizon Copyright

44 Validation Strategy Methodology for Anti Spoofing Use the SIPp and SIPStone testing tools in a distributed environment to generate legitimate and attack SIP traffic respectively Generate both legitimate and spoofed source address requests Measure the following calls/sec throughput values: Legitimate requests, without authentication (C apacity ) Legitimate requests, with authentication (N ormal ) Legitimate (N ormal ) and spoofed requests (SA ttacknof ), without filters Legitimate (N ormal ) and spoofed requests (SA ttackf ), with filters (D efense ) Identify the impact of spoofed addresses floods on the calls/sec rate of legitimate requests Expect to see SA ttackf << SA ttacknof, and ideally, D = N Calculate False Positive and False Negative rates from measurements: FP= (N ormal - D efense )/N ormal FN= SA ttackf / SA ttacknof Verizon Copyright

45 Validation Strategy Methodology for Rate Limiting Use the SIPp and SIPStone testing tools in a distributed environment to generate legitimate and attack SIP traffic respectively Generate both legitimate and spoofed source address requests Measure the following calls/sec throughput values: Legitimate requests, without authentication (C apacity ) Legitimate requests, with authentication (N ormal ) Legitimate (N ormal ) and Method requests/response/oos (MA ttacknof ), without filters Legitimate (N ormal ) and Method requests/response/oos (MA ttackf ), with filters (D efense ) Identify the impact of spoofed addresses floods on the calls/sec rate of legitimate requests Expect to see MA ttackf << MA ttacknof, and ideally, D = N Calculate False Positive and False Negative rates from measurements: FP= (N ormal - D efense )/N ormal FN= MA ttackf / MA ttacknof Verizon Copyright

46 Firewall Components Static Filtering Filtering of pre-defined ports (e.g., SIP, ssh, 6252) Dynamic Filtering Filtering of dynamically opened RTP ports Filtering of nonce and method redundancy Switching Layer Perform switching between the input ports Firewall Control Module Intercept SIP call setup messages Get nonce from 407 Need Auth Get RTP ports from the SDP Maintain call state Firewall Control Protocol The way the Firewall Control Module talks with the firewall Push filter for SIP UA authentication challenge (with nonce) and media ports Push dynamic table updates to the data plane May be used by multiple SIP Proxies that control one or more firewalls Firewall Data Plane Execution Part of SIP-proxy Executed in the Linux Control Plane Verizon Copyright

47 The Bigger Picture - Columbia VoIP Testbed Columbia VoIP test bed is collection of various open-source, commercial and home-grown SIP components provides a unique platform for validating research Columbia-Verizon Research partnership has addressed major security problems signalling, media and social threats Researched DoS solutions verified against powerful test setup at very high traffic rates ToS successfully validated integrity of different setups of test bed Verizon Copyright