SIP Threats Detection System

Transcription

1 SIP Threats Detectio System MIROSLAV VOZNAK, FILIP REZAC Departmet of Telecommuicatios VSB Techical Uiversity of Ostrava 17. listopadu 15, Ostrava Poruba CZECH REPUBLIC Abstract: - The paper deals with detectio of threats i IP telephoy, the authors developed a peetratio testig system that is able to check up the level of protectio from security threats i IP telephoy. The SIP server is a key kompoet of VoIP ifrastructure ad ofte becomes the aim of attacks ad providers have to esure the appropriate level of security. We have developed web-based peetratio system which is able to check the SIP server if ca face to the most commo attacks.the developed applicatio is distributed as a ope-source ad is equipped with four modules. The result is reported to the particular ad iformatio supplemeted to the report should help to improve the overall protectio of the SIP server. The developed applicatio represets effective tool which is able to poit out the weakesses of the tested system. Key-Words: - IP telephoy, SIP server, Peetratio test, Flood attack, SIPViciouos, Vulerability 1 Itroductio System desiged to test ad moitor etworks or other compoets are quite wide-spread these days. Examples of the priciple oes are Nessus [1], Retia [2], Sort [3] ad other. The majority of these systems allows for testig the whole etwork ifrastructures ad protocols used for commuicatio betwee compoets. Noe of these solutios, however, eables a complex testig of VoIP ifrastructure ad SIP servers which are the key ad most vulerable compoet of the etwork. The system we developed, uder a workig title SPT (SIP Peetratio Testig), was desiged as a peetratio tests simulator for SIP servers. Based o the aalysis of itersectios, the perso who iitiated the testig ( the tester ) receives feedback i the form of test results, as well as recommedatios how to mitigate potetial security risks that were discovered. The advatage of this solutio is that the system simulates real attacks from the exteral etwork, i.e. the system does ot eed to be placed i the same etwork as the target compoet DUT (Device uder Test). This is frequetly oe of prerequisites to be able to use other testig tools. The SPT system was implemeted as a web applicatio accessible through a stadard web browser ad therefore idepedet o the operatio system s platform. As the solutio was developed as a part of the research itet of the CESNET associatio, this system will also be icorporated ito its etwork ad will be accessible after sigig i usig the SSO (Sigle Sig-O) service - Shibboleth [4]. This should also prevet the system beig used for other tha testig purposes. Oce siged i, the tester eters the required data ito a web form ad chooses tests to be ru. The output of the applicatio oce the tests have bee completed is a report to the tester. This paper cotais the results of the tests; ad i case some peetratios were successful it also cotais recommedatios ad measures to mitigate such attacks i the future. Figure 1 illustrates the cocept of the SPT system. The followig chapter describes idividual testig methods i detail, their implemetatio, algorithms used ad the impact o the target SIP server. Fig. 1. SIP Peetratio Tests System Scheme. 2 Methods Although the system is primarily desiged for peetratio tests o SIP servers, i reality it ca perform full-scale attacks o a particular compoet ad provide feedback o it to the tester. Thus, it is ecessary to esure that the developed system caot be abused by a third party. The system was desiged as a LAMP (Liux, Apache, MySQL, PHP) server [8] ad its complete admiistratio icludig the istallatio is carried out via ISSN: ISBN:

2 a web iterface. For reasos stated above, the system will be icorporated ito the CESNET s etwork ad will oly be accessible to authorised persos oce they pass through the autheticatio.oce the tester fills i the IP adess or domai ame of the cetral SIP server ad the adess to which the test results will be set to. Usig checkboxes, the tester may defie the rage of the modules offered for testig. Idividual modules are described below i detail. 2.1 Scaig ad Moitorig Module I order to be able to carry out a efficiet ad precise attack o a SIP server, the potetial attacker eeds to fid out the most iformatio about a particular compoet. This is why we first developed a Scaig ad Moitorig ( S&M ) module for the SPT system, which is used to test the security of the cetral agaist attacks aimed at obtaiig iformatio by meas of commo ad available tools (Figure 2). Fig. 2. SPT System S&M Module. These tools iclude for istace Nmap [9] or ever more popular SIPvicious [10]. SPT system also uses these testig tools. By meas of these tools, it is possible to obtai a list of listeig ports or a list of user accouts created o the cetral cocered from a usecured server. Where the server is ot secured sufficietly, they ca obtai eve the most importat, that is passwords to idividual accouts. If the tester ticks the test to be carried out, the Nmap applicatio is used first to establish ope ports. Give the time requiremets of the [s] test, the testig is by default restricted oly to several most frequetly used ports. Usig the web form, the tester ca set the rage of the tested ports. However the total time set for testig usig Nmap is 1800s (30 miutes). The list of available ports is subsequetly icluded i the assessmet report together with recommedatios how to miimise such ports scaig. Aother test which the SPT system ca carry out aims at establishig whether SIP server s security allows for obtaiig a list of user accouts. For this purpose, SIPvicious is used. By sedig out OPTION ad ACK requests, the applicatio detects what accouts are defied o the SIP server. By default, the system tries the rage of accouts. TABLE I UDPFLOOD ATTACK TIME DURATION WITH DIFFERENT BANDWIDTH AND NUMBER OF GENERATED PACKETS Badwidth [Mbps] ad the Attack Number of Packets - TimeT P udp [s] ,12 45,25 22,63 11, ,24 90,50 45,26 22, ,36 135,75 67,89 33, , ,52 45, ,60 226,25 113,15 56, ,72 271,5 135,78 67, ,84 316,75 158,41 79, , ,04 90, ,08 407,25 203,67 101, ,20 452,5 226,3 113,1 Agai, the tester may defie ow rage of tested umbers E or import a text file cotaiig strigs of alpha-umeric characters or words E. Time required to check ad create a list of T e [s] accouts ca be expressed by equatio (1) where is a time costat obtaied by repetitive measuremets o a sample of 1000 potetial accouts o differet target SIP servers [7]. T e = ( E + E ) c (1) Number of accouts E is derived from equatio (2) where E i is the umber of accouts that have bee reviewed by the system but ot defied o the SIP server. E = ( E + E ) Ei (2) Oce the system has tested security of the SIP server agaist detectig accouts, possibility to detect passwords for idividual accouts is tested. Agai, this testig is carried out by SIPvicious. Usig a pre-defied rage of possible umeric passwords P or a imported text file with alpha-umeric characters or words P, it obtais a list of passwords for idividual accouts. Time requiremets o this test are expressed by the followig equatio (3). T p sm [ E P + P ] c = ( ) (3) e p T = T + T + T (4) Now we ca determie the estimated time required to carry out the complete S&M test T (4). Usig the sm ISSN: ISBN:

3 module, we ca verify whether the target SIP server is sufficietly secured agaist such scaig ad moitorig attacks. 2.2 Deial of Service Module Oe of the most frequetly occurrig attacks is DoS (Deial of Service). I reality, it cosists of several attacks with the same characteristic feature to lock up or restrict the availability of the attacked service so that it does ot fuctio properly. Several types of DoSs [11] ca be used to achieve this; our system tests the SIP server usig the most frequetly used oe, Flood DoS. The priciple of the attack is to sed a large volume of adjusted or otherwise deformed packets to the target compoet so that it is uable to provide its core services. As a result of the attack, CPU load icreases ad most of the available badwidth is cosumed, resultig i the SIP server beig uable to service regular calls, or oly a miimum amout of them. To geerate Flood DoS, the SPT system uses two applicatios: udpflood ad iviteflood [12]. Whe usig udpflood, the system geerates UDP packets of 1400 bytes which are directed at SIP default port 5060 of the target SIP server. The tester defies the umber of geerated packets ad the system tests whether the packets arrived at the SIP server ad whether they cause some restrictio of the service availability, see Figure 3. Sice we kow the packet s size ad therefore also the size of the Etheret framework Fs, we ca, based o the umber of geerated packets P ad the badwidth provided B, determie time T udp [s] required to carry w out the test (5). udp of today s SIP servers require a autheticatio for INVITE requests. As the INVITE requests geerated by our system do ot cotai ay autheticatio strig, the SIP server returs SIP aswer 407 Proxy Autheticatio Required. With the large volume of icomig requests, the load of SIP server s CPU icreases. The tester ca set the value of a accout i the system maually, or it ca be radomly selected from the previously obtaied list of accouts E. As i the previous case, we ca, based o the umber of geerated packets P ad the badwidth provided B, determie time T [s] required to carry out the test (6). ivite T = ( Fs P ) / B (6) ivite ivite w Figure 4 illustrates the impact of the chage i badwidth o CPU load whe simulatig a udpflood attack. The chart also clearly shows resistace of the two popular ope-source SIP servers, Asterisk PBX [5] ad OpeSIPS [6], to UDP Flood DoS attacks. Both cetrals have bee istalled o the same HW of Dell PowerEdge R510 server to elimiate ay potetial differece i computatioal performace. To chage badwidths, we used HW emulator of the Simea etworks. CPU load o idividual cetrals was measured by meas of dstat [13]. The chart shows that OpeSIPS is may times more resistat to UDP DoS attaks tha Asterisk. Total time required to carry out DoS tests T dos is determied as follows (7). T = T + T (7) dos udp ivite Results ad success rate of DoS tests carried out are icluded i the report for the tester. w Fig. 3. SPT System - DoS Module. T = ( Fs P ) / B (5) udp udp w Table 1 provides a overview of time required for differet umbers of geerated packets P ad differet badwidth B w. Whe the other applicatio, iviteflood, is used for testig, the system geerates INVITE requests at the SIP server which are directed at a existig accout. This method is very successful as most Fig. 4. Impact of chage i badwidth o CPU load i case of udpflood attack. ISSN: ISBN:

4 2.3 Registratio Maipulatio Module Oce the potetial perpetrator obtais iformatio about existig accouts, he ca maipulate these accouts quite easily. The SPT system we developed ca also test SIP servers security, i.e. measures agaist maipulatig the registratio, see Figure 5. Fig. 6. SPT System - SPIT Module. Fig. 5. SPT System - RM Module. To carry out this test, the system uses reghijacker [12] which substitutes the legitimate accout registratio with a fake, o-existig oe. This type of attack ca easily be expaded to a so called MITM, Ma-i-the-Middle [11]. I this attack, a o-existet user is substituted by a SIP registratio ad all icomig sigallig ad media to the legitimate registratio will be re-directed to the ewly created registratio. I this case, the tester eeds to defie the value of the SIP accout which is to be stole i the system ad where autheticatio of REGISTER request is allowed, also a password to this accout. Where the tester fails to defie these values, the system automatically assigs a accout ad its password from the list created while scaig ad moitorig the cetral. Time required to carry out the test is isigificat compared to operatioal times of other modules. 2.4 SPIT Module Today, oe of the most popular attacks o the Iteret is spam. It is estimated that spams accout for 80-90% of total attacks o the Iteret. Security experts predict that Spam over Iteret Telephoy (SPIT) will be a major threat i the future. The level of aoyace is eve greater tha with classical spam. Out team i CESNET had developed SPITFILE [14] which served as a testig tool while developig security agaist such type of attacks. The SPT system uses the core of this applicatio, together with Sipp [14], to simulate a SPIT attack o the target SIP server (Figure 6). I the form, the tester defies the value of a SIP accout the called party to which the SPIT call will be directed ad the the value ad password to a SIP accout the caller through which the call will be iitiated. Where the tester fails to defie these values, the system automatically assigs a accout ad a appropriate password from the list created while scaig ad moitorig the cetral. If the attack was successful, a SIP call is iitiated from the caller s accout, ad the ed device with the registered accout of the called party starts rigig. Oce the call is aswered, a pre-recorded message is played ad the call termiated. Time required to carry out the test T is determied by the legth of the pre-recorded spit message. The fial report o peetratio tests which the tester receives via , will, besides iformatio o all previous tests, also cotai a aalysis ad success rate of the SPIT module s test. Fig. 7. Divisio of the SPT system ito idividual modules. Figure 7 illustrates the divisio of the SPT system ito idividual modules ad shows time itervals ecessary to carry out idividual tests i respective modules. Time requiremets of the whole SPT system ca be expressed by equatio (8). Its value depeds o may factors ad ca radically chage i accordace with the type of tests requested by the tester. Its value is for referece oly. T = T + T + T + T (8) spt sm dos rm spit 3 Results Although the SPT system is still i the phase of itesive testig ad developmet, basic operatioal tests of all available modules were carried out. Each test is accompaied by a short descriptio of coutermeasure s priciples ad methods [12] which should limit or completely mitigate potetial security gaps that were revealed durig SIP servers testig. ISSN: ISBN:

5 Fig. 8. SIP Peetratio Tests System Testbed. Figure 8 describes the basic testig topology. The system is deoted as SPT ad Asterisk as VoIP PBX. Asterisk was istalled at Dell PowerEdge R510 server. 3.1 Scaig ad Moitorig The first step was to record SIP server s IP adess ad the adess to sed the fial report to. Next, the S&M module ad subsequetly Nmap ad SIPvicious applicatios were lauched. Values for Nmap were set by default, value of E for SIPvicious was set to rage betwee The device foud all three registered accouts E ad listed ope TCP ad UDP ports at Asterisk. Oce P was set to ad a text file P cotaiig test ad 7003ab strig, the test to obtai passwords to idividual accouts was also successful. Total time icurred o testig module Tsm 235s. If we had to protect ad prevet SIP server from scaig ad moitorig, the a implemetatio of firewall is the effective solutio or a itrusio detectio system that is able to distiguish scaig ad moitorig. The ext effective solutio is to divide the etwork logical ifrastructure ito VLANs ad decompose the provided services ito more physical servers (TFTP, HTTP servery). The prevetio of accouts ad passwords detectio is difficult, moreover, the tools for detectio apply the stadard SIP methods ad is ot trivial to distiguish legitiamte behaviour from a attack. I this case, there is recommeded to divide the ifrastructure ito iidividual VLANs so that the detectio for itruder was as difficult as possible. 3.2 Deial of Service Usig udpflood, the tester set UDP packets directly to port Badwidth was set to 100Mbps, Asterisk processed 90% calls. Oce the test was completed, Asterisk recovered to a full operatio mode. To be able to compare, we substituted Asterisk by OpeSIPS i this test. Call processig uder the same attack was etirely error-free. Whe testig usig iviteflood o the accout 7001, we foud out that this attack is much more destructive i terms of computatioal power. As early as at INVITE request whe Tivite 9s, CPU load for both Asterisk ad OpeSIPS reached 100% ad failed to process a sigle icomig or outgoig call. Oce the test was completed, both cetrals recovered to a full operatio mode. The possibilities, how to protect from Flood DoS attacks, are the followig: to divide the etowrk ifrastructure ito separate VLANs, to have i use solely TLS, to implemet L2 etwork elemets with DoS detectio or to apply SIP firewall that ca detect DoS attacks ad miimalize their impact. 3.3 Registratio Maipulatio Whe testig possibility for registratio maipulatio, we etered values of accout 7003 ad its password 7003ab maually ito the system. Oce the test was completed, we established whether the attack was successful. The aim of the attack was to de-register accout 7003 ad to direct all icomig calls to a fake accout which does ot exist. Thus, calls were termiated as ucoected. The call to 7003 was ot put through. The TCP protocol is recommeded at trasport level to prevet a registratio hijackig because the maipulatio with TCP requires higher complexity. Next optio, how to miimalize this threat, is to use REGISTER message autheticatio. We could decrease the registratio iterval, as well, it is quite simple but effective. 3.4 Spam over Iteret Telephoy As stated above, we used SPITFILE applicatio, developed by this paper s authors, to test the cetral s vulerability to SPIT attacks. The tester etered maually ito the system the value of a accout 7002 o which a SPIT attack was to be iitiated, as well as the value of a accout 7003 ad password to it (7003ab) which was supposed to iitiate the SPIT call. Oce the test was lauched, SPITFILE registered o the participat 7003 ad the started to geerate a call to accout The ed device registered o 7002 bega rigig, ad oce the call was aswered, a recordig with a advertisemet was played. A few methods exist how to restrict the SPIT propagatio, which are more or less efficiet, but their combiatio brig quit strog protectio agaist the type of attack. Amog these methods the utilizatio of the various automatically or maually editable lists belog, o their base the call is permitted or prohibited, evetually a iteractio with voice meu ca be the effective protectio agaist call ISSN: ISBN:

6 bots. Authors developed ow solutio ANTISPIT [14] that exploits the specific huma behaviour ad automatically modifies the Blacklist table without participatio of called party, the approach is based o the statistical Blacklist. 4 Coclusio The aim of the authors was to develop a tool to carry out peetratio tests o SIP servers. The system that was desiged ad implemeted cosists of several modules that are able to geerate selected types of attacks which the authors deem most popular. The system the aalyses to what extet is the target compoet secured, afts assessmets cotaiig tests results ad proposes factual recommedatios to esure security agaist the threat cocered. The assessmet report is set as a text documet to a . The system is curretly uder itesive testig. It is plaed that i the future, it will be exteded to iclude other testig modules ad fuctios such as for istace testig of the whole VoIP ifrastructure ad heavy testig of idividual compoets. [9] G.F. Lyo, Nmap Network Scaig: The Official Nmap Project Guide to Network Discovery ad Security Scaig. Nmap Project, [10] M. Vozak ad J. Rozho, SIP Ifrastructure Performace Testig, I 9th Iteratioal Coferece o Telecommuicatios a Iformatics, Cataia, Italy, 2010, pp [11] F. Rezac, M. Vozak ad J. Ruzicka, "Security Risks i IP Telephoy", I CESNET Coferece 2008, 2008, Prague, pp [12] D. Edler ad M. Collier, Hackig Exposed VoIP: VoIP Security Secrets ad Solutios. McGraw-Hill Compaies, [13] I. Pravda ad J. Voazka, Voice quality plaig for NGN icludig mobile etworks, 12th Iteratioal Coferece o Persoal Wireless Commuicatios (PWC 2007), 2007, Prague. [14] M. Vozak ad F. Rezac, The implemetatio of SPAM over Iteret telephoy ad defece agaist this attack, preseted at TSP 2009: 32d Iteratioal Coferece o Telecommuicatios ad Sigal Processig, Duakiliti, HUNGARY, Aug 26-27, 2009, pp Ackowledgemet The research leadig to these results has received fudig from the Europea Commuity's Seveth Framework Programme (FP7/ ) uder grat agreemet o Refereces: [1] R. Rogers, Nessus Network Auditig. Sygress, 2d editio, [2] R. Chocheliski ad I. Baroak, "Private Telecommuicatio Network Based o NGN", I 32 d Iteratioal Coferece o Telecommuicatios ad Sigal Processig, 2009, Duakiliti, HUNGARY, pp [3] J. Bates, C. Gallo, M. Bocci, S. Walker ad T. Taylor, "Coverged Multimedia Networks", Wiley, 364 p., [4] M. Vozak, Voice over IP. VSB-Techical Uiversity of Ostrava: College Textbook, 1st. ed., Ostrava, [5] S. Witermezer ad S. Bosch, Practical Asterisk 1.4 ad 1.6: From Begier to Expert. Addiso-Wesley Professioal; 1 editio, [6] F. Gocalves, "Buildig Telephoy Systems with OpeSIPS 1.6", Packt Publishig, 274p., [7] D. Sisalem, J. Floroiu, J. Kutha, U. Abed ad H. Schulzrie, SIP Security, Wiley, 350p., [8] J. Lee ad B. Ware, Ope Source Developmet with LAMP: Usig Liux, Apache, MySQL, Perl, ad PHP, Addiso-Wesley Professioal, ISSN: ISBN: