Multimedia Communication in the Internet. SIP Security Threads. Dorgham Sisalem, Sven Ehlert Mobile Integrated Services FhG FOKUS 1

Size: px

Start display at page:

Download "Multimedia Communication in the Internet. SIP Security Threads. Dorgham Sisalem, Sven Ehlert Mobile Integrated Services FhG FOKUS 1"

Marjory Reed
8 years ago
Views:

1 Multimedia Communication in the Internet SIP Security Threads Dorgham Sisalem, Sven Ehlert Mobile Integrated Services FhG FOKUS 1

2 Denial of Service Prevent service availability Software vulnerabilities Sasser, Ping of Death Resource depletion Smurf, SYN Flood Distributed Denial of Service Attacks Tools Trinoo, Stacheldraht, TFN2K, Phatbot Annoyance AND financial consequences E.g. Yahoo attack in hours offline, estimated $ loss 2

of Service Attacks Tools Trinoo, Stacheldraht, TFN2K, Phatbot Annoyance AND

3 Attack Points SIP Proxy SIP Helper Services AAA, STUN, RTPproxy, DNS/ENUM, PSTN Network Protocols TCP, UDP, RTP, TLS 3

4 SIP Proxy Exploitation Memory: SIP is memory hungry Save messages while processing them Save messages during transactions up to a few minutes CPU: Message parsing Application execution Bandwidth Not SIP-special 4

during transactions up to a few minutes CPU: Message

5 Memory Depletion Attacks Brute force: Start thousands of calls with different FROM, TO and Call-IDs Lesser impact, as they don't create state Fast CPU, good implementation and a lot of memory can handle these Monitoring and filtering to block Identify misbehaving users Setup blacklists / whitelists Broken Sessions: Start sessions and do not complete Create state at the server 5

memory can handle these Monitoring and filtering to block Identify misbehaving users Setup

6 Broken Session UA Proxy INVITE INVITE forwarding unreachable ~ 3 kbyte min 3 min waiting for response 6

7 Broken Session UA Proxy Proxy 404 Not Found 404 Not Found forwarding Spoofed Address ~ 3 kbyte ~ 30 sec waiting for ACK 7

8 Broken Session UA Proxy 300 Multiple Choices Malicious Proxy ~ 3 n kbyte > 3 min waiting for each reply 8

9 Stateless Authentication Stateless message handling Run security checks in stateless mode before moving to stateful Authentication SPAM After validation continue in stateful mode Authentication Authenticate all requests to prevent fraud Use stateless authentication, e.g. predictive nonces State Message Type Time Period Secret... Scramble To UA 9

stateful mode Authentication Authenticate all requests to prevent fraud Use stateless

10 CPU Exhaustion Attacks Message parsing and security enforcement Too many messages requiring parsing and authentication Exhaustion is a sign of bad implementation or underdimensioned hardware Application execution Too complex scripts or heavy database interaction Restrict application intelligence offered to user Server blocking Messages with non-resolvable DNS names Build TCP/TLS connections to non-existing receivers 10

execution Too complex scripts or heavy database interaction Restrict application intelligence offered to

11 CPU Exhaustion: Counter Measures Server design Dimension hardware appropriately to offered services Parallel process, each dealing with one request Non-blocking design: Non-blocking communication with DNS and database Implementation complexity and memory usage increase considerably DNS handling only use the IP address DNS caching Receive field in VIA headers INVITE Via: SIP/2.0/UDP caller.net:5060; \ received: ;rport:1234 Contact: user@sip.caller.net Content-Type: application/sdp c=in IP4 sip.caller.net m=audio 8000 RTP/AVP 4 11

$net:5060; \ received:100.0.0.2;rport:1234 Contact: user@sip.caller.net Content-Type: application/sdp c=in IP4 sip.caller.net m=audio 8000 RTP/AVP 4 11$

12 Attack Fans Loops Annoying and probably a configuration mistake Forked Loops Requires a larger level of coordination Can not be dealt with statelessly Loop detection increases complexity of proxies Max-Forward set by user Enforce local policies of a small Max-Forward 12

dealt with statelessly Loop detection increases complexity of

13 Distributed DoS Reply Forwarding Insert Spoofed Address INVITE Via: SIP/2.0/UDP target.sip.net; Via: SIP/2.0/UDP other.addr.net; Via: SIP/2.0/UDP yet.another.net; Innocent Hosts Message forwarding with reply 13

14 Distributed DoS Reply Forwarding Insert Spoofed Address INVITE Via: SIP/2.0/UDP target.sip.net; Via: SIP/2.0/UDP other.addr.net; Via: SIP/2.0/UDP yet.another.net; Innocent Hosts Response redirection Target Host 14

15 STUN Attacks Attacks on a STUN server Denial of Service Compromising STUN server to attack STUN clients Protocol design to prevent attack possibilities nearly fully stateless operation Authentication vulnerable to general DoS attacks common countermeasures dedicated STUN server monitoring and filtering 15

possibilities nearly fully stateless operation Authentication vulnerable to

16 Summary SIP offers attacks a wide variety of attack possibilities A lot of the attack possibilities depend on configuration of the SIP server, its implementation and usage scenario Effects of many attacks can be reduced by Efficient implementation and appropriate hardware Stateless processing and authentication Clever DNS handling Filtering and monitoring blacklists 16

scenario Effects of many attacks can be reduced by Efficient implementation and appropriate

Multimedia Communication in the Internet. SIP Security Threats. Sven Ehlert Next Generation Network Infrastructure Fraunhofer FOKUS 1

Multimedia Communication in the Internet SIP Security Threats Sven Ehlert Next Generation Network Infrastructure Fraunhofer FOKUS 1 Outline SIP Security Mechanisms Denial of Service VoIP SPAM 2 SIP Call