VoIP Fraud and Misuse




DFN Tagung, 15.10.2013
VoIP Fraud and Misuse Detection and Mitigation
Prof. Dr.-Ing. Erwin P. Rathgeb, Dirk Hoffstadt, M.Sc.
Networking Technology Group, Institute for Experimental Mathematics & Institute for Computer Science & Business Information Systems, University of Duisburg-Essen

Overview
- SIP misuse detection for forensic analysis
  - Tools: SIP Trace Recorder and SIP Honeypots
- Real-time SIP misuse detection and mitigation
  - Security System
  - Central Service (SCS)
  - Detection scenarios
  - Deployment
- Live demo
  - SIP Trace Recorder
  - Security System

SIP misuse detection tools: SIP Honeypots for forensic analysis
(Figure: the STR listens on a monitoring port at the Internet uplink of the target network and writes to the STR database; it contains no active VoIP components. The full and low interaction honeypots sit in the target network, and all three feed the evaluation and presentation system.)
- SIP Trace Recorder (STR)
  - Passive SIP monitoring and logging
  - Stateful correlation, e.g. CDR generation
  - Detection of successful attacks
  - Optional privacy preservation
  - Deployment in production networks
  - Focus: statistical attack analysis
- Full Interaction SIP Honeypot
  - Extended SIP server with logging function
  - Full SIP functionality: call handling, media handling
  - Focus: detailed forensic analysis
- NEW: Low Interaction SIP Honeypot
  - Script based
  - Low resource utilization
  - High flexibility
  - Limited SIP functionality
  - Focus: dynamic experiments
- Evaluation and Presentation
  - Consolidation of all attack data
  - Automated data collection
  - Flexible analysis capabilities
  - Various views on the data, attack clustering
  - Web-based GUI

Real-time SIP misuse detection: Security System
(Figure: an attacker on the Internet reaches the firewall, behind which a sensor, either standalone or as Low Interaction Honeypot plugin, reports to the SCS; the attacker's target is a 0900 premium-rate callee.)
- Misuse Detection
  - Passive behaviour
  - Different environments: PBX, router, home gateways
  - Detection by using attack signatures
  - Dynamically loadable
  - Standalone or as Low Interaction Honeypot plugin
- Central Service (SCS)
  - Aggregation of sensor alerts, based on SCS rules
  - Management of sensors
  - Attack signature management
  - Interface to mitigation components

Real-time Misuse Detection & Mitigation: Security System
(Figure: the sensor, as Low Interaction Honeypot plugin, sends an alert to the SCS; the SCS uses its mitigation interface to instruct the firewall, which blocks the attacker's traffic toward the 0900 callee.)

Distributed Security System
- SCS Interface (SSI)
  - Each sensor is connected to the SCS: ID, secret, MAC address, location info
  - TLS secured (HTTPS) with server certificate check
  - Status updates and keep-alive messages
- SIP traffic analysis based on XML signatures
  - Light-weight software component for different hardware and software platforms
  - Different input data: network interface, socket, PCAP file
  - Filtering and analysis of SIP messages, e.g. timing conditions, IPv4 information, SIP header fields
  - Comparison of different header values (equal, not equal) within received SIP messages
- Report generator
  - Sends reports to the SCS according to the sensor's signature settings
  - Report fields: source IP, destination IP, signature ID, sensor ID, timestamp, source port, destination port, signature version
  - Optional: extended reports with pre-defined SIP header values
- Auto provisioning (configuration & signatures), managed and controlled by the SCS
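The following is an added example of the sensor-side analysis the slide describes; it is not code from the Duisburg-Essen security system. The XML signature schema (`header`, `compare`, `method`, `timing` elements), the sensor ID `sensor-essen-01`, the packet tuple layout and the SIP traffic are all constructed for illustration; only the report field list is taken from the slide. The example shows the three kinds of condition named above: a header-field test, a comparison of two header values within one message (From host vs. Via host) and a timing condition (a REGISTER burst per source IP), each producing a report in the slide's field set.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict, deque

SENSOR_ID = "sensor-essen-01"  # assumed sensor identity; the real SCS assigns IDs during provisioning

# Constructed signature set in an assumed XML schema (the project's real schema is not on the page).
SIGNATURES_XML = """<signatures>
  <signature id="1001" version="2" name="scanner-user-agent">
    <header name="User-Agent" op="contains" value="friendly-scanner"/>
  </signature>
  <signature id="1002" version="1" name="from-host-differs-from-via-host">
    <compare left="From" right="Via" part="host" op="not_equal"/>
  </signature>
  <signature id="1003" version="1" name="register-burst">
    <method value="REGISTER"/>
    <timing window="10" count="5"/>
  </signature>
</signatures>"""

_URI_HOST = re.compile(r"sip:(?:[^@\s]+@)?([^;>:\s]+)")
_VIA_HOST = re.compile(r"SIP/2\.0/\w+\s+([^;:\s]+)")


def parse_sip(raw):
    """Split a SIP request into (method, headers); header names are lower-cased."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, headers


def header_part(headers, name, part):
    """Return the whole header value, or only the host of the URI it carries."""
    value = headers.get(name.lower(), "")
    if part != "host":
        return value
    match = (_VIA_HOST if name.lower() == "via" else _URI_HOST).search(value)
    return match.group(1) if match else ""


class Signature:
    """One XML signature: method filter, header tests, header comparisons, timing condition."""

    def __init__(self, elem):
        self.id, self.version, self.name = int(elem.get("id")), int(elem.get("version")), elem.get("name")
        method = elem.find("method")
        self.method = method.get("value") if method is not None else None
        self.headers = [(h.get("name"), h.get("op"), h.get("value")) for h in elem.findall("header")]
        self.compares = [(c.get("left"), c.get("right"), c.get("part", "full"), c.get("op"))
                         for c in elem.findall("compare")]
        timing = elem.find("timing")
        self.window = float(timing.get("window")) if timing is not None else None
        self.count = int(timing.get("count")) if timing is not None else 1
        self.seen = defaultdict(deque)  # src_ip -> timestamps of content matches inside the window

    def content_matches(self, method, headers):
        if self.method is not None and method != self.method:
            return False
        for name, op, value in self.headers:
            actual = headers.get(name.lower(), "")
            if (op == "equal" and actual != value) or (op == "contains" and value not in actual):
                return False
        for left, right, part, op in self.compares:
            l, r = header_part(headers, left, part), header_part(headers, right, part)
            if (op == "equal" and l != r) or (op == "not_equal" and l == r):
                return False
        return True

    def matches(self, ts, src_ip, method, headers):
        if not self.content_matches(method, headers):
            return False
        if self.window is None:
            return True
        window = self.seen[src_ip]
        window.append(ts)
        while window and ts - window[0] > self.window:
            window.popleft()
        if len(window) >= self.count:
            window.clear()  # fire once per burst, then start counting again
            return True
        return False


def load_signatures(xml_text):
    return [Signature(e) for e in ET.fromstring(xml_text).findall("signature")]


def analyze(packets, signatures, sensor_id=SENSOR_ID):
    """Filter SIP traffic on port 5060 and emit one report per signature hit (slide's field set)."""
    reports = []
    for ts, src_ip, src_port, dst_ip, dst_port, raw in packets:
        if 5060 not in (src_port, dst_port):
            continue
        method, headers = parse_sip(raw)
        for sig in signatures:
            if sig.matches(ts, src_ip, method, headers):
                reports.append({"src_ip": src_ip, "dst_ip": dst_ip, "signature_id": sig.id,
                                "sensor_id": sensor_id, "timestamp": ts, "src_port": src_port,
                                "dst_port": dst_port, "signature_version": sig.version})
    return reports


def _msg(method, from_uri, via_host, ua):
    return "\r\n".join([f"{method} sip:192.0.2.10 SIP/2.0",
                        f"Via: SIP/2.0/UDP {via_host}:5062;branch=z9hG4bK1", f"From: <{from_uri}>;tag=1",
                        "To: <sip:100@192.0.2.10>", f"User-Agent: {ua}", "Content-Length: 0"]) + "\r\n\r\n"

# Constructed traffic: a scanner probe, an INVITE whose From host differs from its Via host,
# and five REGISTERs from one source within ten seconds.
SAMPLE_PACKETS = [
    (0.0, "203.0.113.7", 5062, "192.0.2.10", 5060,
     _msg("OPTIONS", "sip:100@203.0.113.7", "203.0.113.7", "friendly-scanner")),
    (1.0, "203.0.113.7", 5062, "192.0.2.10", 5060,
     _msg("INVITE", "sip:100@pbx.example.net", "203.0.113.7", "Zoiper")),
] + [(2.0 + i, "198.51.100.9", 5062, "192.0.2.10", 5060,
      _msg("REGISTER", "sip:1001@198.51.100.9", "198.51.100.9", "Zoiper")) for i in range(5)]

if __name__ == "__main__":
    for report in analyze(SAMPLE_PACKETS, load_signatures(SIGNATURES_XML)):
        print(report)
```

On the constructed traffic this yields three reports: signature 1001 for the OPTIONS probe, 1002 for the INVITE, and 1003 once the fifth REGISTER arrives. Timing state is kept per signature and per source IP, and the per-source window is cleared after a hit so a sustained burst produces one report per threshold crossing rather than one per packet; the real sensor's rate-limiting behaviour is not stated on the slide.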

Central Service: Architecture / Mode of Operation
(Figure: incoming reports enter through the SCS Interface (SSI) and are stored by the SCS Controller Process (SCP) in the database, which also holds configuration, rules, status etc. and serves the management front end. The Worker Process (WP) applies the SCS rules to the stored reports, stores the analysis results and notifications, and the SCS Notification Process (NP) executes the resulting actions via the SCS Notification Interface (SNI) toward the mitigation components, e.g. the erbl-service.)
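As an added example of the worker/notification side of the SCS described above (not the project's own code): the rule format, the rule IDs `R1`..`R3`, the sensor IDs and the report stream are constructed, and the `FirewallBlocklist` stands in for a mitigation component behind the SNI. It shows what "aggregation of sensor alerts based on SCS rules" can mean in practice: a rule that only acts once several independent sensors have reported the same source within a window, a rule that acts on a single report, and suppression of repeated notifications while an earlier block is still in force.

```python
from collections import defaultdict

# Constructed SCS rules in an assumed format (the project's rule language is not on the page).
# A rule fires for a source IP once reports carrying one of its signature IDs have arrived from
# at least min_sensors distinct sensors within window seconds; ttl suppresses repeat notifications.
SCS_RULES = [
    {"id": "R1", "signature_ids": {1001}, "min_sensors": 2, "window": 300, "action": "block", "ttl": 3600},
    {"id": "R2", "signature_ids": {1003}, "min_sensors": 1, "window": 60, "action": "block", "ttl": 86400},
    {"id": "R3", "signature_ids": {1002}, "min_sensors": 1, "window": 60, "action": "notify_admin", "ttl": 0},
]


class WorkerProcess:
    """Applies SCS rules to incoming sensor reports and produces notifications."""

    def __init__(self, rules):
        self.rules = rules
        self.history = defaultdict(list)  # (rule id, src_ip) -> [(timestamp, sensor_id)]
        self.active = {}                  # (action, src_ip) -> expiry of the last notification

    def process(self, report):
        notifications = []
        now = report["timestamp"]
        for rule in self.rules:
            if report["signature_id"] not in rule["signature_ids"]:
                continue
            key = (rule["id"], report["src_ip"])
            hist = [(t, s) for t, s in self.history[key] if now - t <= rule["window"]]
            hist.append((now, report["sensor_id"]))
            self.history[key] = hist
            sensors = sorted({s for _, s in hist})
            if len(sensors) < rule["min_sensors"]:
                continue  # not yet confirmed by enough independent sensors
            akey = (rule["action"], report["src_ip"])
            if self.active.get(akey, float("-inf")) > now:
                continue  # an earlier notification for this action is still valid
            if rule["ttl"]:
                self.active[akey] = now + rule["ttl"]
            notifications.append({"rule_id": rule["id"], "action": rule["action"],
                                  "src_ip": report["src_ip"], "sensors": sensors, "timestamp": now,
                                  "ttl": rule["ttl"], "signature_id": report["signature_id"]})
        return notifications


class FirewallBlocklist:
    """Stand-in mitigation component reached through the SCS Notification Interface."""

    def __init__(self):
        self.entries = {}  # src_ip -> expiry timestamp

    def apply(self, notification):
        if notification["action"] == "block":
            self.entries[notification["src_ip"]] = notification["timestamp"] + notification["ttl"]

    def is_blocked(self, ip, now):
        return self.entries.get(ip, float("-inf")) > now


def run(reports, worker, firewall):
    """Notification process: hand each worker result to the mitigation component."""
    out = []
    for report in reports:
        for note in worker.process(report):
            firewall.apply(note)
            out.append(note)
    return out


def _report(ts, sensor, sig, src_ip):
    return {"src_ip": src_ip, "dst_ip": "192.0.2.10", "signature_id": sig, "sensor_id": sensor,
            "timestamp": ts, "src_port": 5062, "dst_port": 5060, "signature_version": 1}

# Constructed report stream: two sensors confirm a scanner, a third report arrives while the
# block is active, then a single-sensor REGISTER-burst hit and a header-comparison hit.
SAMPLE_REPORTS = [
    _report(10.0, "sensor-essen-01", 1001, "203.0.113.7"),
    _report(40.0, "sensor-tromso-01", 1001, "203.0.113.7"),
    _report(50.0, "sensor-essen-01", 1001, "203.0.113.7"),  # suppressed: block still active
    _report(60.0, "sensor-tromso-01", 1003, "198.51.100.9"),
    _report(70.0, "sensor-essen-01", 1002, "203.0.113.7"),
]

if __name__ == "__main__":
    for note in run(SAMPLE_REPORTS, WorkerProcess(SCS_RULES), FirewallBlocklist()):
        print(note)
```

The stream above produces three notifications: R1 fires at t=40 once the second sensor confirms the scanner, R2 fires immediately on the burst report, and R3 raises an admin notification without touching the blocklist. Requiring confirmation from more than one sensor before blocking is the check a practitioner wants here: a single compromised or misconfigured sensor would otherwise be able to drive firewall rules for the whole deployment.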

Distributed System: Scenarios
- Physically distributed sensors at different sites in the Internet
  - Deployment of hardware or installation of software required
  - Different hardware platforms or virtual machines
  - Local management necessary
  - Privileged access to network interfaces required
- Virtually distributed sensors (NorNet approach)
  - One central sensor only (in Essen, Germany)
  - Distributed nodes to capture input traffic
  - GRE tunnel(s) between each node and the central sensor
  - Filters TCP/UDP traffic on port 5060
  - Traffic redirection to the central sensor by DNAT via the GRE tunnels
  - Reverse direction realized by routing policies
  - Pros: no software component on productive systems (no influence); easy to manage (single sensor)
  - Cons: more bandwidth required compared to the distributed approach; possible delays

Distributed System: Current NorNet setup
(Figure: the SCS runs in a virtual machine at Simula. Capture nodes at NTNU, Universitetet i Tromsø (129.242.157.228) and Universitetet i Bergen (158.37.6.195) forward traffic to the SIP honeypot at the University of Duisburg-Essen (132.252.152.105, 89.246.242.228), which an attacker on the Internet reaches via the nodes' interfaces I1/I2.)

SIP Trace Recorder: Evaluation & Presentation web interface (demo)
- Filter options
- Geolocation analysis
- SIP messages per day
- User agent analysis

Real-time SIP misuse detection demo: Security System and live attack
(Figure: the SIPvicious attack tool is run from the demo site in Berlin over the Internet against the VoIP honeynet in the TDR network in Essen, which sits behind a firewall and reports to the SCS.)

Central Service: Management website (screenshot)