DoS/DDoS Attacks and Protection on VoIP/UC
Presented by: Sipera Systems
Agenda
- What are DoS and DDoS attacks?
- VoIP/UC is different
- Impact of DoS attacks on VoIP
- Protection techniques
(Deck footer on every slide: UC Security Requirements)
DoS and DDoS attacks
- DoS: A Denial of Service attack is an attempt to make a resource unavailable to its intended users. One common method is saturating the server with requests so that it cannot process legitimate requests.
- DDoS: In a Distributed Denial of Service attack, multiple compromised systems flood the target system.
- The advantages of DDoS for the attacker: multiple machines can generate more attack traffic, and multiple attack machines are harder to detect and turn off than a single attack machine.
DoS and DDoS attacks
- Role of spoofing: DDoS attacks can be carried out by spoofing multiple sources. Spoofing does not give the ability to generate more traffic, but it still makes it extremely hard to detect and block a particular source in order to mitigate the attack.
- Role of zombies or bots: DDoS attacks can be carried out by compromising a large number of machines to launch attacks. These machines, waiting for a command from the attacker to launch attacks, are called zombies or botnets.
DoS and DDoS attacks
- Reflection: In this DDoS attack the attacker spoofs the victim's address and sends forged requests to a large number of machines; the responses coming back from these machines flood the victim.
- Recursive amplification attacks: The attacker sends one spoofed request which results in multiple requests coming back to the victim, each of which results in even more requests, and so on recursively. Examples are DNS attacks and the SIP amplification attack using forking proxies described in draft-ietf-sip-fork-loop-fix-07.
DoS and DDoS attacks
- Attack targets: Typical targets are servers, but this changes in peer-to-peer systems. The target can be the network, the TCP/IP stack or the application.
- Reconnaissance: A military and medical term denoting exploration conducted to gain information; it is typically a precursor to most attacks.
- Stealth DoS: A low-volume attack purposely trying to evade detection.
VoIP/UC is different
(Diagram: "VoIP is Different" at the centre, surrounded by the six properties covered on the following slides)
- Real-time
- Peer-to-peer
- Weak VoIP endpoints
- Complex protocols for rich features
- Human interactive
- Application layer
VoIP is Different: Real-time Sensitivity
(Diagram: Sent -> Network -> Received -> Playback; in the network, packets can be lost, arrive out of order, or arrive late)
VoIP is Different: Peer-to-peer
(Diagram comparing e-mail with VoIP)
- E-mail is client/server: SMTP connects to a server to send mail; POP3 connects to a server to receive mail.
- VoIP signaling is client/server: Make Call -> IP PBX -> Deliver Call -> Answer Call.
- The conversation itself (RTP over UDP carrying voice and video) flows peer-to-peer, directly between the clients.
VoIP is Different: Complex Protocols
- E-mail: port 25 open for SMTP/TCP; one port; few servers.
- VoIP: port 5060 open for SIP/TCP; dynamic ports; every phone is a server.
VoIP is Different: Application Layer
(Diagram: a stream of packets in which the attack content is spread across several packets' headers and payloads, so no single packet looks malicious)
- Traditional packet processing: header inspection and limited payload inspection.
- VoIP needs application state, context and semantic processing.
VoIP is Different: Human Interactive
- Data applications are human-to-machine.
- VoIP is human-to-human.
VoIP is Different: Weak VoIP Endpoints
- Data endpoint (PC): virus scanner, firewall, HIDS; high CPU, memory; security protocols such as IPSec and 802.1X.
- VoIP endpoint: no security tools; weak CPU, low memory; limited security protocols.
Impact of DoS Attacks: Real-time Sensitivity
- Even a two-packet (40 ms) drop produces a perceptible drop in MOS scores.
- Jitter buffers are usually < 100 ms; a variation in delay of more than that results in drops.
- ITU specifies 150 ms as the maximum end-to-end delay for voice.
(Diagram: Sent -> Network -> Received -> Playback)
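The three numbers on this slide can be reproduced with a small playout simulation. This is an added example, not material from the Sipera deck: it constructs a 20 ms RTP-style packet stream with a 100 ms jitter buffer, drops two packets and delays one by 150 ms of jitter, and classifies what the receiver can still play. The packet size, delays and loss pattern are constructed sample values.

```python
"""Playout-buffer simulation for the delay and loss numbers on the slide.

Added example (not from the Sipera deck). Constructed 20 ms packet stream
with a 100 ms jitter buffer; the slide's two-packet (40 ms) drop and the
late-packet case are both reproduced.
"""
PACKET_MS = 20            # 20 ms of audio per RTP packet (50 packets/s)
JITTER_BUFFER_MS = 100    # typical jitter buffer depth cited on the slide
ITU_MAX_ONE_WAY_MS = 150  # ITU end-to-end delay limit cited on the slide

# Constructed arrival times (ms) keyed by RTP sequence number.
# Nominal network delay is 30 ms; packets 4 and 5 are lost, packet 7 is
# delayed by an extra 150 ms of jitter.
SAMPLE_ARRIVALS = {seq: 30 + seq * PACKET_MS for seq in range(10)}
del SAMPLE_ARRIVALS[4], SAMPLE_ARRIVALS[5]
SAMPLE_ARRIVALS[7] += 150


def simulate_playout(arrivals, packet_ms=PACKET_MS, buffer_ms=JITTER_BUFFER_MS):
    """Classify each packet as played, late or lost.

    Playout of packet n is scheduled at first_arrival + buffer_ms + n*packet_ms;
    a packet that arrives after its slot is discarded exactly like a lost one.
    """
    first = min(arrivals)
    base = arrivals[first]
    result = {"played": [], "late": [], "lost": []}
    for seq in range(first, max(arrivals) + 1):
        playout_at = base + buffer_ms + (seq - first) * packet_ms
        t = arrivals.get(seq)
        if t is None:
            result["lost"].append(seq)
        elif t > playout_at:
            result["late"].append(seq)
        else:
            result["played"].append(seq)
    return result


def longest_gap_ms(result, packet_ms=PACKET_MS):
    """Longest run of consecutive unplayed packets, in ms of missing audio."""
    missing = sorted(result["late"] + result["lost"])
    longest = run = 0
    prev = None
    for seq in missing:
        run = run + 1 if prev is not None and seq == prev + 1 else 1
        longest = max(longest, run)
        prev = seq
    return longest * packet_ms


def delay_budget_ok(network_delay_ms, buffer_ms=JITTER_BUFFER_MS,
                    limit_ms=ITU_MAX_ONE_WAY_MS):
    """Mouth-to-ear delay is at least the network delay plus the buffer depth."""
    return network_delay_ms + buffer_ms <= limit_ms


if __name__ == "__main__":
    r = simulate_playout(SAMPLE_ARRIVALS)
    print("played:", r["played"], "late:", r["late"], "lost:", r["lost"])
    print("longest audio gap:", longest_gap_ms(r), "ms")
    print("30 ms network delay within ITU budget:", delay_budget_ok(30))
```

The late packet 7 shows why jitter matters as much as loss: it did arrive, but 150 ms of delay variation is more than the buffer can absorb, so the decoder treats it as missing. The two consecutive losses give the 40 ms gap the slide refers to.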
Impact of DoS Attacks: Peer-to-peer
- Attackers can directly flood endpoints.
- Any segment of the network can be an attack target.
(Diagram: Make Call -> IP PBX -> Deliver Call / Answer Call are client/server; the conversation, RTP over UDP carrying voice and video, is peer-to-peer)
Impact of DoS Attacks: Complex Protocols
- Complexity is the friend of the attacker.
- More ports mean more ways to attack.
- More attacks, such as reflection and amplification, become possible.
(Diagram: port 5060 open for SIP/TCP; dynamic ports; every phone is a server)
Impact of DoS Attacks: Application Layer
- The application layer makes servers susceptible to low-rate attacks.
- Each message can result in heavy processing.
- Each message can create complex state machines (Transfer, Conference, Hold, Forward).
Impact of DoS Attacks: Weak VoIP Endpoints
- Endpoints are weak: low CPU and low memory make them easy to overwhelm.
- No security tools: there is no protection on the endpoint against DoS attacks.
(Diagram: no security tools; weak CPU, low memory; limited security protocols)
VoIP is Different: Human Interactive
- Human interaction allows for stealth attacks targeting users.
- Very low-volume traffic can overwhelm users.
(Diagram: human-to-human)
Impact of DoS Attacks on VoIP: Same threat, reduced flood intensity
- Real-time sensitivity: small delays cause incoherent voice.
- Application layer and protocol complexity: SIP requests (INVITE/CANCEL).
- Weak VoIP devices.
- Human interactive.

Relative impact of a flood (flood intensity needed to cause harm decreases from bottom to top):

  Target                              Flood intensity at which service degrades
  VoIP user                           0.01 calls per second (1 per minute); a phone ringing every 5 minutes
  VoIP phone                          0.1 to 1 calls per second
  VoIP network server (IP-PBX)        10-50 calls per second
  Data network endpoint (browser)     it is a client (you can't flood it)
  Data network server (web server)    10,000 TCP SYNs per second
  Data network pipe                   1 Gbps
Protection Techniques: Detecting the Attack
- DoS, source monitoring: DoS detection is possibly the simplest and is done based on large amounts of traffic from a single source.
- DDoS, destination monitoring: DDoS detection requires monitoring traffic at the destination (the victim of the attack) and detecting large spikes in traffic volume.
- DDoS, fingerprinting: learning the details of message headers and detecting any mismatches allows fingerprinting to detect spoofing.
- Stealth DoS, behavior learning: this requires learning behavior in different time slots, based on time of day and day of week, and the ability to detect even slight deviations from the learnt behavior.
Protection Techniques: Identifying the Attacker
- DoS: again the simplest; as part of detecting the attack, the source of the attack is easily identified, unless it is being spoofed.
- DDoS, zombies: depending on the number of zombies, attackers may or may not be identifiable by volume; typically new sources of traffic (not seen in the past) are the possible attackers.
- DDoS, spoofing: since the number of random sources can in theory be as large as the address space, new-source detection or cookie-based techniques are used.
- Stealth DoS: since the attacks are very low volume, identifying an attacker is difficult; it is best to verify all traffic and then allow only verified traffic.
Protection Techniques: Mitigating Attacks
- DoS, block: once the attacker is identified, blocking the attacker is straightforward.
- DDoS, block: possible in the case of a limited number of zombies.
- DDoS, cookie verification: in three-way-handshake protocols, the attack target sends back a cookie, hides its state inside the cookie and waits for the handshake to complete before allocating resources; in the case of spoofing and simple script zombies the attack is thwarted.
- DDoS, re-authentication: on detecting a fingerprint mismatch, re-authentication can be triggered, blocking spoofing attacks.
- Stealth DoS, cookie verification: the same cookie mechanism as for DDoS above, applied to all new traffic so that only verified traffic is allowed.
Protection Techniques: Mitigating Attacks
- Reflection, strict protocol conformance: drop unwarranted responses or messages that are invalid for the current state.
- Recursive amplification, strict protocol conformance: drop unwarranted responses or messages that are invalid for the current state.
- Recursive amplification, enforce signaling policies: flexible policies to enforce specific messages, headers, etc.
Protection Technique: Source Monitoring
(Diagram: Internet -> Intranet -> IP PBX and protected endpoints)
1. Observe non-conformant traffic such as call walking.
- Detects reconnaissance.
- Detects DoS.
Protection Technique: Destination Monitoring
(Diagram: Internet -> Intranet -> IP PBX and protected endpoint)
1. Observe non-conformant behavior at the destination.
- Detects DDoS attacks, both spoofed and zombie-based.
Protection Technique: Behavior Learning
(Diagram: Internet -> Intranet -> IP PBX and protected endpoints)
1. Observe normal traffic.
2. Detect bad behavior.
- Detects stealth DoS.
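The three detectors on the "Detecting the Attack" slide and on the source-monitoring, destination-monitoring and behavior-learning slides above share one input, a stream of SIP requests with their source, destination and time, and differ only in how they aggregate it. The following is an added example (not Sipera's code) that runs all three over a constructed INVITE log: one minute with a single flooding source, one with many sources sending one INVITE each, and one quiet night-time minute whose volume is only slightly above the learnt slot baseline. The PBX address, the thresholds and the learnt baseline are constructed sample values.

```python
"""Source monitoring, destination monitoring and behavior learning over
a constructed SIP INVITE log. Added example, not from the Sipera deck."""
from collections import Counter
from datetime import datetime, timedelta

PBX = "10.0.0.5"  # protected IP-PBX (constructed address)


def build_sample_events():
    """Construct a synthetic INVITE log as (time, src_ip, dst_ip) tuples."""
    events = []
    day = datetime(2024, 1, 8, 10, 0)            # Monday 10:00, a busy slot
    for minute in range(3):
        t = day + timedelta(minutes=minute)
        if minute < 2:                            # normal: 30 distinct phones
            for i in range(1, 31):
                events.append((t, f"10.1.0.{i}", PBX))
        if minute == 1:                           # single-source flood (DoS)
            for _ in range(60):
                events.append((t, "192.0.2.7", PBX))
        if minute == 2:                           # many sources, one INVITE each (DDoS)
            for i in range(1, 151):
                events.append((t, f"198.51.100.{i}", PBX))
    night = datetime(2024, 1, 8, 2, 0)            # Monday 02:00, a quiet slot
    for i in range(1, 7):                         # 6 calls where ~2 is normal (stealth)
        events.append((night, f"10.1.0.{i}", PBX))
    return events


# Baseline learnt from earlier weeks (constructed): (weekday, hour) -> INVITEs/min
LEARNT_BASELINE = {(0, 10): 30.0, (0, 2): 2.0}


def minute_of(t):
    return t.replace(second=0, microsecond=0)


def source_monitor(events, per_source_per_minute=20):
    """DoS: sources that exceed the per-minute request threshold."""
    counts = Counter((minute_of(t), src) for t, src, _ in events)
    return {src for (_, src), n in counts.items() if n > per_source_per_minute}


def destination_monitor(events, dst=PBX, per_minute=100):
    """DDoS: minutes in which the victim sees a spike, regardless of source."""
    counts = Counter(minute_of(t) for t, _, d in events if d == dst)
    return {m for m, n in counts.items() if n > per_minute}


def behavior_deviation(events, baseline=LEARNT_BASELINE, factor=2.0):
    """Stealth DoS: minutes whose volume exceeds factor x the learnt slot rate.
    Returns {minute: (observed, expected)}."""
    counts = Counter(minute_of(t) for t, _, _ in events)
    flagged = {}
    for m, n in counts.items():
        expected = baseline.get((m.weekday(), m.hour))
        if expected is not None and n > expected * factor:
            flagged[m] = (n, expected)
    return flagged


if __name__ == "__main__":
    ev = build_sample_events()
    print("source monitor flags:", source_monitor(ev))
    print("destination monitor flags:", destination_monitor(ev))
    for m, (seen, exp) in sorted(behavior_deviation(ev).items()):
        print(f"behavior: {m} saw {seen} INVITEs, baseline {exp}/min")
```

Each detector misses something the others catch: the per-source threshold never fires for the 150 distinct DDoS sources, the fixed destination threshold of 100 per minute never fires for six night-time calls, and only the time-slot baseline notices that six calls at 02:00 on a Monday is three times the norm.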
Protection Technique: Fingerprinting
(Diagram: phone on the Internet, Sipera IPCS at the Intranet edge, IP PBX inside)
1. Phone registers:
     REGISTER sip:ss2.wcom.com SIP/2.0
     Via: SIP/2.0/UDP there.com:5060
     From: LittleGuy <sip:userb@there.com>
     Call-ID: 123456789@there.com
     Contact: <sip:userb@172.16.1.10>
2. IPCS learns the fingerprint.
3. Phone moves to a new location.
4a. Phone tries to re-register:
     REGISTER sip:ss2.wcom.com SIP/2.0
     Via: SIP/2.0/UDP there.com:5060
     From: LittleGuy <sip:userb@there.com>
     Call-ID: 123456789@there.com
     Contact: <sip:userb@172.16.1.11>
4b. Fingerprint mismatch: SIP challenge, valid response.
5. Phone re-registration complete.
6. IPCS updates the fingerprint.
7. Attacker script tries to spoof the register.
8. Fingerprint mismatch.
- Detects spoofing.
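The eight steps above can be followed with a small fingerprint store driven by the two REGISTER requests shown on the slide. This is an added example, not Sipera IPCS code: it parses the requests, records the Via, From and Contact host for each address of record, and returns "learn", "match" or "challenge". Which headers make up the fingerprint, and that a successful SIP challenge is reported back through a confirm() call, are assumptions of the example; the deck does not say what IPCS actually fingerprints.

```python
"""Header fingerprinting of SIP REGISTER requests.
Added example, not Sipera IPCS code; the fingerprint fields are an assumption."""
import re

# The two REGISTER requests shown on the slide: before and after the phone moves.
REGISTER_ORIGINAL = (
    "REGISTER sip:ss2.wcom.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP there.com:5060\r\n"
    "From: LittleGuy <sip:userb@there.com>\r\n"
    "Call-ID: 123456789@there.com\r\n"
    "Contact: <sip:userb@172.16.1.10>\r\n\r\n"
)
REGISTER_MOVED = REGISTER_ORIGINAL.replace("172.16.1.10", "172.16.1.11")


def parse_sip(raw):
    """Return (request_line, {lower-case header name: value}) for a SIP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def uri_in(header_value):
    """Extract the URI from a From/Contact header (angle brackets optional)."""
    m = re.search(r"<([^>]+)>", header_value)
    return m.group(1) if m else header_value.split(";")[0].strip()


def fingerprint(raw):
    """Assumed fingerprint: Via sent-by, From URI and the Contact host."""
    _, h = parse_sip(raw)
    return {
        "via": h.get("via", "").split(";")[0],
        "from": uri_in(h.get("from", "")),
        "contact_host": uri_in(h.get("contact", "")).split("@")[-1],
    }


class FingerprintGate:
    """Per address-of-record fingerprint store in front of the IP PBX."""

    def __init__(self):
        self.known = {}

    def check(self, raw):
        """'learn' for a first registration, 'match' if headers agree with the
        stored fingerprint, 'challenge' on any mismatch (phone moved or spoof)."""
        fp = fingerprint(raw)
        stored = self.known.get(fp["from"])
        if stored is None:
            self.known[fp["from"]] = fp
            return "learn"
        return "match" if stored == fp else "challenge"

    def confirm(self, raw):
        """Called only after the SIP challenge was answered correctly:
        the phone really moved, so adopt the new fingerprint (slide step 6)."""
        fp = fingerprint(raw)
        self.known[fp["from"]] = fp


if __name__ == "__main__":
    gate = FingerprintGate()
    print("1. register:", gate.check(REGISTER_ORIGINAL))
    print("4a. moved:", gate.check(REGISTER_MOVED))
    gate.confirm(REGISTER_MOVED)
    print("5/6. after challenge:", gate.check(REGISTER_MOVED))
    print("7/8. stale address replayed:", gate.check(REGISTER_ORIGINAL))
```

The last call shows the value of step 6: once the fingerprint has been updated, a REGISTER that still carries the old Contact host is a mismatch and is challenged, so a script that copied the earlier registration cannot register without answering the challenge.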
Protection Technique: Cookie Verification
(Diagram: attacker and protected endpoint on the Internet, IP PBX on the Intranet)
1. Attacker makes a call.
2. Challenge is sent to the (spoofed) address; no response.
3. New call from the protected endpoint.
4. Challenge; valid response.
5. Allow the call.
- Blocks spoofed DDoS (at very high rates).
- Blocks scripts.
- Blocks stealth DoS.
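The essential property of the scheme above is that the target allocates nothing for a call until the challenge is answered, and the only state it needs is hidden in the cookie itself. The example below is added here and is not Sipera's implementation: it keys the cookie with an HMAC over the source address, call identifier and issue time, so a cookie sent to a spoofed address is never answered, a cookie replayed from another address does not verify, and an old cookie expires. The addresses, call identifiers, secret and lifetime are constructed sample values.

```python
"""Stateless cookie challenge before call state is allocated.
Added example, not Sipera's implementation."""
import hashlib
import hmac
import os
import time


class CookieGate:
    """A new call from an unverified source gets a challenge carrying
    cookie = HMAC(secret, src | call_id | issued). Nothing is stored for it.
    Call state is allocated only when a response comes back from the same
    source with a cookie that verifies and is within the validity window."""

    def __init__(self, secret=None, lifetime_s=30, clock=time.time):
        self.secret = secret or os.urandom(32)
        self.lifetime_s = lifetime_s
        self.clock = clock                 # injectable for deterministic tests
        self.established = {}              # call_id -> src, only after verification
        self.verified_sources = set()      # sources that have answered a challenge

    def _cookie(self, src, call_id, issued):
        msg = f"{src}|{call_id}|{issued}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def on_new_call(self, src, call_id):
        """Return ('allow', None) for an already verified source, otherwise
        ('challenge', challenge) where the challenge is sent toward src."""
        if src in self.verified_sources:
            self.established[call_id] = src
            return "allow", None
        issued = int(self.clock())
        return "challenge", {"issued": issued,
                             "cookie": self._cookie(src, call_id, issued)}

    def on_response(self, src, call_id, challenge):
        """Verify the echoed cookie; allocate state only on success."""
        issued = challenge.get("issued", 0)
        if self.clock() - issued > self.lifetime_s:
            return "reject-expired"
        expected = self._cookie(src, call_id, issued)
        if not hmac.compare_digest(expected, challenge.get("cookie", "")):
            return "reject-bad-cookie"
        self.verified_sources.add(src)
        self.established[call_id] = src
        return "allow"


def run_slide_scenario():
    """Steps 1-5 of the slide with constructed addresses. Returns the gate."""
    gate = CookieGate(secret=b"constructed-demo-secret")
    # 1-2: call claims to come from a spoofed address; the challenge goes there,
    #      nobody answers, and no state has been allocated for it.
    gate.on_new_call("203.0.113.250", "spoofed-call-1")
    # 3-5: protected endpoint calls, receives the challenge and echoes it back.
    action, challenge = gate.on_new_call("198.51.100.20", "legit-call-1")
    gate.on_response("198.51.100.20", "legit-call-1", challenge)
    return gate


if __name__ == "__main__":
    g = run_slide_scenario()
    print("established calls:", g.established)
```

The stand-alone scenario ends with exactly one established call, the one whose challenge was answered; the spoofed call never consumed anything beyond the cost of computing one HMAC.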
Protection Technique: Re-authentication
(Diagram: attacker and protected endpoint on the Internet, IP PBX on the Intranet)
1. Attacker makes a call.
2. Re-authentication requested; no response.
3. New call from the protected endpoint.
4. Re-authentication requested; valid response.
5. Allow the call.
- Blocks spoofing.
- Blocks zombie attacks.
Protection Technique: Strict Protocol Conformance
(Diagram: attacker on the Internet, protected endpoint and IP PBX on the Intranet)
1. Attacker sends a message.
2. The reflected response is dropped as invalid for the current state.
- Blocks reflection.
- Blocks amplification.
Protection Technique: Enforce Policies
- Policy enforcement: user-, network-, device-, time-of-day- and domain-based policies.
- Blocks signaling manipulation attacks.
Protection Technique: Purpose-Built Hardware
(Diagram: a traditional design shares resources between signaling and media; the real-time design has independent signaling and media planes)
(Chart: media latency versus call volume; as attacks increase, latency in the traditional design climbs, while the real-time design stays around 100 µs)
- Deterministic low latency and low jitter under attack.
Protection Technique: Selective RTP Anchoring
- Blocks peer-to-peer attacks.
- Deterministic low latency and low jitter under attack.
Protection Technique: Per-Domain Rate Limiting
- Restricts the impact of an attack to one domain.
- Ensures other domains see no effect.
Protection Technique: Random Early Discard
- Ensures service is available under heavy attack.
- Ensures quick recovery once the attack is blocked.
- Ensures established calls are not affected.
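The last two techniques, per-domain rate limiting and random early discard, are both admission decisions taken per SIP request, so they fit naturally in one example. What follows is added here and is not Sipera's implementation: a token bucket per SIP domain (so one flooded domain cannot starve another) followed by a RED stage whose discard probability rises with the signaling queue depth but which never discards a message belonging to an established call, matching the three guarantees on the slide. The rates, bucket sizes, queue thresholds and domain names are constructed sample values.

```python
"""Per-domain token-bucket rate limiting plus random early discard that
exempts established calls. Added example, not Sipera's implementation."""
import random


def domain_of(sip_uri):
    """Domain part of a SIP URI such as 'sip:alice@example.com;transport=udp'."""
    user_host = sip_uri.split(":", 1)[-1].split(";")[0]
    return user_host.split("@")[-1].lower()


class TokenBucket:
    def __init__(self, rate_per_s, burst):
        self.rate, self.burst = rate_per_s, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        """Refill by elapsed time, then spend one token if one is available."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class PerDomainLimiter:
    """One bucket per domain: a flood from one domain exhausts only its own bucket."""

    def __init__(self, rate_per_s, burst):
        self.rate, self.burst, self.buckets = rate_per_s, burst, {}

    def allow(self, domain, now):
        bucket = self.buckets.setdefault(domain, TokenBucket(self.rate, self.burst))
        return bucket.allow(now)


class RandomEarlyDiscard:
    """Discard new-call requests with a probability that grows with queue depth,
    so the server never reaches the cliff where it serves nobody."""

    def __init__(self, min_th, max_th, max_p, rng=None):
        self.min_th, self.max_th, self.max_p = min_th, max_th, max_p
        self.rng = rng or random.Random()

    def drop_probability(self, queue_len):
        if queue_len < self.min_th:
            return 0.0
        if queue_len >= self.max_th:
            return 1.0
        return self.max_p * (queue_len - self.min_th) / (self.max_th - self.min_th)

    def admit(self, queue_len, established):
        """Messages for calls already in progress are always admitted."""
        if established:
            return True
        return self.rng.random() >= self.drop_probability(queue_len)


def admit_request(limiter, red, from_uri, now, queue_len, established):
    """Combined decision for one SIP request: domain bucket first, then RED."""
    if not limiter.allow(domain_of(from_uri), now):
        return False
    return red.admit(queue_len, established)


if __name__ == "__main__":
    limiter = PerDomainLimiter(rate_per_s=5, burst=10)
    red = RandomEarlyDiscard(min_th=20, max_th=60, max_p=0.5, rng=random.Random(7))
    flood = sum(admit_request(limiter, red, "sip:x@flooding.example", 0.0, 0, False)
                for _ in range(50))
    other = admit_request(limiter, red, "sip:bob@partner.example", 0.0, 0, False)
    print("admitted from flooding domain:", flood, "of 50")
    print("partner domain still admitted:", other)
    print("drop probability at queue depth 40:", red.drop_probability(40))
```

The bucket parameters decide how much burst a domain is allowed before its excess is dropped; the RED thresholds decide how early the server starts shedding new calls. Because in-progress calls bypass RED entirely, shedding under attack costs only new call attempts, and once the attack traffic is blocked the queue drains and the drop probability falls back to zero on its own.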