Introduction of VoIP and SIP Security 2
Ge Zhang, Karlstad University, May 2009
Outline
Review
SIP vulnerabilities caused by external infrastructures, with the DNS server as an example: confidentiality, integrity, availability
Further VoIP security: web server, firewall, accounting database
Discussion
Review
What are the pros and cons of VoIP?
Why is VoIP relatively insecure compared with the PSTN?
Five security mechanisms can be applied in SIP services:
1. challenge-response authentication
2. inter-domain authentication
3. S/MIME
4. TLS
5. IPsec
Are they good enough to make SIP-based VoIP secure?
Protocols for VoIP: the threats from external servers
Figure: the VoIP protocol stack grouped by role. Signaling: SIP, SDP. Name resolution: DNS, ENUM. WWW: HTTP. AAA: RADIUS. Media: RTP. NAT traversal: STUN. All of them run over TCP/UDP on IPv4/IPv6.
Red: used exclusively for VoIP (internal servers). Green: shared infrastructures (external servers).
An example: the DNS server
DNS usage in SIP (to discover the IP address of the proxy in the target domain):
Mapping of the target domain name to an IP address (A record)
Discovery of multiple services (NAPTR, SRV records)
Mapping of a PSTN telephone number to a SIP address (ENUM record)
DNS NAPTR/SRV
NAPTR (service discovery):
NAPTR 30 50 "s" "SIP+D2U" "" _sip._udp.example.com.
NAPTR 50 40 "s" "SIP+D2S" "" _sip._sctp.example.com.
NAPTR 50 50 "s" "SIP+D2T" "" _sip._tcp.example.com.
SRV (host-name discovery):
_sip._udp.example.com SRV 5 100 5060 sip-udp01.example.com.
_sip._udp.example.com SRV 10 100 5060 sip-udp02.example.com.
A (IP-address discovery):
sip-udp01.example.com A 1800 193.11.159.6
DNS ENUM
Mapping from a PSTN phone number to a SIP URI; the ENUM tree is rooted at e164.arpa.
+46547001528 -> 8.2.5.1.0.0.7.4.5.6.4.e164.arpa
IN NAPTR 100 10 "u" "sip+e2u" "!^.*$!sip:ge.zhang@kau.se!" .
IN NAPTR 102 10 "u" "mailto+e2u" "!^.*$!mailto:ge.zhang@kau.se!" .
Choose sip:ge.zhang@kau.se, treat it as the target URI, then continue with the normal SIP resolution.
Figure: the caller's SIP proxy resolves +46 54 700 1528 through ENUM, NAPTR, SRV and A lookups at the DNS server, then forwards the SIP INVITE to the callee's SIP proxy.
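The lookups on the last two slides, carried out end to end as an added example (this code is not from the slides or from any SIP proxy): the ENUM rewrite for the phone number, then the NAPTR/SRV/A walk of RFC 3263 for example.com. The record values are the ones on the slides; the in-memory ZONE, the function names, the list of transports the proxy "supports" and the seeded random choice for SRV weights are constructed here.

```python
"""Walk the DNS lookups a SIP proxy makes (ENUM -> NAPTR -> SRV -> A) against
an in-memory zone. Hypothetical example for these lecture slides: the record
values are the ones on the slides, but ZONE, the function names and the
supported-transport list are constructed here."""
import random
import re

# Constructed zone: record type -> owner name -> list of records
ZONE = {
    "NAPTR": {
        # (order, preference, flags, service, regexp, replacement)
        "example.com.": [
            (30, 50, "s", "SIP+D2U", "", "_sip._udp.example.com."),
            (50, 40, "s", "SIP+D2S", "", "_sip._sctp.example.com."),
            (50, 50, "s", "SIP+D2T", "", "_sip._tcp.example.com."),
        ],
        "8.2.5.1.0.0.7.4.5.6.4.e164.arpa.": [
            (100, 10, "u", "sip+e2u", "!^.*$!sip:ge.zhang@kau.se!", ""),
            (102, 10, "u", "mailto+e2u", "!^.*$!mailto:ge.zhang@kau.se!", ""),
        ],
    },
    "SRV": {
        # (priority, weight, port, target)
        "_sip._udp.example.com.": [
            (5, 100, 5060, "sip-udp01.example.com."),
            (10, 100, 5060, "sip-udp02.example.com."),
        ],
    },
    "A": {"sip-udp01.example.com.": ["193.11.159.6"]},
}

TRANSPORT = {"SIP+D2U": "udp", "SIP+D2T": "tcp", "SIP+D2S": "sctp"}


def enum_domain(number):
    """E.164 number -> e164.arpa owner name: keep the digits, reverse them,
    separate with dots."""
    digits = re.sub(r"\D", "", number)
    return ".".join(reversed(digits)) + ".e164.arpa"


def select_naptr(records, supported):
    """Lowest order wins; among equal order, lowest preference wins (RFC 2915).
    Records whose service the proxy does not support are skipped."""
    wanted = {s.lower() for s in supported}
    for rec in sorted(records, key=lambda r: (r[0], r[1])):
        if rec[3].lower() in wanted:
            return rec
    return None


def apply_naptr_regexp(regexp, subject):
    """Apply a NAPTR "u" rewrite rule: the first character is the delimiter,
    then pattern, replacement and flags."""
    delim = regexp[0]
    _, pattern, replacement, _flags = regexp.split(delim)
    match = re.match(pattern, subject)
    return match.expand(replacement) if match else None


def enum_lookup(number, supported=("sip+e2u",)):
    """Phone number -> URI via the ENUM NAPTR set (None if nothing usable)."""
    owner = enum_domain(number) + "."
    rec = select_naptr(ZONE["NAPTR"].get(owner, []), supported)
    return apply_naptr_regexp(rec[4], number) if rec else None


def select_srv(records, rng):
    """Lowest priority first; inside a priority class choose by weight (RFC 2782)."""
    best = min(r[0] for r in records)
    group = [r for r in records if r[0] == best]
    weights = [r[1] for r in group]
    return rng.choices(group, weights=weights)[0] if sum(weights) else rng.choice(group)


def resolve_sip_domain(domain, supported=("SIP+D2U", "SIP+D2T"), seed=0):
    """RFC 3263 style: NAPTR picks the transport, SRV the host and port, A the
    address. Returns None when the domain has no usable NAPTR record."""
    rng = random.Random(seed)
    naptr = select_naptr(ZONE["NAPTR"].get(domain.rstrip(".") + ".", []), supported)
    if naptr is None:
        return None
    srv = select_srv(ZONE["SRV"][naptr[5]], rng)
    return {
        "transport": TRANSPORT[naptr[3]],
        "host": srv[3],
        "port": srv[2],
        "addr": ZONE["A"][srv[3]][0],
    }


if __name__ == "__main__":
    print(enum_lookup("+46 54 700 1528"))
    print(resolve_sip_domain("example.com"))
```

Every step of this walk is a separate round trip to a DNS server that the proxy does not control, which is exactly the surface the following slides examine: the answers can be observed (cache timing), forged (spoofing) or simply delayed.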
DNS usage in SIP
Recursive DNS requests in SIP, to find the authoritative server; DNS mapping records can be cached locally.
Figure: message sequence for a call from a UA in kau.se to obama@sip.wh.org.
1. INVITE obama@sip.wh.org (UA -> kau.se SIP proxy)
2. sip.wh.org? (SIP proxy -> kau.se DNS server)
3. sip.wh.org? (kau.se DNS server -> root DNS server)
4. contact the .org DNS server
5. sip.wh.org? (-> .org DNS server)
6. contact the wh.org DNS server
7. sip.wh.org? (-> wh.org DNS server)
8. answer (wh.org DNS server -> kau.se DNS server)
9. answer (kau.se DNS server -> SIP proxy)
10. INVITE obama@sip.wh.org (kau.se SIP proxy -> wh.org SIP proxy)
11. INVITE obama@sip.wh.org (wh.org SIP proxy -> UA)
Security risks
Threat on confidentiality: profiling the mapping records in the DNS cache.
Threat on integrity: DNS spoofing, so that the call is forwarded to an undesired callee.
Threat on availability: exploiting the latency of DNS requests, so that the proxy is blocked and becomes unavailable.
Threat on confidentiality
Round trip time (RTT): the time interval between a request and its response.
The difference in RTT reveals whether the DNS mapping of a remote domain has been cached or not.
Cache content = calling history, so an attacker can observe the calling history of a domain. This is called a timing attack.
Taking the cache TTL (time to live) into account, the attacker can profile the calling behaviour over time.
Threat on integrity
DNS spoofing: provide a spoofed DNS mapping.
The transaction ID is a random number (16 bits: 65535 possible values).
Discuss: what is the problem? The integrity of the data source.
Birthday paradox
Given a group of n persons, what is the probability P(n) that at least two persons have the same birthday? It is easier to first calculate the probability that all people have different birthdays, then subtract it from 1. The same calculation applies to DNS queries with 65535 possible transaction IDs.

People    2       9       16      23      30      37      44      65      79
P(365)    0.0027  0.0946  0.2836  0.5073  0.7063  0.8487  0.9329  0.9977  0.9999

Queries   50      100     150     200     250     300     350     400     500     550     650     750
P(65535)  0.0185  0.0728  0.1569  0.2621  0.3785  0.4961  0.6069  0.7048  0.8517  0.9008  0.9604  0.9865
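The calculation behind both rows of the table, as an added example (not from the slides): the exact product for P(n), and the inverse question a defender asks, namely how many outstanding queries it takes before a collision in the ID space becomes likelier than a given threshold. The 65535-value space is the slide's figure; the last function call, which widens the space by a constructed 60000 source ports, is an assumption used to illustrate why RFC 5452 recommends randomising the source port as well as the transaction ID.

```python
"""Exact birthday-collision probabilities behind the slide's table, plus the
number of queries needed to reach a target probability. Added example, not
from the slides."""


def collision_probability(n, d):
    """P(n): probability that among n draws from d equally likely values at
    least two coincide, computed as 1 - P(all distinct)."""
    if n > d:
        return 1.0
    all_distinct = 1.0
    for i in range(n):
        all_distinct *= (d - i) / d
    return 1.0 - all_distinct


def queries_for_probability(p, d):
    """Smallest n with P(n) >= p. For DNS this is the number of outstanding
    queries for the same name after which a repeated 16-bit transaction ID is
    likelier than p. The product is built incrementally, so no rework."""
    all_distinct, n = 1.0, 0
    while 1.0 - all_distinct < p:
        all_distinct *= (d - n) / d
        n += 1
    return n


if __name__ == "__main__":
    for n in (2, 9, 16, 23, 30, 37, 44, 65, 79):
        print("P(%d, 365) = %.4f" % (n, collision_probability(n, 365)))
    for n in (50, 100, 150, 200, 250, 300, 350, 400, 500, 550, 650, 750):
        print("P(%d, 65535) = %.4f" % (n, collision_probability(n, 65535)))
    print("queries for P >= 0.5 with 16-bit IDs:", queries_for_probability(0.5, 65535))
    # Constructed widening of the space: transaction ID combined with a
    # randomised source port (about 60000 usable ports assumed here).
    print("queries for P >= 0.5 with ID + source port:",
          queries_for_probability(0.5, 65535 * 60000))
```

The second printed figure is the defender's takeaway: a 16-bit ID alone reaches a 50% collision chance after a few hundred queries, whereas combining it with a random source port pushes that point into the tens of thousands.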
Threat on availability
According to a measurement by MIT, 90% of DNS requests take less than 1 second, 5% take around 1-5 seconds, and 5% take more than 5 seconds.
Reasons for latency: geographic distance, configuration.
Question: is the DNS cache helpful here?
Threat on availability
Attackers find a list of domain names that take a long time to resolve, then generate SIP requests containing these domain names.
Discussion: is the DNS cache helpful here?
Figure: the attacker sends SIP requests to the victim SIP proxy; each request forces a lookup at one of DNS server 1 ... DNS server n across the Internet, and the Internet latency of those lookups is the delay.
Threat on availability (2)
It depends on the implementation of the proxy.
Synchronous (the default in most cases): all resources become blocked. Discussion: is a parallel-process architecture helpful?
Asynchronous: discussion: is this mechanism helpful?
Figure: asynchronous processing pipeline: get new message -> message parsing -> message processing -> DNS request (wait for the DNS result from the DNS server) -> message saving -> message sending.
Threat on availability (3)
The attacking message: a SIP message containing the host name hard2resolve.domain.
The attacking rate of the attacking tool (r): how many attacking messages per second.
The delay time of a DNS request (ddns) for resolving hard2resolve.domain.
Parallel processes of the proxy: 4 and 16.
Threat on Availability (4)
Threat on Availability (5)
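The blocking effect described on the "Threat on availability" slides, as a constructed discrete-event model (an added example, not the author's measurement tool or the proxy used in the experiments). A synchronous proxy with N worker processes can absorb at most N/ddns slow-resolving messages per second before every worker is stuck waiting on DNS; the simulation counts how many legitimate messages then find no free worker. The arrival pattern (periodic), the 0.25 s spacing of legitimate messages, the FIFO queue for messages that arrive while all workers are busy, and the negligible service time of a legitimate message are my assumptions.

```python
"""Discrete-event model of a synchronous SIP proxy whose workers block on DNS.
Constructed example for the lecture slides; parameters r, ddns and the worker
counts 4/16 follow the slides, everything else is assumed."""
import heapq
from collections import deque


def saturation_rate(workers, ddns):
    """Attack rate (messages/s) at which all workers are permanently busy:
    each attack message holds one worker for ddns seconds (Little's law)."""
    return workers / ddns


def blocked_fraction(workers, ddns, attack_rate, duration, legit_interval=0.25):
    """Fraction of legitimate messages that arrive while every worker is
    blocked on a DNS lookup of the attacker's hard-to-resolve name.

    Attack messages arrive every 1/attack_rate s and hold a worker for ddns s;
    if no worker is free they wait in a FIFO queue. Legitimate messages arrive
    every legit_interval s and need ~0 s of work; they count as blocked when
    no worker is free at their arrival instant."""
    n_attack = int(duration * attack_rate)
    n_legit = int(duration / legit_interval)
    # kind 0 = attack, 1 = legitimate; on equal timestamps attack sorts first
    events = [(i / attack_rate, 0) for i in range(n_attack)]
    events += [(k * legit_interval, 1) for k in range(1, n_legit + 1)]
    events.sort()
    completions = []      # min-heap: times at which a busy worker frees up
    waiting = deque()     # attack messages queued because all workers were busy
    busy = 0
    blocked = 0
    for t, kind in events:
        # Release workers whose DNS lookup finished by time t; a queued attack
        # message immediately takes the freed worker for another ddns seconds.
        while completions and completions[0] <= t:
            done = heapq.heappop(completions)
            if waiting:
                waiting.popleft()
                heapq.heappush(completions, done + ddns)
            else:
                busy -= 1
        if kind == 0:
            if busy < workers:
                busy += 1
                heapq.heappush(completions, t + ddns)
            else:
                waiting.append(t)
        elif busy >= workers:
            blocked += 1
    return blocked / n_legit


if __name__ == "__main__":
    for workers in (4, 16):
        print("workers=%d saturates at r=%.2f msg/s for ddns=5 s"
              % (workers, saturation_rate(workers, 5.0)))
        for r in (0.5, 1.0, 2.0, 4.0):
            print("  r=%.1f blocked=%.2f" % (r, blocked_fraction(workers, 5.0, r, 60)))
```

With ddns = 5 s the thresholds are 0.8 msg/s for 4 processes and 3.2 msg/s for 16: above them the blocked fraction climbs to almost 1, below them it stays at 0, which is why adding processes only moves the threshold rather than removing the problem. A detection rule can use the same quantity directly: the number of workers currently waiting on DNS, or the count of distinct slow-resolving domains in recent INVITEs, is a cheap early indicator.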
Attacks using web server (1)
Figure: alice@kau.se calls bob@iptel.org. The INVITE passes from the kau.se SIP proxy across the Internet to the iptel.org SIP proxy; each domain also runs a web server.
INVITE sip:bob@iptel.org SIP/2.0
From: sip:alice@kau.se;tag=1b34514
To: sip:bob@iptel.org
Call-ID: 1-17912@193.11.155.22
CSeq: 1 INVITE
Contact: <sip:alice@kau.se>
Date: Sat, 16 Aug 2008 14:50:15 GMT
Downloading uses HTTP or HTTPS methods; a cache is needed in case of repeated downloading.
Discussion
Is there any similar vulnerability that can be exploited (similar to the previous example)? Availability? Integrity? Confidentiality?
Attacks using web server (2)
Figure: the same topology as in (1): alice@kau.se, the kau.se proxy, the Internet, the iptel.org proxy and web server, bob@iptel.org, now with an attacker added.
Attacks using web server (3)
Round trip time (RTT): the time between sending a SIP request and receiving its response.
Figure: two message sequences between the caller's proxy, the callee's proxy and the web server.
(a) The certificate of the caller's proxy has already been cached: SIP request -> SIP processing + verifying signature -> SIP response. There is no need to re-download the certificate.
(b) The certificate has not been cached: SIP request -> SIP processing -> downloading request to the web server -> downloading certificate -> verifying signature -> SIP response. The callee's proxy has to download it first.
Attacks using web server (4)
5 sample domains, 3 situations: (1) called recently; (2) not called recently, certificate downloaded through an HTTP connection; (3) not called recently, certificate downloaded through an HTTPS connection.
Attacks using web server (5)
Attacks using firewall
VoIP firewall? (The number of rules in a ruleset.)
An IDS analyzes the incoming traffic and updates the ruleset of the firewall automatically.
Detection operates at two layers, the network layer and the application (SIP) layer, so two kinds of rulesets are applied.
Throughput: no rules: 170 Mbps; 100 IP-layer rules: 130 Mbps; 20 SIP-layer rules: 70 Mbps.
Attacks using accounting database
Figure: message sequence involving the accounting database; only steps 5 (Alice -> 193.11.155.4) and 6 (OK) are legible.
Attacks using accounting database
SQL injection in SIP (contributed by the University of the Aegean)
Well-formed:
Authorization: Digest username="nick", realm="kau.se", algorithm="md5"
select password from subscriber where username='nick' and realm='kau.se';
Malformed:
Authorization: Digest username="nick'; drop table subscriber;--", realm="kau.se", algorithm="md5"
select password from subscriber where username='nick'; drop table subscriber;--
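The slide's two Authorization headers run against an in-memory SQLite table, as an added example (not from the slides or from any real SIP proxy): the query built by string concatenation executes the appended statement and the subscriber table disappears, while the parameterised query treats the whole username as data and simply finds no row. The Digest-header parser, the subscriber table with its single constructed row, and the use of executescript to stand in for a driver that accepts several statements are my assumptions.

```python
"""Vulnerable versus parameterised lookup of the SIP Digest username in the
accounting database. Constructed example for the lecture slides; the payload is
the slide's own, the table and the code are not from a real proxy."""
import re
import sqlite3


def parse_digest(header):
    """Key/value pairs of a 'Digest ...' Authorization header value. Values are
    taken verbatim from between the quotes, which is how injected text reaches
    the SQL layer untouched."""
    return {k: v for k, v in re.findall(r'(\w+)="((?:[^"\\]|\\.)*)"', header)}


def fresh_db():
    """Constructed accounting database with one subscriber."""
    db = sqlite3.connect(":memory:")
    db.execute("create table subscriber (username text, realm text, password text)")
    db.execute("insert into subscriber values ('nick', 'kau.se', 'secret')")
    return db


def table_exists(db, name):
    row = db.execute(
        "select 1 from sqlite_master where type='table' and name=?", (name,)
    ).fetchone()
    return row is not None


def build_query_unsafe(username, realm):
    """The slide's construction: the username is pasted into the SQL text."""
    return ("select password from subscriber where username='%s' and realm='%s'"
            % (username, realm))


def run_unsafe(db, username, realm):
    """Execute the concatenated query the way a driver that accepts multiple
    statements would (executescript mimics that; sqlite3's plain execute()
    would refuse the second statement, a driver quirk, not an application
    fix). Returns the SQL text that was executed."""
    sql = build_query_unsafe(username, realm)
    db.executescript(sql)
    return sql


def lookup_safe(db, username, realm):
    """Parameterised query: the username is bound as a value, so a quote or a
    semicolon inside it can never terminate the statement."""
    row = db.execute(
        "select password from subscriber where username=? and realm=?",
        (username, realm),
    ).fetchone()
    return row[0] if row else None


WELL_FORMED = 'Digest username="nick", realm="kau.se", algorithm="md5"'
MALFORMED = 'Digest username="nick\'; drop table subscriber;--", realm="kau.se", algorithm="md5"'


if __name__ == "__main__":
    good = parse_digest(WELL_FORMED)
    bad = parse_digest(MALFORMED)
    db = fresh_db()
    print("safe, well-formed  :", lookup_safe(db, good["username"], good["realm"]))
    print("safe, malformed    :", lookup_safe(db, bad["username"], bad["realm"]))
    print("table still there  :", table_exists(db, "subscriber"))
    print("unsafe SQL executed:", run_unsafe(db, bad["username"], bad["realm"]))
    print("table still there  :", table_exists(db, "subscriber"))
```

The fix is the same one as for any web application: never build the query from header text, bind every value as a parameter, and run the proxy's database account with no DROP privilege so that a missed injection point cannot destroy the subscriber table.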
Conclusions
External servers!
Figure: the same protocol stack as at the start: signaling (SIP, SDP), name resolution (DNS, ENUM), WWW (HTTP), AAA (RADIUS), media (RTP), NAT traversal (STUN), over TCP/UDP and IPv4/IPv6.
Questions?