59th DFN-Betriebstagung, Berlin, 15 October 2013
Distributed Monitoring of SIP-based Attacks
Prof. Dr.-Ing. Erwin P. Rathgeb, Dirk Hoffstadt, M.Sc., Adnan Aziz, M.Sc.
Networking Technology Group, Institute for Experimental Mathematics and Institute for Computer Science and Business Information Systems, University of Duisburg-Essen

Overview
- Introduction: SIP fraud and misuse scenarios; the multi-stage Toll Fraud scheme
- SIP misuse detection for forensic analysis: tools (SIP Trace Recorder and SIP Honeypots); clustering, from packets to attacks; a typical multi-stage attack example
- Distributed real-time SIP misuse detection: distributed sensor system overview; deployment options (hardware, software, virtual sensors)
Voice over IP: threats and misuse scenarios

Threat                              | Description                                                          | Goal
Flooding                            | Flood the device with VoIP protocol packets such as INVITE, OPTIONS  | Denial of Service (brute force)
Fuzzing                             | Send malformed messages to the system (e.g. PROTOS)                  | Denial of Service (exploit software vulnerabilities)
SPIT                                | Unwanted calls, often initiated automatically                        | Trick users into spending money or revealing secret information (phishing)
Registration Hijacking / Toll Fraud | Compromise a user account, make (toll) calls                         | Save money on toll calls; earn money from toll calls; make calls anonymously

- Denial of Service: generic threat, mitigation approaches known in principle (overload control, rigorous programming)
- SPIT: adaptation of a generic threat; mitigation based on signalling (SPIT filter) or on media (voice recognition and analysis)
- Registration Hijacking / Toll Fraud: novel, specific threat with high damage potential (financial, legal)

State of SIP misuse
[Figure: attacks monitored by a PBX vendor, data from 01/2011]
Benefit/cost for VoIP attacks: attacker module for lab tests
- Registration Hijacking: SIPvicious toolbox
  - svmap: scan for SIP registrars
  - svwar: scan for active extensions
  - svcrack: password scan
- Denial of Service: SIP-INVITE flooder, performs a DoS attack with SIP INVITEs
- SPIT generator: Asterisk software PBX with call files
  - Generates SPIT calls with a freely configurable announcement
  - Call file extension for phishing: records the answers

Common SIP misuse scenario: multi-stage scheme for Toll Fraud
- Toll Fraud is particularly attractive: immediate financial benefit, caller anonymization; it is the predominant misuse scheme at the moment
- Basic scheme:
  - Stage 1: find SIP server (Server Scan)
  - Stage 2: find active extensions (Extension Scan)
  - Stage 3: crack password (Registration Hijacking)
  - Stage 4: make calls using the victim's account (Toll Fraud)
Common SIP misuse scenario, Stage 1: Server Scan
[Figure: an attacker anywhere on the Internet sends OPTIONS to company SIP servers; active servers answer 200 OK]
- Attacker sends SIP OPTIONS messages to detect active SIP servers in a network
- SIP packets from one source IP address directed to multiple targets
- Scan behaviour: 1 to 96 OPTIONS messages per server
- Variations by using other SIP messages (e.g. INVITE)
- Result: list of active SIP servers

Common SIP misuse scenario, Stage 2: Extension Scan
[Figure: REGISTER for extensions 100, 250, 251, 252; the server answers "Not Found" for non-existent extensions and "Unauthorized" for existing ones]
- Attacker sends multiple SIP REGISTER messages to detect active user accounts / extensions
- The differing responses (404 Not Found for an unknown extension versus 401 Unauthorized for an existing one) reveal which extensions exist
- SIP packets from one source IP address directed to one target host (SIP server), with different extensions / account names
- Scan behaviour: 1 to 40,000 REGISTER messages per server
- Result: list of active extensions / user accounts
Common SIP misuse scenario, Stage 3: Registration Hijacking
[Figure: REGISTER for extension 250 with guessed passwords; a wrong guess (1234) is answered with "Forbidden", the correct password (2244) with 200 OK]
- Attacker sends multiple SIP REGISTER messages to guess the password
- Successful attack: the server sends a 200 OK message
- SIP packets from one source IP address directed to one target host and one extension
- Scan behaviour: up to 13 million messages per extension
- Result: valid credentials for an active extension

Common SIP misuse scenario, Stage 4: Toll Fraud
[Figure: the attacker registers at 250@company.de with password 2244 and places chargeable calls (abroad, 0900, mobile)]
- Attacker registers at a previously cracked extension
- Attacker sends INVITE messages to establish Toll Fraud calls: chargeable calls to foreign or premium numbers
- Toll Fraud can cause the account owner substantial financial damage
- Result: calls via the victim's account
SIP misuse detection tools: SIP Trace Recorder
[Figure: the STR, attached to a monitoring port, sees all traffic between the Internet and the target subnet and stores it in the STR database]
- SIP Trace Recorder (STR): passive SIP monitoring and logging
- Stateful correlation, e.g. CDR generation
- Detection of successful attacks
- Optional privacy preservation
- Deployment in production networks
- Focus: statistical attack analysis

SIP misuse detection tools: SIP Trace Recorder and SIP Honeypots
[Figure: target network without active VoIP components, containing full interaction and low interaction honeypots; STR on the monitoring port; evaluation and presentation on top of the STR database]
- SIP Trace Recorder (STR): as above
- Full interaction SIP honeypot: extended SIP server with logging function; full SIP functionality (call handling, media handling); focus: detailed forensic analysis
- NEW: low interaction SIP honeypot: script based, low resource utilization, high flexibility, limited SIP functionality; focus: dynamic experiments
- Evaluation and presentation: consolidation of all attack data, automated data collection, flexible analysis capabilities, various views on the data, attack clustering, web-based GUI
SIP misuse detection results: honeypot vs. SIP Trace Recorder
[Figure: captured SIP messages per month on a log scale (1 to 10,000,000), Dec 2009 to Jan 2012; honeypot monitoring and STR monitoring plotted separately, with the peak marked "New Honeypot"]
- From 2009 until November 2010: only the SIP honeypots were operated and monitored, without global monitoring
- From December 2010 until now: STR installed to monitor complete subnets
  - Substantial increase in the number of captured SIP messages
  - Detection accuracy for multi-stage attacks significantly improved
- On 17 May a new honeypot was set up, resulting in a massive peak

SIP Trace Recorder results: network without active SIP components
[Figure: amount of SIP messages per month on a log scale for Network A and Network B]
- All traffic in the network is generated by Server Scans used to detect SIP-capable devices
- Attackers continuously search for SIP devices throughout the Internet
SIP Trace Recorder results: network with active SIP components
[Figure: amount of SIP messages per month on a log scale for Network A and Network B]
- The fraction of Server Scan packets in a network with a SIP server is rather low and can be traced back to occasional scans
- The majority of messages in network A belongs to Registration Hijacking attacks
- Attackers directly attack the SIP devices in network A and do not scan the network repeatedly to obtain the addresses

SIP Trace Recorder: evaluation and presentation web interface
[Screenshot: filter options, geolocation analysis, SIP messages per day, user agent analysis]
SIP misuse detection, clustering: from packets to attacks
- Server Scan: different destination IP addresses, extension 100, SIP method OPTIONS
- Extension Scan: same source IP address, different extensions, SIP method REGISTER
- Registration Hijacking: same source IP address, same extension, different credentials, SIP method REGISTER
- Toll Fraud: same source IP address, known honeypot extension, SIP method INVITE
- From counting packets to analysing attacks: an alternative view on the collected data, to identify and analyse attack variants

Attack instances and messages per stage and month:

Month   | Server Scan (OPTIONS) | Extension Scan (REGISTER) | Reg. Hijacking (REGISTER) | Toll Fraud (INVITE)
        | attacks | messages    | attacks | messages        | attacks | messages        | attacks | messages
2011-01 |     187 |  98,483     |       0 |        0        |       1 |    136,081      |       1 |    221
2011-02 |     274 |  96,648     |       9 |   16,379        |       6 |     45,954      |       1 |    116
2011-03 |     241 | 103,666     |     127 |   92,740        |      25 |    125,151      |       3 |     64
2011-04 |     344 | 167,604     |       6 |       89        |       5 |        158      |       1 |    176
2011-05 |     238 |  79,243     |      10 |   35,280        |       7 |  9,603,316      |       1 |  1,032
2011-06 |     171 |  50,623     |       9 |   14,541        |       8 | 13,963,419      |       1 |     10
2011-07 |      70 |  71,078     |       6 |   27,482        |      40 | 10,483,106      |       8 |    684
2011-08 |      56 |  72,889     |       1 |   12,890        |      20 |    772,207      |       1 |    542
2011-09 |      35 |  93,441     |      10 |  108,247        |     148 |  3,243,164      |      13 | 10,506
2011-10 |      56 |  70,773     |       2 |   16,487        |       7 |    228,572      |      12 | 19,571
2011-11 |      55 |  85,012     |      42 |  196,356        |     146 |  2,259,409      |      31 |  9,195
2011-12 |      45 | 118,823     |       9 |   70,223        |      43 |    588,468      |      21 |  6,613
2012-01 |      32 | 102,204     |      36 |  301,491        |      33 |  3,037,620      |      15 |    358

SIP misuse detection results: attack stage patterns
[Figure: cumulative distribution function of attacks over the number of SIP messages per attack (log scale, 1 to 10,000,000), one curve each for Server Scan, Extension Scan, Registration Hijacking and Toll Fraud]
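The four clustering criteria above, as an added example in Python (not the STR's own code): captured SIP requests are grouped into attack instances per stage and counted the way the table does. Addresses, extensions, the request text and the threshold `min_targets` are constructed assumptions.

```python
"""Added example (not the STR's own code): cluster captured SIP requests into
attack instances per stage, following the four criteria on this slide.
Addresses, extensions and messages are constructed sample data."""
from collections import defaultdict
import re

USER_RE = re.compile(r"sip:([^@>;]+)@")
DIGEST_RE = re.compile(r'response="([0-9a-fA-F]+)"')


def parse_sip(raw):
    """Return (method, headers) of a SIP request; header names lower-cased."""
    lines = raw.strip().splitlines()
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, headers


def sip_user(uri):
    """User part of the SIP URI inside a header value (None if absent)."""
    m = USER_RE.search(uri or "")
    return m.group(1) if m else None


def credential(headers):
    """One credential attempt: the digest response, None when no Authorization."""
    m = DIGEST_RE.search(headers.get("authorization", ""))
    return m.group(1) if m else None


def cluster_attacks(captures, honeypot_extensions, min_targets=2):
    """Group (src_ip, dst_ip, raw_request) captures into attack instances.

    Returns {stage: {"attacks": n, "messages": m}}. min_targets is an assumed
    threshold: a scan needs that many distinct servers or extensions."""
    options_by_src = defaultdict(list)    # src -> destination IPs
    register_by_key = defaultdict(list)   # (src, dst, extension) -> credentials
    invites = []                          # (src, calling extension)
    for src, dst, raw in captures:
        method, h = parse_sip(raw)
        if method == "OPTIONS":
            options_by_src[src].append(dst)
        elif method == "REGISTER":
            register_by_key[(src, dst, sip_user(h.get("to")))].append(credential(h))
        elif method == "INVITE":
            invites.append((src, sip_user(h.get("from"))))

    stages = ("server_scan", "extension_scan", "registration_hijacking", "toll_fraud")
    result = {s: {"attacks": 0, "messages": 0} for s in stages}

    # Server Scan: one source sends OPTIONS to several destination addresses.
    for dsts in options_by_src.values():
        if len(set(dsts)) >= min_targets:
            result["server_scan"]["attacks"] += 1
            result["server_scan"]["messages"] += len(dsts)

    # Registration Hijacking: one source, one extension, changing credentials.
    # The other REGISTERs of a (src, dst) pair form an Extension Scan when they
    # probe several extensions.
    scan_by_pair = defaultdict(lambda: [set(), 0])
    for (src, dst, ext), creds in register_by_key.items():
        if len(set(creds)) >= 2:
            result["registration_hijacking"]["attacks"] += 1
            result["registration_hijacking"]["messages"] += len(creds)
        else:
            scan_by_pair[(src, dst)][0].add(ext)
            scan_by_pair[(src, dst)][1] += len(creds)
    for exts, count in scan_by_pair.values():
        if len(exts) >= min_targets:
            result["extension_scan"]["attacks"] += 1
            result["extension_scan"]["messages"] += count

    # Toll Fraud: INVITEs whose From user is a (cracked) honeypot extension.
    fraud = defaultdict(int)
    for src, ext in invites:
        if ext in honeypot_extensions:
            fraud[(src, ext)] += 1
    result["toll_fraud"]["attacks"] = len(fraud)
    result["toll_fraud"]["messages"] = sum(fraud.values())
    return result


def sip_request(method, to_user, host, from_user=None, digest=None):
    """Constructed minimal SIP request used as sample input."""
    from_user = from_user or to_user
    lines = [f"{method} sip:{to_user}@{host} SIP/2.0",
             f"From: <sip:{from_user}@{host}>;tag=1",
             f"To: <sip:{to_user}@{host}>",
             f"CSeq: 1 {method}"]
    if digest:
        lines.append(f'Authorization: Digest username="{to_user}", response="{digest}"')
    return "\n".join(lines)


SRV = "198.51.100.2"
SAMPLE = (
    [("203.0.113.5", f"198.51.100.{i}", sip_request("OPTIONS", "100", f"198.51.100.{i}")) for i in (1, 2, 3)]
    + [("203.0.113.5", SRV, sip_request("REGISTER", ext, SRV)) for ext in ("100", "101", "102")]
    + [("203.0.113.5", SRV, sip_request("REGISTER", "250", SRV, digest=d)) for d in (None, "a1b2", "c3d4")]
    + [("203.0.113.9", SRV, sip_request("INVITE", num, SRV, from_user="250")) for num in ("0900123456", "0041791234567")]
    + [("192.0.2.20", SRV, sip_request("INVITE", "101", SRV, from_user="300"))]   # legitimate call, not counted
)

if __name__ == "__main__":
    for stage, c in cluster_attacks(SAMPLE, {"250"}).items():
        print(f"{stage:24s} attacks={c['attacks']:3d} messages={c['messages']:4d}")
```

The honeypot extension set is what turns an ordinary INVITE into a Toll Fraud instance; without it the fourth stage is indistinguishable from legitimate calls, which is why the slide ties Toll Fraud to a "known honeypot extension".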
SIP misuse detection results: attack tools used (share of messages per stage, by User-Agent)

User Agent        | Server Scan | Ext. Scan | Reg. Hij. | Toll Fraud
friendly-scanner  |   40.9331%  |  99.9950% |  99.9999% |     -
sundayddr         |   58.3421%  |     -     |     -     |     -
Asterisk PBX      |       -     |     -     |     -     |   7.5429%
SIPPER for Phoner |       -     |     -     |     -     |  26.4444%
Eyebeam/X-Lite    |       -     |     -     |     -     |  14.5568%
Known softphones  |       -     |     -     |     -     |  21.9452%
Others            |    0.7248%  |   0.0050% |   0.0001% |  29.5107%

- Analysis based on packet count alone only shows that 98% of the messages are generated by SIPvicious (User-Agent "friendly-scanner") and related implementations
- Cluster-based analysis: sundayddr is strictly a server scanning tool; SIPvicious is the only tool currently used for multi-stage attacks
- Toll Fraud attempts are performed using popular SIP softphones (e.g. Eyebeam, X-Lite, SIPPER) or the open source PBX Asterisk
- Asterisk PBX: automated calls by using scripts, without human interaction

SIP misuse detection results: improved attack stage correlation
Typical example attack, detected with the dynamic low interaction honeypot (508,643 SIP messages in total, three source IPs: XXX.134.235.220, XXX.98.11.143, XXX.157.28.97):
- Server Scan: 1,420 messages, 2012-09-18 03:15:59
- Extension Scan: 2,751 messages, 2012-09-18 03:17:04
- Registration Hijacking: 504,069 messages, from 2012-09-18 03:20:56 (about 5 minutes after the server scan); the stage is marked with a duration of 28 hours; attack successful
- Toll Fraud attempt 1: 162 calls, 2012-09-20 07:22:45
- Toll Fraud attempt 7: 130 calls, 2012-09-23 10:21:46 (3 days later)
- Toll Fraud calls are launched after a significant period of time and originate from different IP addresses than the scans
Paper: Improved Detection and Correlation of Multi-Stage VoIP Attack Patterns by using a Dynamic Honeynet System, IEEE ICC 2013, June 2013
SIP misuse detection results: identification of attack variations
- Input: data collected by the STR and the SIP honeypot system; more than 90 million SIP messages, collected between 12/2009 and 12/2012
- Method: message clustering; map packets to attack instances and attack stages; compare instances of the same attack stage based on IP and SIP header information and on the number of messages and timing
- Results: classification of major attack variants (Server Scan: 7, Extension Scan: 2, Registration Hijacking: 2, Toll Fraud: 3); a significant number of minor variations identified
- Attackers start to modify the code of attack tools to camouflage attacks (more softphone-like behaviour)

Generic Attack Replay Tool (GART): set of attack samples with broad coverage
- Replays real attack samples in arbitrary networks
- Can be used to test and calibrate detection and mitigation algorithms and components
- Comprehensive set of attack variants based on the overall STR database (> 40 GB of data, currently 5684 attack samples in total)
- Extraction of one typical sample per attack variant (stage 1 to stage 4 variations) into a reduced SQLite database: fast, lightweight, broad coverage, set of sample attacks configurable
- Built using Java, platform independent
Generic Attack Replay Tool (GART), continued
- Mapping of relevant header values according to the local network: to send the attack traffic to the local SIP server and to receive the responses at the sender
- Attack data characteristics are preserved: time stamps, sequence of packets
- Minimum configuration effort
- Functional test was successful
Paper: Development and Analysis of Generic VoIP Attack Sequences Based on Analysis of Real Attack Traffic, IEEE TrustCom, July 2013

BMBF project SUNsHINE: fraud and misuse detection and mitigation for VoIP networks
- 4 partners, 4 associated partners
- 2-year project, ended April 2013 (plus a 3-month extension)
- Homepage: http://www.sunshineproject.net/
SUNsHINE architecture
[Figure: architecture overview]

Real-time SIP misuse detection: security system
[Figure: attacker, firewall, sensor with low interaction honeypot plugin, Sensor Central Service (SCS), 0900 callee]
- Sensor: misuse detection
  - Passive behaviour
  - Different environments: PBX, router, home gateways
  - Detection by using attack signatures, dynamically loadable
  - Standalone sensor with low interaction honeypot plugin
- Sensor Central Service (SCS)
  - Aggregation of sensor alerts, based on SCS rules
  - Sensor management, attack signature management
  - Interface to mitigation components
Real-time misuse detection and mitigation: security system, mitigation interface
[Figure: the sensor (with low interaction honeypot plugin) sends an alert to the SCS, which notifies the firewall between the attacker and the 0900 callee]

Real-time misuse detection and mitigation: security system, mitigation interface (2)
[Figure: as above, with the SCS additionally feeding the erbl component]
Sensor: monitoring overview
- Rule-based attack detection and reporting of misuse in SIP-based networks
- Light-weight software component for different hardware and software platforms; implemented in C++ using libpcap [1], a Java version is also available
- Input data: network interface, PCAP file, socket
- SIP traffic analysis: the sensor receives all traffic that is sent to any of the honeypots
- The process of misuse detection and reporting is separated into three phases (components: rules, listener, message queue, analyzer, notification):
  1. Capturing and filtering of SIP messages
  2. Analysis of SIP messages: recognize sequences of SIP messages that are characterized by pre-defined rules
  3. Report information (e.g. source IP, signature ID) about detected attacks to the Sensor Central Service via a secure interface

Sensor: monitoring rules (XML)
- Different attack types and variations are defined as XML sensor rules, e.g. Registration Hijacking
- Each rule defines a specific pattern of SIP messages and timing conditions
- Analysis based on signatures:
  - Timing conditions
  - IPv4 information: source IP, destination IP and ports
  - SIP request / SIP response
  - SIP header fields, e.g. From, To, Via, Contact, Call-ID, CSeq
  - Comparison of different header values (equal, not equal) within the received SIP messages
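The analysis phase and the rule elements listed above, as an added example (not the SUNsHINE sensor's C++ code and not its XML schema, which the slides do not show): a rule names the SIP method, the header fields that must be equal across a sequence, the fields that must differ, a threshold and a time window; the analyzer keeps per-flow state and emits a report with the fields of the sensor report format. The Registration Hijacking rule values (signature ID 3, five distinct credentials within 60 seconds), the sensor ID and the messages are constructed assumptions; the messages are already parsed, as the listener would hand them to the analyzer.

```python
"""Added example (not the SUNsHINE sensor's own code): the analyzer phase of
the sensor in Python. Rule values, sensor ID and messages are assumptions and
constructed sample data."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    signature_id: int
    version: int
    method: str       # SIP request method the rule applies to
    equal: tuple      # header fields that must be identical across the sequence
    not_equal: tuple  # header fields whose values must differ
    threshold: int    # distinct values of the not_equal fields that trigger a report
    window: float     # timing condition in seconds


# Registration Hijacking: REGISTERs for the same To with changing credentials.
REG_HIJACKING = Rule(signature_id=3, version=1, method="REGISTER",
                     equal=("to",), not_equal=("authorization",), threshold=5, window=60.0)


class Analyzer:
    def __init__(self, rules, sensor_id):
        self.rules = rules
        self.sensor_id = sensor_id
        # (signature id, src ip, dst ip) -> recent messages of the rule's method
        self.state = defaultdict(deque)

    def feed(self, msg):
        """Consume one parsed message and return the reports it triggers."""
        reports = []
        for rule in self.rules:
            if msg["method"] != rule.method:
                continue
            key = (rule.signature_id, msg["src_ip"], msg["dst_ip"])
            recent = self.state[key]
            while recent and msg["ts"] - recent[0]["ts"] > rule.window:  # timing condition
                recent.popleft()
            recent.append(msg)
            h = msg["headers"]
            same = [m for m in recent if all(m["headers"].get(f) == h.get(f) for f in rule.equal)]
            distinct = {tuple(m["headers"].get(f) for f in rule.not_equal) for m in same}
            if len(distinct) >= rule.threshold:
                reports.append(self.report(rule, msg))
                recent.clear()  # one report per burst, then start over
        return reports

    def report(self, rule, msg):
        """Report fields as sent to the central service (extended header values omitted)."""
        return {"sensor_id": self.sensor_id, "signature_id": rule.signature_id,
                "signature_version": rule.version, "timestamp": msg["ts"],
                "source_ip": msg["src_ip"], "source_port": msg["src_port"],
                "destination_ip": msg["dst_ip"], "destination_port": msg["dst_port"]}


def register(ts, src_ip, to_user, digest, dst_ip="198.51.100.2"):
    """Constructed, already parsed REGISTER as the listener would queue it."""
    auth = None if digest is None else f'Digest username="{to_user}", response="{digest}"'
    return {"ts": ts, "src_ip": src_ip, "src_port": 5060, "dst_ip": dst_ip, "dst_port": 5060,
            "method": "REGISTER",
            "headers": {"to": f"<sip:{to_user}@{dst_ip}>", "authorization": auth}}


SAMPLE = [
    register(0.0, "203.0.113.5", "250", None),      # first attempt carries no credentials
    register(0.5, "192.0.2.20", "101", "f00d"),     # legitimate phone
    register(1.0, "203.0.113.5", "250", "0001"),
    register(2.0, "203.0.113.5", "250", "0002"),
    register(3.0, "203.0.113.5", "250", "0003"),
    register(3.5, "192.0.2.20", "101", "f00d"),     # re-registration with the same credentials
    register(4.0, "203.0.113.5", "250", "0004"),    # fifth distinct credential: report
    register(200.0, "203.0.113.5", "250", "0005"),  # outside the window: no report
]


def run(messages, rules=(REG_HIJACKING,), sensor_id="sensor-01"):
    analyzer = Analyzer(rules, sensor_id)
    return [r for m in messages for r in analyzer.feed(m)]


if __name__ == "__main__":
    for r in run(SAMPLE):
        print(r)
```

Counting distinct credential values rather than raw REGISTER messages is what keeps a phone that re-registers every 30 seconds with the same credentials from matching the rule, while a cracker that rotates passwords is reported as soon as the threshold is reached.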
Sensor Central Service: architecture / mode of operation
[Figure: sensors send reports via the Sensor-SCS Interface (SSI) to the Controller Process (SCP), which stores them in the database; the Worker Process (WP) analyses the reports against the SCS rules and stores notifications; the Notification Process (NP) passes actions to the mitigation components (erbl service) via the SCS Notification Interface (SNI); management handles configuration, rules and status]

Sensor monitoring: deployment options
- Software installation in network devices: PBXs, FritzBox, router
- VMware virtual machine: guest OS Ubuntu 12.04 LTS or Debian Linux 7.1; 2 network interfaces (capturing and management)
- Standard PC or server with Ubuntu 12.04 LTS; 2 network interfaces (capturing and management)
- ALIX system boards or Raspberry Pi: OS Debian Linux 7.1; up to 3 network interfaces (e.g. bridging, plus honeypot, standalone)
- Optional: honeypot plugin
- Virtual sensor: one central sensor / honeypot; traffic captured on multiple remote interfaces and tunneled to the sensor; answer packets tunneled back to the originating interfaces
Distributed system: current NorNet setup
[Figure: SCS virtual machine at Simula; attacker on the Internet; SIP honeypot sensors with interfaces I1/I2 at Simula, NTNU, Universitetet i Tromsø (129.242.157.228), Universitetet i Bergen (158.37.6.195) and University of Duisburg-Essen (132.252.152.105, 89.246.242.228)]

Distributed system overview: Sensor-SCS Interface (SSI)
- Each sensor is connected to the SCS: sensor ID, secret, MAC address, location info
- TLS secured (HTTPS) with server certificate check
- Status updates and keep-alive messages
- Auto provisioning, managed and controlled by the SCS: configuration, signatures
- SIP traffic analysis based on the sensor signatures
- Report generator: sends reports to the SCS according to the sensor signature settings; fields: source IP, destination IP, signature ID, sensor ID, timestamp, source port, destination port, signature version
- Optional: extended reports with pre-defined SIP header values
Distributed sensor system: Sensor Central Service overview
- Management: sensor configuration; signatures (web editor or XML file); sensor <-> signature mapping; status, report and statistics presentation; central logging
- SCS features:
  - Receives sensor reports via the Sensor-SCS Interface (SSI)
  - Central MySQL database: reports, signatures, SCS rules, sensor configurations, status, etc.
  - Analysis based on SCS rules, depending on sensor ID and signature ID; PHP script logic with pre-defined variables and result values
  - Notification interface to mitigation components; up to three different actions per SCS rule: erbl, firewall, alert, PBX notification

Sensor Central Service: management website
[Screenshot]
Distributed system: the NorNet approach
- Physically distributed sensors at different sites in the Internet: deployment of hardware or installation of software required; local management necessary; privileged access to the network interfaces required
- Virtually distributed sensors (NorNet approach):
  - One central sensor only (in Essen, Germany)
  - Distributed NorNet nodes capture the input traffic
  - GRE tunnel(s) between each node and the central sensor
  - Filters TCP/UDP traffic on port 5060
  - Traffic redirection to the central sensor by using DNAT via the GRE tunnels
  - Reverse direction is realized by routing policies
- Pros: no software component on productive systems (no influence); easy to manage, a single sensor
- Cons: more bandwidth required in contrast to the distributed approach; possible delays

Distributed system: first NorNet results (01.09.-12.09.2013)

Node IP     | Node Name          | Number of Reports
172.31.1.1  | Simula             |  57518
172.31.1.2  | Simula             |    344
172.31.4.1  | Uni Tromsø         |      3
172.31.42.1 | UDE                |     73
172.31.42.2 | UDE                |    144
172.31.5.1  | Uni Stavanger      |     67
172.31.6.1  | Uni Bergen         |  24839
172.31.8.1  | Høgskolen i Narvik |      8
172.31.9.1  | NTNU               |      1
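The NorNet plumbing described above (GRE tunnel per node, DNAT of port 5060 towards the central sensor, reverse direction by policy routing), as an added example that is not the project's own configuration: the functions generate the iproute2/iptables commands for one node and for the matching tunnel on the central sensor, and `apply` prints or executes them. Interface names, the public addresses, the /30 tunnel addresses (chosen to resemble the 172.31.x.y node addresses in the results table) and the routing table number are assumptions.

```python
"""Added example (not SUNsHINE/NorNet code): commands for a virtually
distributed sensor. A NorNet node DNATs SIP (TCP/UDP 5060) into a GRE tunnel
towards the central sensor; the central sensor sends answers back through the
same tunnel by a per-tunnel policy route so that the node's conntrack can undo
the DNAT. Addresses, interface and table names are assumptions."""
import subprocess

SIP_PORT = 5060


def node_commands(node_public, central_public, node_inner, central_inner, ext_if, tun="gre-sensor"):
    """Commands (argv lists) for a NorNet node that forwards SIP to the central sensor."""
    cmds = [
        ["ip", "tunnel", "add", tun, "mode", "gre", "local", node_public, "remote", central_public, "ttl", "64"],
        ["ip", "addr", "add", f"{node_inner}/30", "dev", tun],
        ["ip", "link", "set", tun, "up"],
        ["sysctl", "-w", "net.ipv4.ip_forward=1"],
    ]
    for proto in ("udp", "tcp"):
        # Only SIP signalling is redirected; all other traffic stays on the node.
        cmds.append(["iptables", "-t", "nat", "-A", "PREROUTING", "-i", ext_if, "-p", proto,
                     "--dport", str(SIP_PORT), "-j", "DNAT", "--to-destination", central_inner])
        cmds.append(["iptables", "-A", "FORWARD", "-i", ext_if, "-o", tun, "-p", proto,
                     "--dport", str(SIP_PORT), "-j", "ACCEPT"])
    # Answers return through the tunnel; conntrack restores the node's public
    # address as source before they leave on ext_if (reverse of the DNAT).
    cmds.append(["iptables", "-A", "FORWARD", "-i", tun, "-o", ext_if, "-m", "conntrack",
                 "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"])
    return cmds


def central_node_commands(central_public, node_public, central_inner, node_inner, table, tun):
    """Commands on the central sensor for the tunnel of one node."""
    return [
        ["ip", "tunnel", "add", tun, "mode", "gre", "local", central_public, "remote", node_public, "ttl", "64"],
        ["ip", "addr", "add", f"{central_inner}/30", "dev", tun],
        ["ip", "link", "set", tun, "up"],
        # Attacker source addresses arrive through the tunnel, which strict
        # reverse-path filtering would drop; use loose mode on the tunnel.
        ["sysctl", "-w", f"net.ipv4.conf.{tun}.rp_filter=2"],
        # Reverse direction by policy routing: whatever the honeypot sends from
        # this tunnel's inner address must leave through this tunnel.
        ["ip", "rule", "add", "from", central_inner, "lookup", str(table)],
        ["ip", "route", "add", "default", "via", node_inner, "dev", tun, "table", str(table)],
    ]


def apply(cmds, dry_run=True):
    """Print each command; execute it as well (root required) when dry_run is False."""
    for argv in cmds:
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    apply(node_commands("192.0.2.10", "198.51.100.1", "172.31.6.1", "172.31.6.2", "eth0"))
    apply(central_node_commands("198.51.100.1", "192.0.2.10", "172.31.6.2", "172.31.6.1", 106, "gre-bergen"))
```

Each node gets its own tunnel and its own inner address on the central sensor, so the sensor can still tell the capturing site apart by the destination address even though every packet is delivered to the same machine; the honeypot on the central sensor has to listen on all of those inner addresses.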
VoIP fraud and misuse detection: conclusions
- SIP devices on the Internet are constantly scanned and attacked; significant damage is possible
- Flexible and powerful attack tools are readily available for download (SIPvicious)
- Local monitoring over several years: development of sophisticated monitoring tools, analysis of attack traffic
- Distributed monitoring is required to get a global view
- Distributed sensor system: several sensors deployed around Germany; NorNet adds a significant number of additional monitoring points
- Technical details and live demos in the VoIP session
- Cooperation with DFN would be highly appreciated: deployment of hardware/software/virtual sensors