Denial of Services on SIP VoIP infrastructures
Ge Zhang, Karlstad University, ge.zhang@kau.se 1
Outline Background Denial of Service attack using DNS Conclusion 2
VoIP
What is VoIP?
What is its advantage? Cost, integration, easy-to-use.
What is its disadvantage? Reliability (no emergency call with Skype (or other VoIP)!), quality of service, security. 3
Session Initiation Protocol (SIP)
SIP: a signalling protocol for creating, modifying and terminating VoIP sessions.
SIP network elements: User Agents (UA), Proxy Server, Registrar, Location Server.
Modeled on HTTP; a user identity is similar to an email address (e.g., sip:nick@kau.se). 4
Where's SIP? (protocol stack)
Application: SIP, SDP, RTP, DNS (SRV)
Transport: TCP, UDP
Network: IP
Physical/Data Link: Ethernet 5
SIP call flow (diagram): Alice@lidl.de (domain lidl) calls Bob@ica.se (domain ica). The INVITE for Bob@ica.se goes to Alice's proxy, which queries DNS for the ica domain and forwards the INVITE across the internet to the ica proxy; that proxy consults its location server and delivers the INVITE to Bob. 200 OK travels back along the same path, Alice answers with ACK, and the RTP session then runs between Alice and Bob. 6
Background (SIP message)
INVITE sip:bob@ica.se SIP/2.0
Via: SIP/2.0/UDP workstation1000.lidl.de
From: sip:alice@lidl.de; tag=1b34283
To: sip:bob@ica.se
Call-Id: 1-15673@193.11.155.22
Cseq: 1 INVITE
Contact: <sip:alice@workstation1000.lidl.de>
Date: Sat, 16 Aug 2008 11:50:15 GMT
Content-Type: application/sdp
Content-Length: 154

v=0
o=alice 2891234526 2891234526 IN IP4 workstation1000.lidl.de
s=let us talk for a while
c=IN IP4 138.85.27.10
t=0 0
m=audio 20002 RTP/AVP 0 7
Outline Background Denial of Service attack using DNS Conclusion and future works 8
DNS flooding (DNS usage): the INVITE from slide 7 again; before the proxy can forward it, it has to resolve the callee's domain (ica.se) through DNS. 9
DNS usage (diagram): a message reaches the SIP proxy, is authenticated, its domain name is resolved by querying the DNS server, and processing then continues. 10
DNS flooding (objective of DoS) (diagram): as on slide 10, but the proxy is left waiting for the DNS server's reply during domain name resolution, so the proxy is blocked. 11
DNS flooding (diagram): the DNS hierarchy a lookup walks through: the root, the top-level servers (com, de, net, se), the domain servers (lidl, ica) and finally the users alice, tom and bob. 12
DNS flooding (Malicious request): the same INVITE layout as on slide 7, used as the malicious request; every such request makes the proxy resolve the callee's domain through DNS. 13
Test bed
A SIP proxy (SER, outgoing proxy), a DNS server, an attacking tool, 100 external SIP providers.
User Agents (SIPp): a SIP traffic generator tool.
Diagram: the UA (SIPp) sends through SER (outgoing proxy), which uses the DNS server and reaches the SIP providers over the Internet; the attacking tool's requests are marked unresolvable. 14
Solution 1: Increasing Parallel Processes of the proxy (diagram): a message scheduler hands incoming messages to Process 1, Process 2, ..., Process n; each process performs the DNS lookup and then forwards the message. 15
Result of Solution 1 (chart): messages replied (0 to 5000) against attacking interval (0 to 1 s) for n = 2, 4, 8, 16, 32, 64. 16
Solution 2: Asynchronous Scaling through Message Processing Interruption 17
Result of Solution 1 18
Solution 3 (diagram): as on slide 10, but a DNS cache sits between domain name resolution and the external DNS server, so the proxy consults the cache before forwarding a query to the DNS server. 19
Blocked - example (diagram): for example, n = 4. Process 1 to Process 4 are all waiting on the DNS server, so the SIP proxy is blocked even though it has a DNS cache. 20
Cache Solution
How to detect the attack? (n is the number of parallel processes)

$S_q(t) = \begin{cases} 1, & \text{a domain resolve call in process queue } q \text{ has not returned at time } t \\ 0, & \text{otherwise} \end{cases}$

$H = \sum_{q=1}^{n} S_q(t)$

Hence the proxy will absolutely be blocked at time $t$ when $H = n$.

How to prevent being blocked? Keep 1 emergency process: whenever $H \geq n - 1$, alarm! The next DNS request will not be forwarded to the external DNS server; instead it will only be looked up in the cache and replied to immediately. 21
Unblock Solution - example (diagram): for example, n = 4. Occupied processes: $H \geq n - 1$ (3 $\geq$ 4 - 1). Process 1 to Process 3 are waiting on the DNS server; Process 4 is the emergency process and answers from the DNS cache. 22
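The detection rule and the emergency process from the two slides above, as an added tick-based model (not code from the slides or from the SER proxy); the traffic mix, the 30-tick DNS timeout and the domain names are constructed:

```python
from collections import deque

class ProxyModel:
    """Tick-based model of the proxy on slides 20-22: n parallel processes, a DNS
    cache, and the DADP rule that raises the alarm once H >= n - 1 so the last
    free process answers from the cache only instead of waiting on DNS."""

    def __init__(self, n, resolvable, dns_delay=1, timeout=30, dadp=True):
        self.n, self.dadp = n, dadp
        self.resolvable = set(resolvable)   # names the external DNS can answer
        self.dns_delay, self.timeout = dns_delay, timeout  # ticks per lookup / per failed lookup
        self.cache = set()                  # names already resolved: no DNS round trip
        self.pending = []                   # (return tick, domain) per process waiting on DNS
        self.queue = deque()                # messages with no free process yet
        self.replied = 0                    # messages answered (the slides' metric)
        self.emergency = 0                  # answered by the cache-only emergency process

    def H(self, t):
        # H = sum_q S_q(t), S_q(t) = 1 while process q's resolve call has not returned
        return sum(1 for done, _ in self.pending if done > t)

    def step(self, t, arrivals):
        for done, domain in self.pending:   # DNS answers that came back free their process
            if done <= t:
                self.replied += 1           # success, or an error reply after the timeout
                if domain in self.resolvable:
                    self.cache.add(domain)
        self.pending = [p for p in self.pending if p[0] > t]
        self.queue.extend(arrivals)
        while self.queue and len(self.pending) < self.n:
            domain = self.queue.popleft()
            if domain in self.cache:
                self.replied += 1           # cache hit, answered at once
            elif self.dadp and self.H(t) >= self.n - 1:
                self.replied += 1           # alarm: cache-only lookup, reply immediately
                self.emergency += 1
            else:                           # forward to the DNS server and wait
                delay = self.dns_delay if domain in self.resolvable else self.timeout
                self.pending.append((t + delay, domain))

def run(n=4, ticks=20, dadp=True):
    """Constructed traffic: each tick one legitimate INVITE for bob@ica.se and one
    attack INVITE whose callee domain is fresh and unresolvable. Returns
    (messages replied, answered by the emergency process, still queued)."""
    proxy = ProxyModel(n, resolvable={"ica.se"}, dadp=dadp)
    for t in range(ticks):
        proxy.step(t, ["ica.se", f"bogus{t}.invalid"])
    return proxy.replied, proxy.emergency, len(proxy.queue)
```

Without the rule all four processes are stuck after four ticks and legitimate calls pile up; with it the emergency process keeps answering cached callees while the other three wait out the timeouts.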
Result of cache solution (two charts): messages replied against elapsed time (0 to 140 s); one plot for n = 2, 4, 16, 32 (scale up to 450 messages) and one for n = 2 with DADP alongside n = 64, 128, 256 (scale up to 10000 messages). 23
Cache Replacement Policy
Motivation: as the number of cache entries (e) cannot practically cope with the unlimited number of possible domain names, we have to find a way to use the limited number of cache entries optimally.
Cache replacement policies: FIFO, LRU, LFU. 24
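The three policies side by side, as an added example (not the slides' or the proxy's code): a bounded cache of e entries replayed over a constructed query mix in which legitimate callees repeat while attacker-chosen names are fresh every time. The addresses, names and the burst round are constructed, and caching negative answers is an assumption made so that attacker names compete for entries at all:

```python
from collections import Counter, OrderedDict

LEGIT = {"ica.se": "192.0.2.10", "lidl.de": "192.0.2.20"}  # constructed addresses

class DnsCache:
    """Bounded DNS cache (e entries) with FIFO, LRU or LFU replacement.
    Assumption: negative answers are cached too (None), so attacker names use entries."""

    def __init__(self, e, policy):
        self.e, self.policy, self.hits = e, policy, 0
        self.entries = OrderedDict()   # domain -> answer, kept in insertion order
        self.freq = Counter()          # lookups per cached domain (for LFU)

    def lookup(self, domain, resolve):
        if domain in self.entries:
            self.hits += 1
            self.freq[domain] += 1
            if self.policy == "LRU":
                self.entries.move_to_end(domain)  # most recently used goes last
            return self.entries[domain]
        answer = resolve(domain)       # the external DNS round trip (None if unresolvable)
        if len(self.entries) >= self.e:
            self._evict()
        self.entries[domain] = answer
        self.freq[domain] = 1
        return answer

    def _evict(self):
        if self.policy == "LFU":
            victim = min(self.entries, key=self.freq.__getitem__)  # oldest wins ties
        else:
            victim = next(iter(self.entries))  # FIFO: oldest inserted; LRU: least recently used
        del self.entries[victim], self.freq[victim]

def hits_by_policy(e=4):
    """Replay a constructed query mix (two legitimate callees every round plus fresh
    attacker names: two per round, four in round 3) and return cache hits per policy."""
    stream, n = [], 0
    for t in range(8):
        k = 4 if t == 3 else 2
        stream += ["ica.se", "lidl.de"] + [f"bogus{n + i}.invalid" for i in range(k)]
        n += k
    result = {}
    for policy in ("FIFO", "LRU", "LFU"):
        cache = DnsCache(e, policy)
        for domain in stream:
            cache.lookup(domain, LEGIT.get)  # dict.get gives None for unknown names
        result[policy] = cache.hits
    return result
```

FIFO evicts the callees every other round regardless of use, LRU loses them only during the burst of attacker names, and LFU keeps them throughout because their use counts stay above the attacker entries' count of one.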
Result of Cache Solution (chart): messages replied (0 to 5000) against attacking interval (0 to 1 s) for no cache, FIFO, LRU and LFU. 25
Cache entries (chart): messages replied (0 to 5000) against the number of cache entries (0 to 400), DADP with LFU versus without DADP.
Investigate the relationship between the number of cache entries and the performance of the proxy; e = number of cache entries. Below 270 entries the number of replied messages grows; above 270 it stops growing. 26
Conclusions
Current VoIP systems are far from secure.
Interface between the VoIP system and other ICT-based systems (DNS).
The solutions are not perfect; open questions remain. 27
Thanks! Questions? Email: ge.zhang@kau.se 28