Attacking VoIP Networks



Similar documents
Attacking VoIP Networks

SIP Stack Fingerprinting and Stack Difference Attacks

VoIP Phreaking Introduction to SIP Hacking. Hendrik Scholz 22C3, Berlin, Germany

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

Firewall Defaults and Some Basic Rules

SIP Trunk Configuration Guide. using

Connecting with Vonage

Lawful Interception in German VoIP Networks

SIP Essentials Training

Vesselin Tzvetkov, Holger Zuleger {vesselin.tzvetkov, Arcor AG&Co KG, Alfred-Herrhausen-Allee 1, Eschborn, Germany

Formación en Tecnologías Avanzadas

Grandstream Networks, Inc. UCM6100 Security Manual

VoIP some threats, security attacks and security mechanisms. Lars Strand RiskNet Open Workshop Oslo, 24. June 2009

Step 1: Checking Computer Network Settings:

TDC s perspective on DDoS threats

Configuration Notes 0217

Connecting with Free IP Call

Configuration Note for Jeron Provider 790 and Cisco CallManager

Session Initiation Protocol (SIP) Vulnerabilities. Mark D. Collier Chief Technology Officer SecureLogix Corporation

OpenScape Business V1

Configuring Interactive Intelligence ININ IP PBX For tw telecom SIP Trunking service USER GUIDE

DoS/DDoS Attacks and Protection on VoIP/UC

Linux Network Security

MyIC setup and configuration (with sample configuration for Alcatel Lucent test environment)

Firewall Firewall August, 2003

Configuring SIP Trunking and Networking for the NetVanta 7000 Series

Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant

Enumerating and Breaking VoIP

Learn Ethical Hacking, Become a Pentester

The SIP School- 'Mitel Style'

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

SonicOS 5.9 / / 6.2 Log Events Reference Guide with Enhanced Logging

SIP Trunking Quick Reference Document

Provisioning and configuring the SIP Spider

Based on the VoIP Example 1(Basic Configuration and Registration), we will introduce how to dial the VoIP call through an encrypted VPN tunnel.

Firmware Release Notes

Improving DNS performance using Stateless TCP in FreeBSD 9

NAT and Firewall Traversal with STUN / TURN / ICE

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

OpenScape Business V2

Installation Manual for Zoom V3 Hardware and Vontronix VoIP Phone Service

SIP Trunking Application Notes V1.3

SIP SECURITY WILEY. Dorgham Sisalem John Floroiu Jiri Kuthan Ulrich Abend Henning Schulzrinne. A John Wiley and Sons, Ltd.

How to Configure the Allworx 6x, 24x and 48x for use with Integra Telecom SIP Solutions

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

Deployment of Snort IDS in SIP based VoIP environments

Link2VoIP SIP Trunk Setup

How To Configure Aastra Clearspan For Aastro (Turbos) And Bpb (Broadworks) On A Pc Or Macbook (Windows) On An Ipa (Windows Xp) On Pc Or Ipa/

Connecting with sipgate

Voice Over IP (VoIP) Denial of Service (DoS)

MINIMUM NETWORK REQUIREMENTS 1. REQUIREMENTS SUMMARY... 1

Session Border Controller

Application Notes for Avaya IP Office 7.0 Integration with Skype Connect R2.0 Issue 1.0

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

FortiVoice. Version 7.00 VoIP Configuration Guide

Black Box Analysis and Attacks of Nortel VoIP Implementations

Chapter 8 Router and Network Management

Security of IPv6 and DNSSEC for penetration testers

Voice over IP Security

Spam goes VoIP. Number Harvesting for Fun and Profit. Hack in The Box 2007 Dubai Hendrik Scholz

How to make free phone calls and influence people by the grugq

10 Key Things Your VoIP Firewall Should Do. When voice joins applications and data on your network

FRITZ!Box Products Secure high-speed surfing and convenient telephoning over the Internet

SIP Trunking Service Configuration Guide for Time Warner Cable Business Class

SIP Trunking Service Configuration Guide for Skype

Denial of Service Attacks

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Voice Gateway with Router

NCAS National Caller ID Authentication System

Technical Configuration Notes

CIT 380: Securing Computer Systems

F5 Silverline DDoS Protection Onboarding: Technical Note

Geographic redundant VoIP systems with Kamailio

High Availability Configuration Guide

SIP Trunking. Service Guide. Learn More: Call us at

Technical Configuration Notes

hackers 2 hackers conference III voip (in)security luiz eduardo cissp, ceh, cwne, gcih

P160S SIP Phone Quick User Guide

SIP Basics. CSG VoIP Workshop. Dennis Baron January 5, Dennis Baron, January 5, 2005 Page 1. np119

Chapter 8 Network Security

SIP Proxy Server. Administrator Installation and Configuration Guide. V2.31b. 09SIPXM.SY2.31b.EN3

nexvortex Setup Guide

High Availability Configuration Guide

IP PBX. SD Card Slot. FXO Ports. PBX WAN port. FXO Ports LED, RED means online

Firewalls and Intrusion Detection

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Configuration Notes 0215

Avaya IP Office 8.1 Configuration Guide

Proxies. Chapter 4. Network & Security Gildas Avoine

SIP Trunking Service Configuration Guide for MegaPath

Security Testing Summary of Next-Generation Enterprise VoIP Solution: Unify Inc. OpenScape SBC V8

Transcription:

Attacking VoIP Networks Hendrik Scholz Freenet Cityline GmbH <hendrik.scholz@freenet-ag.de>

http://freenet.de/ German ISP + PSTN carrier > 700,000 DSL customers high VoIP acceptance VoIP enabled routers (AVM Fritz!, Siemens,...) VoIP used as PSTN replacement 2

Attack Vectors 3

Attack Vectors focus on Server (D)DOS: Traffic Amplification End Devices (CPE) Unintentional DDOS Protocol Independent Issues more Billing Evasion Identity Theft, Privacy (german Laws apply)... 4

Amplication Attack 5

Call Forking Call Forking parallel/serial forking wanted behaviour possible problems traffic amplification resource utilization User adam john john Contact adam@10.1.1.1:5060;tag=value john@172.30.1.1:5060;opaque=123 john@192.168.1.1:18123;foo=bar 6

Fork Loop Outline parallel call forking two contacts for one user add the loop strip IP from contact and add local domain add tag to keep contacts unique User a a Contact a@wormulon.net;uniq=1 a@wormulon.net;uniq=2 7

Fork Loop Tree see also: draft-ietf-sip-fork-loop-00 8

Fork Loop Preparation REGISTER contacts use sipp or sipsak inject call to user A use a phone wait for 2^70 INVITEs to be processed 1180591620717411303424 INVITEs 408 timeout will fire and tear down attack 9

Fork Loop Enhancements TCP contact SYN flood a random website PSTN contact forward to cell phone and back to SIP proxy results in new calls, fresh timers, full TTL Announcement contact starts playing immediately (183 Session Progress) redirect RTP to random victim using SDP modify PSTN/announcement/fork ratio 10

End User Devices 11

About End User Devices CPEs/PBXs/ATAs/... Operating System (Linux, VxWorks) Unpatched No logging/notification Web interface ISP-wide monocultures 12

Locating Devices smap mashup of sipsak and nmap available at http://www.wormulon.net/ utilize SIP OPTIONS request basic banner grabbing for fingerprinting scan DSL ISP 'dial up' ranges up to 90% hit ratio common: 60-70% VoIP enabled 13

smap output $ smap -O -t 200 89.53.10.0/24 scanning 89.53.10.0... timeout scanning 89.53.10.1... timeout... scanning 89.53.10.8... up User-Agent: AVM FRITZ!Box Fon WLAN 7050 14.04.01 (Jan 25 2006) scanning 89.53.10.9... up User-Agent: AVM FRITZ!Box Fon WLAN 7050 14.04.01 (Jan 25 2006) scanning 89.53.10.10... up User-Agent: AVM FRITZ!Box Fon WLAN 7050 14.04.01 (Jan 25 2006)... 256 hosts scanned, 114 up, 142 down, 0 errors $ nmap -sp 89.53.10.0/24... Nmap run completed -- 256 IP addresses (138 hosts up) scanned in 5.400 seconds $ 14

CPE Attacks little CPU power, limited number of lines resource starvation no inbound Authentication needed for ENUM SPIT remote management reboot, change config, click to dial, call control 15

Unintentional DDOS 16

What's that supposed to be? AVM Fritz!Box series routers/atas multiple generations same firmware train new feature: 'DSL reconnect between 3 and 4AM' 'fetch bindings' de-register own contact DSL de-/reconnect REGISTER SUBSCRIBE for MWI 17

Protocol Independent Attack 18

Timing Attack exploit UDP defragmentation timer evade Billing & Lawful Interception inspired by Marc Heuse's IPv6 talk at 22C3 goal: fool passive Lawful Interception 19

Lawful Interception Setup 20

Lawful Interception System receives mirrored traffic use libnids defragmentation in userland parse SIP messages (i.e. using libosip2) check username/phone # against DB copy message to LEA if needed 21

LI Timing Attack two different IP stacks different implementation different configuration LI Box might drop fragments too early... or too late redefined goal: prevent a message from being defragmented on LI system 22

LI timer < Live timer inject 1 st fragment 'LI' stores fragment 'Live' stores fragment wait for fragment to expire on 'LI' inject 2 nd fragment 'Live' de-fragments successfully 'LI' stores fragment 23

LI timer > Live timer inject 1 st fragment wait for 'Live' to drop fragment inject 2 nd fragment 'LI' defragments successfully 'Live' stores fragment inject 3 rd fragment 'LI' stores fragment 'LIVE' defragments and initiates call 24

Conclusions lots of issues do not underestimate German Laws pay attention to Privacy & Trust between Entities few things interesting really happen account creation to get free hardware sign up & use free PSTN minutes Research on Intrusion Detection/Prevention 25

Questions? <hendrik.scholz@freenet-ag.de> Btw: We're hiring!

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information