Professional Documents
Culture Documents
Chien-wei Lee
University of Canterbury 90 Ilam road Christchurch, New Zealand
xde13@student.canterbury.ac.nz
cwl20@student.canterbury.ac.nz
limitations with respect to new types of attacks, particularly at the upper layers of the architecture. Some malformed packets with spoofed IP addresses can pass through the firewall and damage the VoIP system. There are various types of attacks that can affect the performance of VoIP system. For example, SIP (Session Initiation Protocol)[1] request flooding, Registration hijacking, Sound injection, and so on. And the SIP request flooding is considered as the biggest threat to VoIP networks [2]. This project will examine the effect of flooding based DDoS attacks against SIP-based VoIP system, and propose a potential solution to this kind of attacks.
ABSTRACT
Voice over Internet Protocol (VoIP) is an emerging telecommunications technology that is already shaping the future of telephony. VoIP uses the Internet Protocol (IP) to transfer voice data in packets as opposed to the traditional circuit-switched network used by the Public Switched Telephone Network (PSTN). Since VoIP communications are based on an open environment such as the Internet, they are can be exposed to the attackers. Moreover, the strict performance requirements of VoIP have significant implications for security, particularly denial of service (DoS) issues. Due to the popularity and the wide deployment of the Session Initiation Protocol (SIP), one of the standard signalling protocols for VoIP, the project focuses on the SIP INVITE flooding attacks..
2. SIP operation
SIP is a plaintext-based signalling protocol; it provides its service through the request-respond model. Figure 1 shows the normal message flow in a SIP call setup process. When a caller wants to make a phone call, it sends an INVITE message to the VoIP proxy sever, and the SIP server finds the callee, and forwards the message to the callee. When the callee picks up the phone, an OK message is sent back to the caller, the caller then sends an ACK message to the callee, the call is then be setup.
General Terms
Security, Performance, Measurement Experimentation, Verification,
Keywords
SIP, Security, Flooding attack, Firewall.
1. Introduction
VoIP is an important application and forms part of a suit of multimedia application services. The reasons for this are: VoIP has the potential to offer voice service at a lower price than current PSTN infrastructure. b) IP based networks provide a flexible infrastructure for multimedia application such as VoIP. c) VoIP can interoperate with the legacy telephony system. It is possible to deploy a mix of VoIP and conventional PSTN infrastructure. However, many telecommunication companies security implementations of VoIP are commonly only based on intranets protected by firewalls. As the security implementations of a firewall are based on known attack vectors, they have a)
This paper was published in the proceedings of the New Zealand Computer Science Research Student Conference 2008. Copyright is held by the author/owner(s).
205
Figure 2: How INVITE message is handled by the SIP server When a client sends an INVITE message to the SIP server, the SIP server checks for a username and password (for the first INVITE message, there is no username and password included for authentication), stores the state of the session, and sends a 407 (AuthenticationRequired) message back to the client with a random nonce value. When the client receives a 407 message, it resends an INVITE message with the same session ID, nonce value, and its username and password. When the username and password is verified to be valid, the SIP server forwards the INVITE message to the target client.
Figure 4: The Flooding Traffic Profile in Burst Mode: A stream of total 10,000 packets was sent in 8 seconds. The other mode of flood sends packets out in chunks with a user-defined time delay between the chunks, thus called chunk mode. This special flooding mode is implemented to explore or exploit the vulnerability of some firewalls or IDS that are not able to detect or block the flooding traffic of this form. When running iFlood in chunk mode, a user will be prompted to specify the number of packets per chunk as well as the time delay between chunks. Figure 5 depicts the traffic profile of a flood sent in chunk mode.
206
N/A Nothing attack detected Attack detected Attack detected Block the traffic
Figure 5: The Flooding Traffic Profile in Chunk Mode: A total of 10,000 packets were sent in chunks. Each chunk of 1000 packets is separated by 1 second time delay.
110000 1100
Table 1, call setup delay with various numbers of attack packets go through. After a series of test floods, the threshold value was found to be approximately 11,000 packets, and this is a dynamic value, which may depend on traffic conditions and other factors. However, if the flood traffic is sent in chunk mode (eg, send a chunk of 10,000 invites at once, then stop for a second before sending the next chunk of 10,000), the firewall is not able to block the flooding traffic even though a DDoS is detected. Those chunks of flood packets overwhelmed the SIP proxy through the firewall, and significant DoS conditions, as described in previous attacks, were still achieved. Thus, chunk flooding has been found effective against this particular firewall and potentially some others as well. Furthermore, trying different combinations of chunk size and delay time can produce more subtle flood traffic, and they may influence the ability of firewalls or IDS to detect the attack. In general, increasing the delay time and decreasing the flood burst period makes the attack harder to detect, but can still be disruptive.
4. A proposed method to reduce the effect of the SIP flooding, by using stateless session authentication
Figure 6: SIP Testbed Setup with Firewall The other host on the untrusted domain represents an attacker, which runs iFlood to inject flood traffic into the network. The Asterisk PBX acts as a proxy server to forward request and respond between the two domains. All the client hosts, Asterisk PBX, and the attacker host are running on Intel Pentium 4 2.4GHz machines with 512MB RAM. There is a unique field (nonce) in the SIP 407 (Authentication Required) message which can be used to avoid replay attacks. A nonce is a server-specified data string which should be uniquely generated each time a 401(Unauthorized) or 407 response is made. Since most servers have a timer to mitigate replay attacks, the servers do not have to keep a record of the nonce. Thus, it is important for the firewall to performance the nonce checking. Figure 7 shows the call setup process with a firewall checking the nonce.
207
Figure 7: Call setup process with firewall checking nonce Figure 8 illustrates how the INVITE message is handled in detail:
The firewall will then send back a 407/401 (AuthenticationRequired/Unauthorized) message back to the client, with the calculated nonce value and drop the session. After the client receive a 407/401 message, it resends an INVITE message with the same CallID, serverspecified nonce, username and password. When the firewall receives an INVITE with a nonce value, it will extract the nonce value, recalculate and compare it with the CallID and source IP address. If it matches, the request is passed to the server. For better attack mitigation, the cryptographic secret should be changed after a small period of time, e.g. 30 seconds. (time frame overlap for 2 successive secret should be allowed) This provides a stateless authentication as the firewall does not need to store multiple CallIDs and nonce entries in a database, and it can protect the server from Spoofed SIP flooding attacks.
5. Future work
Implement the nonce-checking function on a Linux firewall, and test the performance of this firewall. Try to make the attack tool cleverer, try to break the defense of the firewall.
6. ACKNOWLEDGMENTS
Assistance by Ray Hunt, Theuns Verwoerd, and Mark Mai are gratefully acknowledged. Figure 8: How an INVITE request is handled When an INVITE/REGISTER messages is received at port 5060, the firewall will check the SIP header, looking for a nonce value. If the incoming SIP request does not have a nonce value, the firewall generates a nonce value, which should be the result of a cryptographic secret function computed over the CallID and source IP address. This ensures that the nonce is unique for each session, as a new CallID is generated when a session is initiated. Figure 9 shows how the nonce is calculated.
7. REFERENCES
[1] The SIP protocol stack RFC 2543: SIP: Session Initiation Protocol; March 1999. [2] Hunter, P., 2002. VOIP the latest security concern: DoS attack the greatest threat. Network Security. Issue 11, page 5-7. [3] Wireshark, Gerald Combs, http://www.wireshark.org/ [4] HACK_LIBRARY, Endler D., Collier M., VoIP hacking exposed [5] X-Lite, CounterPath Corporation, http://www.counterpath.com/