1 Protecting SIP Against DoS An Architectural Approach.

2 Motivation
- SIP implementations are vulnerable to DoS
- Current solutions are placed near the destination
  - But these cannot cope with large attacks
- Need an architectural approach
  - Detect the attack at the destination
  - Block the attack close to its sources

3 Basic Architecture
(Diagram: ISP A, ISP B and ISP D connected through the Internet. ISP A and ISP B have SIP agents behind a SIP filter; ISP D is a legacy ISP without one. Labels: "Detect attack", "filter request".)

4 Basic Architecture: Detailed View
(Diagram: clients C1, C2, C3 in ISP A (SRC) behind an ISF, client C4 in ISP B (DST) behind an ESF, each domain with its own proxy P and registrar R; label "Filter Request, send to".)
Legend: C = SIP UA, ISF = Ingress SIP filter, ESF = Egress SIP filter, R = SIP registrar, P = SIP proxy

5 Basic Architecture: No Proxies
(Diagram: same topology as slide 4, with the call signalling path running C1 to ISF to ESF to C4 without touching a proxy.)

6 Basic Architecture: One Proxy
(Diagram: same topology as slide 4, with the signalling path passing through one domain's proxy.)

7 Basic Architecture: Two Proxies
(Diagram: same topology as slide 4, with the signalling path passing through both the source and the destination proxy.)

8 SIP ID-spoofing Prevention: Intra-Domain
(Diagram: clients C1, C2, C3 in the ISP behind an ISF, with registrar R, connected to the Internet.)
C1: SIP ID johnp, MAC 00:00:00:00:00:00
C2: SIP ID jackh, MAC 00:00:00:00:00:01
C3: SIP ID eve, MAC 00:00:00:00:00:02
Database (IP -> MAC): .100 / :00:00, .101 / :00:01, .102 / :00:02
Database (IP -> SIP ID): .100 / johnp, .101 / jackh, .102 / jillm
Check at the ISF: .100 = johnp? YES. .100 = eve? NO!

9 SIP ID-spoofing Prevention: Inter-Domain
(Diagram: same topology as slide 4, with a TLS tunnel between the ISF of ISP A and the ESF of ISP B.)
- The ESF trusts that packets came from the ISF (TLS tunnel)
- The ESF trusts the ISF to ingress filter
- So the ESF can tell that packets came from C1, C2 or C3

10 Filtering Protocol
- The detector at the destination triggers a filter request
- Need to know which SF to send the request to
  - Wait until the next packet and record the TLS endpoint
- Need to authenticate requests
  - The TLS tunnel takes care of this
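The filtering protocol of slides 9 and 10, as an added simulation (this is illustrative code, not the authors' implementation): an ingress filter ISF-A tags each forwarded packet with the tunnel it leaves through, the egress filter ESF-B records that tunnel per source address so it knows where to send a filter request, a simple INVITE-rate detector at the destination triggers the request, and the ISF accepts the request only because it arrives through an established tunnel. The names ISF-A and ESF-B, the threshold, the window and the 192.0.2.x traffic are all constructed for the example.

```python
from collections import defaultdict, deque


class IngressFilter:
    """Source-domain ISF (constructed). Drops traffic from sources it has been
    asked to block and tags everything it forwards with its own tunnel name,
    standing in for the TLS tunnel the packet leaves through."""

    def __init__(self, name):
        self.name = name
        self.blocked = set()

    def forward(self, pkt):
        if pkt["src_ip"] in self.blocked:
            return None                      # blocked close to the source
        return dict(pkt, tunnel=self.name)   # ESF sees which tunnel it arrived on

    def handle_filter_request(self, req, trusted_tunnels):
        """Accept a filter request only if it came over a tunnel from a known
        ESF: the tunnel is the request's authentication (slide 10)."""
        if req["via_tunnel"] not in trusted_tunnels:
            return False
        self.blocked.add(req["src_ip"])
        return True


class EgressFilter:
    """Destination-domain ESF (constructed) with a sliding-window INVITE-rate detector."""

    def __init__(self, name, threshold, window):
        self.name = name
        self.threshold = threshold           # INVITEs tolerated per window
        self.window = window                 # window length in seconds
        self.tunnel_of = {}                  # src_ip -> ISF the packet came through
        self.recent = defaultdict(deque)     # src_ip -> INVITE timestamps in window
        self.requested = set()               # sources already reported

    def receive(self, pkt, now):
        """Record the tunnel endpoint for this source (slide 10: wait for the
        next packet, record the TLS endpoint); return a filter request when the
        source exceeds the INVITE rate, otherwise None."""
        src = pkt["src_ip"]
        self.tunnel_of[src] = pkt["tunnel"]
        if pkt["method"] != "INVITE" or src in self.requested:
            return None
        q = self.recent[src]
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) > self.threshold:
            self.requested.add(src)
            return {"type": "FILTER", "src_ip": src,
                    "to_isf": self.tunnel_of[src], "via_tunnel": self.name}
        return None


def run_scenario():
    """Constructed traffic: one flooding client and one normal caller in ISP A,
    both calling into ISP B through ISF-A and ESF-B."""
    isf_a = IngressFilter("ISF-A")
    esf_b = EgressFilter("ESF-B", threshold=5, window=1.0)
    trusted = {"ESF-B"}                      # tunnels ISF-A has established
    delivered = defaultdict(int)
    requests = []
    flood = [(i * 0.05, "192.0.2.102") for i in range(20)]   # 20 INVITEs, 50 ms apart
    normal = [(j * 0.5, "192.0.2.100") for j in range(3)]     # 3 INVITEs, 500 ms apart
    for now, src in sorted(flood + normal):
        pkt = isf_a.forward({"src_ip": src, "method": "INVITE"})
        if pkt is None:
            continue                         # already blocked at the source
        delivered[src] += 1
        req = esf_b.receive(pkt, now)
        if req is not None:
            requests.append(req)
            # the request travels back over the recorded tunnel to req["to_isf"]
            isf_a.handle_filter_request(req, trusted)
    return {"attacker_delivered": delivered["192.0.2.102"],
            "normal_delivered": delivered["192.0.2.100"],
            "requests": len(requests),
            "request_target": requests[0]["to_isf"] if requests else None}


def forged_request_refused():
    """A filter request that did not arrive through a known tunnel is ignored."""
    isf = IngressFilter("ISF-A")
    forged = {"type": "FILTER", "src_ip": "192.0.2.100", "via_tunnel": "unknown"}
    return isf.handle_filter_request(forged, {"ESF-B"}) is False and not isf.blocked


if __name__ == "__main__":
    print(run_scenario())        # the flooder gets 6 INVITEs through, then is blocked at ISF-A
    print(forged_request_refused())
```

The detector fires on the sixth INVITE inside the one-second window, the request is addressed to the ISF recorded from the tunnel the flood arrived on, and the remaining fourteen INVITEs never leave ISP A while the normal caller is unaffected. The source-address check that lets ESF-B trust `src_ip` is the ingress filtering of slide 8, which this block assumes ISF-A performs.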

11 Attack Detection
- Either at the source or at the destination domain
  - Destination
    - Can detect even very distributed attacks
    - State-holding attacks on proxies
  - Source
    - Can prevent spoof-based attacks
    - Can detect flooding clients and prevent the attack

12 Additional Slides

13 Attacks Prevented by Authentication Mechanism
- BYE attack
- CANCEL attack
- RE-INVITE / UPDATE attacks
- REFER attack (don't accept from non-tunneled referrers)
- Record-Route spoofing (don't accept from non-tunneled)
- REDIRECT server impersonation, moved permanently
- Reflection: fake Route, Via or Request-URI
- Reflection: spoofed INVITE
- State-holding attack: INVITEs with spoofed SIP IDs

14 Attacks Prevented by Source-Domain Filtering
- Registrar attacks
  - Flooding
  - Guessing login/password via brute force
  - De-registering entries
  - Amplification attack: get all current registrations
  - SQL injection attacks
  - Registering too many IDs, amplification attacks through forking
- Parser attacks
  - Large header/body
  - Content-Length header mismatched against the actual length
  - Malicious re-arrangement of fundamental headers

15 Attacks Prevented by Source-Domain Filtering (cont'd)
- Flooding attacks
  - SIP INVITEs
  - State-holding for proxies: too many sessions
- Proxy attacks
  - Forced look-up of fake DNS names (black list)
  - Loops through the Via header
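The parser and proxy checks listed on slides 14 and 15, as an added example of what a source-domain SIP filter can apply to each datagram before it reaches the registrar or proxy (illustrative code, not the authors' filter): header and body size limits, a Content-Length value that must match the actual body, mandatory headers that must appear exactly once, and a Via stack in which the domain's own proxy already appears more than once, which indicates a loop. The limits, the proxy address 192.0.2.10 and the INVITE built by `build_invite` are constructed; compact header forms (v, f, t, i) are deliberately not handled, a simplification of RFC 3261.

```python
import re
from collections import defaultdict
from typing import List, Tuple

# Constructed limits for this example; a real deployment tunes these.
MAX_HEADER_BYTES = 4096
MAX_BODY_BYTES = 8192
# Headers a request must carry exactly once (Via may legitimately repeat).
SINGLETON_HEADERS = ("from", "to", "call-id", "cseq")
# sent-by host of a Via value, e.g. "SIP/2.0/UDP 192.0.2.10;branch=..."
VIA_SENT_BY = re.compile(r"SIP/2\.0/\w+\s+([^;,\s]+)")


def parse_sip(raw: bytes) -> Tuple[str, list, bytes, int]:
    """Split a SIP datagram into (start line, [(name, value)], body, header bytes).
    Header names are lower-cased so comparisons are case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body, len(head)


def check_message(raw: bytes, own_host: str) -> List[str]:
    """Return the reasons a source-domain filter should drop this message
    (empty list means it passes all checks)."""
    findings = []
    _start, headers, body, head_len = parse_sip(raw)
    if head_len > MAX_HEADER_BYTES:
        findings.append("oversized headers")
    if len(body) > MAX_BODY_BYTES:
        findings.append("oversized body")
    values = defaultdict(list)
    for name, value in headers:
        values[name].append(value)
    if not values["via"]:
        findings.append("missing Via")
    for name in SINGLETON_HEADERS:          # re-arranged or duplicated fundamentals
        n = len(values[name])
        if n != 1:
            findings.append(f"{name} appears {n} times")
    if values["content-length"]:
        declared = values["content-length"][0]
        if not declared.isdigit():
            findings.append("malformed Content-Length")
        elif int(declared) != len(body):
            findings.append(f"Content-Length mismatch: declared {declared}, actual {len(body)}")
    # Loop check: our own proxy appearing twice in the Via stack means the
    # request has already been through us (a simplification of RFC 3261
    # loop detection, which also compares branch parameters).
    hops = [m.group(1) for v in values["via"] for m in VIA_SENT_BY.finditer(v)]
    if hops.count(own_host) > 1:
        findings.append("Via loop")
    mf = values["max-forwards"]
    if mf and mf[0].isdigit() and int(mf[0]) == 0:
        findings.append("Max-Forwards exhausted")
    return findings


def build_invite(extra_headers=(), content_length=None, body=b"v=0\r\n") -> bytes:
    """Constructed INVITE; extra_headers are inserted after the first Via so the
    checks can be exercised with duplicated or looped headers."""
    declared = len(body) if content_length is None else content_length
    head = "\r\n".join([
        "INVITE sip:c4@ispb.example SIP/2.0",
        "Via: SIP/2.0/UDP 192.0.2.100;branch=z9hG4bK776",
        *extra_headers,
        "Max-Forwards: 70",
        "From: <sip:johnp@ispa.example>;tag=1",
        "To: <sip:c4@ispb.example>",
        "Call-ID: a84b4c76e66710",
        "CSeq: 314159 INVITE",
        "Content-Type: application/sdp",
        f"Content-Length: {declared}",
    ])
    return head.encode("latin-1") + b"\r\n\r\n" + body


if __name__ == "__main__":
    proxy = "192.0.2.10"
    print(check_message(build_invite(), proxy))                       # []
    print(check_message(build_invite(content_length=500), proxy))     # Content-Length mismatch
    looped = build_invite(["Via: SIP/2.0/UDP 192.0.2.10;branch=z9hG4bKa",
                           "Via: SIP/2.0/UDP 192.0.2.10;branch=z9hG4bKb"])
    print(check_message(looped, proxy))                               # Via loop
```

Because these checks look only at the datagram, they can run at the ISF before any registrar or proxy state is touched, which is the point of placing them in the source domain.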

16 Attacks Prevented by Destination-Domain Filtering
- Distributed flooding attacks
- State-holding attacks on proxies (black list?)
  - INVITE to an unresponsive TCP port
  - INVITE to a co-operating but unresponsive node
  - Colluding node: too many open sessions

17 Possible Extensions
- Captchas
- Scoring (and its authentication)
- Logging of filtered calls?

18 Bibliography
- RFC 3261, RFC 2543, RFC 4474
- VoIP Intrusion Detection Through Interacting Protocol State Machines
- VoIP Honeypot Architecture
- Understanding SIP
- VoIP Security and Privacy Threat Taxonomy
- Survey of Security Vulnerabilities in SIP

19 Basic Architecture: Deployment
(Diagram: an ISP with clients C1, C2, C3, a router, a proxy P and registrar R, and a SIP filter SF on the path to the Internet. Router labels: "SIP traffic" is steered to the SF, "Non-SIP traffic" bypasses it; "SIP IN traffic: to SF". Note: filter only IN traffic to SF.)

20 NATs: Enterprise Scenario
(Diagram: same topology as slide 4, with a NAT in front of the source-domain clients; label "Filter Request, send to NAT".)

21 NATs: End-Customer Scenario
(Diagram: clients C1, C2, C3 behind a home NAT, connected through the Internet to ISP A's ISF, proxy P and registrar R.)
- The ISF can only ingress filter for the NAT's MAC
- R has multiple SIP IDs for the NAT's IP
- Filter: C1 : C2 : C3 :
- C2 can still DoS C1, but this is a local problem
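The intra-domain ingress check of slide 8 and its NAT variant of slide 21, as one added example (illustrative code, not the authors' filter): the ISF first confirms that the source MAC is bound to the source IP, then looks up the registrar's bindings for that IP and accepts the message only if the SIP identity in the From header was registered from it. The registrar table maps an IP to a set of IDs, so a home NAT with several phones behind it is handled as slide 21 describes: any ID registered through the NAT passes, so one phone behind the NAT spoofing another is not caught here and stays a local problem. The MAC and 192.0.2.x addresses, the tables and the INVITE built by `build_invite` are all constructed.

```python
import re
from typing import Optional, Tuple

# Constructed access-network bindings for ISP A (MAC -> IP), e.g. from DHCP.
MAC_TO_IP = {
    "00:00:00:00:00:00": "192.0.2.100",   # C1
    "00:00:00:00:00:01": "192.0.2.101",   # C2
    "00:00:00:00:00:02": "192.0.2.102",   # C3
    "00:00:00:00:00:10": "192.0.2.110",   # home NAT fronting several phones (slide 21)
}

# Constructed registrar state (IP -> SIP IDs registered from that address).
# Behind a NAT several IDs legitimately share one IP, hence a set per IP.
REGISTRAR = {
    "192.0.2.100": {"johnp"},
    "192.0.2.101": {"jackh"},
    "192.0.2.102": {"jillm"},
    "192.0.2.110": {"alice", "bob"},
}

# user part of the URI in the From header, e.g. From: "John" <sip:johnp@ispa.example>;tag=1
FROM_USER = re.compile(r"^From:[^\r\n]*?sips?:([^@>;\s]+)@", re.IGNORECASE | re.MULTILINE)


def sip_from_user(msg: str) -> Optional[str]:
    """Identity the sender claims in the From header, or None if absent."""
    m = FROM_USER.search(msg)
    return m.group(1) if m else None


def ingress_check(msg: str, src_ip: str, src_mac: str) -> Tuple[bool, str]:
    """Slide 8 check as performed by the ISF: is this MAC bound to this IP, and
    was the claimed SIP ID registered from this IP? Returns (accept, reason)."""
    if MAC_TO_IP.get(src_mac) != src_ip:
        return False, f"IP spoofing: {src_mac} is not bound to {src_ip}"
    user = sip_from_user(msg)
    if user is None:
        return False, "malformed: no From identity"
    if user not in REGISTRAR.get(src_ip, set()):
        return False, f"SIP ID spoofing: {user} is not registered from {src_ip}"
    return True, "ok"


def build_invite(from_user: str) -> str:
    """Constructed INVITE claiming the given SIP ID in its From header."""
    return ("INVITE sip:c4@ispb.example SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.0.2.100;branch=z9hG4bK1\r\n"
            f'From: "{from_user}" <sip:{from_user}@ispa.example>;tag=1\r\n'
            "To: <sip:c4@ispb.example>\r\n"
            "Call-ID: c1\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n")


if __name__ == "__main__":
    # the two checks drawn on slide 8: .100 = johnp? YES; .100 = eve? NO
    print(ingress_check(build_invite("johnp"), "192.0.2.100", "00:00:00:00:00:00"))
    print(ingress_check(build_invite("eve"), "192.0.2.100", "00:00:00:00:00:00"))
    # NAT case: bob is registered through the NAT, johnp is not
    print(ingress_check(build_invite("bob"), "192.0.2.110", "00:00:00:00:00:10"))
    print(ingress_check(build_invite("johnp"), "192.0.2.110", "00:00:00:00:00:10"))
```

The MAC check comes first because the registrar binding is only meaningful if the IP itself cannot be borrowed; with both tables consulted, a client can neither claim another host's address nor another user's identity, which is what lets the ESF on the far side of the tunnel (slide 9) trust the source of what the ISF forwards.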