Session Initiation Protocol (SIP)

Features of SIP SIP is a lightweight, transport-independent, text-based protocol. SIP has the following features: SIP is a lightweight, transport-independent, text-based protocol. SIP has the following features: Lightweight, in that SIP has only four methods, reducing complexity Lightweight, in that SIP has only four methods, reducing complexity Transport-independent, because SIP can be used with UDP, TCP, ATM & so on. Transport-independent, because SIP can be used with UDP, TCP, ATM & so on. Text-based, allowing for low overhead Text-based, allowing for low overhead SIP is primarily used for VOIP calls SIP is primarily used for VOIP calls

Functions of SIP Location of an end point Location of an end point Signal of a desire to communicate Signal of a desire to communicate Negotiation of session parameters to establish the session Negotiation of session parameters to establish the session And teardown of the session once established. And teardown of the session once established.

How SIP works SIP user agents: like cell phones, PCs etc. They initiate message writing. SIP user agents: like cell phones, PCs etc. They initiate message writing. SIP Registrar servers: They are databases containing User Agent locations; they send agents IP address information to SIP proxy servers. SIP Registrar servers: They are databases containing User Agent locations; they send agents IP address information to SIP proxy servers. SIP Proxy servers: accepts session request made by UA and queries SIP registrar server to find recipient UA address. SIP Proxy servers: accepts session request made by UA and queries SIP registrar server to find recipient UA address. SIP Redirect servers: they help communicating outside the domain SIP Redirect servers: they help communicating outside the domain

Continued..

Continued.. Our user A tries to call user B (1) Our user A tries to call user B (1) Domain SIP proxy server now queries Registrar server in the same domain to know about user B’s address (2) Domain SIP proxy server now queries Registrar server in the same domain to know about user B’s address (2) Registrar responds with the address (3) Registrar responds with the address (3) SIP proxy server calls B (4) SIP proxy server calls B (4) User B responds to SIP proxy (5) User B responds to SIP proxy (5) SIP proxy answers to User A (6) SIP proxy answers to User A (6) Now multimedia session is established on RTP protocol (7) Now multimedia session is established on RTP protocol (7)

More about SIP.. SIP relies on SDP and RTP protocols SIP relies on SDP and RTP protocols SIP proxy is a server in a SIP-based IP telephony environment SIP proxy is a server in a SIP-based IP telephony environment The SIP proxy takes over call control from the terminals and serves as a central repository for address translation (name to IP address) The SIP proxy takes over call control from the terminals and serves as a central repository for address translation (name to IP address)

SIP Advantages SIP is a based on HTTP and MIME, which makes it suitable for integrated voice-data applications SIP is a based on HTTP and MIME, which makes it suitable for integrated voice-data applications SIP is designed for real time transmission SIP is designed for real time transmission

SIP Advantages Uses fewer resources Uses fewer resources Is Less complex than H.323 protocol Is Less complex than H.323 protocol SIP uses URLs and is human readable SIP uses URLs and is human readable

SIP Disadvantages First one: One SIP challenge is that SIP message contain information that Client and/or server will like to keep private but SIP header as well as message in the open and distributed architecture of VOIP systems makes it difficult to keep this information confidential. First one: One SIP challenge is that SIP message contain information that Client and/or server will like to keep private but SIP header as well as message in the open and distributed architecture of VOIP systems makes it difficult to keep this information confidential. I will talk about a technique to address it later… I will talk about a technique to address it later…

Registration hijacking When a SIP user is registering with SIP Registrar server the attacker can hijack the registration: When a SIP user is registering with SIP Registrar server the attacker can hijack the registration: 1.By disabling the legitimate user's registration using DOS attack on user machine 2.Send a REGISTER request with the attacker's IP address instead of the legitimate user's Contact header information is changed by attacker by replacing its own IP in place of original users Contact header information is changed by attacker by replacing its own IP in place of original users

Registration hijacking This leads to the attacker getting the SIP messages intended for our original user- a clearly undesirable condition This leads to the attacker getting the SIP messages intended for our original user- a clearly undesirable condition Two main reasons for this attack are: SIP messages being sent in clear and no SIP message authentication built into the protocol Two main reasons for this attack are: SIP messages being sent in clear and no SIP message authentication built into the protocol

Eavesdropping Eavesdropping is a big problem for SIP based VOIP traffic. Many internet tools like Ethereal do that Eavesdropping is a big problem for SIP based VOIP traffic. Many internet tools like Ethereal do that

Eavesdropping….how ethereal works Eavesdropping in VoIP requires intercepting the signaling and associated media streams of a conversation Eavesdropping in VoIP requires intercepting the signaling and associated media streams of a conversation Media streams typically are carried over UDP using the RTP Media streams typically are carried over UDP using the RTP

How ethereal works Capture and decode RTP packets Capture and decode RTP packets Analyzing session : here we reassemble the packets Analyzing session : here we reassemble the packets We store this data in audio files (like.wav,.au) We store this data in audio files (like.wav,.au)

Some remedies…. IPSEC security for IP packets can be one solution IPSEC security for IP packets can be one solution A more common solution is to use Ethernet switches to restrict broadcasting data to all and sundry on the network. A more common solution is to use Ethernet switches to restrict broadcasting data to all and sundry on the network.

Spoofing Spoofing is another issue where someone can pose as a user and gets unauthorized access Spoofing is another issue where someone can pose as a user and gets unauthorized access Address authentication between callers built in the underlying transport protocols can resolve this Address authentication between callers built in the underlying transport protocols can resolve this

DOS Denial of service can be caused if the Proxy/registrar servers are somehow flooded Denial of service can be caused if the Proxy/registrar servers are somehow flooded The solution lies in configuring servers to tackle this problem in their configuration settings The solution lies in configuring servers to tackle this problem in their configuration settings

SIP Security Mechanisms IPSEC is another way to protect IP packets the secure encryption making them safe from unauthorized access/modification IPSEC is another way to protect IP packets the secure encryption making them safe from unauthorized access/modification So with shared keys between parties IPSEC can provide the secure path for communication between SIP partners So with shared keys between parties IPSEC can provide the secure path for communication between SIP partners

TLS TLS is another answer for security here networked parties during handshake can share their certificates which can be used for the secure transfer later. TLS is another answer for security here networked parties during handshake can share their certificates which can be used for the secure transfer later. It is widely in use in the wired internet market It is widely in use in the wired internet market TLS lies below FTP(ALP) but above TCP thus obviating the need for TCP header encryption. TLS lies below FTP(ALP) but above TCP thus obviating the need for TCP header encryption.

Session Border Controller for SIP A Firewall typically helps in the simple browser requesting for some information by ensuring that only the requested content gets transferred back to the browser and not the other information this is not so in a typical SIP using VOIP transfer where there are two holes on the firewall for public access: one for signaling and other for media packets. Also the firewall in say two LANs connected via internet will otherwise reject the other LANS traffic thinking it malicious.

SBC For these addresses to be on public side of firewall the IP address based attacks become a real possibility For these addresses to be on public side of firewall the IP address based attacks become a real possibility The SBC works by making all communication work outwards for media and signaling even the incoming ones The SBC works by making all communication work outwards for media and signaling even the incoming ones

SBC

SBC When our Client starts it registers with the registration server now SBC takes over the function of a PO Box so an incoming party knows your PO Box address but only your PO Box (your SBC) knows your real IP address. When our Client starts it registers with the registration server now SBC takes over the function of a PO Box so an incoming party knows your PO Box address but only your PO Box (your SBC) knows your real IP address. So primarily for both signaling and media exchange SBC acts as the bridge between outside client and us. So primarily for both signaling and media exchange SBC acts as the bridge between outside client and us.

SBC SBC allows: signaling and media connections to be dynamically opened and outbound connected. SBC allows: signaling and media connections to be dynamically opened and outbound connected. SBC hides your real IP and polices the signaling and media connections. SBC hides your real IP and polices the signaling and media connections.

SIP Denial of Service DOS attacks are based on exhausting some server response and thus rendering it incapable for some/all functionalities DOS attacks are based on exhausting some server response and thus rendering it incapable for some/all functionalities SIP server copies each incoming request in its internal buffers SIP server copies each incoming request in its internal buffers

Types of SIP servers (proxy server) Stateless servers: They just keep a copy of message while message is being sent out then delete it. Stateless servers: They just keep a copy of message while message is being sent out then delete it. Stateful servers: In general, we can distinguish between two types of states in SIP: Stateful servers: In general, we can distinguish between two types of states in SIP: Transaction state: A transaction stateful server stores a copy of the received request as well as the forwarded request Transaction state: A transaction stateful server stores a copy of the received request as well as the forwarded request Session state: In certain cases servers need to maintain some information about the session throughout the lifetime of the session. Session state: In certain cases servers need to maintain some information about the session throughout the lifetime of the session.

Continued… Regardless the server will need to maintain the buffered data while contacting another entity like an authentication, authorization, and accounting (AAA) server, a Domain Name Service (DNS) server Regardless the server will need to maintain the buffered data while contacting another entity like an authentication, authorization, and accounting (AAA) server, a Domain Name Service (DNS) server

CPU based DOS When a SIP message is received SIP server needs to parse this message, do some processing (e.g., authentication) and forward the message When a SIP message is received SIP server needs to parse this message, do some processing (e.g., authentication) and forward the message Though Server CPU is high speed still a lot of parallel loads and following resource depletion can cause server blocks and other malfunctions causing a DOS Though Server CPU is high speed still a lot of parallel loads and following resource depletion can cause server blocks and other malfunctions causing a DOS

Bandwidth based DOS Sometimes access links connecting a SIP server are so much overloaded as to cause congestion Losses Sometimes access links connecting a SIP server are so much overloaded as to cause congestion Losses So SIP messages get lost causing further delay and at least a transient DOS occurs So SIP messages get lost causing further delay and at least a transient DOS occurs DOS attacks can both be with or without malicious intent. SIP and its supporting transport protocols both need protection and safeguarding from attack. DOS attacks can both be with or without malicious intent. SIP and its supporting transport protocols both need protection and safeguarding from attack.

DOS based on Memory exhaustion A Stateful server is an easy target for flooding with many requests for different transactions. A Stateful server is an easy target for flooding with many requests for different transactions. Memory based exploitation can have two basic types: to initiate a number of SIP sessions with different SIP identities and broken session attacks where a receiver gets an INVITE but then no response from the initiator many such pending invites can cause memory exhaustion Memory based exploitation can have two basic types: to initiate a number of SIP sessions with different SIP identities and broken session attacks where a receiver gets an INVITE but then no response from the initiator many such pending invites can cause memory exhaustion

Some Countermeasures Just like for a web or server make a list of suspected users and blacklist them Just like for a web or server make a list of suspected users and blacklist them Using authentication strategies is also preferable. But more CPU resources are needed to tighten these security problems Using authentication strategies is also preferable. But more CPU resources are needed to tighten these security problems

Continued.. Also having SIP proxy server and applications server on the same hardware can really slow down the response time. SIP proxy may need some other server’s service and this can cause other request to be suspended sometimes Also having SIP proxy server and applications server on the same hardware can really slow down the response time. SIP proxy may need some other server’s service and this can cause other request to be suspended sometimes Having dedicated hardware for servers is important Having dedicated hardware for servers is important

Continued.. The first line of Defense for DOS is having high speed CPU, big efficient memory and many access links The first line of Defense for DOS is having high speed CPU, big efficient memory and many access links Clean memory allocation and parsing schemes is equally important Clean memory allocation and parsing schemes is equally important Parallel processing can lead to many request being served simultaneously and parallel execution of message parsing and forwarding of messages. Parallel processing can lead to many request being served simultaneously and parallel execution of message parsing and forwarding of messages.

Challenges… Text based nature of SIP renders it vulnerable to spoofing, hijacking and message tampering Text based nature of SIP renders it vulnerable to spoofing, hijacking and message tampering SIP utilizes transport layer protocols like TCP, UDP. So its vulnerable to their set of attacks too like for TCP: SYN Flood and TCP session hijacking SIP utilizes transport layer protocols like TCP, UDP. So its vulnerable to their set of attacks too like for TCP: SYN Flood and TCP session hijacking FOR SIP software virus/bugs are also an issue which can be dealt by using antivirus software FOR SIP software virus/bugs are also an issue which can be dealt by using antivirus software

SIP Security Mechanism SIP specification does not include any specific security mechanism but relies on other internet security mechanisms like HTTPS Digest, TLS, and IPSEC.

How this authentication works

Continued.. SIP authentication works this way: SIP client sends a SIP INVITE which gets answered by a 407 reply which is the authenticator from the SIP Proxy server. SIP client sends a SIP INVITE which gets answered by a 407 reply which is the authenticator from the SIP Proxy server. Client now uses this authenticator to create information for its new header Client now uses this authenticator to create information for its new header With this new header attached it sends back REINVITE to Proxy server With this new header attached it sends back REINVITE to Proxy server

Continued.. IPSEC is another way to protect IP packets the secure encryption making them safe from unauthorized access/modification So in one traditional way with shared keys between communicating parties IPSEC can provide the secure path for communication between SIP partners

References… SIP: Wikipedia SIP Security Mechanisms: A state-of-the-art review Dimitris Geneiatakis, Georgios Kambourakis, Tasos Dagiuklas,Costas Lambrinoudakis and Stefanos Gritzalis Newport Networks SBC Whitepaper Denial of Service Attacks Targeting a SIP VoIP Infrastructure: Attack Scenarios and Prevention Mechanisms Dorgham Sisalem and Jiri Kuthan, Tekelec Sven Ehlert, Fraunhofer Fokus Many information chunks from certain websites