Advanced Flooding Attack on a SIP Server Xianglin Deng, Canterbury University Malcolm Shore, Canterbury University & Telecom NZ.


SIP Protocol: SIP is used as the connection mechanism for IP-based multimedia services, including VoIP. SIP is normally deployed as a service not requiring user authentication. SIP can be configured to operate in authenticated mode.

SIP Flooding: SIP is vulnerable to flooding attacks. A typical attack would be an INVITE flood. [Diagram: Attacker, SIP Proxy, SIP Client; messages: INVITE, RINGING, Busy here, TRYING]

SIP Flooding: SIP with authentication is more vulnerable to flooding attacks. [Diagram: Attacker, SIP Proxy, SIP Client; messages: INVITE, 407 …; proxy: nonce generate and store]

SIP Flooding: Firewalls can provide SIP anti-flooding protection. [Diagram: INVITE, Blocked…]

SIP Flooding: We can defeat the firewall anti-flooding mechanism. [Diagram: INVITE]

SIP Flooding: We propose a Security Enhanced SIP System (SESS): a non-authenticated SIP proxy with optional firewall authentication. It involves enhancement of the firewall with predictive nonce checking (Rosenberg). It involves priority queues (Ohta). The SIP proxy maintains known user lists (DSouza). It incorporates a synchronisation protocol (KASP). We enhance the predictive nonce checking, priority queues and user lists.

Predictive Nonce Checking (Rosenberg 2001), between Client and SIP proxy server:
1. Client to server: INVITE/REGISTER.
2. Server: generate predictive nonce.
3. Server to client: 407/401 with nonce, realm.
4. Client: compute response = F(nonce, username, password, realm).
5. Client to server: INVITE/REGISTER with nonce, realm, username, response.
6. Server (authentication): compute F(nonce, username, password, realm) and compare with response.
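
The exchange above with a nonce the server can recompute instead of store, as an added example (not code from the presentation). The HMAC over source IP and timestamp, the 30-second lifetime, the constructed account and the SHA-256 stand-in for F are assumptions; the slides do not specify them.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"       # assumption: key held only by the server
LIFETIME = 30                             # assumption: seconds a nonce stays valid
REALM = "example.invalid"                 # constructed realm
USERS = {"2000": "constructed-password"}  # constructed account

def _mac(src_ip, ts):
    return hmac.new(SECRET, f"{src_ip}|{ts}".encode(), hashlib.sha256).hexdigest()

def make_nonce(src_ip, now):
    """Derive the nonce from source IP and time; the server stores nothing."""
    ts = int(now)
    return f"{ts}:{_mac(src_ip, ts)}"

def nonce_is_ours(nonce, src_ip, now):
    """Recompute the MAC: rejects forged, expired and wrong-source nonces."""
    try:
        ts_text, mac = nonce.split(":", 1)
        ts = int(ts_text)
    except ValueError:
        return False
    fresh = 0 <= now - ts <= LIFETIME
    return fresh and hmac.compare_digest(mac.encode(), _mac(src_ip, ts).encode())

def F(nonce, username, password, realm):
    """Stand-in for the slide's F (assumption: plain SHA-256 over the fields)."""
    data = ":".join((username, realm, password, nonce)).encode()
    return hashlib.sha256(data).hexdigest()

def handle(src_ip, now, creds=None):
    """Return (status, new_nonce) for an INVITE/REGISTER from src_ip."""
    if creds is None or not nonce_is_ours(creds["nonce"], src_ip, now):
        return 407, make_nonce(src_ip, now)   # challenge; no per-request state kept
    password = USERS.get(creds["username"])
    if password is None:
        return 403, None
    expected = F(creds["nonce"], creds["username"], password, REALM)
    ok = hmac.compare_digest(expected.encode(), creds["response"].encode())
    return (200, None) if ok else (403, None)
```

A request carrying a nonce the server did not issue is turned away with a fresh challenge before any user lookup or hash over credentials is done.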

Improved Nonce Checking

Priority Queues (Ohta 2006): Assign different priority to SIP INVITE messages.

Improved Priority Queues: Assign priorities based on the source IP address. A VoIP service provider would benefit from giving frequent users higher priorities.

User Lists (DSouza 2004): Assigns high priority to known hosts.

Improved User Lists: Enforce authentication on unknown hosts. Defines a dual-stage list. Adds expiry to the lists.

KASP Packet Structure: IP Header | UDP Header | KASP:+fu

SESS [Flowchart. Legend: nu = userlist, fu = frequent userlist. Steps and decisions shown: Listen on incoming packets; Extract source IP addr; In fu?; Reset timer, update received time; Is ACK?; Process SIP message; In nu?; Last call made in time t?; Promote user to fu, update received time; Add user to nu, send update firewall info; Timer expire interrupt; Is a fu?; Remove user from fu; Remove user from nu.]

JAIN SLEE advantages: It is designed for telecommunications low-latency and high-throughput environments (10-20 calls per second per CPU; ~10 events per call; <200ms RTT). Its container-based infrastructure enables easy integration of new services and technologies. Better availability and scalability through clustering. A high-level programming language, Java, is used, which reduces the time to market.

JAIN SLEE main operation: When a message arrives at SLEE, it first goes through a resource adapter. The resource adapter wraps the message and sends it to an activity context. SBBs that have subscribed to the activity context receive the event and process it.

SESS implementation: Modified the SIP proxy SBB. Observations on use of JAIN SLEE: Enhancement was possible with existing knowledge of Java. Modifications were easy and low risk due to the component architecture resulting from the JAIN SLEE approach. Enhancement completed and tested in 3 days. High level of confidence in the resulting server. Much simpler and so more reliable than C. No opportunity to trial throughput or availability claims. Existence of many Java libraries provides a rich source of reusable code.

Experimental Results Average setup delays: = 9.39;(7.06)7.14;0.675;0.487 seconds

Experimental Results: No discernible impact on the SIP proxy CPU … no INVITE flood attack packets penetrate

SIP ACK flooding: Average setup delay = 5.9 seconds. 500 Server Internal error occurred.

Temporary User List: ACK flood can still penetrate the SESS protection. We use a temporary user list to ensure that ACKs cannot be accepted without an INVITE. [Diagram messages: INVITE, 407, INVITE, KASP+nu, OK, INVITE, OK, ACK]

ISESS [Sequence diagram. Participants: Internet, Firewall, SIP Proxy, Internal client. Legend: improved predictive nonce checking process; security-enhanced SIP proxy process. Labels: User 2000 makes 1st call; User 2000 makes 2nd call; INVITE; 200OK; ACK; Temp. allow user ACK; Update user list; Voice stream.]
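
One reading of the SESS flowchart, the dual-stage list with expiry, and the temporary user list for ACKs, as an added example (not the authors' JAIN SLEE code). The class and method names, the three timeout parameters and the exact branch order are assumptions; KASP synchronisation with the firewall and the priority queues are left out.

```python
class SessLists:
    """nu = user list, fu = frequent user list, temp = INVITEs awaiting an ACK."""

    def __init__(self, promote_window, list_ttl, temp_ttl):
        # All three durations (seconds) are assumed parameters.
        self.promote_window = promote_window
        self.list_ttl = list_ttl
        self.temp_ttl = temp_ttl
        self.nu, self.fu, self.temp = {}, {}, {}   # source IP -> last received time

    def expire(self, now):
        """Timer expiry: drop entries not refreshed within their lifetime."""
        for table, ttl in ((self.fu, self.list_ttl), (self.nu, self.list_ttl),
                           (self.temp, self.temp_ttl)):
            for ip in [ip for ip, seen in table.items() if now - seen > ttl]:
                del table[ip]

    def on_invite(self, ip, now, authenticated=False):
        """Classify an INVITE as 'frequent', 'known', 'new' or 'challenge'."""
        self.expire(now)
        if ip in self.fu:
            self.fu[ip] = now                      # reset timer
            verdict = "frequent"
        elif ip in self.nu and now - self.nu[ip] <= self.promote_window:
            del self.nu[ip]                        # last call was recent: promote
            self.fu[ip] = now
            verdict = "frequent"
        elif ip in self.nu:
            self.nu[ip] = now
            verdict = "known"
        elif authenticated:
            self.nu[ip] = now                      # first authenticated call
            verdict = "new"
        else:
            return "challenge"                     # unknown host must authenticate
        self.temp[ip] = now                        # an ACK is now expected
        return verdict

    def on_ack(self, ip, now):
        """Accept an ACK only if this source has an INVITE outstanding."""
        self.expire(now)
        return self.temp.pop(ip, None) is not None
```

The verdict is what a priority queue would key on, and `on_ack` returning False is the case the temporary list exists for: an ACK from a source with no matching INVITE.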

Experimental results Average setup delays: = 9.39; 8.356; 1.147; seconds

SIP ACK FLOODING Average setup delays: = seconds

Experimental Results With ISESS, no ACK flood packets penetrate

Conclusion: SIP is vulnerable to flooding attack. Commercial anti-flooding mechanisms can be defeated. Current research provides some mitigation but is incomplete. ISESS synthesises and extends current research into a substantially more complete solution to the problem of SIP flooding.

Questions?