Presentation is loading. Please wait.

Presentation is loading. Please wait.

Columbia - Verizon Research Security : VoIP Denial-of-Service

Published byColin Wood Modified over 6 years ago

Similar presentations

Presentation on theme: "Columbia - Verizon Research Security : VoIP Denial-of-Service"— Presentation transcript:

1 Columbia - Verizon Research Security : VoIP Denial-of-Service
Somdutt B. Patnaik Gaston Ormazabal Columbia University Verizon Labs CS Department Friday, November 09, 2018Friday, November 09, 2018

2 Agenda Project Overview Previous Work Problem Areas Goals
The SIP Threat Model DoS attack taxonomy Detection and Mitigation strategy Testbed and Validation strategy Demo Discussion Friday, November 09, 2018Friday, November 09, 2018

3 Previous Work Successfully implemented a large scale SIP-aware Firewall (using dynamic pinhole filtering) The filter is used as a first-line of defence against DoS attacks at the network perimeter and it enforces the following: Only signalled media channels can traverse the perimeter End systems are protected against flooding of random RTP or other attacks. End-points are dumb, we focus on signaling services Friday, November 09, 2018Friday, November 09, 2018

4 Extension to Previous Work
The firewall(pinhole filtering) approach is a great first-line of defense but it does not address the following: Attackers can still traverse the perimeter through the signalling port and media ports; viz., Pinholes cannot distinguish legitimate from illegitimate traffic This lead us to define the new problem... Friday, November 09, 2018Friday, November 09, 2018

5 Mitigation Solution Schematic Description
Untrusted Trusted Filter I Filter II sipd DPPM SIP SIP SIP VoIP Traffic Attack Traffic RTP RTP Friday, November 09, 2018Friday, November 09, 2018

6 Motivation Telephony services migrating to IP become an attractive DoS attack target Attack traffic that traverses the perimeter could target the availability of signalling VoIP service Attack targets could be supporting services (e.g. DNS), SIP infrastructure elements (proxy, softswitch, SBC) and end-points (SIP phones) Friday, November 09, 2018Friday, November 09, 2018

7 VoIP Threat Taxonomy (adopted from VOIPSA)
Scope of our research Refer to for more details on this taxonomy Friday, November 09, 2018Friday, November 09, 2018

8 Scope of Our Research Scope of current work
Friday, November 09, 2018Friday, November 09, 2018

9 Goals Study VoIP DoS Definition – define VoIP specific threats Detection – how do we detect an attack? Mitigation – defence strategy and implementation Validation – validate our defence strategy Generate requirements for future security network elements and test tools for their validation Friday, November 09, 2018Friday, November 09, 2018

10 THE SIP THREAT MODEL REFERENCES:
VoIP Security and Privacy Threat Taxonomy, VoIPSA October 2005 Friday, November 09, 2018Friday, November 09, 2018

11 The SIP Threat Model Eavesdropping Impersonation of a SIP entity
Interception and modification of SIP messages Service Abuse Denial of Service Friday, November 09, 2018Friday, November 09, 2018

12 SIP Threat Model details (1)
Eavesdropping Attacker can monitor signalling/media streams, but cannot or does not alter data itself Signalling channel is not confidential Call Pattern Tracking Discovery of identity, affiliation, presence Traffic Capture Packet recording Number harvesting Unauthorized collection of numbers, s, SIP URIs Friday, November 09, 2018Friday, November 09, 2018

13 SIP Threat Model details (2)
Impersonating of a SIP entity Impersonate a UA Absense of assurance of a request's originator Registration Hijacking – attacker deregisters a legitimate contact and registers its own device for that contact Impersonate a Server UAs should authenticate the server to whom they send requests Attacker impersonates a remote server and intercepts the UA's request Friday, November 09, 2018Friday, November 09, 2018

14 SIP Threat Model details (3)
Interception and modification of SIP messages Man-in-the-middle attack UA is using SIP to communicate media session keys Call Re-routing Attacker might modify the SDP in order to route media streams to a wire-tapping device Conversation Degradation Attacker might cause intentional reduction in QoS False Call Identification Change “Subject” so message considered Spam Friday, November 09, 2018Friday, November 09, 2018

15 SIP Threat Model details (4)
Service Abuse Call Conference Abuse Hide identity for the purpose of committing fraud Premium Rate Service Fraud Artificially increase traffic in order to maximize billing Improper Bypass or Adjustment to Billing Avoid authorized service charge by altering billing records Friday, November 09, 2018Friday, November 09, 2018

16 SIP Threat Model details (5)
Denial of Service Denial-of-Service – preventing users from effectively using the target services Complete loss of service Service degradation to a “not usable” point Distributed denial-of service attacks continue to be the main threat facing network operators* Most attacks involve compromised hosts (bots), with botnets sized from a few thousands to over 100,000* *- Worldwide ISP Security Report, September 2005, Arbor Networks Friday, November 09, 2018Friday, November 09, 2018

17 SIP Threat Model details (6)
Denial of Service (contd.) Worldwide ISP Security Report, September 2005, Arbor Networks Friday, November 09, 2018Friday, November 09, 2018

18 SIP Denial of Service Attacks – A detailed view
Friday, November 09, 2018Friday, November 09, 2018

19 DoS Attack Taxonomy Implementation flaws Application level Flooding
Implementation flaws – codenomicon (PROTOS), Oulu university Conclusions – not focusing on implementation flaws, protos signatures could be integrated with a firewall device Friday, November 09, 2018Friday, November 09, 2018

20 DoS Attack Taxonomy details (1)
Implementation flaws Attacker send carefully crafter packet(s) that exploits a specific implementation flaw Target vulnerability might originate in different levels of the network protocol stack or in the underlying OS/firmware. Might cause excessive memory/disk/CPU consumption and/or system reboot or crash Examples could be: The ping-of-death attack – used to target a bug in the implementation of the IP stack Invalid call setup messages - sending a number of invalid calls set up messages (e.g., ACKs when none is expected) that could cause the endpoint to crash, reboot, or exhaust all its resources. Invalid media - - injection of invalid media into the call processor by the caller or by a third party (by guessing the appropriate control headers of the media stream) could cause the endpoint to crash, reboot, or exhaust all call processing capacity. Dynamic pinhole filtering can help alleviating the problem by blocking media sent by hosts that are not part of the signaled call. A more sophisticated attacker might spoof the IP address of a host that participates in the call and then inject invalid media to the call. Malformed signaling - sending malformed SIP messages (e.g., unusually long or syntactically incorrect) to the UA degrading its performance resulting in inability to process normal messages, setup and teardown calls - testing tools such as PROTOS condumnicom Friday, November 09, 2018Friday, November 09, 2018

21 DoS Attack Taxonomy details (2)
Application level – a feature of SIP is manipulated to cause a DOS attack Registration Hijacking Attacker registers his device with another user's URI Call Hijacking Attacker can inject a “301 Moved Permanently” message to an active session Modification of media sessions Attacker can spoof re-INVITE messages thereby reducing QoS, redirecting media, modifying security attributes Attacker can request arbitrarily large bandwidth in SDP thereby choking the available bandwidth of the proxy Friday, November 09, 2018Friday, November 09, 2018

22 DoS Attack Taxonomy details (3)
Application level (Contd.) Session teardown Attacker can spoof a BYE message and inject it to an active session thereby tearing down the session Amplification attacks Attacker can create bogus requests with falsified Via header field that identifies a target host UAs/proxies generates a DDoS against that target Media streams attack Attacker can inject spoofed RTP packets with high SEQ numbers into the media streams thereby changing the playout sequence Friday, November 09, 2018Friday, November 09, 2018

23 DoS Attack Taxonomy details (4)
Flooding Attacker can flood the network link or overwhelm the target host Usually requires more resources from the attacker Harder to defend against – even the best maintained networks can become congested Variant could be: UDP floods, ICMP echo attacks, SYN floods, etc. Floods of INVITE or REGISTER messages could cause excessive processing at a SIP proxy UDP floods, SYN attacks can be protected by other products in the market. I.e. Arbor Networks, Cisco/Riverhead Technologies For sip threre is no solution and this is where we come, It’s like “peeling the onion” Friday, November 09, 2018Friday, November 09, 2018

24 Our Mitigation Strategy
Friday, November 09, 2018Friday, November 09, 2018

25 Basic Strategy and motivation
Implementation flaws are easier to deal with: Systems can be tested before used in production Systems can be patched when a new flaw is discovered Attack signatures could be integrated with a firewall Application level and flooding attacks are harder to defend against SIP end-points are “dumb” - try to defend SIP infrastructure elements There are commercially available solutions for general UDP/SYN flooding (Arbor Networks, CISCO/Riverhead) but none for SIP Friday, November 09, 2018Friday, November 09, 2018

26 Main Focus of our Strategy...
VULNERABILITY: A common vulnerability to SIP over UDP attacks is the ability to spoof SIP requests Registration/Call Hijacking Modification of Media sessions Session teardown Request flooding Bandwidth over-claim using SDP requests MITIGATION: Perform return routability check For UDP use SIP's built-in digest authentication mechanism Use null-authentication when no shared secret is established Rate-limit spoofed sources Maintain a Cloudshield CAM database of INVITE IPs to verify and accept a BYE message only from legitimate IP addresses Limit bandwidth grants to SDP requests (based on some heuristics) For TCP perform SYN relay Friday, November 09, 2018Friday, November 09, 2018

27 The Scheme sipd DPPM VoIP Traffic Attack Traffic
Untrusted Trusted Filter I Filter II sipd DPPM SIP SIP SIP VoIP Traffic Attack Traffic RTP RTP Friday, November 09, 2018Friday, November 09, 2018

28 SIP Digest Authentication (1)
User Agent Client (UAC) Proxy Server INVITE Generate the nonce value 407 Proxy Authentication Required (nonce, realm..) (nonce, response…) Authentication: compute F(nonce, username, password, realm) and compare with response ACK nonce – a uniquely generated string used for one challenge only and has a life time of X seconds Compute response = F(nonce, username, password, realm) Friday, November 09, 2018Friday, November 09, 2018

29 SIP Digest Authentication (2)
The introduction of digest authentication accounts for nearly 80% of processing cost of a stateless server and 45% of a call stateful server* 70% of additional cost is for message processing and 30% for authentication computation (hashing)* we can see that using authentication has a performance price. This is why we suggest to use the cloudshield to protected the proxy from generating a lot of challenges *- SIP Security Issues: The SIP Authentication Procedure and its Processing Load, Salsano et al., IEEE Network, November 2002 Friday, November 09, 2018Friday, November 09, 2018

30 Mitigation Solution Overview
Untrusted Trusted Filter I Filter II sipd DPPM SIP SIP SIP VoIP Traffic Attack Traffic RTP RTP Friday, November 09, 2018Friday, November 09, 2018

31 Mitigation Implementation (1)
Use the Cloudshield to rate-limit SIP authentication attempts to the proxy Use the firewall controlling proxy model Columbia's SIP Proxy sipd controls the Cloudshield 2000 Deep Packet Inspection Server Utilize wire-speed deep packet inspection State is only kept at Cloudshield Utilize the Firewall Control Protocol to establish filters in real time Insert filters for SIP UAs that are being challenged Friday, November 09, 2018Friday, November 09, 2018

32 Mitigation Implementation (2) Return-Routability Succeeds
INVITE SIP/2.0 Via: SIP/2.0/UDP :5060 Max-Forwards: 70 From: To: Contact: Subject: sipstone invite test CSeq: 3 INVITE Call-ID: Content-Type: application/sdp Content-Length: 211 Proxy-Authorization: Digest username="anonymous", realm="cs.columbia.edu", nonce="6ydARDP51P8Ef9H4iiHmUc7iFDE=", response=" edd6c0b64befc c", opaque="", algorithm="MD5" v=0 o=user IN IP s=Mbone Audio t= i=Discussion of Mbone Engineering Issues c=IN IP t=0 0 m=audio 3456 RTP/AVP 0 a=rtpmap:0 PCMU/8000 INVITE, Proxy-Authorization INVITE INVITE SIP/2.0 Via: SIP/2.0/UDP :5060 Max-Forwards: 70 From: To: Contact: Subject: sipstone invite test CSeq: 1 INVITE Call-ID: Content-Type: application/sdp Content-Length: 211 v=0 o=user IN IP s=Mbone Audio t= i=Discussion of Mbone Engineering Issues c=IN IP t=0 0 m=audio 3456 RTP/AVP 0 a=rtpmap:0 PCMU/8000 407 Needs Auth SIP/ Proxy Authentication Required Via: SIP/2.0/UDP :7898 From: To: tag=2cg7XX0dZQvUIlbUkFYWGA Call-ID: CSeq: 1 INVITE Date: Fri, 14 Apr :51:33 GMT Server: Columbia-SIP-Server/1.24 Content-Length: 0 Proxy-Authenticate: Digest realm="cs.columbia.edu", nonce="6ydARDP51P8Ef9H4iiHmUc7iFDE=", stale=FALSE, algorithm=MD5, qop="auth,auth-int" Mitigation Implementation (2) Return-Routability Succeeds Untrusted Trusted DPPM sipd SIP UA Add Filter ( , ”nonce”) Remove Filter ( , ”nonce”) NPU 407 Needs Auth INVITE, Proxy-Auth INVITE INVITE CAM RAM IP ( , nonce="6ydARDP51P8Ef9H4iiHmUc7iFDE=" ) Friday, November 09, 2018Friday, November 09, 2018

33 Mitigation Implementation (3) Return-Routability Fails
Untrusted Trusted DPPM sipd SIP UA NPU Add Filter ( ,”nonce”) INVITE INVITE 407 Needs Auth INVITE X 407 Needs Auth CAM RAM IP ( , nonce="6ydARDP51P8Ef9H4iiHmUc7iFDE=" ) Friday, November 09, 2018Friday, November 09, 2018

34 Mitigation Implementation (5) Integrated DDOS and Dynamic Pinhole filter
Linux server ASM sipd SIP SIP DDOS Table CAM DPPM FCP/UDP Static Table CAM CAM Dynamic Table ***This diagram will be important to have in a working version to include in the final paper to be sent for publication. Outbound Inbound Lookup Switch Drop Friday, November 09, 2018Friday, November 09, 2018

35 Testbed and Validation Strategy SIPStone
SIPStone is benchmarking tool for SIP proxy and redirect servers SIPStone attempts to measure the request handling capacity of a SIP server or a cluster of servers The implementation performs a series of tests that generates a pre-configured workload For our project SIPStone was enhanced with: Null digest authentication Optional spoofed source IP address SIP requests Friday, November 09, 2018Friday, November 09, 2018

36 Testbed and Validation Strategy Methodology
Use the SIPStone testing tool in a distributed environment to generate SIP traffic Generate both spoofed and legitimate source address requests Measure the following calls/sec throughput values: Legitimate requests, without authentication (Capacity) Legitimate requests, with authentication (Normal) Legitimate and spoofed requests, without authentication (Attack) Legitimate and spoofed requests, with authentication (Defense) Identify the impact of spoofed addresses floods on the calls/sec rate of legitimate requests We should see A << N, and ideally, D = N Friday, November 09, 2018Friday, November 09, 2018

37 Testbed Architecture SIP Proxy Legitimate Loaders (SIPStone) Attack
Call Handlers (SIPStone) Controller (SIPStone) GigE Switch GigE Switch The Cloudshield SIP Proxy Friday, November 09, 2018Friday, November 09, 2018

38 Demonstration Flood of spoofed INVITE requests Session teardown attack
Acquire a legitimate UA IP address Send a flood of spoofed INVITE requests using the UA’s IP address While the firewall blocks the attacker source IP, try to send an INVITE from the legitimate UA The UA’s INVITE is blocked Session teardown attack Sniff on the signaling channel Acquire an active session’s dialog identifiers (Call-ID, tags) and UAs SIP URIs Send a spoofed BYE message Friday, November 09, 2018Friday, November 09, 2018

39 Discussion... Friday, November 09, 2018Friday, November 09, 2018

40 Impact of TLS on DOS A good number of attacks identified will be eliminated TLS is not ready for “prime time” yet Few IP phone vendors are implementing SIP over TCP, a first step towards TLS Friday, November 09, 2018Friday, November 09, 2018

41 Conclusions Have demonstrated SIP vulnerabilities
Have implemented some “carrier-class” mitigation strategies Have built a validation testbed to measure performance Need to generalize methodology to cover a broader range of cases and apply anomaly detection, pattern recognition and learning systems Friday, November 09, 2018Friday, November 09, 2018

42 Backup Slides… Friday, November 09, 2018Friday, November 09, 2018

43 CS-2000 Physical Architecture
Deep Packet Processing Module (DPPM) Executes Network Application Inspecting and Controlling Packet Data Real-Time Silicon Database (128 bits wide X 512K long) and Unstructured Packet Processing CAM technology Single or Dual DPPM Configurations for HA, Performance or Multiple Use Physical Connectivity: Gigabit Ethernet and OC-3/OC-12/OC-48 POS Auxiliary Slots Future use for HDD Module Telemetry Inputs/Outputs Optical Bypass/HA Module Application Server Module (ASM) Hardened Linux Infrastructure Hosts Analysis Applications Network Element Management (Web, CLI, SNMP, ODBC) Mandatory Access Control Programmable High Performance packet processing server Deep Packet Processing Modules (DPPM) based on the Intel IXP 2800 Network Interface Card Silicon database (128 bits wide X 512K long) based on CAM technology Packet processing applications written in a propriety language called RAVE and “pushed” to DPPM Separate control processor to store application and management interface Since CAMs are an outgrowth of RAM technology, in order to understand a CAM, it helps to contrast it with a RAM. RAM is an integrated circuit that stores data temporarily. Data is stored in RAM at a particular location, which is called an address. In RAM, the user supplies the address and gets the data back. The number of address lines limits the depth of a memory using RAM, but the width of the memory can be extended as far as desired. With CAM, the user supplies the data and gets the address back. The CAM searches through the memory in one-clock cycle and returns the address where the data is found. The CAM can be preloaded at device startup and rewritten during device operation. CAM can accelerate any application requiring fast searches of databases, lists, or patterns, such as in image or voice recognition, or computer and communication designs. For this reason, CAM is used in applications where search time is critical and must be very short. For example, the search key could be the IP address of a network user, and the associated information could be a user’s access privileges and location on the network. If the search key presented to the CAM is present in the CAM’s table, the CAM indicates a match and returns the associated information, which consists of the user’s privileges. A CAM can thus operate as a data-parallel or single instruction/ multiple data (SIMD) processor. CAM can be used to accelerate any application ranging from LANs, database management, file-storage management, and table look up to pattern recognition, artificial intelligence, fully associative and processor-specific cache memories, to disk cache memories. Although CAM has many applications, it’s particularly well suited to performing search operations. In each one of these applications the user may not know the addresses of words that have particular pieces of information stored within a specific portion of the word length. Intel has IXP 2850 that already includes the crypto accelerator engines necessary to handle TLS Friday, November 09, 2018Friday, November 09, 2018

44 Session Border Controllers
CS2K CALL SERVER COMPLEX XPM ISM SMDI VOIC SS7 LINKS MS/ENET FLPP STP PAIR CALEA PMA COAM (N240) COAM (N240) IW-SPM MS2010 BCT MAS SSL SESSION MANAGER SSL SYSTEM MANAGER SST SDM CMT/ IEMS MG9K EM XA-CORE SAM21 SIP ERS8600 BEARER LAN ERS8600 CS LAN AER LCR AER AER ADM AER LCR C6509 C6509 MG15K (PVG) ADM GWR SS8 C7206 S/BC S/BC GR303 MG9K OLT SS8 C2950 Session Border Controllers PON PSTN (CLASS 4/5 E911 TOPS AIS) ONT ISG2000 NETSCREEN Friday, November 09, 2018Friday, November 09, 2018 SC3100 SS8 VOIC

Download ppt "Columbia - Verizon Research Security : VoIP Denial-of-Service"

Similar presentations

Copyright © 2007 Telcordia Technologies Challenges in Securing Converged Networks Prepared for : Telcordia Contact: John F. Kimmins Executive Director.

Copyright © 2007 Telcordia Technologies Challenges in Securing Converged Networks Prepared for : Telcordia Contact: John F. Kimmins Executive Director.
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
Hacking Presented By :KUMAR ANAND SINGH 04-243,ETC/2008.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
Securing Unified Communications Mor Hezi VP Unified Communications AudioCodes.

Securing Unified Communications Mor Hezi VP Unified Communications AudioCodes.
September 19, 2006speermint interim1 VoIP Threats and Attacks Alan Johnston.

September 19, 2006speermint interim1 VoIP Threats and Attacks Alan Johnston.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Session Initiation Protocol (SIP) By: Zhixin Chen.

Session Initiation Protocol (SIP) By: Zhixin Chen.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.

بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.
May 23, 2006 Columbia Verizon Research Security: SIP Application Layer Gateway Eilon Yardeni Columbia University Gaston Ormazabal Verizon Labs.

May 23, 2006 Columbia Verizon Research Security: SIP Application Layer Gateway Eilon Yardeni Columbia University Gaston Ormazabal Verizon Labs.
Internet Telephony Helen J. Wang Network Reading Group, Jan 27, 99 Acknowledgement: Jimmy, Bhaskar.

Internet Telephony Helen J. Wang Network Reading Group, Jan 27, 99 Acknowledgement: Jimmy, Bhaskar.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
May 23, 2006 Columbia Verizon Research Security: VoIP Denial-of-Service (DoS) Columbia Verizon Research Security: VoIP Denial-of-Service (DoS) Eilon Yardeni.

May 23, 2006 Columbia Verizon Research Security: VoIP Denial-of-Service (DoS) Columbia Verizon Research Security: VoIP Denial-of-Service (DoS) Eilon Yardeni.
Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.

Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.
Lecture 15 Denial of Service Attacks

Lecture 15 Denial of Service Attacks
SIP Greg Nelson Duc Pham. SIP Introduction Application-layer (signaling) control protocol for initiating a session among users Application-layer (signaling)

SIP Greg Nelson Duc Pham. SIP Introduction Application-layer (signaling) control protocol for initiating a session among users Application-layer (signaling)
Via contains the address at which the originator is expecting to receive responses to this request. Mandatory To contains a display name and a SIP URI.

Via contains the address at which the originator is expecting to receive responses to this request. Mandatory To contains a display name and a SIP URI.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

Similar presentations

Ads by Google