Henning Schulzrinne Gaston Ormazabal Eilon Yardeni Verizon Labs


1 Columbia - Verizon Research: Securing SIP: Scalable Mechanisms For Protecting SIP-Based Systems
Henning Schulzrinne, Kundan Singh, Eilon Yardeni, Somdutt Patnaik (Columbia University, CS Department); Gaston Ormazabal (Verizon Labs); David Helms (CloudShield)
November 14, 2018
Speaker notes: VoIP cannot be fully deployed without solving the DoS problem, and it is very important for Verizon's reputation that they deploy a solution that is completely devoid of the outages that DoS attacks can potentially cause. Such an outage would not mean much to people like Vonage or Skype, but it definitely means a lot to Verizon.

2 Agenda
- Denial of service threats: RTP & SIP
- Pinhole filtering
- SIP DoS detection and mitigation strategy
- Implementation: CloudShield
- Testing methodology and results

3 Background
- Telephony services migrating to IP are becoming an attractive DoS target
- Attack traffic traversing the perimeter reduces availability of signaling and media for the VoIP service
- Attack targets:
  - SIP infrastructure elements (proxy, softswitch, SBC)
  - end-points (SIP phones)
  - supporting services (e.g., DNS)
- Carriers need to solve the perimeter protection problem for security of VoIP services
  - Protocol-aware application layer gateway
  - SIP DoS/DDoS attack detection and prevention
  - Test tools verify performance & scalability
Speaker notes: Verizon has made a strategic decision that all future deployments of VoIP will be SIP based.

4 Goals
- Build a prototype of the fastest dynamic pinhole filter firewall for RTP media
- Study VoIP DoS for SIP signalling
  - Definition: define SIP-specific threats
  - Detection: how do we detect an attack?
  - Mitigation: defense strategy and implementation
  - Validation: validate our defense strategy
- Generate requirements for future security network elements
- Generate the test tools and methodology strategies for their validation
Speaker notes: Mention patents. To define the problem we need to understand the threats and vulnerabilities of the SIP protocol; hence we need to build a threat model. We don't need to re-invent the wheel: the VoIP Security Alliance, led by Prof. Schulzrinne, has laid down the VoIP threat model, which we adopt here.

5 Problem Overview
[Diagram: untrusted side, Filter I and Filter II in front of the DPPM and sipd; VoIP traffic and attack traffic arrive over both SIP and RTP]
Speaker notes: Give an overview of last year's filtering and briefly mention the new filters for the 5060 channel as the current work.

6 Scope of Our Research
- Scope of current work: looking at most aspects except QoS and malformed requests/messages
- Implementation flaws: malformed requests
- Call hijacking and spoofed messages: application-level attacks
- Flooding attacks

7 Basic Strategy and Motivation
- Implementation flaws are easier to deal with:
  - Systems can be tested before being used in production
  - Systems can be patched when a new flaw is discovered
  - Attack signatures could be integrated with a firewall
- Protocol & flooding attacks are harder to defend against
- Commercially available solutions exist for general UDP/SYN flooding, but none for SIP -> address protocol and flooding attacks specifically for SIP
Speaker notes: UDP floods and SYN attacks can be protected against by other products in the market, i.e. Arbor Networks, Cisco/Riverhead Technologies. For SIP there is no solution, and this is where we come in. It's like "peeling the onion".

8 Main Focus of our Strategy
VULNERABILITY: SIP over UDP -> spoofing SIP requests
- Registration/call hijacking
- Modification of media sessions
- Session teardown
- Request flooding
- Error message flooding
- SIP 'Method' vulnerabilities
STRATEGY: Two detection and mitigation filters
- Media: SIP-aware dynamic pinhole filtering
- SIP: Rule-based detection and mitigation filters

9 Media Filters
- Implemented a large-scale SIP-aware firewall using dynamic pinhole filtering
- Media filter as first line of defense against DoS attacks:
  - Only signaled media channels can traverse the perimeter
  - End systems are protected against flooding by random RTP
- The RTP pinhole filtering approach is a good first line of defense, but...
  - The signaling port is subject to attack
  - The signaling channel is subject to bad traffic since it is open to all kinds of incoming traffic

10 Ongoing - SIP DoS Detection and Mitigation Filters
- Authentication based: return routability check
  - For UDP, use SIP's built-in digest authentication mechanism
  - Use null authentication when no shared secret is established
  - Filter out spoofed sources
- Rate limiting
  - Transaction based: thresholding of message rates (INVITE, errors)
  - State machine sequencing: filter "out-of-state" messages, allow "in-state" messages
  - Dialog based: maintain a database of INVITE sources (Contacts) to verify and accept a BYE message only from legitimate source addresses
- Method vulnerability based
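The four mechanisms on this slide can be sketched as one rule-based filter in front of the proxy. The Python below is an added example, not code from the Columbia/Verizon prototype (which runs in the CloudShield data plane). It assumes a sliding-window INVITE limit (INVITE_LIMIT and WINDOW are constructed values), a null-authentication return-routability check in which the filter issues a nonce in a challenge and a source must echo it in an Authorization header before its INVITEs are forwarded, and a Call-ID to source table used to reject ACK/BYE/CANCEL that are out of state or come from an address that never sent the INVITE. Class and function names and the sample messages built by make_request are constructed.

```python
import re
import secrets
import time
from collections import defaultdict, deque

# Constructed thresholds: the deck says INVITE rates are thresholded per source
# but gives no numbers.
INVITE_LIMIT = 5      # INVITEs accepted from one source per WINDOW seconds
WINDOW = 1.0


def parse_request(raw):
    """Return (method, {lower-cased header: value}) for a SIP request,
    or (None, {}) if the first line is not a request line (e.g. a response)."""
    lines = raw.splitlines()
    m = re.match(r"^([A-Z]+) \S+ SIP/2\.0$", lines[0] if lines else "")
    if not m:
        return None, {}
    headers = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return m.group(1), headers


class SipDosFilter:
    """Rule-based SIP request filter: return-routability (null-auth challenge),
    per-source INVITE rate limiting, out-of-state rejection and dialog-owner
    checks for ACK/BYE/CANCEL."""

    def __init__(self, now=time.monotonic):
        self.now = now
        self.invites = defaultdict(deque)   # src -> timestamps of recent INVITEs
        self.dialogs = {}                   # Call-ID -> source that opened it
        self.pending = {}                   # src -> nonce it must echo back
        self.verified = set()               # sources that answered a challenge

    def handle(self, src, raw):
        """Return (verdict, detail); verdict is 'pass', 'drop' or 'challenge'."""
        method, headers = parse_request(raw)
        if method is None:
            return "drop", "not a SIP request"
        call_id = headers.get("call-id")
        if call_id is None:
            return "drop", "missing Call-ID"

        if method == "INVITE":
            # Transaction-based thresholding: sliding window of INVITEs per source.
            q, t = self.invites[src], self.now()
            while q and t - q[0] > WINDOW:
                q.popleft()
            if len(q) >= INVITE_LIMIT:
                return "drop", "INVITE rate exceeded"
            q.append(t)
            # Return routability: a spoofed source never receives the nonce sent
            # to it, so it cannot echo it back. The first INVITE from a new
            # source is answered with a challenge instead of reaching the proxy.
            if src not in self.verified:
                nonce = self.pending.get(src)
                if nonce and f'nonce="{nonce}"' in headers.get("authorization", ""):
                    self.verified.add(src)
                    del self.pending[src]
                else:
                    self.pending[src] = secrets.token_hex(8)
                    return "challenge", self.pending[src]
            self.dialogs[call_id] = src
            return "pass", "INVITE forwarded"

        if method in ("ACK", "BYE", "CANCEL"):
            # State-machine and dialog checks: the Call-ID must belong to a live
            # dialog, and the sender must be the address that sent the INVITE.
            owner = self.dialogs.get(call_id)
            if owner is None:
                return "drop", f"{method} out of state: no dialog for Call-ID"
            if owner != src:
                return "drop", f"{method} from a source that did not send the INVITE"
            if method == "BYE":
                del self.dialogs[call_id]
            return "pass", f"{method} forwarded"

        return "pass", f"{method} forwarded"


def make_request(method, call_id, nonce=None):
    """Build a minimal SIP request (constructed sample, CRLF line endings)."""
    lines = [f"{method} sip:bob@example.net SIP/2.0",
             "Via: SIP/2.0/UDP 192.0.2.10:5060",
             "From: <sip:alice@example.net>;tag=1",
             "To: <sip:bob@example.net>",
             f"Call-ID: {call_id}",
             f"CSeq: 1 {method}"]
    if nonce:
        lines.append(f'Authorization: Digest username="alice", nonce="{nonce}", response=""')
    return "\r\n".join(lines) + "\r\n\r\n"
```

The rate counter is checked before the routability check so that a flood of unverified INVITEs from one address still costs the attacker a challenge round trip and is capped at INVITE_LIMIT per window; a real deployment would also expire entries in pending and dialogs.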

11 Mitigation Solution Overview
[Diagram: untrusted and trusted sides, each with Filter I and Filter II in front of the DPPM and sipd; VoIP traffic and attack traffic over SIP and RTP in both directions]

12 Application Server Module
[Diagram: CloudShield CS-2000 system-level port distribution: Application Server Module (Pentium 1 GHz ASM) and two DPPMs (Intel IXP 2800) connected over a 1000 Mb/s backplane with Gigabit Ethernet interconnects; 10/100/1000 and 10/100 ports]
Main features:
- Fully programmable packet processing engine with 5 Gbps processing capacity per 2RU
- Stateful tracking of up to 16 million flows per blade (2 blades per chassis)
- Payload regex search support
- Packet handling: drop, rate shape, redirect, overwrite, resize, copy, and create
- Fragment and stream reassembly
- Available with GbE and OC-3, -12, -48 POS (10GbE Q1CY07) interfaces

13 CS-2000 Processing Pipeline
- Management plane functions: management; visualization; collaboration
- Control plane functions: data APIs; reporting; provisioning
- Data plane packet operations: program execution, silicon database, pattern matching, protocol engines, stream assembly, application logic

14 Prototype Implementation
- Use the network processor to filter RTP media and SIP authentication attempts to the proxy and rate-limit messages based on particular heuristics:
  - Utilize wire-speed deep packet inspection
  - Thresholds are kept internal to the DPPM
  - State is only kept at the CloudShield, in CAM tables
- Use the firewall-controlling proxy model for media filtering and the authentication filter
  - Columbia's SIP proxy sipd controls the CloudShield CS-2000 deep packet inspection server
  - Utilize the Firewall Control Protocol to establish filters in real time
  - Insert filters for media ports and for SIP UAs that are being challenged

15 Pinhole Firewall Components
- Static Filtering: filtering of pre-defined ports (e.g., SIP, ssh)
- Dynamic Filtering: filtering of dynamically opened ports (e.g., RTP)
- Switching Layer: perform switching between the input ports
- Firewall Control Module
  - Intercept SIP call setup messages
  - Get RTP ports from the SDP
  - Maintain call state
- Firewall Control Protocol
  - The way the Firewall Control Module talks with the CloudShield
  - Push dynamic table updates to the data plane
  - Could be used by multiple SIP proxies that control one or more CloudShield firewalls
[Diagram labels: CS-2000 Data Plane Execution; Part of SIP-proxy, Executed in the Linux Control Plane]
Speaker notes: the API between the Firewall Control Messages module and the Control Messages Proxy should be based on both in-box communication and socket communication, since sipd could also run on a separate box.
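As an added example covering the media filter from slide 9 and the Firewall Control Module on this slide (it is not the prototype's module or the Firewall Control Protocol), the Python below follows the INVITE / 200 OK / BYE exchange, reads the media address and port from the c= and m=audio lines of each SDP body, and maintains the dynamic pinhole table that a default-deny data plane would consult. It assumes one RTP stream per call with RTCP on the next port, opened in both directions, which is how four pinholes per call (120K for 30K calls) arise. Class and function names, the table layout and the sample messages built by build_message are constructed.

```python
import re


def parse_sip(raw):
    """Split a SIP message into (start line, {lower-cased header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_sdp(body):
    """Return (ip, rtp_port) from the c= line and the first audio m= line,
    or None if either is missing."""
    ip = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    port = re.search(r"^m=audio (\d+) RTP/AVP", body, re.M)
    return (ip.group(1), int(port.group(1))) if ip and port else None


class PinholeController:
    """Firewall Control Module stand-in: follows INVITE / 200 OK / BYE, takes the
    media endpoints from the SDP and keeps the dynamic pinhole table.
    Table entries are (src_ip, src_port, dst_ip, dst_port)."""

    def __init__(self):
        self.calls = {}        # Call-ID -> {"offer": (ip, port), "answer": (ip, port)}
        self.pinholes = set()  # what would be pushed to the data plane's dynamic table

    def observe(self, raw):
        start, headers, body = parse_sip(raw)
        call_id = headers.get("call-id")
        media = parse_sdp(body)
        if start.startswith("INVITE ") and media:
            self.calls[call_id] = {"offer": media}     # offer only: open nothing yet
        elif (start.startswith("SIP/2.0 200 ")
              and headers.get("cseq", "").endswith("INVITE") and media):
            call = self.calls.get(call_id)
            if call and "answer" not in call:          # a 200 for an unknown call opens nothing
                call["answer"] = media
                self._update(call, open_=True)         # both ends signalled: open pinholes
        elif start.startswith("BYE ") and call_id in self.calls:
            call = self.calls.pop(call_id)
            if "answer" in call:
                self._update(call, open_=False)        # teardown: close pinholes

    def _update(self, call, open_):
        (a_ip, a_port), (b_ip, b_port) = call["offer"], call["answer"]
        entries = set()
        for off in (0, 1):             # RTP port and the RTCP port one above it
            entries.add((a_ip, a_port + off, b_ip, b_port + off))
            entries.add((b_ip, b_port + off, a_ip, a_port + off))
        if open_:
            self.pinholes |= entries
        else:
            self.pinholes -= entries

    def allowed(self, src_ip, src_port, dst_ip, dst_port):
        """Data-plane lookup: default deny, only signalled 4-tuples pass."""
        return (src_ip, src_port, dst_ip, dst_port) in self.pinholes


def build_message(start_line, call_id, cseq_method, sdp=None):
    """Constructed sample SIP message with an optional minimal SDP body."""
    body = ""
    if sdp:
        ip, port = sdp
        body = f"v=0\r\nc=IN IP4 {ip}\r\nm=audio {port} RTP/AVP 0\r\n"
    return (f"{start_line}\r\nCall-ID: {call_id}\r\nCSeq: 1 {cseq_method}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")
```

Only the answered call opens anything: random RTP aimed at a port that appears in an unanswered offer, or at an address pair never signalled, fails the lookup, which is the "only signaled media channels can traverse the perimeter" property of slide 9.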

16 PacketWorks IDE
- Eclipse-based development environment
- RAVE DPI language editor, compiler and debugger
- Software simulation of the CS-2000 DPPM engine

17 Integrated DDOS and Dynamic Pinhole Filter
[Diagram: Linux server with ASM running sipd, linked to the DPPM over FCP/UDP; the DPPM holds three CAM tables (DDOS table, static table, dynamic table); inbound and outbound SIP traffic goes through lookup and is then switched or dropped]
Speaker notes: This diagram will be important to have in a working version to include in the final paper to be sent for publication.

18 Integrated Testing and Analysis Tool
Pinhole Filter Integrated End Point tool components:
- SIPUA Test Suite Loader/Handler
  - Establishes calls using SIP
  - Sends 160-byte RTP packets every 20 ms (settable to a shorter interval if needed for granularity)
  - Starts RTP sequence numbers from zero
  - Dumps call number, sequence number, current timestamp and port numbers to a file
- Scanning probes: nmap
- Automated script-based control software
- Timing devices
- Data Analysis Module
  - Analyze the handler's file for initial and teardown call delays
  - Number of packets dropped before pinhole opening
  - Number of packets crossing after pinhole closing
  - Scan results for pinhole coverage
- Protocol analyzer: SNORT
- Graphical displays

19 Integrated End Point
[Diagram: an IEP on the untrusted side and an IEP on the trusted side of the SUT; each IEP contains a traffic generator (SIPUA Loader/Handler for signaling and media generation), a traffic analyzer, port scanning probes and SNORT, with control and analysis and timing synchronization; media passes through the pinholes, while scanning/probing traffic is directed at the SUT]

20 Testbed Architecture
[Diagram: Controller, Handler IEP, Loader IEP, SIP Proxy, external loaders (SIPUA) and external handlers (SIPUA), connected through two GigE switches]

21 Testing And Analysis Methodology
- Problem parameterized along two independent vectors
  - Call rate (calls/sec): related to performance of the SIP proxy on the Pentium
  - Concurrent calls: related to performance of table lookup in the IXP 2800
- Generate external load on the firewall
  - SIPUA Loader/Handler in external load mode generates thousands of concurrent RTP sessions
  - For 30K concurrent calls there are 120K open pinholes
  - CAM table length is 120K entries; the search algorithm finds a match in one cycle
- When the external load is established, run the IEP analysis
  - SIPUA Loader/Handler in internal load mode
  - Port scanning and protocol analyzer
  - Increment the calls/sec rate
  - Measure pinhole opening and closing delays
    - Opening delay data provided in units of 20 ms packets
    - Closing delay data provided in units of 10 ms packets
  - Detect pinholes extraneously open
- Data collected in Excel spreadsheet format (number of concurrent calls, calls/sec, opening delay, closing delay, device)
[Diagram labels: SIP Proxy, SIP, RAVE]
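The Data Analysis Module from slide 18 and the delay measurements on this slide, as an added example in Python (not the project's tool). It assumes a handler dump with one RTP row per received packet (call, sequence number, timestamp in ms, port) plus an extra BYE row recording when teardown was signalled; the row layout, the sample log and the device label are constructed. Because the loader starts sequence numbers at zero, the first sequence number the handler sees is the count of packets dropped before the pinhole opened, and packets with timestamps after the BYE are those that crossed after the pinhole should have closed.

```python
from collections import defaultdict

# Constructed handler dump. Call 1 lost its first three packets before the pinhole
# opened, lost one packet mid-call (seq 6), and two packets still crossed after BYE.
# Call 2 is the clean case.
HANDLER_LOG = """\
RTP,1,3,60,49170
RTP,1,4,80,49170
RTP,1,5,100,49170
RTP,1,7,140,49170
BYE,1,150
RTP,1,8,160,49170
RTP,1,9,180,49170
RTP,2,0,0,49172
RTP,2,1,20,49172
RTP,2,2,40,49172
BYE,2,50
"""

RTP_INTERVAL_MS = 20   # loader send interval: the opening-delay unit on the slide
CLOSE_UNIT_MS = 10     # closing-delay unit on the slide


def analyze(log_text):
    """Per call: packets lost before the pinhole opened, opening delay, mid-call
    loss, packets that crossed after BYE, and closing delay in 10 ms units."""
    rtp = defaultdict(list)
    bye = {}
    for line in log_text.splitlines():
        fields = line.split(",")
        if fields[0] == "RTP":
            call, seq, ts = int(fields[1]), int(fields[2]), int(fields[3])
            rtp[call].append((seq, ts))
        elif fields[0] == "BYE":
            bye[int(fields[1])] = int(fields[2])

    results = {}
    for call, pkts in rtp.items():
        pkts.sort()
        first_seq = pkts[0][0]
        cutoff = bye.get(call, float("inf"))
        before = [p for p in pkts if p[1] <= cutoff]      # received while the call was up
        after = [p for p in pkts if p[1] > cutoff]        # leaked through after teardown
        expected = (before[-1][0] - first_seq + 1) if before else 0
        results[call] = {
            "dropped_before_open": first_seq,              # seq starts at 0, so lost = first seen
            "opening_delay_ms": first_seq * RTP_INTERVAL_MS,
            "lost_mid_call": expected - len(before),       # gaps in the sequence while open
            "leaked_after_close": len(after),
            "closing_delay_units": ((after[-1][1] - bye[call]) // CLOSE_UNIT_MS) if after else 0,
        }
    return results


def extraneous_pinholes(scanned_open, signalled):
    """Ports a scan found open that no active call signalled: pinholes that are
    open when they should not be (the 'extraneously open' check on the slide)."""
    return sorted(set(scanned_open) - set(signalled))


def summary_row(results, concurrent_calls, calls_per_sec, device):
    """One spreadsheet row in the deck's column order, using the worst-case
    opening and closing delay across the calls in the run."""
    opening = max(r["opening_delay_ms"] for r in results.values())
    closing = max(r["closing_delay_units"] for r in results.values()) * CLOSE_UNIT_MS
    return f"{concurrent_calls},{calls_per_sec},{opening},{closing},{device}"


if __name__ == "__main__":
    res = analyze(HANDLER_LOG)
    for call, r in sorted(res.items()):
        print(call, r)
    print(summary_row(res, 30000, 100, "example-device"))
```

Separating mid-call loss from the opening and closing counts matters for interpretation: loss before the first packet is attributable to pinhole opening delay, while gaps in the middle of a call point at the data plane or the network rather than the filter.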

22 Pinhole Filter Data Results

23 Conclusions
- Demonstrated SIP vulnerabilities in media and signaling
- Implemented some "carrier-class" mitigation strategies
- Built a validation testbed to measure performance
- Need to generalize the methodology to cover a broader range of cases and apply anomaly detection, pattern recognition and learning systems

