Published by Bryan Ritchie. Modified over 11 years ago
1
Advanced Flooding Attack on a SIP Server
Xianglin Deng, Canterbury University
Malcolm Shore, Canterbury University & Telecom NZ
2
SIP Protocol
SIP is used as the connection mechanism for IP-based multimedia services, including VoIP
SIP is normally deployed as a service not requiring user authentication
SIP can be configured to operate in authenticated mode
3
SIP Flooding
SIP is vulnerable to flooding attacks. A typical attack would be an INVITE flood.
[Diagram. Participants: Attacker, SIP Proxy, SIP Client. Messages shown: INVITE, RINGING, Busy here, TRYING]
4
SIP Flooding
SIP with authentication is more vulnerable to flooding attacks.
[Diagram. Participants: Attacker, SIP Proxy, SIP Client. Messages shown: INVITE, 407 … nonce generate and store]
5
SIP Flooding
Firewalls can provide SIP anti-flooding protection.
[Diagram. INVITE: Blocked…]
6
SIP Flooding
We can defeat the firewall anti-flooding mechanism.
[Diagram. Message shown: INVITE]
7
SIP Flooding
We propose a Security Enhanced SIP System (SESS)
Non-authenticated SIP proxy with optional firewall authentication
Involves enhancement of the firewall with predictive nonce checking (Rosenberg)
Involves priority queues (Ohta)
The SIP proxy maintains known user lists (DSouza)
Incorporates a synchronisation protocol (KASP)
We enhance the predictive nonce checking, priority queues and user lists
8
Predictive Nonce Checking
Rosenberg 2001
Client -> SIP proxy server: INVITE/REGISTER
SIP proxy server: Generate predictive nonce
SIP proxy server -> Client: 407/401 (nonce, realm)
Client: Compute response = F(nonce, username, password, realm)
Client -> SIP proxy server: INVITE/REGISTER (nonce, realm, username, response)
SIP proxy server: Authentication: compute F(nonce, username, password, realm) and compare with response
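The exchange above, sketched as an added example (not code from the presentation), to show why a predictive nonce removes the "generate and store" cost of the 407 step: the server recomputes the nonce instead of looking it up. The slides do not give the nonce construction or F; the HMAC over source IP and time slot, the digest-style F, the secret, the window and the sample user are all assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # assumption: key known only to the proxy/firewall
WINDOW = 30                          # assumption: nonce lifetime slot, in seconds


def predictive_nonce(src_ip: str, now: float) -> str:
    """Nonce derived from source IP and time slot, so nothing is stored per request."""
    slot = int(now // WINDOW)
    mac = hmac.new(SECRET, f"{src_ip}|{slot}".encode(), hashlib.sha256).hexdigest()
    return f"{slot:x}.{mac[:32]}"


def nonce_is_ours(nonce: str, src_ip: str, now: float) -> bool:
    """Recompute the nonce for the current and previous slot and compare."""
    current = int(now // WINDOW)
    for slot in (current, current - 1):
        expected = predictive_nonce(src_ip, slot * WINDOW)
        if hmac.compare_digest(expected.encode(), nonce.encode()):
            return True
    return False


def F(nonce: str, username: str, password: str, realm: str) -> str:
    """Stand-in for the slide's F(): digest-style MD5 chaining (assumption)."""
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}".encode()).hexdigest()


def authenticate(src_ip, nonce, realm, username, response, passwords, now) -> bool:
    # Cheap stateless check first: a forged or stale nonce is rejected
    # before any user lookup or response computation happens.
    if not nonce_is_ours(nonce, src_ip, now):
        return False
    password = passwords.get(username)
    if password is None:
        return False
    expected = F(nonce, username, password, realm)
    return hmac.compare_digest(expected.encode(), response.encode())
```
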
9
Improved Nonce Checking
10
Priority Queues Ohta 2006 Assign different priority to SIP INVITE messages
11
Improved Priority Queues
Assign priorities based on the source IP address.
A VoIP service provider would benefit from giving frequent users higher priorities
12
User Lists DSouza 2004 Assigns high priority to known hosts
13
Improved User Lists
Enforce authentication on unknown hosts
Defines a dual-stage list
Adds expiry to the lists
14
KASP
Packet Structure: IP Header | UDP Header | KASP:+fu10.0.0.34
15
SESS
[Flowchart. nu = userlist, fu = frequent userlist]
Decisions: In fu? / Is ACK? / In nu? / Last call made in time t? / Is a fu?
Actions: Listen on incoming packets / Extract Source IP addr / Reset Timer, update received time / Process SIP message / Promote user to fu, update received time / Add user to nu, Send Update firewall info / Reset Timer / Timer expire interrupt / Remove user from fu / Remove user from nu
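One reading of the dual-stage list logic in this flowchart, as an added example that is not the presentation's SBB code. The threshold t, the expiry length, moving an entry out of nu on promotion, and the class and method names are assumptions; the notification string copies the shape of the sample KASP payload on the previous slide.

```python
class UserLists:
    """Dual-stage lists keyed by source IP: nu = user list, fu = frequent user list."""

    def __init__(self, t=3600.0, expiry=86400.0):
        self.t = t                  # assumption: the flowchart's "time t", in seconds
        self.expiry = expiry        # assumption: one timer length for both lists
        self.nu = {}                # source IP -> time of last call
        self.fu = {}
        self.firewall_updates = []  # notices queued for the firewall

    def _notify(self, name, ip):
        # Payload shape copied from the slide's sample "KASP:+fu10.0.0.34"
        self.firewall_updates.append(f"KASP:+{name}{ip}")

    def expire(self, now):
        """Timer expiry: drop entries not seen for longer than self.expiry."""
        removed = []
        for table in (self.fu, self.nu):
            for ip in [ip for ip, seen in table.items() if now - seen > self.expiry]:
                del table[ip]
                removed.append(ip)
        return removed

    def on_call(self, ip, now):
        """Record a completed call from ip and return the list it now sits in."""
        self.expire(now)
        if ip in self.fu:
            self.fu[ip] = now       # reset timer, update received time
            return "fu"
        if ip in self.nu and now - self.nu[ip] <= self.t:
            del self.nu[ip]         # assumption: promotion moves the entry
            self.fu[ip] = now
            self._notify("fu", ip)
            return "fu"
        if ip not in self.nu:
            self._notify("nu", ip)  # new user: tell the firewall
        self.nu[ip] = now
        return "nu"

    def priority(self, ip):
        """2 = frequent user, 1 = known user, 0 = unknown (must authenticate)."""
        return 2 if ip in self.fu else 1 if ip in self.nu else 0
```
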
16
JAIN SLEE
Advantages:
It is designed for telecommunications low-latency and high-throughput environments (10-20 calls per second per CPU; ~10 events per call; <200ms RTT)
Its container-based infrastructure enables easy integration of new services and technologies
Better availability and scalability through clustering
A high-level programming language, Java, is used, which reduces the time to market
17
JAIN SLEE
JAIN SLEE main operation
When a message arrives at SLEE, it will first go through a resource adapter;
The resource adapter wraps the message, and sends it to an activity context;
SBBs that have subscribed to the activity context will receive the event, and process it.
18
SESS implementation
Modified the SIP proxy SBB
Observations on Use of JAIN SLEE
Enhancement was possible with existing knowledge of Java
Modifications easy/low risk due to component architecture resulting from JAIN SLEE approach
Enhancement completed and tested in 3 days
High level of confidence in the resulting server
Much simpler and so more reliable than C
No opportunity to trial throughput or availability claims
Existence of many Java libraries provides rich source of reusable code
19
Experimental Results
Average setup delays = 9.39; (7.06) 7.14; 0.675; 0.487 seconds
20
Experimental Results
No discernible impact on the SIP proxy CPU … no INVITE flood attack packets penetrate
21
SIP ACK flooding
Average setup delay = 5.9 seconds
500 Server Internal error occurred
22
Temporary User List
ACK Flood can still penetrate the SESS protection
We use a temporary user list to ensure that ACKs cannot be accepted without an INVITE
[Diagram. Messages shown: INVITE, 407, INVITE, KASP+nu, OK, INVITE, OK, ACK]
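The ACK rule on this slide as an added example (not from the presentation): an ACK passes only if an accepted INVITE from the same source opened a temporary entry. The time-to-live, the one-ACK-per-INVITE rule, the names and the traffic sample are constructed assumptions.

```python
class TempUserList:
    """Temporary allowances: source IP -> deadline for the matching ACK."""

    def __init__(self, ttl=10.0):
        self.ttl = ttl           # assumption: how long an INVITE keeps the ACK slot open
        self.pending = {}

    def invite_accepted(self, ip, now):
        self.pending[ip] = now + self.ttl

    def allow_ack(self, ip, now):
        # pop(): each accepted INVITE admits one ACK (assumption), so a replayed
        # or flooded ACK finds no entry and is dropped.
        deadline = self.pending.pop(ip, None)
        return deadline is not None and now <= deadline


def filter_messages(messages, temp):
    """messages: (time, src_ip, method, invite_ok); invite_ok means the INVITE
    passed the earlier checks. Returns the messages let through to the proxy."""
    passed = []
    for t, ip, method, invite_ok in messages:
        if method == "INVITE" and invite_ok:
            temp.invite_accepted(ip, t)
            passed.append((t, ip, method))
        elif method == "ACK" and temp.allow_ack(ip, t):
            passed.append((t, ip, method))
    return passed


# Constructed traffic sample (documentation and private addresses)
CONSTRUCTED_TRAFFIC = [
    (0, "10.0.0.34", "INVITE", True),
    (1, "203.0.113.9", "ACK", False),     # ACK with no prior INVITE
    (2, "10.0.0.34", "ACK", False),       # matches the INVITE at t=0
    (3, "10.0.0.34", "ACK", False),       # second ACK, entry already used
    (5, "10.0.0.40", "INVITE", True),
    (30, "10.0.0.40", "ACK", False),      # arrives after the entry expired
    (31, "203.0.113.9", "INVITE", False), # INVITE that failed the earlier checks
]
```
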
23
ISESS
[Sequence diagram. Participants: Internet, Firewall, SIP Proxy, Internal client. Legend: Improved Predictive nonce checking process; Security-enhanced SIP proxy process. Scenarios: User 2000 makes 1st call; User 2000 makes 2nd call. Messages and steps shown: INVITE, 200OK, ACK, Temp. Allow User, Update user list, Voice stream]
24
Experimental results
Average setup delays = 9.39; 8.356; 1.147; 0.975 seconds
25
SIP ACK FLOODING
Average setup delays = 0.815 seconds
26
Experimental Results
With ISESS, no ACK flood packets penetrate
27
Conclusion
SIP is vulnerable to flooding attack
Commercial anti-flooding mechanisms can be defeated
Current research provides some mitigation but is incomplete
ISESS synthesises and extends current research into a substantially more complete solution to the problem of SIP flooding
28
Questions?