4. Intrusion Detection Systems in VoIP
Selected Topics in Information Security – Bazara Barry
Session Initiation Protocol (SIP)
Session Initiation Protocol (SIP) is a standard signaling protocol for VoIP, and is appropriately coined as the “SS7 of future telephony.” It was developed by the Internet Engineering Task Force (IETF) in RFC 2543, which was updated by RFC 3261. SIP was designed to address some important issues in setting up and tearing down sessions, such as user location, user availability, and session management.
Session Initiation Protocol (SIP)
The simplicity and versatility of SIP make it the choice of instant messaging, video conferencing, and multiplayer game applications, among others. SIP uses other protocols to perform various functions during a session, such as the Session Description Protocol (SDP) to describe the characteristics of end devices, the Resource Reservation Setup Protocol (RSVP) for voice quality, and the Real-time Transport Protocol (RTP) for real-time transmission.
SIP Message Format
[Figure: SIP message layout: Start Line, Header 1, Header 2, ..., Body]
The SIP message is made up of three parts: the start line, the message headers, and the body. The start line contents vary depending on whether the SIP message is a request or a response. For requests it is referred to as a request line, and for responses it is referred to as a status line.
SIP Message Format
The base SIP specifications define six types of request: the INVITE request, CANCEL request, ACK request, BYE request, REGISTER request, and the OPTIONS request. Response types or codes are also classified into six classes:
• 1xx for provisional/informational responses
• 2xx for success responses
• 3xx for redirection responses
• 4xx for client error responses
• 5xx for server error responses
• 6xx for global failure responses
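As an added example (not part of the original slides), the parser below splits a SIP message into the three parts described above, tells a request line from a status line, checks the method against the six base requests and maps a status code to its response class. The sample INVITE is constructed; example.com addresses and the Call-ID value are made up.

```python
"""Minimal SIP message parser: start line, headers and body (RFC 3261 layout)."""
import re

BASE_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS"}
RESPONSE_CLASSES = {1: "provisional", 2: "success", 3: "redirection",
                    4: "client error", 5: "server error", 6: "global failure"}

def parse_sip_message(raw):
    """Return a dict describing the start line, headers (lower-cased names)
    and body of one SIP message; raise ValueError on a malformed message."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    # Status line (response) first: "SIP/2.0 <code> <reason>"
    m = re.match(r"^SIP/2\.0 (\d{3}) ?(.*)$", lines[0])
    if m:
        code = int(m.group(1))
        cls = RESPONSE_CLASSES.get(code // 100)
        if cls is None:
            raise ValueError("unknown response class for code %d" % code)
        return {"kind": "response", "code": code, "class": cls,
                "reason": m.group(2), "headers": headers, "body": body}
    # Otherwise a request line: "<METHOD> <Request-URI> SIP/2.0"
    m = re.match(r"^([A-Z]+) (\S+) SIP/2\.0$", lines[0])
    if not m:
        raise ValueError("malformed start line: %r" % lines[0])
    return {"kind": "request", "method": m.group(1), "uri": m.group(2),
            "base_method": m.group(1) in BASE_METHODS,
            "headers": headers, "body": body}

# Constructed sample (not captured traffic): an INVITE carrying a tiny SDP body.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 5\r\n"
    "\r\n"
    "v=0\r\n"
)
```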
SIP Architecture
Elements in SIP can be classified into user agents (UAs) and intermediaries (servers). In an ideal world, communications between two endpoints (or UAs) happen without the need for servers. However, this is not always the case, as network administrators and service providers would like to keep track of traffic in their network.
SIP Architecture
A SIP UA or terminal is the endpoint of dialogs: it sends and receives SIP requests and responses, it is the endpoint of multimedia streams, and it is usually the user equipment (UE), which is an application in a terminal or a dedicated hardware appliance. SIP servers are logical entities that SIP messages pass through on their way to their final destination. These servers are used to route and redirect requests. They include:
• Proxy server
• Redirect server
• Location server
• Registrar server
• Application server
SIP Session [diagram]
RTP Message Format
[Figure: RTP header fields: Contributing Source Count (CC), Padding, Extension, Marker, Payload Type, Sequence Number, Timestamp, Synchronization Source (SSRC) identifier, Contributing Source (CSRC) identifier]
The Real-time Transport Protocol (RTP) is an application layer protocol that provides end-to-end delivery services for real-time audio and video. It was developed by the Internet Engineering Task Force (IETF) in RFC 1889, which was updated by RFC 3550.
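As an added example (not from the slides), the parser below unpacks the header fields listed in the figure from raw RTP packet bytes, following the fixed 12-byte layout of RFC 3550 plus the optional CSRC list. The builder function and the sample packet (payload type 0, SSRC 0xDEADBEEF, one CSRC) are constructed for this example.

```python
"""Parse the fixed RTP header (RFC 3550 layout) from raw packet bytes."""
import struct

def parse_rtp_header(pkt):
    """Return the RTP header fields and payload of pkt as a dict.

    First 12 bytes: V(2) P(1) X(1) CC(4) | M(1) PT(7) | sequence(16) |
    timestamp(32) | SSRC(32); then CC 32-bit CSRC identifiers follow.
    Raises ValueError if the packet is truncated or not RTP version 2.
    """
    if len(pkt) < 12:
        raise ValueError("packet shorter than the fixed RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    version = b0 >> 6
    if version != 2:
        raise ValueError("unsupported RTP version %d" % version)
    cc = b0 & 0x0F
    end = 12 + 4 * cc
    if len(pkt) < end:
        raise ValueError("packet truncated inside the CSRC list")
    csrcs = list(struct.unpack("!%dI" % cc, pkt[12:end])) if cc else []
    return {"version": version, "padding": bool(b0 & 0x20),
            "extension": bool(b0 & 0x10), "cc": cc,
            "marker": bool(b1 & 0x80), "payload_type": b1 & 0x7F,
            "sequence": seq, "timestamp": ts, "ssrc": ssrc,
            "csrcs": csrcs, "payload": pkt[end:]}

def build_rtp_packet(seq, ts, ssrc, payload, pt=0, marker=False, csrcs=()):
    """Build an RTP packet without padding/extension so the parser can be exercised."""
    b0 = (2 << 6) | (len(csrcs) & 0x0F)
    b1 = (0x80 if marker else 0) | (pt & 0x7F)
    head = struct.pack("!BBHII", b0, b1, seq & 0xFFFF,
                       ts & 0xFFFFFFFF, ssrc & 0xFFFFFFFF)
    return head + b"".join(struct.pack("!I", c) for c in csrcs) + payload

# Constructed sample: PCMU (payload type 0) packet, marker set, one contributor.
SAMPLE_RTP = build_rtp_packet(seq=1001, ts=160000, ssrc=0xDEADBEEF,
                              payload=b"\xff" * 160, marker=True,
                              csrcs=[0x11223344])
```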
SIP Threat Model
• Denial of service
• Eavesdropping
• Tearing down sessions
• Session hijacking
• Man in the middle
RTP Threat Model
Attackers can inject artificial packets with higher sequence numbers, which causes the injected packets to be played in place of the real ones. Flooding with RTP packets not only deteriorates the perceived quality of service (QoS) but may also cause phones to malfunction or reboot.
Intrusion Detection Systems
Anderson, who introduced the concept of intrusion detection in 1980, defined an intrusion attempt or a threat to be the potential possibility of a deliberate unauthorized attempt to:
• Access information,
• Manipulate information, or
• Render a system unreliable or unusable.
The role of an Intrusion Detection System (IDS) is to detect such attempts, and to inform system administrators about such threats in order to take countermeasures.
Classification of ID Principles
• Anomaly-based: explores issues in intrusion detection associated with deviation from normal system or user behavior.
• Signature-based: models intrusive behaviors in the form of patterns or signatures.
• Specification-based: the system’s behavioral specifications are used to create the model and also serve as the basis for detecting attacks.
Classification of ID Principles [diagram]
Classification of Monitored Resources
• Host IDS (HIDS)
• Network IDS (NIDS)
General Classification [diagram]
Classification of ID Techniques
The special needs of VoIP systems make it important for IDSs to adopt new detection techniques. In the following we discuss some of these techniques.
Classification of ID Techniques
Stateful Detection: A stateless system considers every packet on its own, not recalling anything that it has derived in the past. On the other hand, a stateful intrusion detection system is one that keeps and regularly updates the state of the monitored resource. Attackers sometimes try to evade detection by splitting the attack body into multiple small packets. In such a case, the IDS is not able to detect the attack unless it reassembles the packet stream, which can only be done by stateful IDSs.
Classification of ID Techniques
Cross-Layer and Cross-Protocol Detection: Many attacks cross layer and protocol boundaries. For example, an attack that tries to gain unauthorized access to a service at the application layer may seem perfectly legitimate to the lower layers. Cross-layer and cross-protocol IDSs coordinate intrusion detection among different protocols and aid detection decisions on one layer by using information from other layers.
Classification of ID Techniques
Hybrid Detection: Hybrid intrusion detection systems may combine different intrusion detection principles, such as anomaly-based and signature-based techniques, for better detection capabilities. They may also combine different sources of audit data, such as host-based and network-based sources, to widen the range of detectable attacks. Hybrid intrusion detection is gaining momentum in the research arena, and researchers are looking into various ways to make the combination efficient.
Sample Attacks
BYE Attack: An attacker can send a BYE message to either the caller or the callee to fool them into tearing down the session prematurely. The User Agent that receives the faked BYE message will immediately stop sending RTP packets, whereas the other User Agent will continue sending its RTP packets. The BYE attack is common in VoIP environments and can be accomplished either by sniffing the network or by performing a man-in-the-middle attack to insert a BYE request into the session. Checking the status of the RTP flow at the endpoint is therefore vital in the detection process: a genuine BYE sender will stop sending RTP packets immediately after sending a BYE message.
Sample Attacks
Voice Injection Attack: An attacker can send artificial RTP packets with higher sequence numbers than the original ones, which causes the receiver to play the artificial ones instead. The IDS should compare the sequence number of each packet to that of the previous one. Whenever there is an increase that exceeds a certain threshold, an alarm should be raised.
References
• J. Rosenberg, H. Schulzrinne, G. Camarillo, A. Johnston, J. Peterson, R. Sparks, M. Handley, and E. Schooler, “SIP: Session Initiation Protocol,” RFC 3261, IETF Network Working Group, June 2002.
• H. Schulzrinne, S. Casner, R. Frederick, and V. Jacobson, “RTP: A Transport Protocol for Real-Time Applications,” RFC 1889, IETF Network Working Group, January 1996.
• R. Sommer, “Viable Network Intrusion Detection in High-Performance Environments,” PhD Thesis, Computer Science Department, Technische Universität München, Germany, September 2005.