Voice Over IP Firewalls
Milind Nimesh
December 8th 2008
COMS W4995 - VoIP Security
Prof. Henning Schulzrinne
Fall 2008
Department of Computer Science
Columbia University
Overview
• Motivation
• Definition
• VoIP threat taxonomy
• SIP threat model
• Mitigation strategy
• Traditional Firewalls & VoIP
• Types of Firewall
  • Media
  • Signaling
• Effective firewall design
Motivation
• VoIP networks becoming attractive targets
• Attack targets
  • SIP infrastructure elements (e.g., proxy, softswitch, session border controller)
  • end-points (SIP phones)
  • supporting services (e.g., DNS, directory, DHCP)
• Scale of DDoS attacks – 40 Gb/sec, total attack volume in 2007*
• Hinders deployment
• Traditional firewalls ineffective
• Need for a VoIP firewall solution
*Source: Arbor Networks
Definition • Detection • Mitigation
VoIP Threat Taxonomy
[Figure: threat taxonomy diagram]
Source: VoIP Security and Privacy Threat Taxonomy, VoIP Security Alliance Report, October 2005
SIP Attack Model
• Implementation flaws
• Application level syntactic vulnerabilities
• Flooding
Implementation Flaws
Attacker sends carefully crafted packet(s) to exploit a specific implementation flaw
• Vulnerability target origin
  • in proxy
  • different levels of the network protocol stack
  • underlying OS/firmware
• Result
  • excessive consumption of memory, disk, CPU
  • system reboot or crash
Application Level Attacks
A feature of SIP is manipulated
• Registration hijacking
  • attacker registers device with another user's URI
• Call hijacking
  • attacker injects "302 Moved Temporarily"
• Amplification attacks
  • attacker creates bogus requests with falsified Via header field that identifies a target host
Flooding Attacks
Attacker floods a network link or overwhelms the target host
• IP variants
  • UDP floods
  • ICMP echo attacks
  • SYN floods
• VoIP variants
  • floods of INVITE or REGISTER messages
  • floods of RTP
• Requires more resources from the attacker
• Harder to defend against
  • even the best maintained networks can become congested
SIP DoS Attack Scenarios
[Figure: three scenarios – Flood of Requests, Flood of Responses, Flood of Out-of-State messages]
Source: Gaston Ormazabal, Henning Schulzrinne, Eilon Yardeni and Sarvesh Nagpal, Secure SIP: A scalable prevention mechanism for DoS attacks on SIP based VoIP systems, IPTComm 2008
Definition • Detection • Mitigation
Mitigation Strategy
• Implementation flaws easier to deal with
  • tools available to discover flaws, e.g., Protos
  • systems tested before used in production
• Application level and flooding attacks harder to defend against
  • commercially available solutions for general UDP/SYN flooding, but none for SIP
• Address application level and flooding attacks
Traditional Firewalls & VoIP
[Diagram: LAN – Firewall – Internet, with signaling, media and attack traffic; media is blocked by the firewall]
• cannot handle dynamic media ports
• no application awareness
Types of VoIP Firewall
• Media
  • open required media ports dynamically
  • only signaled RTP media channels can traverse the perimeter
  • result: protection against flooding of random RTP
• Signaling
  • monitor SIP packets
  • guard against application level attacks
  • result: protection against manipulation of SIP
Effective Firewall Design
[Diagram: VoIP traffic and attack traffic arrive on the untrusted side; Filter I and Filter II (SIP Specific Filter and Dynamic Pinhole Filter, DPPM) sit between the untrusted and trusted sides in front of the SIP proxy (sipd); SIP and RTP of legitimate calls pass through to the trusted side]
Dynamic Pinhole Filtering
[Diagram: SIP UA User1 and SIP UA User2 exchange INVITE / 200 OK through the firewall; the media addresses signaled in SDP are written to the CAM table]
INVITE sip:user1@proxy.com SIP/2.0
From: <sip:user2@loader>
c=IN IP4 128.59.19.163
m=audio 43564 RTP/AVP 0

200 OK
From: <sip:user1@handler>
c=IN IP4 128.59.19.162
m=audio 56432 RTP/AVP 0

CAM Table
128.59.19.163:43564
128.59.19.163:56432
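As an added example (not code from the deck or from the DPPM implementation), a minimal media firewall in Python that opens pinholes from the c= and m= lines of the signaled SDP and closes them again on BYE; the messages and the Call-ID are constructed from the slide's values.

```python
import re
# Constructed SIP/SDP excerpts modelled on the slide's exchange (example data,
# not captured traffic); only the lines the filter needs are kept.
INVITE = """INVITE sip:user1@proxy.com SIP/2.0
Call-ID: call-1@loader

c=IN IP4 128.59.19.163
m=audio 43564 RTP/AVP 0"""
OK_200 = """SIP/2.0 200 OK
Call-ID: call-1@loader

c=IN IP4 128.59.19.162
m=audio 56432 RTP/AVP 0"""
BYE = "BYE sip:user1@handler SIP/2.0\nCall-ID: call-1@loader\n"

CALL_ID = re.compile(r"^Call-ID:\s*(\S+)", re.M)

def media_endpoint(msg):
    """(ip, port) from the SDP c= and m=audio lines, or None if no media offered."""
    c = re.search(r"^c=IN IP4 (\S+)", msg, re.M)
    m = re.search(r"^m=audio (\d+) RTP/AVP", msg, re.M)
    return (c.group(1), int(m.group(1))) if c and m else None

class PinholeFilter:
    """Media firewall: RTP passes only to endpoints signaled in SIP/SDP."""
    def __init__(self):
        self.calls = {}        # Call-ID -> set of (ip, port) opened for it
        self.pinholes = set()  # open (ip, port) entries, i.e. the CAM table

    def on_signaling(self, msg):
        cid = CALL_ID.search(msg).group(1)
        if msg.startswith("BYE"):          # call over: close its pinholes
            for ep in self.calls.pop(cid, set()):
                self.pinholes.discard(ep)
            return
        ep = media_endpoint(msg)
        if ep:                             # INVITE or 200 OK carrying SDP
            self.calls.setdefault(cid, set()).add(ep)
            self.pinholes.add(ep)

    def allow_rtp(self, ip, port):
        """Decision for an RTP packet to (ip, port): True = pass, False = drop."""
        return (ip, port) in self.pinholes

def demo():
    """Pinholes open with the call and close on BYE."""
    fw = PinholeFilter()
    fw.on_signaling(INVITE)
    fw.on_signaling(OK_200)
    during = (fw.allow_rtp("128.59.19.162", 56432), fw.allow_rtp("128.59.19.163", 9999))
    fw.on_signaling(BYE)
    return during, fw.allow_rtp("128.59.19.162", 56432)
```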
SIP Specific Filters
• Authentication Based – Return Routability Check
  • require SIP built-in digest authentication mechanism
  • filter out spoofed sources
• Method Specific Based – Rate Limiting
  • transaction based thresholding of message rates
  • INVITE
  • Errors
• State Machine Sequencing
  • filter "out-of-state" messages
  • allow "in-state" messages
Return Routability Implementation - Succeeds
[Diagram: SIP UA (IP 128.59.21.70) on the untrusted side, NPU with CAM table in between, sipd on the trusted side]
Message flow:
SIP UA → NPU → sipd: INVITE
sipd → NPU → SIP UA: 407 Needs Auth; NPU: Add Filter (128.59.21.70, "nonce"), CAM entry (128.59.21.70, nonce="6ydARDP51P8Ef9H4iiHmUc7iFDE=")
SIP UA → NPU → sipd: INVITE, Proxy-Authorization; NPU: Remove Filter (128.59.21.70, "nonce")

INVITE (CSeq 1), SIP UA → sipd:
INVITE sip:test1@cs.columbia.edu SIP/2.0
Via: SIP/2.0/UDP 128.59.21.70:5060
Max-Forwards: 70
From: sip:test5@cs.columbia.edu
To: sip:test1@cs.columbia.edu
Contact: sip:test5@128.59.21.70:5060
Subject: sipstone invite test
CSeq: 1 INVITE
Call-ID: 1736374800@lagrange.cs.columbia.edu
Content-Type: application/sdp
Content-Length: 211

v=0
o=user1 53655765 23587637 IN IP4 128.59.21.70
s=Mbone Audio
t=3149328700 0
i=Discussion of Mbone Engineering Issues
e=mbone@somewhere.com
c=IN IP4 128.59.21.70
t=0 0
m=audio 3456 RTP/AVP 0
a=rtpmap:0 PCMU/8000

407 challenge, sipd → SIP UA:
SIP/2.0 407 Proxy Authentication Required
Via: SIP/2.0/UDP 127.0.0.1:7898
From: sip:test5@cs.columbia.edu
To: sip:test1@cs.columbia.edu; tag=2cg7XX0dZQvUIlbUkFYWGA
Call-ID: 1736374800@lagrange.cs.columbia.edu
CSeq: 1 INVITE
Date: Fri, 14 Apr 2006 22:51:33 GMT
Server: Columbia-SIP-Server/1.24
Content-Length: 0
Proxy-Authenticate: Digest realm="cs.columbia.edu", nonce="6ydARDP51P8Ef9H4iiHmUc7iFDE=", stale=FALSE, algorithm=MD5, qop="auth,auth-int"

INVITE with Proxy-Authorization (CSeq 3), SIP UA → sipd:
INVITE sip:test1@cs.columbia.edu SIP/2.0
Via: SIP/2.0/UDP 128.59.21.70:5060
Max-Forwards: 70
From: sip:test5@cs.columbia.edu
To: sip:test1@cs.columbia.edu
Contact: sip:test5@128.59.21.70:5060
Subject: sipstone invite test
CSeq: 3 INVITE
Call-ID: 1736374800@lagrange.cs.columbia.edu
Content-Type: application/sdp
Content-Length: 211
Proxy-Authorization: Digest username="anonymous", realm="cs.columbia.edu", nonce="6ydARDP51P8Ef9H4iiHmUc7iFDE=", uri="sip:test1@cs.columbia.edu", response="0480240000edd6c0b64befc19479924c", opaque="", algorithm="MD5"

v=0
o=user1 53655765 2353687637 IN IP4 128.59.21.70
s=Mbone Audio
t=3149328700 0
i=Discussion of Mbone Engineering Issues
e=mbone@somewhere.com
c=IN IP4 128.59.21.70
t=0 0
m=audio 3456 RTP/AVP 0
a=rtpmap:0 PCMU/8000
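Added example, not the deck's or sipd's code: a Python model of the return routability filter above, keyed on the (source IP, nonce) pair the slide shows in the CAM. Message contents are constructed from the slide's values; the second source address 10.0.0.9 used in the demo is an assumption.

```python
import re

# Constructed messages modelled on the slide's exchange (example data, not captured
# traffic); the nonce and digest values are the ones shown on the slide.
NONCE = "6ydARDP51P8Ef9H4iiHmUc7iFDE="
INVITE_1 = "INVITE sip:test1@cs.columbia.edu SIP/2.0\nCSeq: 1 INVITE\n"
RESP_407 = ("SIP/2.0 407 Proxy Authentication Required\nCSeq: 1 INVITE\n"
            f'Proxy-Authenticate: Digest realm="cs.columbia.edu", nonce="{NONCE}", algorithm=MD5\n')
INVITE_3 = ("INVITE sip:test1@cs.columbia.edu SIP/2.0\nCSeq: 3 INVITE\n"
            f'Proxy-Authorization: Digest username="anonymous", realm="cs.columbia.edu", '
            f'nonce="{NONCE}", response="0480240000edd6c0b64befc19479924c"\n')

NONCE_RE = re.compile(r'nonce="([^"]*)"')

class ReturnRoutabilityFilter:
    """Authentication based SIP filter (NPU side). An INVITE carrying a digest
    answer is forwarded to sipd only if its source address is the one the 407
    challenge with that nonce was sent to; any other source is treated as spoofed."""
    def __init__(self):
        self.cam = set()   # (ip, nonce) pairs, i.e. the Add Filter / Remove Filter entries

    def from_trusted(self, dst_ip, msg):
        """sipd -> UA direction: a 407 registers (dst, nonce) in the CAM."""
        if msg.startswith("SIP/2.0 407"):
            m = NONCE_RE.search(msg)
            if m:
                self.cam.add((dst_ip, m.group(1)))
        return "forward"

    def from_untrusted(self, src_ip, msg):
        """UA -> sipd direction: returns 'forward' or 'drop'."""
        auth = re.search(r"^Proxy-Authorization:.*$", msg, re.M)
        if not msg.startswith("INVITE") or auth is None:
            return "forward"   # unauthenticated INVITE: sipd will challenge it
        m = NONCE_RE.search(auth.group(0))
        key = (src_ip, m.group(1)) if m else None
        if key in self.cam:
            self.cam.discard(key)   # Remove Filter: the nonce is one-shot
            return "forward"
        return "drop"               # nonce was never issued to this source

def demo():
    """Legitimate UA at 128.59.21.70 succeeds; a second source presenting the
    same nonce (constructed 10.0.0.9) and a replay of the INVITE are dropped."""
    fw = ReturnRoutabilityFilter()
    first = fw.from_untrusted("128.59.21.70", INVITE_1)
    fw.from_trusted("128.59.21.70", RESP_407)
    spoofed = fw.from_untrusted("10.0.0.9", INVITE_3)
    authed = fw.from_untrusted("128.59.21.70", INVITE_3)
    replay = fw.from_untrusted("128.59.21.70", INVITE_3)
    return first, spoofed, authed, replay
```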
Method Specific Filtering
This approach involves defense against specific method vulnerabilities
• INVITE
  • filter redundant INVITE messages by looking up the Transaction-ID and rejecting the message if its Transaction-ID already exists in the state tables
• Responses
  • 100 Trying
  • 180 Ringing
  • 200 OK
• Errors (300 – 600)
• Out-of-State
  • sequence of unexpected messages
SIP Transaction State Validation
• Makes an entry for the first transaction request and logs subsequent status messages
  • logs all messages on a per transaction basis
• Received packet is added to the status messages table for the original transaction
  • if the received status message fits a valid state pattern – accepted
  • messages resulting in an invalid state pattern – dropped
  • transaction state rolled back to the last known good state
• Overlays on top of other filtering mechanisms
SIP Transaction State Validation
[Diagram: a request message and the following response messages are keyed by Transaction ID and fed to a Regular Expression Engine that matches the transaction's message code log against the regular expression list]
Transaction Message Code Log (slots 0–5, of 32): INVI _100 _180 _180 _200
Regular Expression List
INVI(_100)*?(_180)*?_200{0,1}?(\x00){4}
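An added example (not the deck's or the NPU implementation's code) of transaction state validation with the slide's regular expression, which also covers the redundant-INVITE rejection from the Method Specific Filtering slide, since a second INVI in the same log fails the pattern; the transaction ids t1/t2 and the message sequence are constructed.

```python
import re

# Message-code pattern from the slide's Regular Expression List, without its
# fixed-width (\x00){4} padding: INVITE, any number of 100s, then any number of
# 180s, then at most one 200. Because every group after INVI is optional, a
# full match on the partial log means "still a prefix of a valid sequence".
VALID_INVITE = re.compile(r"^INVI(_100)*(_180)*(_200)?$")

def code_of(msg):
    """4-character log code as on the slide: 'INVI' for an INVITE request,
    '_<status>' (e.g. '_180') for a response."""
    first = msg.split("\n", 1)[0]
    if first.startswith("SIP/2.0 "):
        return "_" + first.split()[1]
    return first[:4].upper()

class TransactionStateValidator:
    """Keeps a per-transaction message code log and accepts a message only if
    the log still matches the pattern; otherwise rolls back and drops it."""
    def __init__(self, pattern=VALID_INVITE):
        self.pattern = pattern
        self.logs = {}   # transaction id -> list of message codes

    def check(self, tid, msg):
        code = code_of(msg)
        log = self.logs.setdefault(tid, [])
        if not log and code != "INVI":
            return "drop"          # response to a transaction never started
        log.append(code)
        if self.pattern.fullmatch("".join(log)):
            return "accept"
        log.pop()                  # roll back to the last known good state
        return "drop"

def demo():
    """Constructed sequence for one transaction (t1) plus a stray 200 OK for an
    unknown transaction (t2); returns the decisions and t1's final log."""
    v = TransactionStateValidator()
    seq = [("t1", "INVITE sip:test1@cs.columbia.edu SIP/2.0"),
           ("t1", "SIP/2.0 100 Trying"), ("t1", "SIP/2.0 180 Ringing"),
           ("t1", "INVITE sip:test1@cs.columbia.edu SIP/2.0"),   # redundant INVITE
           ("t1", "SIP/2.0 180 Ringing"), ("t1", "SIP/2.0 200 OK"),
           ("t1", "SIP/2.0 180 Ringing"),                        # out of state
           ("t2", "SIP/2.0 200 OK")]
    return [v.check(t, m) for t, m in seq], v.logs["t1"]
```

The final t1 log equals the slot contents shown on the slide (INVI _100 _180 _180 _200).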
Conclusion
• VoIP networks attractive targets
• Vulnerabilities exist in SIP
• Need for specialized VoIP firewall
• VoIP firewall
  • media
  • signaling
• Firewall design
  • dynamic pinhole filter
  • SIP specific filter
References
• Gaston Ormazabal, Henning Schulzrinne, Eilon Yardeni and Sarvesh Nagpal, Secure SIP: A scalable prevention mechanism for DoS attacks on SIP based VoIP systems, IPTComm 2008
• Jens Fiedler, Tomas Kupka, Sven Ehlert, Thomas Magedanz and Dorgham Sisalem, VoIP Defender: Highly Scalable SIP-based Security Architecture, IPTComm 2007
• Yardeni, E., Schulzrinne, H., Ormazabal, G.: SIP-aware Application Layer Firewall with Dynamic Pinholes for Media, Columbia Technical Report (2006)
• Yardeni, E., Patnaik, S., Schulzrinne, H., Ormazabal, G., Helms, D.: SIP-aware Application Layer Firewall with Dynamic Pinholes for Media, NANOG 38 (October 2006)
• VoIP Security and Privacy Threat Taxonomy, VoIP Security Alliance Report, October 2005
• RFC 3261 - Session Initiation Protocol