Denial of Service on SIP VoIP Infrastructures Using DNS Flooding: Attack Scenario and Countermeasures
Ge Zhang, Sven Ehlert, Thomas Magedanz and Dorgham Sisalem, Fraunhofer Institute FOKUS
Outline
• Background: DNS usage in SIP networks
• Vulnerability and attack
• Experiment test bed
• Previous limited solutions
• Cache solution
• Conclusion and future work
Background
DNS usage in SIP infrastructures (three cases):
• (1) Domain names contained in SIP message headers (e.g. the Request-URI of an INVITE, To, From, Via).
• (2) Telephone number mapping (ENUM), e.g. translating +34 98 765 4321 into the DNS name 1.2.3.4.5.6.7.8.9.4.3.e164.arpa (the digits reversed, dot-separated, under e164.arpa).
• (3) Server location (SRV and NAPTR queries).
Background (message flow, figure): (1) the proxy parses the message; (2)–(3) it resolves the domain name against the DNS server; (4)–(5) once the answer arrives, processing continues.
Scope of the attack (figure): same flow, but the request to the DNS server gets no answer, so the process is blocked at the resolution step ("waiting…") and never reaches "continue".
Scope of the attack: a single INVITE can carry several different domain names (here in the Request-URI, To, From and Contact), each of which the proxy may have to resolve:
INVITE sip:u1@so6f.columbia.edu SIP/2.0
Via: SIP/2.0/UDP 10.147.65.91;branch=z9hG4bk29FE738
CSeq: 16466 INVITE
To: sip:u1@2d4u.columbia.edu
Content-Type: application/sdp
From: sip:u2@1otr.columbia.edu;tag=24564
Call-ID: 1163525243@10.147.65.91
Subject: Message
Content-Length: 184
Contact: sip:u2@ued3.columbia.edu
… <SDP part not shown>
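To make the attack surface concrete, the following added example (not code from the paper or from SER) parses a SIP request, collects the hosts a proxy might have to resolve, and also performs the ENUM number-to-name mapping from the Background slide. The sample INVITE is the one above, re-typed as a constructed string; the list of headers treated as resolvable and the decision to skip literal IPv4 addresses are assumptions for illustration.

```python
import re

# Constructed sample: the INVITE from the slide (SDP body omitted). Every
# name-address header points at a different, unrelated domain.
SAMPLE_INVITE = (
    "INVITE sip:u1@so6f.columbia.edu SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.147.65.91;branch=z9hG4bk29FE738\r\n"
    "CSeq: 16466 INVITE\r\n"
    "To: sip:u1@2d4u.columbia.edu\r\n"
    "Content-Type: application/sdp\r\n"
    "From: sip:u2@1otr.columbia.edu;tag=24564\r\n"
    "Call-ID: 1163525243@10.147.65.91\r\n"
    "Subject: Message\r\n"
    "Content-Length: 184\r\n"
    "Contact: sip:u2@ued3.columbia.edu\r\n"
    "\r\n"
)

# Headers whose host part a proxy may resolve (assumption; Via is handled separately).
NAME_ADDR_HEADERS = ("to", "from", "contact", "route", "record-route")

_URI_HOST = re.compile(r"sips?:(?:[^@\s<>;]+@)?([^\s<>;:]+)", re.IGNORECASE)
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _uri_host(value):
    """Host part of the first SIP/SIPS URI in a header value, or None."""
    m = _URI_HOST.search(value)
    return m.group(1).lower() if m else None


def _via_host(value):
    """Via: SIP/2.0/UDP host[:port];params -> host."""
    sent_by = value.split(None, 1)[1].split(";", 1)[0]
    return sent_by.split(":", 1)[0].lower()


def extract_hosts(msg):
    """Ordered, de-duplicated hosts from the request line and resolvable headers."""
    head = msg.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    hosts = []
    req = lines[0].split()
    if len(req) == 3 and req[2].upper().startswith("SIP/"):
        hosts.append(_uri_host(req[1]))          # Request-URI
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        if name in ("via", "v"):
            hosts.append(_via_host(value))
        elif name in NAME_ADDR_HEADERS:
            hosts.append(_uri_host(value))
    unique = []
    for h in hosts:
        if h and h not in unique:
            unique.append(h)
    return unique


def dns_lookups_needed(msg):
    """Hosts that are not IPv4 literals, i.e. that would each cost a DNS query."""
    return [h for h in extract_hosts(msg) if not _IPV4.match(h)]


def enum_name(e164):
    """E.164 number -> ENUM domain: digits reversed, dot-separated, under e164.arpa."""
    digits = "".join(ch for ch in e164 if ch.isdigit())
    return ".".join(reversed(digits)) + ".e164.arpa"


if __name__ == "__main__":
    print(dns_lookups_needed(SAMPLE_INVITE))
    print(enum_name("+34 98 765 4321"))
```

For the slide's INVITE the proxy faces four distinct names (the Via carries an IP literal), so one attacker message can tie up the resolver several times over; an attacker who controls the From/Contact domains can make each of them unresolvable.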
Experiment test bed
• A SIP proxy: SER, acting as outgoing proxy
• A DNS server
• An attacking tool, sending messages with unresolvable domain names
• 100 external SIP providers, reached over the Internet
• User agents: SIPp, a SIP traffic generator tool
Limited Solutions
• Increasing parallel processes: a message scheduler distributes incoming messages over processes 1 … n; each process performs the DNS resolution for its message and then forwards it.
Limited Solutions • Asynchronous Scaling through Message Processing Interruption
Cache Solution (figure): parse message → resolve domain name, now against a DNS cache placed in front of the external DNS server → continue.
Cache Solution
• How to detect the attack? Let n be the number of parallel processes and H the number of processes currently occupied (blocked waiting for DNS). When H = n at some time t, the proxy is completely blocked.
• How to prevent being blocked? Reserve one emergency process: whenever H ≥ n – 1, raise an alarm. From then on the next DNS request is not forwarded to the external DNS server; it is looked up only in the cache and answered immediately, so the last process never blocks.
Cache Solution
• For example, n = 4. Processes 1, 2 and 3 are waiting on the DNS server, so the occupied processes H = 3 ≥ n – 1 (3 ≥ 4 – 1) and process 4 becomes the emergency process, answering from the DNS cache only.
Cache Solution
• Cache replacement policies
• Motivation: the number of cache entries (e) cannot practically cope with the unlimited number of possible domain names, so we have to make optimal use of a limited number of entries.
• FIFO (evict the oldest entry)
• LRU (evict the least recently used entry)
• LFU (evict the least frequently used entry)
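The emergency-process rule and the three replacement policies, as an added toy simulation written for this page (not the authors' code and not SER): n processes block on an external DNS server, a fixed-size cache sits in front of it, and the emergency process answers from the cache only once H ≥ n – 1. The timeouts, the 100-provider name distribution, the one-message-per-tick load, the attack traffic and the choice to cache only positive answers are all constructed assumptions.

```python
import random
from collections import Counter, OrderedDict


class DNSCache:
    """Fixed-size DNS cache with FIFO, LRU or LFU replacement."""

    def __init__(self, entries, policy="LRU"):
        self.entries, self.policy = entries, policy
        self.data = OrderedDict()   # name -> address, kept in insertion/recency order
        self.uses = Counter()       # per-name hit counts, consulted by LFU

    def get(self, name):
        if name not in self.data:
            return None
        if self.policy == "LRU":
            self.data.move_to_end(name)      # most recently used goes to the tail
        self.uses[name] += 1
        return self.data[name]

    def put(self, name, addr):
        if name not in self.data and len(self.data) >= self.entries:
            if self.policy == "LFU":
                victim = min(self.data, key=lambda k: self.uses[k])
                del self.data[victim]
            else:                            # FIFO and LRU both evict the head of the order
                victim, _ = self.data.popitem(last=False)
            self.uses.pop(victim, None)
        self.data[name] = addr


class Proxy:
    """Toy model of a SIP proxy whose n processes block on the external DNS server."""

    def __init__(self, n, cache, resolvable, dns_delay=2, dns_timeout=30, emergency=True):
        self.n, self.cache, self.resolvable = n, cache, resolvable
        self.dns_delay, self.dns_timeout, self.emergency = dns_delay, dns_timeout, emergency
        self.busy = []              # (finish_tick, name) for each process waiting on DNS
        self.stats = Counter()

    def _reap(self, now):
        done = [(f, name) for f, name in self.busy if f <= now]
        self.busy = [(f, name) for f, name in self.busy if f > now]
        for _, name in done:
            if name in self.resolvable:      # assumption: only positive answers are cached
                self.cache.put(name, self.resolvable[name])

    def handle(self, now, name, legit):
        self._reap(now)
        kind = "legit" if legit else "attack"
        H = len(self.busy)                   # occupied processes, as on the slide
        if H >= self.n:
            self.stats[kind + "_dropped"] += 1   # all processes blocked: nobody can even parse it
            return "dropped"
        if self.cache.get(name) is not None:
            self.stats[kind + "_cache_hit"] += 1
            return "forwarded"
        if self.emergency and H >= self.n - 1:
            # Only the emergency process is free: cache-only lookup, answer now, never block.
            self.stats[kind + "_cache_miss_rejected"] += 1
            return "rejected"
        delay = self.dns_delay if name in self.resolvable else self.dns_timeout
        self.busy.append((now + delay, name))
        self.stats[kind + "_external_dns"] += 1
        return "resolving"


def simulate(n=4, entries=50, policy="LRU", attack_interval=1, attack_start=100,
             ticks=600, emergency=True, seed=1):
    """One legitimate INVITE per tick, skewed over 100 providers; from attack_start on,
    an attack INVITE with a fresh unresolvable domain every attack_interval ticks."""
    rnd = random.Random(seed)
    providers = {f"provider{i}.example": f"10.0.{i // 256}.{i % 256}" for i in range(100)}
    proxy = Proxy(n, DNSCache(entries, policy), providers, emergency=emergency)
    for t in range(ticks):
        if t >= attack_start and (t - attack_start) % attack_interval == 0:
            proxy.handle(t, f"bogus{t}.invalid", legit=False)   # constructed attack traffic
        i = min(int(rnd.expovariate(1 / 20)), 99)
        proxy.handle(t, f"provider{i}.example", legit=True)
    return proxy.stats


def legit_served(stats):
    return stats["legit_cache_hit"] + stats["legit_external_dns"]


if __name__ == "__main__":
    for emergency in (False, True):
        s = simulate(emergency=emergency)
        print("emergency process:", emergency, "| legit served:", legit_served(s),
              "| dropped:", s["legit_dropped"], "| rejected:", s["legit_cache_miss_rejected"])
```

Without the emergency process the attacker needs only n unresolvable names to block every process until the DNS timeout, after which even cacheable traffic is dropped; with it, H never reaches n and cache hits keep flowing. Sweeping `entries` and `policy` in `simulate` reproduces the kind of measurement the next slide reports.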
Cache Solution
• Investigate the relationship between the number of cache entries and proxy performance.
• e = number of cache entries
• For e below 270, performance grows with e.
• For e above 270, performance stops growing.
Conclusion and future work
• The attack is easy to launch.
• Compared with the previous solutions, the cache solution is better.
• Four parameters affect performance: the cache replacement policy, the number of cache entries, the number of proxy processes, and the attack interval.
• Future work: refine the results by covering more message types (INVITE, ACK, BYE); consider the new threat of DNS cache poisoning; build a scalable defense system for it.