Security for Service Providers: Protecting Service Infrastructure Against DoS Attacks
Dave Gladwin, dave.gladwin@newport-networks.com
Agenda
• What is a DoS attack?
• What is under attack?
• How are networks interconnected?
• What steps can be taken?
• How can we protect the interconnections?
• How can we protect the Clients?
What is an attack?
• Phreakers and hackers
  • From phones to computers and back again
  • Stealing services
  • Disrupting services
• Attacks can be classed as Logic Attacks or Flood Attacks
  • Logic attacks exploit vulnerabilities in protocols or their implementations, e.g. Ping of Death, Teardrop, Land, etc.
  • Flood attacks disable targets through traffic volume
  • A flood attack can originate from a single platform (a Denial of Service, DoS, attack) or from multiple platforms (a Distributed Denial of Service, DDoS, attack)
DoS and DDoS
Diagram: in a DoS attack a single Attacking Machine sends traffic to the Target Machine; in a DDoS attack an Attack Control Machine directs many Zombies at the Target Machine.
What are the Targets?
• Targets: SIP servers, SIP proxies, SIP clients
• Launch pads: SIP servers, SIP proxies, SIP clients
• The SIP environment is subject to existing DoS attacks…
• …and newer SIP-specific attacks
PSTN Networks
Diagram: each PSTN has Local Switches and an International Switch; carriers interconnect over SS7 between their International Switches.
• The International Switch is the demarcation point between carriers
Hybrid Networks #1
Diagram: PSTN Access, Local Switch, Media Gateway, IP Core, Media Gateway, PSTN.
• IP core introduced, typically to reduce transport costs
• A Media Gateway converts the PSTN call to IP
• A Media Gateway converts the IP call back to PSTN for breakout
Hybrid Networks #2
• Peering Networks interconnected using Media Gateways
• Media Gateways create the demarcation for security and accounting
• Limited to voice calls only
IP Interconnect
• Peer Networks interconnected using Session Controllers
• Session Controllers create the demarcation for security and accounting
• Voice or Multimedia calls
Peer-to-Peer characteristics
• Web browsing is essentially anonymous; multimedia peer-to-peer is not
• A SIP client has a public presence
  • SIP Registration means public visibility of the client
  • Public visibility means potential targets
• Clients and Servers can become targets or launch pads
  • SIP Signalling attacks – partly logic, partly flood
  • Media attacks – pure floods
IP Telephony Security
• Like any security system, multiple levels are needed
• Some safeguards are built into the Protocol
  • End-to-end encryption (client based): encrypts the message body and some header fields, but does not hide the TO and VIA fields
  • Hop-by-hop encryption of VIA fields (SIP server based): Hide Hop or Hide Route
• Network partitioning: use of session controllers to provide demarcation
• Access control: use of session controllers to police resource utilization
Network partitioning
• Protect the core network edges – Peer and Access
• Prevention and cure – hide, limit and block
• Hide Network topology
  • Remove ALL internal network information from IP and SIP messages
  • A Proxy offers higher levels of security and privacy for users: only the Proxy address is seen
  • Helps prevent clients being used as launch pads
  • Inserts a dedicated device in the path
• Block unsolicited media – wire-speed packet dropping
  • Conventional DoS attacks at IP level
  • RTP/SIP INVITE attacks
• Limit bandwidth consumption – media throttling
• Signalling integrity checks
Network Topology hiding
Diagram: a SIP Client with IP address A sends a SIP message across the Core IP Network towards the Peer Network; the 1st VIA (X) and 2nd VIA (Y) are added on the way, so the message arrives as Source: A, VIA1: X, VIA2: Y.
• As a SIP message traverses the network it may have VIAs added
• When the packet arrives at the Peer Network, the Source Address and VIAs provide a roadmap
• Don’t make it easy – hide all this detail
Network Topology hiding
Diagram: the same SIP Client (address A) and VIAs, but a Session Controller with address B sits between the Core IP Network and the Peer Network; the message leaves as Source: B with no VIAs.
• The Session Controller proxies the source address of the message
• Both the IP and SIP parts of the message are updated
• All VIA information is removed
Benefits
• The network advertises the SIP Call Agent address as the Peer Session Controller to external networks
• Any call entering or leaving the network appears to come from the address of the Session Controller
• All internal network details are hidden
• Signalling and Media paths are tied together at this point, which means…
  • Media Bandwidth can be policed
  • Unsolicited Media can be dropped
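The rewrite the Session Controller performs in the two topology-hiding slides and the Benefits slide (strip every VIA, present its own address, and re-point the SDP so media cannot be aimed at the client), as an added Python example that is not part of the original deck or Newport Networks' product; the INVITE, the controller address 198.51.100.5 and the media port 20000 are constructed assumptions.

```python
import re

# Constructed sample INVITE as it would reach the peering Session Controller
# from the core: two internal VIAs plus the client's own address in the
# bottom VIA, Contact and SDP (all addresses are made up for this example).
INBOUND_INVITE = (
    "INVITE sip:bob@peer.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.2.3:5060;branch=z9hG4bK-y\r\n"
    "Via: SIP/2.0/UDP 10.0.0.7:5060;branch=z9hG4bK-x\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-a\r\n"
    "From: <sip:alice@core.example>;tag=1\r\n"
    "To: <sip:bob@peer.example>\r\n"
    "Contact: <sip:alice@192.0.2.10:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 192.0.2.10\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
SC_ADDR = "198.51.100.5"   # assumed public address of the Session Controller
SC_MEDIA_PORT = 20000      # assumed port it relays this call's media on

IPV4 = r"\b(?:\d{1,3}\.){3}\d{1,3}\b"

def hide_topology(msg, sc_addr, media_port):
    """Return msg rewritten so that only the Session Controller is visible.
    All VIAs are removed and replaced by a single VIA naming the controller;
    Contact and the SDP o=/c=/m= lines are re-pointed at the controller, so
    neither replies nor media can be aimed at the internal client address.
    """
    head, _, body = msg.partition("\r\n\r\n")
    request_line, *headers = head.split("\r\n")
    out = [request_line, f"Via: SIP/2.0/UDP {sc_addr}:5060;branch=z9hG4bK-sc"]
    for h in headers:
        if h.lower().startswith("via:"):
            continue                               # strip every internal hop
        if h.lower().startswith("contact:"):
            h = re.sub(r"@[^:>]+(:\d+)?", f"@{sc_addr}:5060", h)
        out.append(h)
    body = re.sub(rf"^(o=\S+ \S+ \S+ IN IP4 ){IPV4}", rf"\g<1>{sc_addr}", body, flags=re.M)
    body = re.sub(rf"^c=IN IP4 {IPV4}", f"c=IN IP4 {sc_addr}", body, flags=re.M)
    body = re.sub(r"^m=audio \d+", f"m=audio {media_port}", body, flags=re.M)
    return "\r\n".join(out) + "\r\n\r\n" + body

def addresses_in(msg):
    """Every IPv4 address a peer could read out of the message."""
    return set(re.findall(IPV4, msg))
```

A real controller also rewrites Record-Route/Route and the IP-layer source address, and keeps per-call state so responses and media can be mapped back to the internal client.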
Media policing
Diagram: signalling for the SIP Client (address A) indicates the bandwidth; when the media exceeds that bandwidth, the Session Controller (B) at the edge of the Core IP Network polices the actual bandwidth.
• Protects Network Peering points
• Prevents excessive media in the Core Network
• Protects Clients
Blocking of Unsolicited Media
Diagram: no media path has been opened by signalling for the SIP Client (address A), yet unsolicited media arrives at the Session Controller (B) from outside the Core IP Network.
• The Session Controller only opens ports for specific source/destination IP address/port pairs
• Non-matching media is dropped at wire speed
• Protects Core and Clients
User Security and Privacy
Diagram: SIP Client A in the Access Network registers with the Call Agent in the Core Network; unsolicited media is directed at address A.
• The SIP Client registers address A
• Address A is now a ‘public’ address
• Unsolicited media can be directed at this address
• Difficult for the Service Provider to police
User Security and Privacy
Diagram: the registration from SIP Client A passes through a Session Controller (address B) on its way to the Call Agent; unsolicited media directed at B is dropped.
• The SIP Client registers – the message is routed via the Session Controller
• The Session Controller modifies the source address to one of its own, ‘B’
• Address ‘B’ is now the ‘public’ address for Client A
• Unsolicited media directed at this address is dropped at wire speed
• Simple for the Service Provider to police
Example Media Attack
Diagram: the attacker sends an INVITE to the SIP Media Server with source address Client A; the Media Server streams media through the Core Network and Access Network to SIP Client A.
• Example: the attacker learns Client A’s registered address
• The attacker sends an INVITE to the SIP Media Server, spoofing the target’s address
• Client A and the Access Network are saturated with media packets
Media Attack Limited
Diagram: the attacker sends an INVITE to the SIP Media Server with source address set to the proxy address of Client A; the Media Server streams media to the Proxy, where the Session Controller sits between the Core Network and the Access Network.
• Example: the attacker learns Client A’s registered address (the Proxy)
• The attacker sends an INVITE to the SIP Media Server, spoofing the target’s proxied address
• The Session Controller does not have a valid media path set up for Client A
• All unsolicited media is dropped – Access Network and Client protected
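The wire-speed media filter described in the Media policing and Blocking of Unsolicited Media slides, replayed against the spoofed-INVITE scenario of the two Example Media Attack slides, as an added Python example that is not the deck's or Newport Networks' code. Pinholes are keyed on the exact source/destination address/port pair opened by signalling and policed with a token bucket sized to the SDP bandwidth; the addresses, rates and packet timings in scenario() are constructed.

```python
from dataclasses import dataclass

@dataclass
class Pinhole:
    """A media path opened by signalling for one exact source/destination
    (ip, port) pair, policed to the rate the SDP announced (bytes/second)."""
    bps: int            # policed rate, bytes per second
    tokens: int         # token bucket; a full bucket allows a 1 s burst
    last_ms: int        # time of the last refill, in milliseconds

class SessionController:
    """Wire-speed media filter: drop anything without a pinhole, and drop
    anything that exceeds the bandwidth the signalling asked for."""

    def __init__(self):
        self.pinholes = {}                       # (src, dst) -> Pinhole
        self.dropped = {"unsolicited": 0, "over_bandwidth": 0}

    def open_from_sdp(self, src, dst, kbps, now_ms):
        bps = kbps * 1000 // 8                   # SDP b= value in kbit/s
        self.pinholes[(src, dst)] = Pinhole(bps, bps, now_ms)

    def forward(self, src, dst, nbytes, now_ms):
        hole = self.pinholes.get((src, dst))
        if hole is None:                         # no signalling opened this path
            self.dropped["unsolicited"] += 1
            return False
        refill = (now_ms - hole.last_ms) * hole.bps // 1000
        hole.tokens = min(hole.bps, hole.tokens + refill)
        hole.last_ms = now_ms
        if hole.tokens < nbytes:                 # exceeds the announced bandwidth
            self.dropped["over_bandwidth"] += 1
            return False
        hole.tokens -= nbytes
        return True

def scenario():
    """Constructed traffic: a normal G.711 call, a spoofed-INVITE media stream
    aimed at Client A's proxied address, and the real peer sending far too much."""
    sc = SessionController()
    client_a = ("198.51.100.5", 20000)           # assumed proxied address of A
    peer = ("203.0.113.9", 40000)                # far end negotiated in signalling
    media_server = ("203.0.113.50", 5004)        # never appeared in A's signalling
    sc.open_from_sdp(peer, client_a, kbps=64, now_ms=0)
    ok = sum(sc.forward(peer, client_a, 160, t * 20) for t in range(50))
    bad = sum(sc.forward(media_server, client_a, 1400, 1000 + t) for t in range(200))
    flood = sum(sc.forward(peer, client_a, 1400, 2000 + t) for t in range(1000))
    return ok, bad, flood, dict(sc.dropped)
```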
Partitioned Network
• Corporate networks accessed via Session Controllers
  • Clients and Access Networks protected from unsolicited and excessive media
• Peering points connected via Session Controllers
  • Provides media protection, accounting, and topology hiding
Other activities
• STEM – Secure Telephony Enabled Middlebox
  • Proposal for a Middlebox solution aimed at improving the security of Enterprise telephony services
• ICE – Interactive Connectivity Establishment
  • Proposal for a client-based connectivity solution
  • Makes use of STUN (Simple Traversal of UDP through NAT)
  • Connectivity is confirmed before media is sent
Summary
• DoS needs targets
• Implement ‘Hiding’ and encryption wherever possible – reveal as little as possible
  • Hide the entire network at the Peering point – don’t advertise internal network addresses
  • Hide real clients on the access side – don’t advertise real client addresses
• Partition the Network with Session Controllers
  • Block unsolicited Media
  • Police actual media bandwidth
  • Limits the scope of any attack
Thank You