1 / 10

Deployment of Snort IDS in SIP based VoIP environments

Deployment of Snort IDS in SIP based VoIP environments. Jiří Markl Jaroslav Dočkal. Motivation and targets. Evident advantages of VoIP The same level of availability as in PSTN DoS attacks on SIP infrastructure Attacks identification Applicability of Snort IDS for attacks detection.

suchi
Download Presentation

Deployment of Snort IDS in SIP based VoIP environments

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Deployment of Snort IDS in SIP based VoIP environments Jiří Markl Jaroslav Dočkal

  2. Motivation and targets • Evident advantages of VoIP • The same level of availability as in PSTN • DoS attackson SIP infrastructure • Attacks identification • Applicability of Snort IDS for attacks detection

  3. Identified attacks • Attacks to SIP proxies • Common TCP/IP attacks • Direct attacks (Teardrop, Ping of Death, SYN Flood) • Indirect attacks (Smurf attack) • Other TCP floods (STREAM attack, Null flood) • Distributed denial of service • Attacks using specific SIP vulnerabilities • Attacks to contributing services • DNS, ENUM • Application servers

  4. SIP specific attacks • Brute force attack using Invite messages • Denial of service utilizing Register message alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \ (msg:"INVITE message flooding"; content:"INVITE"; depth:6; \ threshold: type both, track by_src, count 200, seconds 60; \ sid:1000100; rev:1;) #Suppresion of alerting for known proxy 147.32.121.12 suppress gen_id 1, sig_id 1000100, track by_src, ip 147.32.121.12

  5. SIP specific attacks – continuation • Tearing down sessions • Bye, Cancel • Denial of service utilizing responses • 3xx, 4xx, 5xx, 6xx • Using message amplification to cause the DoS • loops • forking

  6. SIP specific attacks – continuation • Brute force authentication attack • 401 Unauthorized • 407 Proxy Authentication Required alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \ (msg:"INVITE message flooding"; \ content:"SIP/2.0 401 Unauthorized"; depth:24; \ threshold: type both, track by_src, count 100, seconds 60; \ sid:1000600; rev:1;)

  7. SIP specific attacks – continuation • Attacks using SQL injection • Using unresolvable DNS names alert udp $DNS_SERVERS 53 -> $SIP_PROXY_IP any \ msg:"DNS No such name treshold"; \ content:"|83|"; offset:3; depth:1; \ threshold: type both , track by_src, count 2000, seconds 60; \ sid:1000400; rev:1;)

  8. Snort usage conclusions • Advantages • Based on existing OpenSource solution • SIP proxy independent • Can be used for detection of various attacks and known exploits – lots of rules available • Can be used for detection of misconfigurations in SIP network • Drawbacks • Problems with secured connections (TLS) • Usable only for simple detection

  9. SIP rules published on Snort.org Developed rules can be obtained from Snort.org within current Community Rules set. http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/ Community-Rules-CURRENT.tar.gz

  10. Thanks.

More Related