1 / 28

Advanced Flooding Attack on a SIP Server

Advanced Flooding Attack on a SIP Server. Xianglin Deng, Canterbury University Malcolm Shore, Canterbury University & Telecom NZ. SIP Protocol. SIP is used as the connection mechanism for IP-based multimedia services, including VoIP

terentia
Download Presentation

Advanced Flooding Attack on a SIP Server

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Advanced Flooding Attack on a SIP Server Xianglin Deng, Canterbury University Malcolm Shore, Canterbury University & Telecom NZ

  2. SIP Protocol • SIP is used as the connection mechanism for IP-based multimedia services, including VoIP • SIP is normally deployed as a service not requiring user authentication • SIP can be configured to operate in authenticated mode

  3. SIP Flooding • SIP is vulnerable to flooding attacks. A typical attack would be an INVITE flood. Attacker SIP Proxy SIP Client INVITE TRYING RINGING INVITE TRYING Busy here INVITE TRYING Busy here INVITE TRYING Busy here INVITE TRYING Busy here INVITE TRYING Busy here

  4. SIP Flooding • SIP with authentication is more vulnerable to flooding attacks. Attacker SIP Proxy SIP Client INVITE …nonce generate and store 407 …nonce generate and store INVITE 407 …nonce generate and store INVITE 407 …nonce generate and store INVITE 407 INVITE …nonce generate and store 407 …nonce generate and store INVITE 407

  5. SIP Flooding • Firewalls can provide SIP anti-flooding protection. INVITE INVITE INVITE INVITE INVITE INVITE INVITE INVITE INVITE Blocked… INVITE INVITE INVITE INVITE INVITE

  6. SIP Flooding • We can defeat the firewall anti-flooding mechanism INVITE INVITE INVITE INVITE INVITE INVITE INVITE INVITE INVITE INVITE INVITE INVITE INVITE INVITE INVITE INVITE

  7. SIP Flooding • We propose an Security Enhanced SIP System (SESS) • Non authenticated SIP Proxy with optional firewall authentication • Involves enhancement of the firewall with predictive nonce checking (Rosenberg) • Involves priority queues (Ohta) • The SIP proxy maintains known user lists (D’Souza) • Incorporates a synchronisation protocol (KASP) • We enhance the predictive nonce checking, priority queues and user lists

  8. Client SIP proxy server INVITE/REGISTER Generate predictive nonce 407/401 Nonce, realm Compute response= F(nonce,username,password,realm) INVITE/REGISTER nonce,realm, username,response Authentication: Compute F(nonce,username,password,realm) And compare with response Predictive Nonce Checking • Rosenberg 2001

  9. Improved Nonce Checking

  10. Priority Queues • Ohta 2006 • Assign different priority to SIP INVITE messages

  11. Improved Priority Queues • Assign priorities based on the source IP address. • VoIP service provider would benefit from giving frequent users higher priorities

  12. User Lists • D’Souza 2004 • Assigns high priority to known hosts

  13. Improved User Lists • Enforce authentication on unknown hosts • Defines a dual-stage list • Adds expiry to the lists

  14. KASP Packet Structure

  15. Timer expire interrupt Is ACK? Reset Timer, update received time Yes Yes No Is a fu? Extract Source IP addr No In fu? No Yes Process SIP message No Yes Last call made in time t? In nu? Remove user from nu Remove user from fu No Yes Add user to nu, Promote user to fu, update received time Reset Timer, Send Update firewall info nu = userlist fu = frequent userlist SESS Listen on incoming packets

  16. JAIN SLEE • Advantages: • it is designed for telecommunications low latency and high throughput environments (10-20 calls per second per CPU; ~10 events per call; <200ms RTT) • Its container-based infrastructure enables easy integration of new services and technologies • Better availability and scalability through clustering • A high-level programming language-JAVA is used – reduce the time to market

  17. JAIN SLEE • JAIN SLEE main operation • When a message arrives at SLEE, it will first go through a resource adapter; • The resource adapter wraps the message, and sends it to an activity context; • SBBs that have subscribed to the activity context will receive the event, and process it.

  18. SESS implementation • Modified the SIP proxy SBB • Observations on Use of JAIN SLEE • Enhancement was possible with existing knowledge of Java • Modifications easy/low risk due to component architecture resulting from JAIN SLEE approach • Enhancement completed and tested in 3 days • High level of confidence in the resulting server • Much simpler and so more reliable than C • No opportunity to trial throughput or availability claims • Existence of many Java Libraries provides rich source of re-useable code

  19. Experimental Results Average setup delays: = 9.39;(7.06)7.14;0.675;0.487 seconds

  20. Experimental Results No discernable impact on the SIP proxy CPU … no INVITE flood attack packets penetrate

  21. SIP ACK flooding Average setup delay = 5.9 seconds 500 Server Internal error occured

  22. Temporary User List • ACK Flood can still penetrate the SESS protection • We use a temporary user list to ensure that ACKs cannot be accepted without an INVITE INVITE 407 INVITE INVITE INVITE KASP+nu OK OK OK ACK ACK ACK

  23. User 2000 makes 1st call Firewall SIP Proxy Internal client INVITE INVITE Temp. Allow User Internet INVITE 200OK 200OK ACK ACK Update user list ACK User 2000 makes 2nd call Voice stream INVITE INVITE INVITE 200OK 200OK ACK ACK Voice stream = Security-enhanced SIP proxy process = Improved Predictive nonce checking process ISESS

  24. Experimental results Average setup delays: = 9.39; 8.356; 1.147; 0.975 seconds

  25. SIP ACK FLOODING Average setup delays: = 0.815 seconds

  26. Experimental Results With ISESS, no ACK flood packets penetrate

  27. Conclusion • SIP is vulnerable to flooding attack • Commercial anti-flooding mechanisms can be defeated • Current research provides some mitigation but is incomplete • ISESS synthesises and extends current research into a substantially more complete solution to the problem of SIP flooding

  28. Questions?

More Related