Denial of Service on SIP VoIP Infrastructures Using DNS Flooding


Attack Scenario and Countermeasures

Ge Zhang, Sven Ehlert, Thomas Magedanz and Dorgham Sisalem

Fraunhofer Institute FOKUS

Outline
  • Background: DNS usage in SIP network
  • Vulnerability and Attack
  • Experiment Test bed
  • Previous Limited Solutions
  • Cache Solution
  • Conclusion and Future Work
Background
  • DNS usage in SIP infrastructures (three cases):
  • (1) Domain Names contained in SIP message headers. (e.g. INVITE, TO, FROM, VIA)
  • (2) Telephone number mapping (ENUM). (e.g. Translate +34 98 765 4321 to 1.2.3.4.5.6.7.8.9.4.3.e164.arpa)
  • (3) Server location. (e.g. SRV, NAPTR request)
Background

[Figure: message processing flow, steps 1 to 5. Labels: Parsing message, Resolving domain name, DNS Server, Continue…]

Scope of the Attack

[Figure: the same message processing flow, steps 1 to 5. Labels: Parsing message, Resolving domain name, DNS Server, Continue…; step 4 is marked "Blocked!!" and step 5 "waiting…."]

Scope of the Attack

INVITE: SIP:u1@so6f.columbia.edu SIP/2.0
Via: SIP/2.0/UDP 10.147.65.91; branch=z9hG4bk29FE738
CSeq: 16466 INVITE
To: sip:u1@2d4u.columbia.edu
Content-Type: application/sdp
From: SIP: u2@1otr.columbia.edu; tag=24564
Call-ID: 1163525243@10.147.65.91
Subject: Message
Content-Length: 184
Contact: SIP: u2@ued3.columbia.edu
<SDP part not shown>
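
An added example, not part of the original slides: a Python sketch that lists the host names in a SIP request that a proxy may have to resolve, so that requests carrying many distinct names can be flagged before any lookup is made. The header set, the `max_names` budget and the syntax-normalised sample message are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample modelled on the message above (syntax normalised, no SDP).
SAMPLE = """\
INVITE sip:u1@so6f.columbia.edu SIP/2.0
Via: SIP/2.0/UDP 10.147.65.91;branch=z9hG4bk29FE738
To: sip:u1@2d4u.columbia.edu
From: sip:u2@1otr.columbia.edu;tag=24564
Call-ID: 1163525243@10.147.65.91
Contact: sip:u2@ued3.columbia.edu
"""

HOST = r"(\[[^\]]+\]|[^\s;>:?,]+)"          # bracketed IPv6 or a plain host
URI_HOST = re.compile(r"sips?:(?:[^@\s;>]+@)?" + HOST, re.I)
VIA_HOST = re.compile(r"SIP/2\.0/\w+\s+" + HOST, re.I)
# Assumption: headers whose URIs a proxy may resolve (long and compact forms).
LOOKUP_HEADERS = {"to", "t", "from", "f", "contact", "m", "route", "record-route"}

def is_ip(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def hosts_needing_dns(message):
    """Return the distinct host names (not IP literals) in first-seen order."""
    lines = message.splitlines()
    found = URI_HOST.findall(lines[0])       # Request-URI
    for line in lines[1:]:
        if not line.strip():
            break                            # blank line ends the headers
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name in ("via", "v"):
            found += VIA_HOST.findall(value)
        elif name in LOOKUP_HEADERS:
            found += URI_HOST.findall(value)
    names = []
    for host in (h.lower() for h in found):
        if not is_ip(host) and host not in names:
            names.append(host)
    return names

def exceeds_budget(message, max_names=2):
    """Heuristic policy check: too many distinct names for one request."""
    return len(hosts_needing_dns(message)) > max_names
```
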

Experiment test bed
  • A SIP proxy
  • A DNS server
  • An attacking tool
  • 100 external SIP providers
  • User Agents (SIPp): a SIP traffic generator tool.

[Figure: test bed topology. Labels: SIP providers, Internet, DNS server, unresolvable, SER (outgoing proxy), Attacking tool, UA (SIPp)]
Limited Solutions
  • Increasing Parallel Processes

[Figure: Message Scheduler, Process 1, Process 2, ..., Process n, DNS, Message Forward]
Limited Solutions
  • Asynchronous Scaling through Message Processing Interruption
Cache Solution

[Figure: message processing flow with a cache. Labels: Parsing message, Resolving domain name, DNS Server, DNS Cache, Continue…]

Cache Solution
  • How to detect the attack?
  • (n is the number of parallel processes)
  • Hence the proxy will certainly be blocked at time t when H = n.
  • How to prevent being blocked?
  • 1 emergency process
  • Whenever H ≥ n – 1, alarm!
  • The next DNS request will not be forwarded to the external DNS server; instead, it will only be looked up in the cache and answered immediately.

Cache Solution
  • For example, n = 4.
  • Occupied processes H ≥ n – 1 ( 3 ≥ 4 - 1)

[Figure: labels in order: emergency, waiting, waiting, waiting; Process 4, Process 3, Process 2, Process 1; DNS Server; DNS Cache]

Cache Solution
  • Cache replacement policies
  • Motivation: As the number of cache entries (e) cannot practically cope with the unlimited number of possible domain names, we have to find a way to make optimal use of the limited number of cache entries.
  • FIFO
  • LRU
  • LFU
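
An added example, not code from the original slides or from SER: a single-threaded Python model of the emergency rule (H ≥ n – 1 switches to cache-only answers) combined with an LRU cache of e entries. The class and method names are hypothetical, and consulting the cache first in normal operation is an assumption.

```python
from collections import OrderedDict

class GuardedResolver:
    """Tracks H, the processes blocked on the external DNS server, out of n."""

    def __init__(self, n, e):
        self.n, self.e = n, e
        self.busy = 0                       # H on the slides
        self.cache = OrderedDict()          # name -> address, oldest first

    def alarm(self):
        return self.busy >= self.n - 1      # H >= n - 1

    def begin(self, name):
        """Return (source, address); 'upstream' means a process now waits."""
        if name in self.cache:
            self.cache.move_to_end(name)    # LRU: mark as most recently used
            return ("cache", self.cache[name])
        if self.alarm():
            return ("refused", None)        # cache-only mode: reply immediately
        self.busy += 1
        return ("upstream", None)

    def complete(self, name, addr):
        """The external server answered (addr) or timed out (None)."""
        self.busy -= 1                      # the waiting process is free again
        if addr is not None:
            self.cache[name] = addr
            self.cache.move_to_end(name)
            while len(self.cache) > self.e:
                self.cache.popitem(last=False)   # evict least recently used

def demo():
    """n = 4 as on the slides; all names and addresses are constructed."""
    r = GuardedResolver(n=4, e=2)
    r.begin("provider.example")
    r.complete("provider.example", "192.0.2.10")
    flood = ["a1.invalid", "b2.invalid", "c3.invalid"]
    started = [r.begin(name)[0] for name in flood]   # three processes wait
    known = r.begin("provider.example")              # served from the cache
    unknown = r.begin("d4.invalid")                  # not forwarded upstream
    return started, r.alarm(), known, unknown, r.busy
```

In this model a flooded proxy still answers for cached providers, and H never reaches n because a miss during the alarm is answered without occupying a process.
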
Cache Solution
  • Investigate the relationship between the number of cache entries and the performance of proxy
  • e = number of cache entries
  • Less than 270, growth
  • Greater than 270, stop
Conclusion and future work
  • The attack is easy to launch.
  • Compared with the previous solution, the cache solution is better.
  • 4 parameters affect the performance: cache replacement policy, number of cache entries, number of proxy processes and attacking interval.
  • Make the research results more accurate (INVITE, ACK, BYE)
  • Consider the new threat (DNS cache poisoning)
  • Build a scalable defense system for it