Advanced Flooding Attack on a SIP Server

Xianglin Deng, Canterbury University

Malcolm Shore, Canterbury University & Telecom NZ

SIP Protocol
  • SIP is used as the connection mechanism for IP-based multimedia services, including VoIP
  • SIP is normally deployed as a service not requiring user authentication
  • SIP can be configured to operate in authenticated mode
SIP Flooding
  • SIP is vulnerable to flooding attacks. A typical attack would be an INVITE flood.

[Sequence diagram: Attacker, SIP Proxy, SIP Client. Messages shown: INVITE, TRYING, RINGING, followed by repeated rounds of INVITE, TRYING, Busy here.]

SIP Flooding
  • SIP with authentication is more vulnerable to flooding attacks.

[Sequence diagram: Attacker, SIP Proxy, SIP Client. Messages shown: repeated rounds of INVITE, "…nonce generate and store", 407.]

SIP Flooding
  • Firewalls can provide SIP anti-flooding protection.

[Diagram: a stream of INVITE messages reaching the firewall, labelled "Blocked…".]

SIP Flooding
  • We can defeat the firewall anti-flooding mechanism

[Diagram: a stream of INVITE messages, none marked as blocked.]

SIP Flooding
  • We propose a Security Enhanced SIP System (SESS)
  • Non-authenticated SIP proxy with optional firewall authentication
  • Involves enhancement of the firewall with predictive nonce checking (Rosenberg)
  • Involves priority queues (Ohta)
  • The SIP proxy maintains known user lists (D’Souza)
  • Incorporates a synchronisation protocol (KASP)
  • We enhance the predictive nonce checking, priority queues and user lists
Predictive Nonce Checking
  • Rosenberg 2001

Exchange between Client and SIP proxy server:
  1. Client → SIP proxy server: INVITE/REGISTER
  2. SIP proxy server: Generate predictive nonce
  3. SIP proxy server → Client: 407/401 (nonce, realm)
  4. Client: Compute response = F(nonce, username, password, realm)
  5. Client → SIP proxy server: INVITE/REGISTER (nonce, realm, username, response)
  6. SIP proxy server: Authentication: compute F(nonce, username, password, realm) and compare with response
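
The exchange above, as an added Python example that is not from the presentation or from SESS: it contrasts with the "nonce generate and store" behaviour by deriving the nonce from an HMAC over time and source address, so the challenge can be checked without per-request state. The HMAC construction, `SECRET`, `LIFETIME`, the account and all function names are assumptions; F is instantiated as SIP digest without qop.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"    # assumption: secret known only to the proxy/firewall
LIFETIME = 30                       # assumption: seconds a challenge stays valid
REALM = "example.invalid"           # constructed realm
USERS = {"2000": "constructed-pw"}  # constructed account

def _mac(ts, src_ip):
    return hmac.new(SECRET, f"{ts}|{src_ip}".encode(), hashlib.sha256).hexdigest()

def make_nonce(src_ip, now):
    """Derive the challenge from time and source address; nothing is stored."""
    return f"{int(now)}-{_mac(int(now), src_ip)}"

def nonce_ok(nonce, src_ip, now):
    """Recompute the MAC instead of looking the nonce up in a table."""
    ts_str, _, mac = nonce.partition("-")
    if not (ts_str.isascii() and ts_str.isdigit()):
        return False
    ts = int(ts_str)
    fresh = 0 <= now - ts <= LIFETIME
    return fresh and hmac.compare_digest(mac.encode(), _mac(ts, src_ip).encode())

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(nonce, user, password, realm, method, uri):
    """F(nonce, username, password, realm) as SIP digest without qop."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def handle(src_ip, method, uri, auth, now):
    """Return (status, new_nonce_or_None) for one INVITE/REGISTER."""
    if auth is None or not nonce_ok(auth["nonce"], src_ip, now):
        # Missing, forged, wrong-source or stale nonce: re-challenge without
        # touching the user database or allocating per-request state.
        return 407, make_nonce(src_ip, now)
    password = USERS.get(auth["username"])
    if password is None:
        return 403, None
    good = digest_response(auth["nonce"], auth["username"], password, REALM, method, uri)
    ok = hmac.compare_digest(good.encode(), auth["response"].encode())
    return (200 if ok else 403), None
```
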
Priority Queues
  • Ohta 2006
    • Assign different priority to SIP INVITE messages
Improved Priority Queues
  • Assign priorities based on the source IP address.
  • VoIP service provider would benefit from giving frequent users higher priorities
User Lists
  • D’Souza 2004
    • Assigns high priority to known hosts
Improved User Lists
  • Enforce authentication on unknown hosts
  • Defines a dual-stage list
  • Adds expiry to the lists
KASP

Packet Structure

SESS

[Flowchart. Entry points: "Listen on incoming packets" and "Timer expire interrupt". Decisions: "Is ACK?", "In fu?", "In nu?", "Is a fu?", "Last call made in time t?". Actions: "Extract source IP addr", "Process SIP message", "Add user to nu", "Promote user to fu, update received time", "Reset Timer, update received time", "Remove user from nu", "Remove user from fu", "Reset Timer, Send Update firewall info".]

nu = userlist

fu = frequent userlist

JAIN SLEE
  • Advantages:
    • It is designed for low-latency, high-throughput telecommunications environments (10-20 calls per second per CPU; ~10 events per call; <200ms RTT)
    • Its container-based infrastructure enables easy integration of new services and technologies
    • Better availability and scalability through clustering
    • A high-level programming language (Java) is used, which reduces the time to market
JAIN SLEE
  • JAIN SLEE main operation
    • When a message arrives at SLEE, it will first go through a resource adapter;
    • The resource adapter wraps the message, and sends it to an activity context;
    • SBBs that have subscribed to the activity context will receive the event, and process it.
SESS implementation
  • Modified the SIP proxy SBB
  • Observations on Use of JAIN SLEE
    • Enhancement was possible with existing knowledge of Java
    • Modifications easy/low risk due to component architecture resulting from JAIN SLEE approach
    • Enhancement completed and tested in 3 days
    • High level of confidence in the resulting server
    • Much simpler and so more reliable than C
    • No opportunity to trial throughput or availability claims
    • Existence of many Java Libraries provides rich source of re-useable code
Experimental Results

Average setup delays = 9.39; (7.06) 7.14; 0.675; 0.487 seconds

Experimental Results

No discernible impact on the SIP proxy CPU … no INVITE flood attack packets penetrate

SIP ACK flooding

Average setup delay = 5.9 seconds

500 Server Internal error occurred

Temporary User List
  • ACK Flood can still penetrate the SESS protection
  • We use a temporary user list to ensure that ACKs cannot be accepted without an INVITE

[Diagram: INVITE answered with 407; further INVITEs pass "KASP+nu" and are answered with OK, followed by ACKs.]
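
The dual-stage list with expiry and the temporary user list described above, as an added Python sketch that is not the SESS/ISESS code. The class and method names, the single expiry value, the priority labels and the promotion rule (first completed call enters nu, the next one promotes to fu) are assumptions made for illustration.

```python
class UserLists:
    """Dual-stage source-IP lists (nu, fu) plus a temporary list gating ACKs."""

    def __init__(self, expiry):
        self.expiry = expiry   # seconds of inactivity before an entry is dropped
        self.pending = {}      # temporary list: ip -> time its INVITE was admitted
        self.nu = {}           # user list: ip -> time of last completed call
        self.fu = {}           # frequent user list: ip -> time of last completed call

    def _expire(self, now):
        for table in (self.pending, self.nu, self.fu):
            for ip in [ip for ip, seen in table.items() if now - seen > self.expiry]:
                del table[ip]

    def on_invite(self, ip, now, authenticated=False):
        """Return 'high', 'normal' or 'challenge' for an INVITE from ip."""
        self._expire(now)
        if ip in self.fu:
            priority = "high"
        elif ip in self.nu or authenticated:
            priority = "normal"
        else:
            return "challenge"      # unknown host: must pass the nonce check first
        self.pending[ip] = now      # only an admitted INVITE opens the door for an ACK
        return priority

    def on_ack(self, ip, now):
        """Return True if the ACK is forwarded, False if it is dropped."""
        self._expire(now)
        if self.pending.pop(ip, None) is None:
            return False            # ACK with no admitted INVITE behind it
        if ip in self.fu or ip in self.nu:
            self.nu.pop(ip, None)
            self.fu[ip] = now       # repeat caller: promote or refresh
        else:
            self.nu[ip] = now       # first completed call
        return True
```
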

ISESS

[Sequence diagram: Internet, Firewall, SIP Proxy, Internal client. "User 2000 makes 1st call": INVITE, Temp. Allow User, 200OK, ACK, Update user list, Voice stream. "User 2000 makes 2nd call": INVITE, 200OK, ACK, Voice stream. Legend: Security-enhanced SIP proxy process; Improved predictive nonce checking process.]

Experimental results

Average setup delays = 9.39; 8.356; 1.147; 0.975 seconds

SIP ACK FLOODING

Average setup delay = 0.815 seconds

Experimental Results

With ISESS, no ACK flood packets penetrate

Conclusion
  • SIP is vulnerable to flooding attack
  • Commercial anti-flooding mechanisms can be defeated
  • Current research provides some mitigation but is incomplete
  • ISESS synthesises and extends current research into a substantially more complete solution to the problem of SIP flooding