Slide 1: Protecting SIP Against DoS: An Architectural Approach

Slide 2: Motivation
► SIP implementations vulnerable to DoS
► Current solutions placed near destination
   • But these cannot cope with large attacks
► Need an architectural approach
   • Detect attack at destination
   • Block attack close to its sources

Slide 3: Basic Architecture
[Diagram: ISP A, ISP B and ISP D each place a SIP FILTER in front of their SIP AGENTS; a legacy ISP B has none. All are connected through the Internet. Labelled arrows: "Detect attack" at the destination, "filter request" sent back toward the source's filter.]

Slide 4: Basic Architecture: Detailed View
[Diagram: ISP A (SRC) with clients C1, C2, C3, a proxy P, a registrar R and an ISF; the Internet; ISP B (DST) with an ESF, a proxy P, a registrar R and client C4. Arrow: "Filter Request, send to ISF@domain".]
Legend: C = SIP UA; ISF = Ingress SIP filter; ESF = Egress SIP filter; R = SIP registrar; P = SIP proxy

Slide 5: Basic Architecture: No Proxies
[Diagram: same layout as slide 4 (C1, C2, C3, P, R, ISF in ISP A (SRC); ESF, P, R, C4 in ISP B (DST)), showing the message path when no proxy is involved.]

Slide 6: Basic Architecture: One Proxy
[Diagram: same layout as slide 4, showing the message path through one proxy.]

Slide 7: Basic Architecture: Two Proxies
[Diagram: same layout as slide 4, showing the message path through both domains' proxies.]

Slide 8: SIP ID-spoofing Prevention: Intra-Domain
[Diagram: three clients behind the ISP's ingress SIP filter (ISF) and registrar (R), connected to the INTERNET.]
   C1: SIP ID johnp, IP 10.0.0.100, MAC 00:00:00:00:00:00
   C2: SIP ID jackh, IP 10.0.0.101, MAC 00:00:00:00:00:01
   C3: SIP ID eve,   IP 10.0.0.102, MAC 00:00:00:00:00:02
Database (IP / MAC):    .100 / :00:00, .101 / :00:01, .102 / :00:02
Database (IP / SIP ID): .100 / johnp,  .101 / jackh,  .102 / jillm
Check: .100 = johnp? YES.  .100 = eve? NO!
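The intra-domain check of slide 8 as an added example (not code from the slides or their authors): the ISF binds the SIP ID in the From header to the source IP, and the IP to the MAC seen on the wire. The two tables, host names and the INVITE are constructed to mirror the slide.

```python
"""Added example, not part of the slides: the intra-domain check an ingress SIP
filter (ISF) could apply, binding the SIP ID in From: to the source IP and the
IP to the MAC seen on the wire. Tables, hosts and messages are constructed."""
import re

# Constructed to mirror slide 8: the ISF's IP -> MAC table (DHCP/ARP) and the
# registrar's IP -> SIP ID table.
IP_TO_MAC = {
    "10.0.0.100": "00:00:00:00:00:00",
    "10.0.0.101": "00:00:00:00:00:01",
    "10.0.0.102": "00:00:00:00:00:02",
}
IP_TO_SIPID = {"10.0.0.100": "johnp", "10.0.0.101": "jackh", "10.0.0.102": "jillm"}

# From: header in long or compact form, and the user part of its SIP URI.
FROM_HDR = re.compile(r"^(?:From|f):[ \t]*([^\r\n]*)", re.I | re.M)
URI_USER = re.compile(r"sips?:([^@>;\s]+)@", re.I)


def from_user(sip_msg: str):
    """Return the user part of the From URI, or None if it cannot be found."""
    hdr = FROM_HDR.search(sip_msg)
    if not hdr:
        return None
    uri = URI_USER.search(hdr.group(1))
    return uri.group(1) if uri else None


def ingress_allow(src_ip: str, src_mac: str, sip_msg: str):
    """ISF decision for one message: (forward?, reason)."""
    if IP_TO_MAC.get(src_ip) != src_mac:        # IP spoofing: IP not bound to this MAC
        return False, "ip/mac binding mismatch"
    user = from_user(sip_msg)
    if user is None:
        return False, "no SIP URI in From"
    if IP_TO_SIPID.get(src_ip) != user:          # SIP ID spoofing: ".100 = eve? NO!"
        return False, f"{user} is not registered from {src_ip}"
    return True, "ok"


def build_invite(caller: str, callee: str) -> str:
    """Constructed minimal INVITE used to exercise the check."""
    return (
        f"INVITE sip:{callee}@ispb.example SIP/2.0\r\n"
        f"From: <sip:{caller}@ispa.example>;tag=1\r\n"
        f"To: <sip:{callee}@ispb.example>\r\n"
        "Content-Length: 0\r\n\r\n"
    )
```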

Slide 9: SIP ID-spoofing Prevention: Inter-Domain
[Diagram: same layout as slide 4, with a TLS tunnel between ISP A's ISF and ISP B's ESF.]
► ESF trusts packets came from ISF (TLS tunnel)
► ESF trusts ISF to ingress filter
► So, ESF can tell packets came from C1, C2 or C3

Slide 10: Filtering Protocol
► Detector at destination triggers filter request
► Need to know which SF to send request to
   • Wait until next packet, record TLS endpoint
► Need to authenticate requests
   • TLS tunnel takes care of this

Slide 11: Attack Detection
► Either at source or destination domain
   • Destination
      ► Can detect even very distributed attacks
      ► State-holding attacks on proxies
   • Source
      ► Can prevent spoof-based attacks
      ► Can detect flooding clients, prevent attack

Slide 12: Additional Slides

Slide 13: Attacks Prevented by Authentication Mechanism
► BYE attack
► CANCEL attack
► RE-INVITE / UPDATE attacks
► REFER attack (don't accept from non-tunneled referrers)
► Record-Route spoofing (don't accept from non-tunneled)
► REDIRECT server impersonation, moved permanently
► Reflection, fake Route, Via or Request-URI
► Reflection, spoofed INVITE
► State-holding attack, INVITEs with spoofed SIP IDs

Slide 14: Attacks Prevented by Source-Domain Filtering
► Registrar attacks
   • Flooding
   • Guessing login/password via brute-force
   • De-registering entries
   • Amplification attack, get all current registrations
   • SQL injection attacks
   • Registering too many IDs, amplification attacks through forking
► Parser attacks
   • Large header/body
   • Content-Length header mismatched to actual length
   • Malicious re-arrangement of fundamental headers

Slide 15: Attacks Prevented by Source-Domain Filtering (cont'd)
► Flooding attacks
   • SIP INVITEs
   • State-holding for proxies, too many sessions
► Proxy attacks
   • Force look-up of fake DNS names, black-list
   • Loops through Via header

Slide 16: Attacks Prevented by Destination-Domain Filtering
► Distributed flooding attacks
► State-holding attacks on proxies (black list?)
   • INVITE to unresponsive TCP port
   • INVITE to co-operating but unresponsive node
   • Colluding node, too many open sessions

Slide 17: Possible Extensions
► Captchas
► Scoring (and its authentication)
► Logging of filtered calls?

Slide 18: Bibliography
► RFC 3261, RFC 2543, RFC 4474
► VoIP Intrusion Detection Through Interacting Protocol State Machines
► VoIP Honeypot Architecture
► Understanding SIP
► VoIP Security and Privacy Threat Taxonomy
► Survey of Security Vulnerabilities in SIP

Slide 19: Basic Architecture: Deployment
[Diagram: an ISP with clients C1, C2, C3, a SIP filter (SF), a proxy (P), a registrar (Re) and routers (Ro) toward the INTERNET. Only SIP traffic is routed to the SF; non-SIP traffic bypasses it. "SIP IN traffic: to SF. Filter only IN traffic to SF."]

Slide 20: NATs: Enterprise Scenario
[Diagram: same layout as slide 4, with a NAT placed between clients C1, C2, C3 and ISP A's ISF. Arrow: "Filter Request, send to ISF@domain".]

Slide 21: NATs: End-Customer Scenario
[Diagram: a HOME NAT at 128.16.6.8 in front of clients C1, C2, C3, connected to ISP A (ISF, P, R) and the Internet. From the ISP's view: C1 : 128.16.6.8, C2 : 128.16.6.8, C3 : 128.16.6.8.]
► ISF can only ingress filter for NAT's MAC
► R has multiple SIP IDs for NAT's IP
► Filter: C1@ISPA
► C2 can still DoS C1, but this is a local problem

Slide 22: Experiment Results

Slide 23: Typical SIP Message Sizes

   SIP Message Type   Payload Size (in bytes)
   ACK                360
   INVITE             514
   RINGING            560
   OK                 916

Payload size is the message size plus the IP/UDP headers.

Slide 24: Network Topology
► Computer91 (Dell 2950)
   • 8 cores (2 x Intel Xeon X5355 @ 2.66 GHz)
   • 8 GB memory
   • 3 Intel 82571EB Quad Port cards on PCI-e slots
► All others (Dell 1950)
   • 4 cores (2 x Intel Xeon 5150 @ 2.66 GHz)
   • 2 GB memory
   • 2 Intel 82561EB Dual Port cards on PCI-e slots

Slide 25: PF_RING Performance
[Chart not included in the transcript.]

Slide 26: Click Configuration Files (I): Click SIP Forwarder

   c0 :: Classifier(12/0800, -);
   out0 :: Queue(200);
   pdeth13 :: PollDevice(eth13, PROMISC true) -> c0;
   // IP packets
   c0[0] -> Strip(14) -> CheckIPHeader() -> Strip(28) -> Unstrip(28) -> out0;
   // All others
   c0[1] -> out0;
   out0 -> tdeth11 :: ToDevice(eth11);

Slide 27: Click Configuration Files (II): Click SIP Method Filter

   methclassifer0 :: SIPMethodClassifier("INVITE", "-");
   c0 :: Classifier(12/0800, -);
   out0 :: Queue(200);
   pdeth13 :: PollDevice(eth13, PROMISC true) -> c0;
   // IP packets
   c0[0] -> Strip(14) -> CheckIPHeader() -> Strip(28) -> methclassifer0;
   methclassifer0[0] -> Discard;
   methclassifer0[1] -> Unstrip(28) -> out0;
   // All others
   c0[1] -> out0;
   out0 -> tdeth11 :: ToDevice(eth11);

Slide 28: Click Configuration Files (III): Click SIP Hash-Based Headers Filter

   filter0 :: SIPHashFilter("From" "URI", "To" "URI");
   c0 :: Classifier(12/0800, -);
   out0 :: Queue(200);
   pdeth13 :: PollDevice(eth13, PROMISC true) -> c0;
   // IP packets
   c0[0] -> Strip(14) -> CheckIPHeader() -> Strip(28) -> filter0 -> Unstrip(28) -> out0;
   // All others
   c0[1] -> out0;
   out0 -> tdeth11 :: ToDevice(eth11);

Slide 29: Click Configuration Files (IV): Click Threads

   StaticThreadSched(
       pdeth13 0, tdeth13 0, pdeth11 0, tdeth11 0,
       pdeth12 1, tdeth12 1, pdeth10 1, tdeth10 1,
       pdeth9 2,  tdeth9 2,  pdeth7 2,  tdeth7 2,
       pdeth8 3,  tdeth8 3,  pdeth6 3,  tdeth6 3,
       pdeth5 4,  tdeth5 4,  pdeth3 4,  tdeth3 4,
       pdeth4 5,  tdeth4 5,  pdeth2 5,  tdeth2 5
   );

Slide 30: Click (old parser) Performance
[Chart not included in the transcript.]

Slide 31: Click (new parser) Performance
[Chart not included in the transcript.]

Slide 32: Click Hash-based Performance
[Chart not included in the transcript.]

Slide 33: Number of Filters (chain length x number of hash buckets)

   Chain Length   Number of Hash Buckets
                  100      500        1,000      5,000      10,000
   5              500      2,500      5,000      25,000     50,000
   50             5,000    25,000     50,000     250,000    500,000
   75             7,500    37,500     75,000     375,000    750,000
   100            10,000   50,000     100,000    500,000    1,000,000
   200            20,000   100,000    200,000    1,000,000  2,000,000
   300            30,000   150,000    300,000    1,500,000  3,000,000
   400            40,000   200,000    400,000    2,000,000  4,000,000
   500            50,000   250,000    500,000    2,500,000  5,000,000

Figures in red denote line-rate configurations (the colouring is not preserved in this transcript).
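The hash-based From/To filter of slide 28 and the capacity table of slide 33, as an added example (not the Click SIPHashFilter element or any code from the slides): a table with a fixed number of buckets and a bounded chain per bucket, so its capacity is buckets x chain length, and installing a filter fails once a chain is full. The URI parsing, bucket hash (crc32) and all messages are assumptions constructed here.

```python
"""Added example, not part of the slides: a (From URI, To URI) hash filter table
in the spirit of slide 28's SIPHashFilter, with a fixed number of buckets and a
bounded chain per bucket, so capacity = buckets x chain length (slide 33)."""
import re
import zlib

URI = re.compile(r"(sips?:[^@>;\s]+@[^>;\s]+)", re.I)


def header_uri(sip_msg: str, name: str, compact: str):
    """Bare, lower-cased user@host URI of a header (long or compact name), or None."""
    m = re.search(rf"^(?:{name}|{compact}):[ \t]*([^\r\n]*)", sip_msg, re.I | re.M)
    if not m:
        return None
    u = URI.search(m.group(1))
    return u.group(1).lower() if u else None


class SIPHashFilter:
    def __init__(self, buckets: int, max_chain: int):
        self.table = [[] for _ in range(buckets)]
        self.max_chain = max_chain

    def capacity(self) -> int:
        """Maximum number of installed filters (buckets x chain length)."""
        return len(self.table) * self.max_chain

    def _chain(self, from_uri: str, to_uri: str) -> list:
        key = f"{from_uri}\0{to_uri}".encode()   # crc32: deterministic bucket choice
        return self.table[zlib.crc32(key) % len(self.table)]

    def add(self, from_uri: str, to_uri: str) -> bool:
        """Install a filter request; False if that bucket's chain is already full."""
        pair = (from_uri.lower(), to_uri.lower())
        chain = self._chain(*pair)
        if pair in chain:
            return True                          # duplicate request, no slot consumed
        if len(chain) >= self.max_chain:
            return False
        chain.append(pair)
        return True

    def drops(self, sip_msg: str) -> bool:
        """True if the message's From/To pair has an installed filter."""
        f = header_uri(sip_msg, "From", "f")
        t = header_uri(sip_msg, "To", "t")
        if f is None or t is None:               # nothing to match on; parser checks handle it
            return False
        return (f, t) in self._chain(f, t)
```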

