Presentation is loading. Please wait.

Presentation is loading. Please wait.

Protecting VoIP networks against denial of service and service theft Henning Schulzrinne with Gaston Ormazabal (Verizon) and IRT graduate students Dept.

Published byArthur Hopkins Modified over 8 years ago

Similar presentations

Presentation on theme: "Protecting VoIP networks against denial of service and service theft Henning Schulzrinne with Gaston Ormazabal (Verizon) and IRT graduate students Dept."— Presentation transcript:

1 Protecting VoIP networks against denial of service and service theft Henning Schulzrinne with Gaston Ormazabal (Verizon) and IRT graduate students Dept. of Computer Science Columbia University March 30, 2007

2 VoIP is Different No retransmission for voice data --> no recovery of lost data Real time application --> delay must be below 150 ms Merges traditional PSTN networks with IP --> new avenues for attacks on IP networks and PSTN Optimize security overhead such that it doesn’t impact delays Billing in VoIP services is different from PSTN –flat rate billing –multiple extensions Diagram from http://www.sipera.comhttp://www.sipera.com

3 VoIP Threat Taxonomy Scope of our research Refer to http://www.voipsa.org for more details on this taxonomyhttp://www.voipsa.org

4 Scope of Our Research Scope of current work

5 Previous Work Successfully implemented a large scale SIP-aware Firewall (using dynamic pinhole filtering) –The filter is used as a first-line of defence against DoS attacks at the network perimeter and it enforces the following: Only signalled media channels can traverse the perimeter End systems are protected against flooding of random RTP or other attacks. The RTP pinhole filtering approach is a good first-line of defense but… –The signalling port (5060) is subject to attack on the signalling infrastructure –This lead us to define the new problem...

6 VoIP Traffic Attack Traffic Untrusted DPPM sipd Trusted SIP RTP Filter IFilter II VoIP Traffic Attack Traffic Untrusted DPPM sipd Trusted SIP RTP Filter I Filter II Mitigation Solution Overview

7 Testing Results – With the Return Routability filter Call Rate (calls/sec)No. of Concurrent calls (load) Number of calls setup Number of calls dropped % calls dropped 112,000 0 0.0% 5012,000 0 0.0% 10012,0001,33110,669 88.9% 1006,0001,2524,748 79.1% 1004,0001,3442,656 66.4% 1002,0001,92278 3.9% 2002,0001,884116 5.8% 3002,0001,800200 10%

8 Theft of Service Theft of service causes lost revenue and bad reputation –resources are abused causing monetary losses –unauthorized usage can degrade whole system’s performance Related theft of services attacks: –distributed denial of service on billing system –spoofing, content alteration, intrusion, platform attacks Checks to perform before establishing session: –enough funds, 800 numbers, emergency number –multimedia services, messages, etc. Possible theft of service scenarios: –using services without paying –illegal resource sharing for unlimited plans –compromised systems -- use third-party services –call spoofing and “vishing” Currently developing a test tool to identify weaknesses in deployed systems and lab prototypes

9 Benefits to Verizon and Columbia Technology Transfer to Verizon Labs –Set up a replica of Columbia testbed in Silver Spring VoIP lab for rapid SBC evaluation Licensing Agreement with CloudShield –Currently negotiating a Royalty Agreement to take technology to market Intellectual Property –Patents and Publications (NANOG)

Download ppt "Protecting VoIP networks against denial of service and service theft Henning Schulzrinne with Gaston Ormazabal (Verizon) and IRT graduate students Dept."

Similar presentations

The leader in session border control for trusted, first class interactive communications.

The leader in session border control for trusted, first class interactive communications.
IMS and Security Sri Ramachandran NexTone. 2 CONFIDENTIAL © 2006, NexTone Communications. All rights Traditional approaches to Security - The CIA principle.

IMS and Security Sri Ramachandran NexTone. 2 CONFIDENTIAL © 2006, NexTone Communications. All rights Traditional approaches to Security - The CIA principle.
SIP Trunking A VASP Perspective Thomas Roel Convergence Sales Engineer 651.796.7043

SIP Trunking A VASP Perspective Thomas Roel Convergence Sales Engineer
Addressing Security Issues IT Expo East 2011. Addressing Security Issues Unified Communications SIP Communications in a UC Environment.

Addressing Security Issues IT Expo East Addressing Security Issues Unified Communications SIP Communications in a UC Environment.
Mobile IPv6. Why study Mobility in IPv6? What is so different about Mobile IPv6 ?

Mobile IPv6. Why study Mobility in IPv6? What is so different about Mobile IPv6 ?
Traffic Analyst Complete Network Visibility. © 2013 Impact Technologies Inc., All Rights ReservedSlide 2 Capacity Calibration Definitive Requirements.

Traffic Analyst Complete Network Visibility. © 2013 Impact Technologies Inc., All Rights ReservedSlide 2 Capacity Calibration Definitive Requirements.
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
A Hybrid and Cross-Protocol Architecture with Semantics and Syntax Awareness to Improve Intrusion Detection Efficiency in Voice over IP Environments Department.

A Hybrid and Cross-Protocol Architecture with Semantics and Syntax Awareness to Improve Intrusion Detection Efficiency in Voice over IP Environments Department.
NS-H0503-02/11041 Attacks. NS-H0503-02/11042 The Definition Security is a state of well-being of information and infrastructures in which the possibility.

NS-H /11041 Attacks. NS-H /11042 The Definition Security is a state of well-being of information and infrastructures in which the possibility.
CTO Office Reliability & Security Distinctions and Interactions Hal Lockhart BEA Systems.

CTO Office Reliability & Security Distinctions and Interactions Hal Lockhart BEA Systems.
Solutions for SIP The SIP enabler We enable SIP communication for business What the E-SBC can do for you.

Solutions for SIP The SIP enabler We enable SIP communication for business What the E-SBC can do for you.
® Context Aware Firewall Policies Ravi Sahita Priya Rajagopal, Pankaj Parmar Intel Corp. June 8 th 2004 IEEE Policy (Security)

® Context Aware Firewall Policies Ravi Sahita Priya Rajagopal, Pankaj Parmar Intel Corp. June 8 th 2004 IEEE Policy (Security)
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
September 19, 2006speermint interim1 VoIP Threats and Attacks Alan Johnston.

September 19, 2006speermint interim1 VoIP Threats and Attacks Alan Johnston.
1 © NOKIA NSIS MIPv6 FW/ November 8 th 2004 Mobile IPv6 - NSIS Interaction for Firewall traversal draft-thiruvengadam-nsis-mip6-fw-01 S. Thiruvengadam.

1 © NOKIA NSIS MIPv6 FW/ November 8 th 2004 Mobile IPv6 - NSIS Interaction for Firewall traversal draft-thiruvengadam-nsis-mip6-fw-01 S. Thiruvengadam.
Testing SIP Services Over IP. Agenda  SIP testing – advanced scenarios  SIP testing - Real Life Examples.

Testing SIP Services Over IP. Agenda  SIP testing – advanced scenarios  SIP testing - Real Life Examples.
© Verizon Copyright 2008. 1 June 12, 2015 Columbia - Verizon Research Collaboration Secure SIP: Scalable DoS and ToS Prevention Mechanisms for SIP-based.

© Verizon Copyright June 12, 2015 Columbia - Verizon Research Collaboration Secure SIP: Scalable DoS and ToS Prevention Mechanisms for SIP-based.
Common IS Threat Mitigation Strategies An overview of common detection and protection technologies Max Caceres CORE Security Technologies www.coresecurity.com.

Common IS Threat Mitigation Strategies An overview of common detection and protection technologies Max Caceres CORE Security Technologies
DYSWIS1 Managing (VoIP) Applications – DYSWIS Henning Schulzrinne Dept. of Computer Science Columbia University July 2005.

DYSWIS1 Managing (VoIP) Applications – DYSWIS Henning Schulzrinne Dept. of Computer Science Columbia University July 2005.
May 23, 2006 Columbia Verizon Research Security: SIP Application Layer Gateway Eilon Yardeni Columbia University Gaston Ormazabal Verizon Labs.

May 23, 2006 Columbia Verizon Research Security: SIP Application Layer Gateway Eilon Yardeni Columbia University Gaston Ormazabal Verizon Labs.

Similar presentations

Ads by Google