Denial of Service on SIP VoIP Infrastructures Using DNS Flooding


1 Denial of Service on SIP VoIP Infrastructures Using DNS Flooding
Attack Scenario and Countermeasures
Ge Zhang, Sven Ehlert, Thomas Magedanz and Dorgham Sisalem
Fraunhofer Institute FOKUS

2 Outline
Background: DNS usage in SIP network
Vulnerability and Attack
Experiment Test bed
Previous Limited Solutions
Cache Solution
Conclusion and Future Work

3 Background
DNS Usage in SIP Infrastructures (3).
(1) Domain names contained in SIP message headers (e.g. INVITE, TO, FROM, VIA).
(2) Telephone number mapping (ENUM) (e.g. Translate to e164.arpa).
(3) Server location (e.g. SRV, NAPTR request).

4 Background
[Figure: numbered message flow (steps 1 to 5) with labels: Parsing message, Resolving Domain name, DNS Server, Continue…]

5 Scope of the Attack
[Figure: numbered message flow (steps 1 to 5) with labels: Parsing message, Resolving Domain name, DNS Server, Blocked!!, waiting…., Continue…]

6 Scope of the Attack

7 Scope of the Attack
INVITE: SIP:u1@so6f.columbia.edu SIP/2.0
Via: SIP/2.0/UDP ; branch=z9hG4bk29FE738
CSeq: INVITE
To:
Content-Type: application/sdp
From: SIP: tag=24564
Call-ID:
Subject: Message
Content-Length: 184
Contact: SIP:
<SDP part not shown>

8 Experiment test bed
A SIP proxy
A DNS server
An attacking tool
100 external SIP providers
User Agents (SIPp): a SIP traffic generator tool.
[Figure: test bed diagram with labels: Attacking tool, UA (SIPp), unresolvable, SER (outgoing proxy), DNS server, SIP providers, Internet]

9 Limited Solutions
Increasing Parallel Processes
[Figure: diagram with labels: Message Scheduler, Process 1, Process 2, ..., Process n, DNS, Message Forward]

10 Limited Solutions

11 Limited Solutions
Asynchronous Scaling through Message Processing Interruption

12 Limited Solutions

13 Cache Solution
[Figure: message flow with labels: Parsing message, Resolving Domain name, DNS Cache, DNS Server, Continue…]

14 Cache Solution
How to detect the attack? (n is the number of parallel processes)
How to prevent being blocked? 1 emergency process
Whenever H ≥ n – 1, alarm! The next DNS request will not be forwarded to the external DNS server; instead, it will only be looked up in the cache and answered immediately.
Hence the proxy will absolutely be blocked at time t when H = n.

15 Cache Solution
For example, n = 4.
Occupied processes: H ≥ n – 1 (3 ≥ 4 – 1)
[Figure labels: emergency, waiting, waiting, waiting; Process 4, Process 3, Process 2, Process 1; DNS Cache; DNS Server]

16 Cache Solution

17 Cache Solution
Cache replacement policies
Motivation: As the number of cache entries (e) cannot practically cope with the unlimited number of possible domain names, we have to find a way to optimally use the limited number of cache entries.
FIFO
LRU
LFU
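
The emergency-process rule from slides 14 and 15, combined with the LRU policy from slide 17, as an added example that is not part of the presentation. The class and function names, the cache-first lookup order in normal operation, and the sample domain names and addresses are assumptions.

```python
from collections import OrderedDict

class LRUCache:
    """DNS cache with e entries and LRU replacement (one of the slide's policies)."""
    def __init__(self, e):
        self.e, self.data = e, OrderedDict()

    def get(self, name):
        if name in self.data:
            self.data.move_to_end(name)      # mark as most recently used
        return self.data.get(name)

    def put(self, name, addr):
        self.data[name] = addr
        self.data.move_to_end(name)
        if len(self.data) > self.e:
            self.data.popitem(last=False)    # evict the least recently used entry

class Proxy:
    """n parallel processes; H = processes blocked on the external DNS server."""
    def __init__(self, n, cache):
        self.n, self.H, self.cache = n, 0, cache

    def resolve(self, name):
        addr = self.cache.get(name)          # assumption: cache is checked first
        if addr is not None:
            return "cache-hit"
        if self.H >= self.n - 1:             # alarm: cache-only, reply immediately
            return "emergency-miss"
        self.H += 1                          # this process now waits on the DNS server
        return "forwarded"

    def answer(self, name, addr):
        """External DNS reply (addr=None models a timeout) frees one process."""
        self.H -= 1
        if addr is not None:
            self.cache.put(name, addr)

def demo(n=4, e=2):
    """Constructed scenario: one legitimate name is cached, then 4 unresolvable ones arrive."""
    proxy = Proxy(n, LRUCache(e))
    proxy.resolve("sip.provider-a.example")
    proxy.answer("sip.provider-a.example", "192.0.2.10")
    out = [proxy.resolve(f"x{i}.unresolvable.invalid") for i in range(4)]
    out.append(proxy.resolve("sip.provider-a.example"))
    return out, proxy.H
```

With n = 4, H stops at 3: the fourth unresolvable name is answered from the cache path instead of occupying the last process, and the cached provider is still served.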

18 Cache Solution

19 Cache Solution
Investigate the relationship between the number of cache entries and the performance of the proxy.
e = number of cache entries
Less than 270: growth
Greater than 270: stop

20 Conclusion and future work
The attack is easy to launch.
Compared with previous solutions, the cache solution is better.
4 parameters affect the performance: cache replacement policy, number of cache entries, number of proxy processes, and attacking interval.
Make the research results more accurate (INVITE, ACK, BYE).
Consider the new threat (DNS cache poisoning).
Build a scalable defense system for it.

21 Questions

