1 Protecting SIP Against DoS An Architectural Approach

2 Motivation ► SIP implementations vulnerable to DoS ► Current solutions placed near destination  But these cannot cope with large attacks ► Need an architectural approach  Detect attack at destination  Block attack close to its sources

3 Basic Architecture ISP A Internet SIP FILTER SIP AGENTS SIP FILTER Legacy ISP B ISP B ISP D SIP FILTER SIP AGENTS Detect attack A filter request A

4 Basic Architecture: Detailed View C1 ISP A (SRC) Internet ISP B (DST) ISF C2 C3 PAPA C = SIP UA ISF = Ingress SIP filter ESF = Egress SIP filter R = SIP registrar P = SIP proxy RARA PAPA RARA ESF C4 Filter Request, send to

5 Basic Architecture: No Proxies C1 ISP A (SRC) Internet ISP B (DST) ISF C2 C3 PAPA RARA PAPA RARA ESF C4

6 Basic Architecture: One Proxy C1 ISP A (SRC) Internet ISP B (DST) ISF C2 C3 PAPA RARA PAPA RARA ESF C4

7 Basic Architecture: Two Proxies C1 ISP A (SRC) Internet ISP B (DST) ISF C2 C3 PAPA RARA PAPA RARA ESF C4

8 SIP ID-spoofing Prevention: Intra-Domain C1 ISP ISF R SIP ID: johnp IP: MAC: 00:00:00:00:00:00 C2 SIP ID: jackh IP: MAC: 00:00:00:00:00:01 C3 SIP ID: eve IP: MAC: 00:00:00:00:00:02 Database:.100 / :00: / :00: / :00:02 Database:.100 / johnp.101 / jackh.102 / jillm INTERNET.100 = johnp? YES.100 = eve? NO!

9 SIP ID-spoofing Prevention: Inter-Domain C1 ISP A (SRC) Internet ISP B (DST) ISF C2 C3 PAPA RARA PAPA RARA ESF C4 TLS tunnel ► ESF trusts packets came from ISF (TSL tunnel) ► ESF trusts ISF to ingress filter ► So, ESF can tell packets came from C1, C2 or C3

10 Filtering Protocol ► Detector at destination triggers filter request ► Need to know which SF to send request to  Wait until next packet, record TLS endpoint ► Need to authenticate requests  TLS tunnel takes care of this

11 Attack Detection ► Either at source or destination domain  Destination ► Can detect even very distributed attacks ► State-holding attacks on proxies  Source ► Can prevent spoof-based attacks ► Can detect flooding clients, prevent attack

12 Additional Slides

13 Attacks Prevented by Authentication Mechanism ► BYE attack ► CANCEL attack ► RE-INVITE / UPDATE attacks ► REFER attack (don’t accept from non-tunneled referrers) ► Route-record spoofing (don’t accept from non-tunneled) ► REDIRECT server impersonation, moved permanently ► Reflection, fake Route, Via or Request-URI ► Reflection, spoofed INVITE ► State-holding attack, INVITEs with spoofed SIP IDs

14 Attacks Prevented by Source-Domain Filtering ► Registrar attacks  Flooding  Guessing login/password via brute-force  De-registering entries  Amplification attack, get all current registrations  SQL injection attacks  Registering too many IDs, amp attacks through forking ► Parser attacks  Large header/body  Mismatched Content-Length header to actual length  Malicious re-arrangement of fundamental headers

15 Attacks Prevented by Source-Domain Filtering (ctnd) ► Flooding attacks  SIP Invites  State-holding for proxies, too many sessions ► Proxy attacks  Force look-up of fake DNS names, black-list  Loops through Via header

16 Attacks Prevented by Destination-Domain Filtering ► Distributed Flooding attacks ► State-holding attacks on proxies (black list?)  INVITE to unresponsive TCP port  INVITE to co-operating but unresponsive node  Colluding node, too many open sessions

17 Possible Extensions ► Captchas ► Scoring (and its authentication) ► Logging of filtered calls?

18 Bibliography ► RFC3261, RFC2543, RFC4474 ► VOIP Intrusion Detection Through Interacting Protocol State Machines ► VoIP Honeypot Architecture ► Understanding SIP ► VoIP Security and Privacy Threat Taxonomy ► Survey of Security Vulnerabilities in SIP

19 ISP C1 C2 C3 SF Basic Architecture: Deployment P Re INTERNET SIP traffic Ro Non-SIP traffic Ro SIP IN traffic: to SF Filter only IN traffic to SF

20 NATs: Enterprise Scenario C1 ISP A (SRC) Internet ISP B (DST) ISF C2 C3 PAPA RARA PAPA RARA ESF C4 Filter Request, send to NAT

21 NATs: End-Customer Scenario C1 ISP A ISF C2 C3 PAPA RARA NAT HOME Internet ► ISF can only ingress filter for NAT’s MAC ► R has multiple SIP IDs for NAT’s IP ► Filter: ► C2 can still DoS C1, but this is local problem C1 : C2 : C3 :

22 Experiment Results

Typical SIP Message Sizes SIP Message TypePayload Size (in bytes) ACK360 INVITE514 RINGING560 OK Payload size is the message size plus the IP/UDP headers

Network Topology 24 ► Computer91 (Dell 2950) ► 8 cores (2 x Intel Xeon ► 8 GB memory ► 3 Intel 82571EB Quad Port cards on PCI-e slots ► All others (Dell 1950) ► 4 cores (2 x Intel Xeon ► 2 GB memory ► 2 Intel 82561EB Dual Port cards on PCI-e slots

PF_RING Performance 25

Click Configuration Files (I) 26 c0 :: Classifier(12/0800, -); out0 :: Queue(200); pdeth13 :: PollDevice(eth13, PROMISC true) -> c0; // IP packets c0[0] -> Strip(14) -> CheckIPHeader() -> Strip(28) -> Unstrip(28) -> out0; // All others c0[1] -> out0; out0 -> tdeth11 :: ToDevice(eth11); Click SIP Forwarder

Click Configuration Files (II) 27 methclassifer0 :: SIPMethodClassifier("INVITE", "-"); c0 :: Classifier(12/0800, -); out0 :: Queue(200); pdeth13 :: PollDevice(eth13, PROMISC true) -> c0; // IP packets c0[0] -> Strip(14) -> CheckIPHeader() -> Strip(28) -> methclassifer0; methclassifer0[0] -> Discard; methclassifer0[1] -> Unstrip(28) -> out0; // All others c0[1] -> out0; out0 -> tdeth11 :: ToDevice(eth11); Click SIP method filter

28 Click Configuration Files (III) 28 filter0 :: SIPHashFilter("From" "URI", "To" "URI"); c0 :: Classifier(12/0800, -); out0 :: Queue(200); pdeth13 :: PollDevice(eth13, PROMISC true) -> c0; // IP packets c0[0] -> Strip(14) -> CheckIPHeader() -> Strip(28) -> filter0 -> Unstrip(28) -> out0; // All others c0[1] -> out0; out0 -> tdeth11 :: ToDevice(eth11); Click SIP hash-based headers filter

29 Click Configuration Files (IV) 29 StaticThreadSched( pdeth13 0, tdeth13 0, pdeth11 0, tdeth11 0, pdeth12 1, tdeth12 1, pdeth10 1, tdeth10 1, pdeth9 2, tdeth9 2, pdeth7 2, tdeth7 2, pdeth8 3, tdeth8 3, pdeth6 3, tdeth6 3, pdeth5 4, tdeth5 4, pdeth3 4, tdeth3 4, pdeth4 5, tdeth4 5, pdeth2 5, tdeth2 5); Click Threads

Click (old parser) Performance 30

Click (new parser) Performance 31

Click Hash-based Performance 32

Number of Filters Chain Length Number of Hash Buckets ,0005,00010, ,5005,00025,00050, ,00025,00050,000250,000500, ,50037,50075,000375,000750, ,00050,000100,000500,0001,000, ,000100,000200,0001,000,0002,000, ,000150,000300,0001,500,0003,000, ,000200,000400,0002,000,0004,000, ,000250,000500,0002,500,0005,000, Figures in red denote line-rate configurations