DEFENDING COMMON ATTACKS ON SIP

Karthik Budigere Ramakrishna
Helsinki University of Technology

AGENDA

• Introduction to SIP
• SIP Security Overview
• Types of attacks on SIP
• Counter Measures
• Conclusion

SIP OVERVIEW

• SIP: Session Initiation Protocol (RFC 3261)
• Manages multimedia sessions
• Request/response-based operation
• Widely used in VoIP deployments
• HTTP-like, text-based protocol
• Better than the H.323 protocol

SIP CALL SETUP

SIP SECURITY

SIP security provides basic services such as:
• Preserving confidentiality and integrity
• Preventing replay attacks
• Preventing message spoofing
• Providing authentication and privacy

Methods for security:
• HTTP Digest-based authentication
• IPSec and TLS for protecting the signaling path
• S/MIME, which protects the integrity and confidentiality of SIP messages

TYPES OF ATTACKS ON SIP

• Message Flow Attacks
  • The “BYE” Attack
  • The “CANCEL” Attack
  • The “UPDATE” Attack
  • The “RE-INVITE” Attack
• Parser Attacks
• Flooding Attacks
  • Registration Flooding Attack
  • INVITE Flooding Attack
• SIP and SPAM

MESSAGE FLOW ATTACKS

The “BYE” and “CANCEL” Attack Scenario

MESSAGE FLOW ATTACKS (CONTD.)

Registration Hijacking and Unregister Attack

DEFENDING MESSAGE FLOW ATTACKS

• Implementation of IPSec or TLS on all the nodes
• Utilization of cryptographic tokens
• Implementing SIPS (SIP over TLS)
• Mandatory implementation of network layer security
• Usage of AoR in registration process
• Using the Identity header and Identity Info header – RFC 4474

PARSER ATTACKS

• This attack uses malformed messages.
• The attacker tries to crash the system by sending huge and malicious messages.

Counter Measures:

• The SIP parser should be robust.
• Usage of filtering rules
• Middle Box communication approach for validating

FLOODING ATTACKS

• Flooding attacks happen by sending a huge number of messages to the SIP server. These attacks target the SIP server's resources and try to deplete them:
  • CPU
  • Memory
  • Bandwidth
• A flooding attack is possible on any component of a SIP system
• Flooding results in DoS

FLOODING ATTACKS (CONTD.)

Registration Flooding and INVITE Flooding

FLOODING ATTACKS (CONTD.)

Counter Measures:
• Flooding attacks can be identified by various criteria such as Hellinger Sum, Cumulative Sum, Upper bound possible, etc.
• Use of IDS – Intrusion Detection Systems
• Monitoring and Filtering
• Predictive Nonce
• Robust Server Design
• Fast processing and parsing and quick memory allocation
• Parallel processing
• Non-blocking operation
• Large Memory and High-speed CPUs
• Stateless Server Design
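
The cumulative-sum criterion named in the list above, as an added example that is not from the original slides: a one-sided CUSUM run over per-second INVITE counts taken from a proxy log. The log format, the sample data, and the baseline, slack and threshold values are assumptions made for this illustration.

```python
import re
from collections import Counter

REQUEST_LINE = re.compile(r"^([A-Z]+) \S+ SIP/2\.0$")

def build_sample():
    """Constructed log: (epoch second, SIP request line). Seconds 0-5 carry
    normal traffic, seconds 6-9 carry a burst of INVITEs."""
    log = []
    for sec in range(10):
        invites = 3 if sec < 6 else 40
        log += [(sec, "INVITE sip:bob@example.test SIP/2.0")] * invites
        log.append((sec, "REGISTER sip:example.test SIP/2.0"))
    return log

def counts_per_second(log, method):
    """Count requests of one SIP method in each one-second bucket."""
    if not log:
        return []
    counts = Counter()
    for sec, line in log:
        m = REQUEST_LINE.match(line)
        if m and m.group(1) == method:
            counts[sec] += 1
    return [counts.get(s, 0) for s in range(max(s for s, _ in log) + 1)]

def cusum_alarms(series, baseline, slack, threshold):
    """One-sided CUSUM: S_t = max(0, S_{t-1} + x_t - baseline - slack).
    Returns the bucket indices where S_t exceeds the threshold."""
    s, alarms = 0.0, []
    for t, x in enumerate(series):
        s = max(0.0, s + x - baseline - slack)
        if s > threshold:
            alarms.append(t)
    return alarms

if __name__ == "__main__":
    log = build_sample()
    invites = counts_per_second(log, "INVITE")
    # baseline, slack and threshold are assumed values tuned to the sample
    print("INVITE/s:", invites)
    print("alarm buckets:", cusum_alarms(invites, baseline=3, slack=2, threshold=50))
```

With these assumed parameters the alarm fires one bucket after the burst begins, which shows the trade-off between threshold height and detection delay.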

DNS ATTACKS

• DNS does not provide any authentication or encryption for messages exchanged and is hence susceptible to attacks.

Possible attacks are:
• DNS Spoofing
• DNS Flooding
• DNS Cache poisoning

All these attacks result in DoS.

Counter Measures:
• Non-blocking design for DNS Server
• Usage of DNSSec
• Cache replacement policies
• Threshold specification in the SIP proxy for issuing DNS queries

SIP AND SPAM

Unsolicited messages sent to SIP systems are SPAM, classified as:
• CALL SPAM
• IM SPAM
• Presence SPAM

Defending Methods:
• Content Filtering
• Identity Based Filtering
• Interactive Methods
• Preventive Methods

CONCLUSION

• There are many other ways in which a SIP system can be attacked (DoS and DDoS)
• Mandatory implementation of TLS or IPSec
• No common end-to-end security framework is defined and implemented
• SIP deployments should be tested using the standard test suites and made robust.
• Using IDS and enhanced SIP hosts and proxies

Thank You
Questions?