
© Verizon Copyright 2009. Columbia - Verizon Research

Page 1: Secure SIP: Scalable DoS Prevention Mechanisms for SIP-based VoIP Systems, and Validation Test Tools

Gaston Ormazabal, Verizon Laboratories

Page 2: Agenda

• A successful collaboration

– Verizon and CATT (Prof. Schulzrinne), a three-year program

• Project Overview

– Background, Research Focus, and Goals

– DoS

• VoIP Threat Model

• DoS Detection and Mitigation Strategy

• DoS Validation Methodology - DoS Automated Attack Tool

• Value to Verizon

– Intellectual Property/Technology Licensing

• Next Steps

• Conclusions

Page 3: Verizon – CATT Program

• Collaboration between Verizon and the Center for Advanced Technology in Telecommunications (CATT)
• Verizon
  – PI: Gaston Ormazabal
• CATT
  – Columbia University
    • PI: Prof. Henning Schulzrinne
    • Graduate students: currently Milind Nimesh; previously Sarvesh Nagpal, Eilon Yardeni
  – New York University Polytechnic Institute

Page 4: Background & Research Focus

• SIP is the VoIP protocol of choice for both wireline and wireless telephony
  – Control protocol for the IP Multimedia Subsystem (IMS) architecture
• VoIP services are fast becoming attractive DoS and ToS (theft of service) targets
  – DoS attack traffic traversing the network perimeter reduces availability of signaling and media for VoIP
  – Theft of Service must be prevented to maintain service integrity
  – Both the ability to collect revenue and the provider's reputation are at stake
• Attack targets
  – SIP infrastructure elements (proxy, softswitch, SBC, CSCF (P/I/S))
  – End-points (SIP phones)
  – Supporting services (e.g., DNS, Directory, DHCP, HSS, DIAMETER, Authorization Servers)
• Verizon needs to solve the security problem for VoIP services
  – Protocol-aware application layer gateway for RTP
  – SIP DoS/DDoS detection and prevention for the SIP channel
  – Theft of Service Architectural Integrity Verification Tool
• Need to verify performance & scalability at carrier-class rates
  – Security and performance trade off against each other (a "zero sum game")
• Columbia likes to work on real-life problems & analyze large data sets
  – Goal of improving generic architectures and testing methodologies
  – Columbia has world-renowned expertise in SIP

Page 5: Goals

• Study VoIP DoS and ToS for SIP
  – Definition – define SIP-specific threats
  – Detection – how do we detect an attack?
  – Mitigation – defense strategy and implementation
  – Validation – validate our defense strategy

• Generate requirements for future security network elements and prototypes

– Share these requirements with vendors

• Generate the test tools and strategies for their validation

– Share these tools with vendors

Page 6: Approach

• Definition

• Detection

• Mitigation

• Validation

Page 7: VoIP Threat Taxonomy

[Figure: VoIP threat taxonomy*, with the scope of our research marked for 2006 and for 2007]

*- VoIP Security and Privacy Threat Taxonomy, VoIP Security Alliance Report, October, 2005 (http://www.voipsa.org)

Page 8: Denial of Service & Theft of Service

• Denial of Service – preventing users from effectively using the target services
  – Service degradation to a "not usable" point
  – Complete loss of service
• Distributed Denial of Service attacks represent the main threat facing network operators*
  – Most attacks involve compromised hosts (bots)
    • Botnets range in size from a few thousand to over a million hosts
    • 25% of all computers on the Internet may be part of botnets**
• Theft of Service – any unlawful taking of an economic benefit from a service provider
  – With the intention to deprive it of lawful revenue or property

* Worldwide ISP Security Report, September 2005, Arbor Networks
** Criminals 'may overwhelm the web', 25 January 2007, BBC

Page 9: SIP DoS Attack Taxonomy

• DoS
  – Implementation flaws
  – Application level
  – Flooding

Page 10: DoS Implementation Flaws

• Vulnerability target origin
  – Different levels of the network protocol stack
  – Underlying OS/firmware
• Result
  – Excessive consumption of memory, disk, or CPU
  – System reboot or crash
  – Potential for ToS

Attacker sends carefully crafted packet(s) to exploit a specific implementation flaw

Page 11: DoS Application Level Attacks

• Registration Hijacking
  – Attacker registers his device with another user's URI
• Call Hijacking
  – Attacker injects a "301 Moved Permanently" message into an active session
• Amplification attacks
  – Attacker creates bogus requests with a falsified Via header field that identifies a target host
    • UAs/proxies send their responses to that host, generating a DDoS against the target

A feature of SIP is manipulated to cause a DoS attack

Page 12: DoS Application Level Attacks (continued)

• Session teardown attacks
  – Attacker spoofs a BYE message
    • Injects it into an active session
    • Tears down the session
    • Or tricks the billing server into stopping billing while the call continues
• Modification of media sessions
  – Attacker spoofs re-INVITE messages causing
    • QoS reduction
    • Media redirection
    • Security attribute modification
• Media stream attacks
  – Attacker injects spoofed RTP packets with high sequence numbers into the media streams
    • Changes the play-out sequence

Page 13: DoS Flooding Attacks

• IP variants
  – UDP floods
  – ICMP echo attacks
  – SYN floods
• VoIP variants
  – Floods of INVITE or REGISTER messages
    • Cause excessive processing at a SIP proxy
  – Floods of RTP
    • Cause excessive processing at a Media Gateway
• Requires more resources from the attacker
• Harder to defend against
  – Even the best maintained networks can become congested

Attacker floods a network link or overwhelms the target host

Page 14: Goals

• Definition

• Detection

• Mitigation

• Validation

Page 15: Mitigation Strategy

• Implementation flaws are easier to deal with
  – Systems can be tested before use in production
  – Systems can be patched when a new flaw is discovered
  – Attack signatures can be integrated with a firewall
• Application level and flooding attacks are harder to defend against
  – SIP infrastructure element defense
    • Commercially available solutions exist for general UDP/SYN flooding, but none for SIP

Address application level and flooding attacks specifically for SIP

Page 16: Strategy Focus

• VULNERABILITY: Most security problems are due to:
  – Flexible grammar: syntax-based attacks
  – Plain text: interception and modification
  – SIP over UDP: ability to spoof SIP requests
    • Registration/Call Hijacking
    • Modification of media sessions
    • SIP 'Method' vulnerabilities
      – Session teardown
      – Request flooding
      – Error message flooding
    • RTP flooding
• STRATEGY: Two DoS detection and mitigation filters
  – SIP: two types of rule-based detection and mitigation filters, one for application level attacks and one for flooding
  – Media: SIP-aware dynamic pinhole filtering

Page 17: Previous Work on SIP DoS

• Implemented a large-scale SIP-aware firewall using dynamic pinhole filtering
  – First line of defense against DoS attacks at the network perimeter
    • Only signaled RTP media channels can traverse it
    • End systems are protected against flooding of random RTP
• The RTP pinhole filtering approach is a good first line of defense, but...
  – The signaling port (5060) is still subject to attack on the signaling infrastructure
  – Hence SIP-specific filtering was implemented for the first time

Page 18: Mitigation Solution Overview

[Figure: VoIP traffic and attack traffic arrive from the untrusted side; the DPPM applies Filter I to SIP and Filter II to RTP before traffic reaches sipd on the trusted side]

Page 19: SIP Detection and Mitigation Filters

• Authentication Based – Return Routability Check
  – Requires SIP's built-in digest authentication mechanism
    • Authentication with a shared secret
  – Filters out spoofed sources
• Method Specific Based – Rate Limiting
  – Transaction based
    • Thresholding of message rates (INVITE, errors)
    • State machine sequencing: filter "out-of-state" messages, allow "in-state" messages
  – Dialog based
    • Only useful for BYE and CANCEL messages
• Dynamic Pinhole Filtering for RTP
  – Only signaled RTP media channels can traverse the perimeter
    • Media addresses and ports are obtained by SDP interception
  – End systems are protected against flooding of random RTP

Page 20: CloudShield CS-2000 System

[Figure: system-level port distribution of the CloudShield CS-2000: an Application Server Module (ASM, Pentium 1 GHz) and two Deep Packet Processing Modules (DPPM, Intel IXP 2800) connected over the backplane by Gigabit Ethernet interconnects, with 10/100/1000 and 10/100 external ports]

Page 21: SIP Digest Authentication

Message flow between the User Agent Client (UAC) and the Proxy Server:

1. UAC → Proxy: INVITE
2. Proxy generates the nonce value
3. Proxy → UAC: 407 Proxy Authentication Required (nonce, realm, ...)
4. UAC → Proxy: ACK (acknowledging the 407)
5. UAC computes response = F(nonce, username, password, realm)
6. UAC → Proxy: INVITE (nonce, response, ...)
7. Proxy computes F(nonce, username, password, realm) and compares it with the response

nonce – a uniquely generated string, used for one challenge only, with a lifetime of 60 seconds

Page 22: SIP Digest Authentication Statistics

• Digest authentication accounts for
  – nearly 80% of the processing cost of a call for a stateless server
  – 45% of a call for a stateful server*
• Additional cost
  – 70% for message processing
  – 30% for authentication computation (hashing)

* SIP Security Issues: The SIP Authentication Procedure and its Processing Load, Salsano et al., IEEE Network, November 2002

Page 23: Return-Routability Implementation Succeeds

[Figure: SIP UA on the untrusted side, DPPM (NPU with CAM and RAM) at the perimeter, sipd on the trusted side. Flow for a UA at IP 128.59.21.70:]

1. UA → sipd: INVITE (passes through the DPPM)
2. sipd → UA: 407 Needs Auth; the DPPM intercepts it and executes Add Filter(128.59.21.70, "nonce"), storing (128.59.21.70, nonce="6ydARDP51P8Ef9H4iiHmUc7iFDE=") in the CAM
3. UA → sipd: INVITE with Proxy-Authorization; the DPPM finds the matching (IP, nonce) entry, executes Remove Filter(128.59.21.70, "nonce") and forwards the INVITE

Initial INVITE:

INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 128.59.21.70:5060
Max-Forwards: 70
From: sip:[email protected]
To: sip:[email protected]
Contact: sip:[email protected]:5060
Subject: sipstone invite test
CSeq: 1 INVITE
Call-ID: [email protected]
Content-Type: application/sdp
Content-Length: 211

v=0
o=user1 53655765 23587637 IN IP4 128.59.21.70
s=Mbone Audio
t=3149328700 0
i=Discussion of Mbone Engineering [email protected]
c=IN IP4 128.59.21.70
t=0 0
m=audio 3456 RTP/AVP 0
a=rtpmap:0 PCMU/8000

407 Needs Auth:

SIP/2.0 407 Proxy Authentication Required
Via: SIP/2.0/UDP 127.0.0.1:7898
From: sip:[email protected]
To: sip:[email protected]; tag=2cg7XX0dZQvUIlbUkFYWGA
Call-ID: [email protected]
CSeq: 1 INVITE
Date: Fri, 14 Apr 2006 22:51:33 GMT
Server: Columbia-SIP-Server/1.24
Content-Length: 0
Proxy-Authenticate: Digest realm="cs.columbia.edu", nonce="6ydARDP51P8Ef9H4iiHmUc7iFDE=", stale=FALSE, algorithm=MD5, qop="auth,auth-int"

INVITE with Proxy-Authorization:

INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 128.59.21.70:5060
Max-Forwards: 70
From: sip:[email protected]
To: sip:[email protected]
Contact: sip:[email protected]:5060
Subject: sipstone invite test
CSeq: 3 INVITE
Call-ID: [email protected]
Content-Type: application/sdp
Content-Length: 211
Proxy-Authorization: Digest username="anonymous", realm="cs.columbia.edu", nonce="6ydARDP51P8Ef9H4iiHmUc7iFDE=", uri="sip:[email protected]", response="0480240000edd6c0b64befc19479924c", opaque="", algorithm="MD5"

v=0
o=user1 53655765 2353687637 IN IP4 128.59.21.70
s=Mbone Audio
t=3149328700 0
i=Discussion of Mbone Engineering [email protected]
c=IN IP4 128.59.21.70
t=0 0
m=audio 3456 RTP/AVP 0
a=rtpmap:0 PCMU/8000

Page 24: Return-Routability Implementation Fails

[Figure: same topology (SIP UA, DPPM with NPU/CAM/RAM, sipd). Flow for an INVITE with a spoofed source IP 1.2.3.4:]

1. Attacker → sipd: INVITE with source address 1.2.3.4 (passes through the DPPM)
2. sipd → 1.2.3.4: 407 Needs Auth; the DPPM executes Add Filter(1.2.3.4, "nonce") and stores (1.2.3.4, nonce="6ydARDP51P8Ef9H4iiHmUc7iFDE=") in the CAM
3. The 407, and with it the nonce, is routed to 1.2.3.4 rather than to the attacker; a subsequent INVITE without a valid (source IP, nonce) pair is dropped at the DPPM (X)
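The return-routability check of pages 21 to 24, as an added example that is not the project's DPPM code: a nonce table keyed by source IP stands in for the CAM entries, and RFC 2617 digest verification with a shared secret stands in for sipd. The credential store, the hypothetical password and the callee URI sip:bob@cs.columbia.edu are constructed for the example; the realm, the UA address 128.59.21.70 and the 60-second nonce lifetime come from the slides. Note that the 407 on page 23 offers qop="auth,auth-int" but the UA's Proxy-Authorization carries no qop, so the response it sends is the older RFC 2069 form MD5(HA1:nonce:HA2); digest_response handles that case when qop is None.

```python
import hashlib
import re
import secrets
import time

REALM = "cs.columbia.edu"                        # realm from the 407 on page 23
NONCE_LIFETIME = 60.0                            # seconds, as stated on page 21
USERS = {"anonymous": "example-shared-secret"}   # constructed credential store (hypothetical password)

_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, password, realm, method, uri, nonce,
                    qop=None, nc=None, cnonce=None) -> str:
    """HTTP/SIP digest with MD5 (RFC 2617). With qop=None this is the RFC 2069 form the UA on page 23 uses."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_digest_params(header_value: str) -> dict:
    """Parse a Proxy-Authorization value 'Digest k="v", k2=v2, ...' into a dict."""
    scheme, _, params = header_value.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest credential")
    out = {}
    for m in _PARAM_RE.finditer(params):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


class NonceTable:
    """Stand-in for the (source IP, nonce) entries the DPPM keeps in CAM."""

    def __init__(self, now=time.time):
        self.entries = {}                 # src_ip -> (nonce, issued_at)
        self.now = now

    def challenge(self, src_ip: str) -> str:
        """The proxy answered 407: Add Filter(src_ip, nonce)."""
        nonce = secrets.token_urlsafe(20)
        self.entries[src_ip] = (nonce, self.now())
        return nonce

    def check(self, src_ip: str, nonce: str) -> bool:
        """Return routability: the nonce must come back from the IP the 407 went to, within its lifetime."""
        entry = self.entries.get(src_ip)
        if entry is None:
            return False
        stored, issued = entry
        fresh = self.now() - issued <= NONCE_LIFETIME
        return secrets.compare_digest(stored.encode(), nonce.encode()) and fresh

    def release(self, src_ip: str) -> None:
        """Remove Filter(src_ip, nonce): one challenge is good for one authenticated request."""
        self.entries.pop(src_ip, None)


def admit_request(table: NonceTable, src_ip: str, method: str, request_uri: str,
                  proxy_authorization: str) -> bool:
    """Filter decision for a request carrying Proxy-Authorization, arriving from src_ip."""
    p = parse_digest_params(proxy_authorization)
    if p.get("realm") != REALM or p.get("algorithm", "MD5").upper() != "MD5":
        return False
    if p.get("uri") != request_uri:
        return False                      # the digest must cover the URI actually requested
    if not table.check(src_ip, p.get("nonce", "")):
        return False                      # spoofed source, replayed nonce, or expired nonce
    password = USERS.get(p.get("username"))
    if password is None:
        return False
    expected = digest_response(p["username"], password, REALM, method, request_uri,
                               p["nonce"], p.get("qop"), p.get("nc"), p.get("cnonce"))
    if not secrets.compare_digest(expected.encode(), p.get("response", "").encode()):
        return False
    table.release(src_ip)
    return True


if __name__ == "__main__":
    table = NonceTable()
    nonce = table.challenge("128.59.21.70")          # UA address from page 23
    uri = "sip:bob@cs.columbia.edu"                   # constructed callee URI
    resp = digest_response("anonymous", USERS["anonymous"], REALM, "INVITE", uri, nonce)
    hdr = (f'Digest username="anonymous", realm="{REALM}", nonce="{nonce}", '
           f'uri="{uri}", response="{resp}", opaque="", algorithm="MD5"')
    print("from 1.2.3.4:", admit_request(table, "1.2.3.4", "INVITE", uri, hdr))
    print("from 128.59.21.70:", admit_request(table, "128.59.21.70", "INVITE", uri, hdr))
```

The first call reproduces page 24: the credential is correct but the source IP was never challenged, so it is dropped before any hashing happens, which is the point of doing the (IP, nonce) lookup in the data plane ahead of the digest computation that page 22 shows to be expensive.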

Page 25: SIP Session Analysis

• A call contains one or more Dialogs
  – A Dialog contains one or more Transactions
    • Request/response
    • Typically 2 in the case of an INVITE-200 OK & BYE-200 OK type of session
  – Transactions are of two types
    • Client: INVITE transactions, non-INVITE transactions
    • Server: INVITE transactions, non-INVITE transactions

SIP sessions/calls can be broken down to 4 levels of granularity

Page 26: Dialogs and Transactions in SIP

[Figure: one Dialog between Caller and Callee made of two Transactions. Transaction 1: INVITE, 180 Ringing, 200 OK, ACK. Transaction 2: BYE, 200 OK. Each arrow is an individual message.]

Page 27: Level Identifiers

• Dialog Level
  – A Dialog is identified by
    • The "Call-ID" field
    • The "From" tag
    • The "To" tag
  – Rate-limiting at the Dialog level is coarser; it is not applied, to avoid keeping state information at this level
• Transaction Level
  – A Transaction is identified by
    • The "branch" parameter of the Via header
    • The "Method" name in the CSeq field
  – Rate-limiting is more refined and can pinpoint more specific parameter thresholds; it is more effective to keep state information at this level
• The Transaction-ID and Dialog-ID are generated by applying CRC-32 to a collection of the above-mentioned fields
  – The resulting CRC-32 hash (treated as unique; a 32-bit digest can collide) is used as an index into the CAM tables

Page 28: Method Specific Filtering

• INVITE
  – Filter redundant INVITE messages by looking up the Transaction-ID and rejecting the message if its Transaction-ID already exists in the state tables
• Responses
  – 100 Trying
  – 180 Ringing
  – 200 OK
  – Errors (3xx – 6xx)
• Out-of-State
  – Sequence of unexpected messages

This approach involves defense against specific method vulnerabilities

Page 29: Transaction Filtering

• Rate limit messages based on expected Transaction traffic:
  – 1 INVITE per transaction
  – 1 (or more) 100 Trying per transaction
  – 1 (or more) 180 Ringing per transaction
  – 1 200 OK per transaction
  – 1 ACK per transaction
  – N (based on testing) errors per transaction
• Error status message rate limiter implemented as high-speed counters in SRAM with a granularity of 1 second
• Rate limits error status messages within the context of a valid transaction

Page 30: SIP Message Relationships

• CAM database has very low latency lookups
• Aged lookup tables implemented to track dialog and transaction relationships
  – Message lookup tables
    • Dialog-ID table
    • Transaction-ID table
  – Messages identified by Type and Code
    • Type: Request or Response
    • Code: Request Method or Response Status Code

[Figure: Dialog ID table and Transaction ID table]

Page 31: Transaction Filtering

• For every new SIP request message received, a Transaction-ID (TXNID) is created
  – TXNID is a 32-bit integer calculated by HASH(top Via branch ID, CSeq command value)
  – TXNIDs are stored in a separate CAM table (distinct from the pinhole and nonce tables)
  – If the TXNID is a duplicate, drop the packet
    • "Ideally" only one SIP request message is allowed per TXNID (binary switch)
    • Retransmission of the same request multiple times requires a finite retransmission window
      – 5 packets in the current network setup
      – Should be settable for more complex networks
      – Optimization to reduce false positives
  – If the TXNID is not a duplicate, go on to the next step
• When subsequent status messages are received:
  – If the status message record is valid, the message is accepted
  – If the status message record is bogus, the packet is dropped
• Additional check: the rate of requests per transaction per second must not exceed a selected finite number (6), else the packet is dropped

Page 32: SIP Transaction State Validation

• Makes an entry for the first Transaction request and logs subsequent status messages
  – Logs all messages on a per-transaction basis
  – Uses wild cards in regular expression syntax
  – All permutations of allowed states are validated in a single operation
• A received packet is added to the status message table for the original Transaction
  – If the received status message fits a valid state pattern, it is accepted
  – Messages resulting in an invalid state pattern are dropped and also removed from the transaction message log
    • e.g., the sequence INVITE, 100, 180, 200, 180, 200 causes the filter to allow only INVITE, 100, 180, 200; the trailing 180/200 is struck out because the 180 is out of state
  – Transaction state is rolled back to the last known good state
• Overlays on top of the other filtering mechanisms

Page 33: SIP Transaction State Validation (continued)

[Figure: per-transaction message code log fed to a regular expression engine]

Transaction ID | Transaction Message Code Log
               | 0: INVI  (Request message)
               | 1: _100  (Response message)
               | 2: _180  (Response message)
               | 3: _180  (Response message)
               | 4: _200  (Response message)
               | 5: (empty)

Regular Expression List
-----------------------
INVI(_100)*?(_180)*?_200{0,1}?(\x00){4}
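The Transaction-ID hashing of pages 27 and 31, the retransmission window and per-second request counter of pages 29 and 31, and the regular-expression state validation of pages 32 and 33, put together in one added example; this is not the filter code that ran on the DPPM, and Python dictionaries stand in for the CAM and SRAM tables. The INVITE pattern follows page 33; the pattern used for non-INVITE transactions is an assumption, and the constructed messages in the usage block are not from the slides. Note that as written on page 33 the `{0,1}` quantifier binds only to the last character of `_200`; the pattern below groups the whole token as `(_200)?` so a single 200 is what the log may end with.

```python
import re
import zlib
from collections import defaultdict, deque

# Message-code tokens as on page 33: "INVI" for the request, "_100", "_180", "_200" for responses.
PATTERNS = {
    "INVI": re.compile(r"^INVI(_100)*(_180)*(_200)?$"),      # INVITE transaction (page 33)
}
GENERIC = re.compile(r"^[A-Z]{3,4}(_100)*(_[2-6]\d\d)?$")     # assumed pattern for non-INVITE transactions


def parse_sip(raw: str):
    """Return (is_request, code, top_via_branch, cseq_method) from the head of a SIP message."""
    lines = raw.strip().splitlines()
    start = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())   # first Via is the top Via
    is_request = not lines[0].startswith("SIP/2.0")
    code = start[0] if is_request else start[1]                 # method or status code
    m = re.search(r";branch=([^;\s]+)", headers.get("via", ""))
    cseq = headers.get("cseq", "").split()
    return is_request, code, (m.group(1) if m else ""), (cseq[-1] if cseq else "")


def txn_id(branch: str, cseq_method: str) -> int:
    """32-bit Transaction-ID: CRC-32 over the top Via branch and the CSeq method (pages 27 and 31)."""
    return zlib.crc32(f"{branch}:{cseq_method}".encode()) & 0xFFFFFFFF


def token(is_request: bool, code: str) -> str:
    return code[:4].upper() if is_request else "_" + code


class TransactionFilter:
    def __init__(self, window: int = 5, max_per_sec: int = 6):
        self.window = window              # retransmissions tolerated per transaction (page 31)
        self.max_per_sec = max_per_sec    # requests per transaction per second (page 31)
        self.log = {}                     # txnid -> list of tokens, the "message code log"
        self.req_count = defaultdict(int)
        self.req_times = defaultdict(deque)

    def admit(self, raw: str, now: float) -> bool:
        """Return True to forward the message, False to drop it."""
        is_request, code, branch, cseq_method = parse_sip(raw)
        tid = txn_id(branch, cseq_method)
        if is_request:
            times = self.req_times[tid]
            while times and now - times[0] > 1.0:             # 1-second counter granularity (page 29)
                times.popleft()
            if len(times) >= self.max_per_sec:
                return False                                    # request flood on one transaction
            if self.req_count[tid] >= self.window:
                return False                                    # beyond the retransmission window
            self.req_count[tid] += 1
            times.append(now)
            self.log.setdefault(tid, [token(True, code)])       # the first copy opens the log
            return True
        entries = self.log.get(tid)
        if entries is None:
            return False                                        # response for a transaction never seen
        entries.append(token(False, code))
        if PATTERNS.get(entries[0], GENERIC).match("".join(entries)):
            return True
        entries.pop()                                           # roll back to the last known good state
        return False


if __name__ == "__main__":
    # Constructed messages; the branch value is illustrative.
    via = "Via: SIP/2.0/UDP 128.59.21.70:5060;branch=z9hG4bK776asdhds"
    invite = f"INVITE sip:bob@example.com SIP/2.0\r\n{via}\r\nCSeq: 1 INVITE\r\n\r\n"
    status = lambda c: f"SIP/2.0 {c} Reason\r\n{via}\r\nCSeq: 1 INVITE\r\n\r\n"
    f = TransactionFilter()
    seq = [invite, status(100), status(180), status(200), status(180), status(200)]
    print([f.admit(m, i * 0.1) for i, m in enumerate(seq)])   # page 32 example: last two dropped
```

The example does not age entries out of `log`; on the DPPM that is what the aged tables on page 30 are for, and without it a long-running filter would grow without bound.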

Page 34: Firewall Components

• Static Filtering (executed in the firewall data plane)
  – Filtering of pre-defined ports (e.g., SIP, ssh, 6252)
• Dynamic Filtering (executed in the firewall data plane)
  – Filtering of dynamically opened RTP ports
  – Filtering of nonce and method redundancy
• Switching Layer (executed in the firewall data plane)
  – Performs switching between the input ports
• Firewall Control Module (part of the SIP proxy, executed in the Linux control plane)
  – Intercepts SIP call setup messages
  – Gets the nonce from the 407 Need Auth
  – Gets the RTP ports from the SDP
  – Maintains call state
• Firewall Control Protocol
  – The way the Firewall Control Module talks with the firewall
  – Pushes filters for the SIP UA authentication challenge (with nonce) and for media ports
  – Pushes dynamic table updates to the data plane
  – May be used by multiple SIP proxies that control one or more firewalls

Page 35: Integrated DDoS and Dynamic Pinhole Filter

[Figure: the DPPM looks up inbound SIP and RTP traffic against CAM tables (Static Table, Dynamic Table, SIP DDoS Table) and either forwards it outbound or drops it; the ASM running sipd on a Linux server updates the tables over FCP/UDP through the switch]

Page 36: Goals

• Definition

• Detection

• Mitigation

• Validation

Page 37: Method-based SIP DoS Attack Scenarios

[Figure: three attack scenarios against the proxy: Flood of Requests, Flood of Responses, Flood of Out-of-State messages]

Page 38: Integrated Testing and Analysis Environment

[Figure: Legitimate Loaders (SIPUA/SIPp) and Attack Loaders (SIPStone/SIPp) send traffic through a GigE switch and the Firewall to the SIP Proxy and the Call Handlers (SIPUA/SIPp) behind a second GigE switch; the secureSIP Controller drives the loaders and handlers]

Page 39: Test Tools

• SIPp, SIPStone, and SIPUA are benchmarking tools for SIP proxy and redirect servers
  – Establish calls using SIP in Loader/Handler mode
  – A controller software module (secureSIP) wrapped over SIPp/SIPUA/SIPStone launches legitimate and illegitimate calls at a pre-configured workload
• SIPp – robust open-source test tool / traffic generator for SIP
  – Customizable XML scenarios for traffic generation
  – 5 built-in timers to provide accurate statistics
  – Customized to launch SIP DoS attack traffic scenarios designed to cause the proxy to fail
• SIPStone – continuously launches spoofed calls which the proxy is expected to filter
  – For this project enhanced with:
    • Null digest authentication
    • Optional spoofed source IP address on SIP requests
• SIPUA Test Suite
  – Built-in digest authentication functionality
  – Sends 160-byte RTP packets every 20 ms
  – Settable to a shorter interval (10 ms) if needed for granularity
  – Starts RTP sequence numbers from zero
  – Dumps call number, sequence number, current timestamp and port numbers to a file

Page 40: secureSIP Controller

• Controller
  – Automated web-based control software run on a SUN (Linux) box
  – Connects to the pairs of end points (Loaders and Handlers)
    • Supplies external traffic generation over a private channel (port 6252)
  – Launches attack traffic
    • Changes the type of traffic on the fly
• External stress on the SUT
  – SIPp in array form supplies traffic from 16 SUN (Linux) boxes in various configurations for SIP DoS experiments
  – SIPUA in array form supplies traffic from 16 SUN (Linux) boxes for pinhole experiments
• Results Analyzer
  – Gathers, analyzes and correlates results
    • Handlers/Loaders update results to a database in real time
    • Controller analyzes results from the databases and aggregates them to get the number of initiated and torn-down calls and their rates

Page 41: secureSIP Control Architecture

Page 42: secureSIP Test Results for DoS & Pinholes

SIP DoS Measurements (showing max supported call rates; CPS = calls per second)

Traffic Composition                       | Firewall Filters OFF              | Firewall Filters ON
                                          | Good CPS | Attack CPS | CPU Load  | Good CPS | Attack CPS | CPU Load
------------------------------------------|----------|------------|-----------|----------|------------|---------
Non-Auth Traffic                          |   690    |      0     |  87.81    |   690    |      0     |  88.04
Auth Good Traffic                         |   240    |      0     |  19.83    |   240    |      0     |  39.64
                                          |   480    |      0     |  81.20    |   480    |      0     |  81.75
Auth Good Traffic + Spoof Traffic         |   240    |   2950     |  83.64    |   240    |  16800     |  41.39
                                          |   480    |    195     |  85.40    |   480    |  14400     |  82.72
Auth Good Traffic + Flood of Requests     |   240    |   3230     |  84.42    |   240    |   8400     |  40.83
                                          |   480    |    570     |  86.12    |   480    |   7200     |  82.58
Auth Good Traffic + Flood of Responses    |   240    |   2970     |  87.2     |   240    |   8400     |  41.33
                                          |   480    |    330     |  86.97    |   480    |   7200     |  82.58
Auth Good Traffic + Flood of Out-of-State |   240    |   2805     |  86.24    |   240    |   8400     |  40.29
                                          |   480    |    290     |  84.81    |   480    |   7200     |  82.19

Dynamic Pinhole (delay due to firewall)

Concurrent Calls | Call rate (CPS) | Pinhole opening (ms) | Pinhole closing (ms)
-----------------|-----------------|----------------------|---------------------
20000            | 300             | 14.6                 | 0
25000            | 300             | 15                   | 0
30000            | 300             | 16.6                 | 155.1
30000            | 200             | 16                   | 0.2

Page 43: The Bigger Picture - Columbia VoIP Testbed

• The Columbia VoIP test bed is a collection of various open-source, commercial and home-grown SIP components
  – Provides a unique platform for validating research
• The Columbia-Verizon Research partnership has addressed major security problems
  – Signalling, media and social threats
• Researched DoS solutions verified against a powerful test setup at very high traffic rates
• The ToS tool successfully validated the integrity of different setups of the test bed

Page 44: Value to Verizon

• Enhanced VoIP security via standards and vendor involvement
  – Columbia requirements valid for VoIP, Presence and Multimedia architectures
  – Rolled the requirements and lessons learned into the Verizon security architecture and the new element requirements database for procurement
  – Working with Verizon vendors to mitigate exposures
• Set up "one-of-its-kind" laboratory facilities for VoIP security evaluations and product development
  – At Columbia, a prototype rapid development incubator
  – At Verizon, Columbia/Verizon collaborative test tools set up for a more realistic, complex IP-routed laboratory environment
• Intellectual Property with six patent applications
  – Taken research quickly into the marketplace with rapid commercialization
  – Licensing agreement with equipment manufacturers
    • Several vendors interested
    • Exclusive vs. non-exclusive
  – Verizon Intellectual Property contact: Gwen Thaxter ([email protected], 845-620-5156)

Page 45: Intellectual Property - Patent Applications

• “Fine Granularity Scalability and Performance of SIP Aware Border Gateways: Methodology and Architecture for Measurements”

– Inventors: Henning Schulzrinne, Kundan Singh, Eilon Yardeni (Columbia), Gaston Ormazabal (Verizon)

• “Architectural Design of a High Performance SIP-aware Application Layer Gateway”

– Inventors: Henning Schulzrinne, Jonathan Lennox, Eilon Yardeni (Columbia), Gaston Ormazabal (Verizon)

• “Architectural Design of a High Performance SIP-aware DOS Detection and Mitigation System”

– Inventors: Henning Schulzrinne, Eilon Yardeni, Somdutt Patnaik (Columbia), Gaston Ormazabal (Verizon)

• “Architectural Design of a High Performance SIP-aware DOS Detection and Mitigation System - Rate Limiting Thresholds”

– Inventors: Henning Schulzrinne, Somdutt Patnaik (Columbia), Gaston Ormazabal (Verizon)

• “System and Method for Testing Network Firewall for Denial of Service (DoS) Detection and Prevention in Signaling Channel”

– Inventors: Henning Schulzrinne, Eilon Yardeni, Sarvesh Nagpal (Columbia), Gaston Ormazabal (Verizon)

• “Theft of Service Architectural Integrity Validation Tools for Session Initiation Protocol (SIP) Based Systems”

– Inventors: Henning Schulzrinne, Sarvesh Nagpal (Columbia), Gaston Ormazabal (Verizon)

Page 46: Publications, Presentations, Recognition

• Importance of rapid dissemination of results in industry and academia
  – For knowledge diffusion and ubiquity among research practitioners
  – For PR reasons (licensing agreements and potential sales)
• Presentation at NANOG 38 – Oct. 10, 2006 (HS/GO)
  – Paper published in the NANOG 38 2006 Proceedings: "Scalable Mechanisms for Protecting SIP-Based VoIP Systems"
  – Made a headline in VON Magazine on October 11, 2006: http://www.vonmag.com/webexclusives/2006/10/10_NANOG_Talks_Securing_SIP.asp
• Presentation at the Global 3G Evolution Forum – Tokyo, Japan, Jan. 2007 (GO)
• Presentation/demo at IPTComm 2007 – New York City, July 2007 (GO)
• Presentation at the OSS/BSS Summit – Tucson, AZ, September 2007 (GO)
• Presentation at the Columbia Science and Technology Ventures Symposium: "From Signal to Information Displayed in a Wireless World", April 2008 (HS/GO)
• Presentation at IPTComm 2008 – Heidelberg, July 2008: "Secure SIP: A scalable prevention mechanism for DoS attacks on SIP based VoIP systems" (GO)
• Presentation at the IIT VoIP Conference and Expo IV – Chicago, October 2008 (GO)
• Paper published by Springer Verlag in "Principles, Systems and Applications of IP Telecommunications", October 2008: http://www.springerlink.com/content/r5t1652v3572/
• Work incorporated in a new Masters-level course on VoIP Security taught at Columbia every year since Fall 2006
  – COMS 4995-1: Special Topics in Computer Science: VoIP Security (HS)
• CATT Technological Impact Award - 2007
• Invited presentation at the FBI-sponsored International Conference on Cyber Security: "A Global Solution to Emerging Cyber Threats", New York City, January 2009: http://www.iccs.fordham.edu/program.htm

Page 47: Next Steps for Verizon

• New vulnerabilities require new mitigation technology for VoIP products
  – VoIP should not be deployed without protection
    • SIP proxies are vulnerable to crash
    • The attack tool is easy to build and use
• Carriers (e.g., Verizon) will need new network elements
  – RFPs will include these requirements
  – Vendors must have a ready solution
• Conversion of research into a product that carriers can use
  – Need to determine the optimal architecture for DoS prevention functionality for VoIP
    • Security vs. performance
    • Hardware vs. software implementation
      – Proxy/Softswitch (SW)
      – SBC or new network element (HW/SW), router?
  – Use internally (protect the VZ network)
  – Use externally (sell new security services to large customers)
  – Get other companies interested to synergize resources and share results

Page 48: Next Steps for Verizon (continued)

• Cisco has just joined the project, funding research at NYU Polytechnic Institute to develop a hardware prototype
  – Objective is to research the optimal hardware platform to implement the Columbia-Verizon SIP algorithms
  – Use Cisco experimental cards that will eventually become router blades
• Continue the relationship with Columbia
  – Cisco is funding maintenance of the Verizon testbeds
    • For further research in distributed computing and traffic generation enhancements
    • To assist NYU Poly in testing and validation of the new prototype against previous benchmarks
    • To assist in eventual product development during the product testing cycle
      – Feedback loop of research and product cycle
  – Other research in related areas
    • Proposal to study SRTP/RTSP
• What can we do to make the working relationship even more productive?
  – Have the synergistic combination of both CATT components (NYU Polytech and Columbia) and two major industry players (Cisco and Verizon)
  – A model worth emulating!

Page 49: Potential Value to Cisco

• New vulnerabilities require a new mitigation technology for VoIP products
– Verizon and other carriers will need new network elements
– Eventually an RFP will include these requirements
– Vendors must have a ready solution
• Incorporation of new technology/functionality into Cisco products, e.g.,
– Service Edge Routers (e.g., 6909/7609)
– Enterprise Routers (e.g., 4000 series)
• Testbed support for product development
– Setup unique laboratory facilities for VoIP security evaluations and product development testing
• In Columbia, prototype rapid development incubator
• In Verizon, incorporated Columbia/Verizon collaborative test tools for a more realistic complex IP-routed laboratory environment

Page 50: Potential Value to Cisco

• Typical Verizon VoIP wireline architecture
• Possible use in wireless VoIP architectures
– LTE plan contemplates migration to SIP

[Figure: Typical Verizon VoIP wireline architecture. Elements shown: Verizon IP/Data Network, ALF, SBC, OLT, ONT, Phone, AS, SIP1, SIP2, GWR, Softswitch Platform, IDP, Enterprise LAN, Private IP Network, VoIP Server]

Page 51: Conclusions

• Research Results
– Demonstrated SIP vulnerabilities for VoIP resulting in new DoS susceptibility for both wireline and wireless
• Work is fully reusable to secure a “Presence” and IMS infrastructure
– Implemented some “carrier-class” mitigation strategies
• Prototype is first of its kind in the world
• Removed SIP DoS traffic at carrier class rates
• Developed new generic requirements
– Built a validation testbed to measure performance
• Developed customized test tools
• Built a high powered SIP-specific DoS Attack tool using parallel computing
– Crashed a SIP Proxy in seconds
• Intellectual Property
– Research activity resulted in six patent applications
• Commercialization
– Licensing agreements currently under negotiation
– Have socialized new requirements and test tools with vendor community to address rapid field deployment
• Major Vendors interested in new opportunities
• Rapid implementation is now expected
• Have created a partnership among both CATT university components and two major industry players

Page 52: Thank you

Questions?

[email protected]

Paper published by Springer Verlag - “Principles, Systems and Applications of IP Telecommunications” in October 2008: http://www.springerlink.com/content/r5t1652v3572/

Book available at: http://www.amazon.com/Principles-Applications-Telecommunications-Services-Generation/dp/354089053X/ref=sr_1_1?ie=UTF8&s=books&qid=1226098298&sr=1-1

Page 53: Next Steps - Possible New Projects

• Address Interception/Modification and Eavesdropping
– Study of SRTP and associated protocols (SDES)
– Comparison study of IPSec and TLS
• Study of SPIT prevention as a possible new service offering
– Filtering of unwanted phone calls
• Intrusion Detection
– Large scale call logs data analysis for DoS and ToS
• SIP DoS Testbed Maintenance and ongoing research
– New machines (200+)

Page 54: Backup Slides…

Page 55: The SIP Threat Model

• Eavesdropping
• Impersonation of a SIP entity
• Interception and Modification of SIP messages
• Service Abuse
• Denial of Service

Page 56: SIP Threat Model details (1)

• Eavesdropping
– Attacker can monitor signalling/media streams, but cannot or does not alter data itself
– Signalling channel is not confidential
– Call Pattern Tracking
• Discovery of identity, affiliation, presence
– Traffic Capture
• Packet recording
– Number harvesting
• Unauthorized collection of numbers, emails, SIP URIs

Page 57: SIP Threat Model details (2)

• Impersonation of a SIP entity
– Impersonate a UA
• Absence of assurance of a request's originator
• Registration Hijacking – attacker deregisters a legitimate contact and registers its own device for that contact
– Impersonate a Server
• UAs should authenticate the server to whom they send requests
• Attacker impersonates a remote server and intercepts the UA's request

Page 58: SIP Threat Model details (3)

• Interception and modification of SIP messages
– Man-in-the-middle attack
• UA is using SIP to communicate media session keys
– Call Re-routing
• Attacker might modify the SDP in order to route media streams to a wire-tapping device
– Conversation Degradation
• Attacker might cause intentional reduction in QoS
– False Call Identification
• Change “Subject” so message considered Spam

Page 59: SIP Threat Model details (4)

• Service Abuse
– Call Conference Abuse
• Hide identity for the purpose of committing fraud
– Premium Rate Service Fraud
• Artificially increase traffic in order to maximize billing
– Improper Bypass or Adjustment to Billing
• Avoid authorized service charge by altering billing records

Page 60: Scope of Our Research - VoIP

Scope of current work

Page 61: Mitigation Prototype Implementation

• Firewall platform filters media and SIP proxy authentication attempts, and rate-limits messages based on “Method” specific controls
– Utilizes wire-speed deep packet inspection
– Thresholds are kept internal in the DPPM
– State is only kept in Firewall in CAM tables
• Firewall controlling proxy model for media filtering and the authentication filter
– Columbia's SIP Proxy sipd controls the Firewall Deep Packet Inspection Server
– Utilize the Firewall Control Protocol to establish/insert filters in CAM table in real time
• SIP UAs being authentication challenged (IP, nonce)
• Media ports
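The authentication filter and the method-specific rate limits described on this slide, as an added software model. This is not the Columbia/Verizon prototype's code (which keeps this state in firewall CAM tables driven over the Firewall Control Protocol); the class and function names, the one-shot removal of a nonce entry after verification, the fixed-window counter, and every address, nonce and message are assumptions constructed for the example.

```python
import re

# Added example (not the Columbia/Verizon prototype): a software model of the
# firewall-side "authentication filter" (IP, nonce) and per-method rate limits.
# All addresses, nonces and messages below are constructed.

def parse_sip(raw):
    """Return (start line, {lowercased header name: value}) for one SIP message."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def nonce_in(headers, *names):
    """Extract nonce="..." from the first of the given headers that is present."""
    for name in names:
        value = headers.get(name)
        if value:
            m = re.search(r'\bnonce="([^"]*)"', value)
            return m.group(1) if m else None
    return None

class AuthFilter:
    """Table of (client IP, nonce) entries the proxy asks the firewall to install
    when it challenges a UA, and to remove once the credentials are verified."""

    def __init__(self):
        self.entries = set()          # stands in for the CAM table

    def challenge_issued(self, client_ip, challenge):
        nonce = nonce_in(parse_sip(challenge)[1], "www-authenticate", "proxy-authenticate")
        if nonce:
            self.entries.add((client_ip, nonce))

    def credentials_verified(self, client_ip, nonce):
        self.entries.discard((client_ip, nonce))   # one-shot: the same nonce cannot be replayed

    def decide(self, client_ip, request):
        """'pass' for requests without credentials (the proxy will challenge them) or with a
        nonce issued to this address; 'drop' for credentials the proxy never asked for."""
        nonce = nonce_in(parse_sip(request)[1], "authorization", "proxy-authorization")
        if nonce is None or (client_ip, nonce) in self.entries:
            return "pass"
        return "drop"

class MethodRateLimiter:
    """Per-source, per-method fixed-window counters ("Method specific controls")."""

    def __init__(self, limits, window=1.0):
        self.limits = limits          # e.g. {"INVITE": 5, "REGISTER": 2}
        self.window = window
        self.counts = {}              # (ip, method) -> (window start, count)

    def allow(self, client_ip, method, now):
        limit = self.limits.get(method)
        if limit is None:
            return True
        start, count = self.counts.get((client_ip, method), (now, 0))
        if now - start >= self.window:
            start, count = now, 0
        count += 1
        self.counts[(client_ip, method)] = (start, count)
        return count <= limit

def firewall_decision(auth, limiter, client_ip, request, now):
    """Combined verdict: the cheap rate check first, then the nonce table lookup."""
    method = parse_sip(request)[0].split(" ", 1)[0]
    if not limiter.allow(client_ip, method, now):
        return "drop"
    return auth.decide(client_ip, request)

# Constructed messages: a proxy challenge and the UA's re-sent INVITE carrying credentials
CHALLENGE = ("SIP/2.0 401 Unauthorized\r\n"
             "WWW-Authenticate: Digest realm=\"example.net\", nonce=\"n1a2b3\"\r\n\r\n")
INVITE_WITH_CREDS = ("INVITE sip:user1@example.net SIP/2.0\r\n"
                     "Authorization: Digest username=\"user2\", realm=\"example.net\", "
                     "nonce=\"%s\", uri=\"sip:user1@example.net\", response=\"0000\"\r\n\r\n")

def demo():
    auth, limiter = AuthFilter(), MethodRateLimiter({"INVITE": 2})
    auth.challenge_issued("10.0.0.5", CHALLENGE)
    good = INVITE_WITH_CREDS % "n1a2b3"
    forged = INVITE_WITH_CREDS % "deadbeef"
    return [
        firewall_decision(auth, limiter, "10.0.0.5", good, 0.0),    # pass
        firewall_decision(auth, limiter, "10.0.0.9", good, 0.0),    # drop: nonce not issued to .9
        firewall_decision(auth, limiter, "10.0.0.5", forged, 0.1),  # drop: unknown nonce
        firewall_decision(auth, limiter, "10.0.0.5", good, 0.2),    # drop: third INVITE in the window
    ]
```

The point of the nonce table is that a flood of requests carrying fabricated credentials never reaches the proxy's digest computation: only a client that was actually challenged can present a nonce the firewall knows about, and the rate counter bounds how many unauthenticated requests per method a single source can push through to be challenged at all.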

Page 62: Dynamic Pinhole Filtering

[Figure: SIP UA User2 sends an INVITE and SIP UA User1 answers with 200 OK; the SDP of each message yields a CAM table pinhole entry]

INVITE sip:[email protected]
From: <sip:user2@loader>
c=IN IP4 128.59.19.163
m=audio 43564 RTP/AVP 0

SIP/2.0 200 OK
From: <sip:user1@handler>
c=IN IP4 128.59.19.162
m=audio 56432 RTP/AVP 0

CAM Table:
128.59.19.163:43564
128.59.19.163:56432
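The pinhole mechanism of this slide as an added software model, not the prototype's own code: it extracts the media endpoint from the SDP of the INVITE and the 200 OK, opens CAM entries for both directions, and closes them on BYE. It assumes RTCP on the negotiated port plus one (the RFC 3550 convention), which gives the four pinholes per call that the deck's "30K concurrent calls, 120K open pinholes" figure implies; the Call-ID values, the class and function names, and the full-tuple (source and destination) entry format are assumptions for the example, as are the sample messages, which reuse the slide's addresses and ports.

```python
import re

# Added example, not the Columbia/Verizon prototype's code: a software model of
# dynamic pinhole filtering driven by the SDP carried in INVITE and 200 OK.
# RTCP on port+1 (RFC 3550 convention) is an assumption; messages are constructed.

def header(msg, name):
    m = re.search(r"^%s:\s*(.+)$" % re.escape(name), msg, re.M | re.I)
    return m.group(1).strip() if m else None

def sdp_media_endpoint(msg):
    """(ip, port) from the c= line and the first m=audio line of the message's SDP."""
    ip = re.search(r"^c=IN IP4 (\S+)", msg, re.M)
    port = re.search(r"^m=audio (\d+) ", msg, re.M)
    return (ip.group(1), int(port.group(1))) if ip and port else None

class PinholeFirewall:
    """CAM-table stand-in: a set of (src_ip, src_port, dst_ip, dst_port) tuples.
    Media not matching an open pinhole is dropped (default deny)."""

    def __init__(self):
        self.cam = set()
        self.calls = {}      # Call-ID -> {"offer": (ip, port), "pinholes": set()}

    def on_invite(self, msg):
        offer = sdp_media_endpoint(msg)
        if offer:
            self.calls[header(msg, "Call-ID")] = {"offer": offer, "pinholes": set()}

    def on_200_ok(self, msg):
        """Answer SDP arrives: open RTP and RTCP in both directions. Returns the count opened."""
        call = self.calls.get(header(msg, "Call-ID"))
        answer = sdp_media_endpoint(msg)
        if not call or not answer:
            return 0
        (a_ip, a_port), (b_ip, b_port) = call["offer"], answer
        for off in (0, 1):                       # 0 = RTP, 1 = RTCP (assumed port+1)
            call["pinholes"].add((a_ip, a_port + off, b_ip, b_port + off))
            call["pinholes"].add((b_ip, b_port + off, a_ip, a_port + off))
        self.cam |= call["pinholes"]
        return len(call["pinholes"])

    def on_bye(self, msg):
        """Close the call's pinholes so the ports cannot be reused after teardown."""
        call = self.calls.pop(header(msg, "Call-ID"), None)
        if call:
            self.cam -= call["pinholes"]

    def allow_udp(self, src_ip, src_port, dst_ip, dst_port):
        return (src_ip, src_port, dst_ip, dst_port) in self.cam

# Constructed messages using the slide's addresses and ports
INVITE = """INVITE sip:user1@example.net SIP/2.0
Call-ID: call-1@loader
From: <sip:user2@loader>
Content-Type: application/sdp

v=0
c=IN IP4 128.59.19.163
m=audio 43564 RTP/AVP 0
"""

OK_200 = """SIP/2.0 200 OK
Call-ID: call-1@loader
To: <sip:user1@handler>
Content-Type: application/sdp

v=0
c=IN IP4 128.59.19.162
m=audio 56432 RTP/AVP 0
"""

BYE = """BYE sip:user1@example.net SIP/2.0
Call-ID: call-1@loader
"""

def demo():
    fw = PinholeFirewall()
    fw.on_invite(INVITE)
    before = fw.allow_udp("128.59.19.162", 56432, "128.59.19.163", 43564)   # False: no answer yet
    opened = fw.on_200_ok(OK_200)                                            # 4
    rtp = fw.allow_udp("128.59.19.162", 56432, "128.59.19.163", 43564)      # True
    rtcp = fw.allow_udp("128.59.19.163", 43565, "128.59.19.162", 56433)     # True
    stray = fw.allow_udp("128.59.19.163", 43564, "128.59.19.162", 5060)     # False: not a media port
    fw.on_bye(BYE)
    after = fw.allow_udp("128.59.19.162", 56432, "128.59.19.163", 43564)    # False: closed on BYE
    return before, opened, rtp, rtcp, stray, after
```

The testing methodology on Page 67 follows directly from this model: the opening delay is the time between the 200 OK passing the proxy and `allow_udp` first returning true, the closing delay is the time between the BYE and it returning false again, and a pinhole "extraneously open" is any entry still present in `cam` for a call that has no live Call-ID.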

Page 63: Pinhole Problem Definition

• Problem parameterized along two independent vectors
– Call Rate (calls/sec)
• Related to performance of SIP Proxy in Pentium
– Concurrent Calls
• Related to performance of table lookup in IXP 2800
• Data Collected in Excel spreadsheet format
– {Number of concurrent calls, calls/sec, Opening delay, Closing delay, device}
– SIP Proxy
– SIP RAVE
– Opening delay data provided in units of 20 ms packets
– Closing delay data provided in units of 10 ms packets

Page 64: Pinhole Data Results

Open delay in units of 20 ms packets, Close delay in units of 10 ms packets (see Page 63).

Concurrent calls  Calls/Sec  SIP Proxy Open delay  SIP Proxy Close delay  SIP RAVE Open delay  SIP RAVE Close delay
10K               300        0.75                  0                      0.25                 0
15K               300        0.74                  0                      0.33                 0
20K               300        0.73                  0                      0.34                 0
25K               300        0.75                  0                      0.26                 0
30K               300        0.8                   15.51                  0.26                 0
30K               200        0.83                  0.02

Page 65: SIP Security Overview

• Application Layer Security
– SIP RFC 2543 – little security
– SIP RFC 3261 – security enhancements
• Digest Authentication
• TLS
• IPSec
– SRTP/ZRTP (RFC 3711)
• Perimeter Protection
– SIP aware Filtering Mechanisms
– SIP aware DoS Protection
• Detection and Mitigation

Page 66: SIP Security Overview

• Application layer security
• Digest Authentication, TLS, S/MIME, IPSec, certificates
• SRTP/SDES/MIKEY/ZRTP for media
• Convergence leads to converged attacks
– Data network attacks
• DDoS, spoofing, content alteration, platform attacks
– Voice over IP network attacks
• Toll fraud, session hijacking, theft of service, spam/SPIT
• Most security problems are due to
– User Datagram Protocol (UDP) instead of TCP/TLS
– Plain text instead of S/MIME
– Message/Method vulnerability
– Flexible grammar --> syntax-based attacks

Page 67: Pinhole Testing Methodology

• Generate external load on the firewall
– SIPUA Loader/Handler in external load mode
– Generates thousands of concurrent RTP sessions
– For 30K concurrent calls have 120K open pinholes
– CAM table length is 120K entries
• Search algorithm finds match in one cycle
• When external load is established, run the IEP analysis
– SIPUA Loader/Handler in internal load mode
– Port scanning and Protocol analyzer
– Increment calls/sec rate
• Measure pinhole opening and closing delays
• Detect pinholes extraneously open

Page 68: Theft of Service

Page 69: Theft of Service Overview

• VoIP is different
– Not a static but a real-time application
– Direct comparisons with PSTN
• According to Subex Azure 3% of total revenue is subject to “fraud”*
• VoIP can be expected to be at least twice as large a proportion of revenue
– Theft of Service is a more daunting problem in VoIP
• Implications of ToS
– Lost revenue and bad reputation
– Abused resources cause monetary losses to network providers
– Unauthorized usage degrades whole system’s performance
• Scenarios
– Using services without paying
– Illegal Resource Sharing (unlimited-plans)
– Compromised Systems
– Call Spoofing and Vishing

*Billing World and OSS Magazine: “Top Telco Frauds and How to Stop Them”, January 2007, by Geoff Ibett

Page 70: Simplified Billing Model

• End-Points
– Different devices can be used to connect to a SIP server
• Information Exchange
– User data from end-points to SIP server should be protected
– Communication between SIP server and Authorization server should be safe from eavesdropping attacks
• Billing
– DIAMETER should be secured to avoid billing attacks
• Recommended IPSec with Encryption
– Authorization server must be hardened to avoid OS attacks

Page 71: Theft of Service Research Goals

• Verification of security implementation
– Automate validation process
• Creating new tools and scripts
• Modify existing tools to create a package
• Architectural Integrity Verification Tool
– Identity Assurance
– Multiple End Points
– Intrusion Detection
• Black-box type abstraction

Page 72: Theft of Service Challenges

• Client-side threats
– Illegal resource sharing
– Compromised hardware
– Weak password
• Server-side threats
– Identity assurance
• Unauthorized registration, unauthenticated INVITE
• Digest authentication (nonce usage, password guessing)
• Transport protocol choice (TCP/UDP)
• TLS crypto strength
– Spoofing to gain privileged access
– DoS/DDoS attacks
• Implementation flaws
• Flooding billing system
– DoS amplification prevention on Billing systems
• Application level flaws
– Counter Method-based vulnerabilities
– BYE attack validation

Page 73: Theft of Service Challenges

• Service threats
– Distinguish between audio call, single media stream or multiple destination signaling
• Multimedia services, messages, etc.
– Launching multiple simultaneous accounts
• Multiple end-points
– Authorization Safeguards
• 800 numbers, emergency number
• Voicemail messages checking portability ensured
• Intrusion detection
• Existing call logs help find patterns and detect anomalies

Page 74: secureSIP Identity Assurance

• Why do we need Identity Assurance?
– Digest authentication is only as strong as the password
– Weak authentication gives a false sense of security
– Without Identity Assurance, difficult to backtrack to actual offender in any planned attack on network
• TLS and S/MIME are future solutions
• Password Guessing
– Easy to crack weak passwords by dictionary attack
– Compromised passwords can result in legal and financial implications for network provider
– CrackLib contains 1.6 million most common passwords, available freely online

Page 75: secureSIP Identity Assurance

• Multiple password lists
– choose password list suitable for experiment
– extend any list, or simply add new one
• Configurable speed of attack
– option to launch fast, medium-paced or slow attack on authentication server
• Utilizes distributed network power
– all machines work in parallel to crack password
– 1 million passwords in 100 seconds
• Verification against standard SIP components
– OpenSER used for doing identity assurance

Page 76: secureSIP Multiple End Points

• Single “Address of Record” but multiple URIs makes the problem more challenging
• Intentional resource sharing
– Problem: Users can intentionally misuse network resources from various end-points
– Solution: Geographical co-relation across space and time
• Space: E.164 TN, URI, IP address
• Temporal: timestamp (call log)

Page 77: secureSIP Multiple End Points

• Geographical location matching
– Maps IP address to precise geographical location
– Maxmind.com toolkit for accurate IP to location lookup
– Area code also suggests location, IP is more precise
• SIP log parser
– Parses uploaded log file containing SIP traffic
– Filters data into individual fields, puts it in database
• Analyzer
– Finds anomalies in call origin location and time
– IP address for geographical location of a user
– Statistical modelling
• temporal usage patterns
• geographical usage patterns
– Comparison of observed location patterns and time intervals to pre-defined thresholds
– Minimize false positives and false negatives
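The space-and-time correlation of Pages 76 and 77 as an added example; this is not the secureSIP analyzer's code. It parses a constructed call log with one line per call, places each source IP with a small constructed table that stands in for the Maxmind lookup named on the slide, and flags an Address of Record whose consecutive calls would require travelling faster than a threshold, or whose origin cannot be placed at all. The log format, the `GEO` table, the 900 km/h default and all addresses and numbers are assumptions made for the example.

```python
import math
from datetime import datetime

# Added example (not the secureSIP analyzer's code): correlate a SIP call log
# per Address of Record across space and time. GEO is a constructed stand-in
# for a GeoIP lookup; the log lines and addresses are constructed as well.

GEO = {                                   # ip -> (city, latitude, longitude)
    "198.51.100.10": ("New York", 40.71, -74.01),
    "198.51.100.77": ("New York", 40.73, -73.99),
    "203.0.113.5": ("Los Angeles", 34.05, -118.24),
}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def parse_log(text):
    """Assumed log format: '<ISO timestamp> <AoR> <source IP> <called number>' per line."""
    records = []
    for line in text.strip().splitlines():
        ts, aor, ip, callee = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "aor": aor, "ip": ip, "callee": callee})
    return records

def find_anomalies(records, max_speed_kmh=900.0):
    """Return (AoR, timestamp, reason) flags. 'impossible-travel': two consecutive calls
    from the same AoR whose origins imply a speed above max_speed_kmh, the threshold
    an operator tunes to trade false positives against false negatives.
    'unknown-location': the lookup cannot place one of the two addresses."""
    by_aor = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        by_aor.setdefault(r["aor"], []).append(r)
    flags = []
    for aor, calls in by_aor.items():
        for prev, cur in zip(calls, calls[1:]):
            if prev["ip"] not in GEO or cur["ip"] not in GEO:
                flags.append((aor, cur["ts"].isoformat(), "unknown-location"))
                continue
            _, lat1, lon1 = GEO[prev["ip"]]
            _, lat2, lon2 = GEO[cur["ip"]]
            # simultaneous calls count as one second apart so the speed stays finite
            hours = max((cur["ts"] - prev["ts"]).total_seconds(), 1.0) / 3600.0
            if haversine_km(lat1, lon1, lat2, lon2) / hours > max_speed_kmh:
                flags.append((aor, cur["ts"].isoformat(), "impossible-travel"))
    return flags

# Constructed sample log: alice "moves" New York -> Los Angeles in 25 minutes,
# bob takes six hours for the same trip, carol calls from an address GEO cannot place.
SAMPLE_LOG = """
2009-03-02T09:00:00 sip:alice@example.net 198.51.100.10 12125550100
2009-03-02T09:20:00 sip:alice@example.net 198.51.100.77 12125550101
2009-03-02T09:45:00 sip:alice@example.net 203.0.113.5 13105550102
2009-03-02T10:00:00 sip:bob@example.net 198.51.100.10 12125550103
2009-03-02T16:00:00 sip:bob@example.net 203.0.113.5 13105550104
2009-03-02T11:00:00 sip:carol@example.net 198.51.100.10 12125550105
2009-03-02T11:05:00 sip:carol@example.net 192.0.2.200 12125550106
"""

def demo():
    return find_anomalies(parse_log(SAMPLE_LOG))
```

Lowering `max_speed_kmh` catches more shared accounts but starts flagging legitimate travellers like bob, which is the false-positive/false-negative trade-off the slide refers to; in practice the threshold is set from the historical call logs of known-good users rather than chosen by hand.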

Page 78: secureSIP Intrusion Detection

• Why do we need Intrusion Detection?
– Unintentional resource sharing
• Botnets, zombies can cause unreasonable load
• Password authentication, encryption fails
– Spam, SPIT and identity theft
• Analyze patterns of incoming calls to network
– Turing Test
• See network wide pattern to detect fraud at the outset
• Captures suspicious activity that may slip through firewall rules

Page 79: secureSIP Intrusion Detection

• Intrusion Detection
– Out-of-domain SIP requests
– Suspicious BYE and INVITE
– Behavioural and knowledge-based techniques
• Minimize classic DoS attacks
– Session tear down, media modification
– Billing server attack, call hijacking
• Analyze historical call logs
– Synthetic vs. Real (Verizon Business)
• Need to develop a Security Event Management system
– Analyze and correlate information provided by verification tool to detect, mitigate and prevent ToS

Page 80: secureSIP Controller

• Controller
– Automated Web-based Control Software run on SUN box
– Ability to configure attack traffic on the fly
• Development Platform
– Perl, MySQL and in-built web-server
– Operating system independent, can be accessed remotely
• Results Analyzer
– Gathers, analyzes and correlates results
– Measurement progress is saved to database in real-time
– Controller analyzes results from database and aggregates them to present real-time statistics

Page 81: Validation Strategy - Methodology for Anti Spoofing

• Use the SIPp and SIPStone testing tools in a distributed environment to generate legitimate and attack SIP traffic respectively
– Generate both legitimate and spoofed source address requests
• Measure the following calls/sec throughput values:
– Legitimate requests, without authentication (Capacity)
– Legitimate requests, with authentication (Normal)
– Legitimate (Normal) and spoofed requests (SAttacknof), without filters
– Legitimate (Normal) and spoofed requests (SAttackf), with filters (Defense)
• Identify the impact of spoofed address floods on the calls/sec rate of legitimate requests
– Expect to see SAttackf << SAttacknof, and ideally, D = N
– Calculate False Positive and False Negative rates from measurements:
• FP = (Normal - Defense)/Normal
• FN = SAttackf / SAttacknof

Page 82: Validation Strategy - Methodology for Rate Limiting

• Use the SIPp and SIPStone testing tools in a distributed environment to generate legitimate and attack SIP traffic respectively
– Generate both legitimate and spoofed source address requests
• Measure the following calls/sec throughput values:
– Legitimate requests, without authentication (Capacity)
– Legitimate requests, with authentication (Normal)
– Legitimate (Normal) and Method requests/response/OoS (MAttacknof), without filters
– Legitimate (Normal) and Method requests/response/OoS (MAttackf), with filters (Defense)
• Identify the impact of spoofed address floods on the calls/sec rate of legitimate requests
– Expect to see MAttackf << MAttacknof, and ideally, D = N
– Calculate False Positive and False Negative rates from measurements:
• FP = (Normal - Defense)/Normal
• FN = MAttackf / MAttacknof

Page 83: Dialog Filtering

• Filtering based on Dialog parameters
– Broader “brushstroke” than Transaction level
– Only useful with floods of CANCEL or BYE requests
• Identify a BYE message by its Dialog-ID
• Maintain a database of INVITE sources (Contacts)
• Verify and accept a BYE message only from legitimate source addresses
• Reject it if it is not a part of an existing dialog
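The dialog filter of this slide as an added software model, not the prototype's code: the dialog table is populated from INVITE and 200 OK pairs, a BYE is accepted only if its dialog ID (Call-ID plus From and To tags, per RFC 3261) names an existing dialog and the packet comes from one of that dialog's recorded sources, and a CANCEL is accepted only from the sender of a still-pending INVITE. The class and function names, the in-memory tables, and every address, tag and message are assumptions constructed for the example.

```python
import re

# Added example (not the prototype's filter): a dialog table built from INVITE /
# 200 OK pairs that accepts BYE only from a party to an existing dialog and
# CANCEL only from the sender of a pending INVITE. Messages are constructed.

def header(msg, name):
    m = re.search(r"^%s:\s*(.+)$" % re.escape(name), msg, re.M | re.I)
    return m.group(1).strip() if m else None

def tag_of(value):
    m = re.search(r";tag=([^;\s]+)", value or "")
    return m.group(1) if m else None

def dialog_id(msg):
    """RFC 3261 dialog ID: Call-ID plus the From and To tags. The tag pair is kept
    order-independent so a BYE sent by either party maps to the same key."""
    tags = frozenset(t for t in (tag_of(header(msg, "From")), tag_of(header(msg, "To"))) if t)
    return (header(msg, "Call-ID"), tags)

class DialogFilter:
    def __init__(self):
        self.pending = {}    # Call-ID -> set of INVITE source IPs (early dialogs)
        self.dialogs = {}    # dialog_id -> set of legitimate source IPs

    def on_invite(self, src_ip, msg):
        self.pending.setdefault(header(msg, "Call-ID"), set()).add(src_ip)

    def on_200_ok(self, src_ip, msg):
        """The 200 OK supplies the To tag that completes the dialog ID; its sender is the callee."""
        sources = self.pending.pop(header(msg, "Call-ID"), set()) | {src_ip}
        self.dialogs[dialog_id(msg)] = sources

    def accept_cancel(self, src_ip, msg):
        """CANCEL is only meaningful for an INVITE still pending, and only from its sender."""
        return src_ip in self.pending.get(header(msg, "Call-ID"), set())

    def accept_bye(self, src_ip, msg):
        """Accept a BYE only if its dialog exists and the sender is a party to it."""
        did = dialog_id(msg)
        sources = self.dialogs.get(did)
        if sources is None or src_ip not in sources:
            return False
        del self.dialogs[did]     # the dialog ends here; a repeated BYE is out of dialog
        return True

# Constructed messages: alice (10.0.0.5) calls bob (10.0.0.8)
INVITE = """INVITE sip:bob@example.net SIP/2.0
Call-ID: c1@10.0.0.5
From: <sip:alice@example.net>;tag=a1
To: <sip:bob@example.net>
"""
OK_200 = """SIP/2.0 200 OK
Call-ID: c1@10.0.0.5
From: <sip:alice@example.net>;tag=a1
To: <sip:bob@example.net>;tag=b7
"""
BYE_FROM_BOB = """BYE sip:alice@example.net SIP/2.0
Call-ID: c1@10.0.0.5
From: <sip:bob@example.net>;tag=b7
To: <sip:alice@example.net>;tag=a1
"""
BYE_GUESSED = BYE_FROM_BOB.replace("c1@10.0.0.5", "c2@10.0.0.5")

def demo():
    f = DialogFilter()
    f.on_invite("10.0.0.5", INVITE)
    cancel_from_stranger = f.accept_cancel("192.0.2.99", INVITE.replace("INVITE", "CANCEL", 1))
    f.on_200_ok("10.0.0.8", OK_200)
    return (
        cancel_from_stranger,                          # False: not the INVITE's sender
        f.accept_bye("192.0.2.99", BYE_FROM_BOB),      # False: correct headers, wrong source
        f.accept_bye("10.0.0.8", BYE_GUESSED),         # False: no such dialog
        f.accept_bye("10.0.0.8", BYE_FROM_BOB),        # True: the callee ends its own call
        f.accept_bye("10.0.0.8", BYE_FROM_BOB),        # False: the dialog is already gone
    )
```

The source-address check is what makes this useful against the floods the slide names: a BYE whose Call-ID and tags were sniffed or guessed still fails unless it arrives from an address that took part in the dialog, and a BYE for a dialog that never existed is rejected without the proxy ever seeing it.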

Page 84: Transaction State Machine Filtering

• Validates the state of each SIP transaction for each message received
• Maintain state per transaction as per the state machine specified in RFC 3261
– Client and Server
– INVITE and Non-INVITE transactions
• Maintain the state table
• The filter allows only “in-state” messages and does not allow “out-of-state” messages
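The transaction-level filter of this slide as an added software model, not the prototype's code. It keeps one state per (Via branch, method) following the RFC 3261 server transaction machines (INVITE: Proceeding, Completed, Confirmed, Terminated; non-INVITE: Trying, Proceeding, Completed), updates the state from the responses the proxy sends, and accepts an incoming request only if it is in-state. It is simplified: no timers, retransmissions in the non-INVITE Trying state are treated as out-of-state, and an ACK for a 2xx (which carries a new branch) is matched by Call-ID instead of by transaction. The class and helper names and all messages are assumptions constructed for the example.

```python
import re

# Added example (not the prototype's filter): a per-branch server transaction
# state table after RFC 3261 sections 17.2.1 and 17.2.2, simplified (no timers).
# Every message, branch and Call-ID below is constructed.

def branch_of(msg):
    m = re.search(r"^Via:.*;branch=([^;\s]+)", msg, re.M | re.I)
    return m.group(1) if m else None

def call_id_of(msg):
    m = re.search(r"^Call-ID:\s*(\S+)", msg, re.M | re.I)
    return m.group(1) if m else None

def method_of(msg):
    first = msg.lstrip().split("\n", 1)[0]
    return None if first.startswith("SIP/2.0") else first.split(" ", 1)[0]

def cseq_method(msg):
    m = re.search(r"^CSeq:\s*\d+\s+(\S+)", msg, re.M | re.I)
    return m.group(1) if m else None

class TransactionFilter:
    """Server-side transaction table keyed by (branch, method)."""

    def __init__(self):
        self.state = {}                 # (branch, method) -> state name
        self.awaiting_2xx_ack = set()   # Call-IDs whose INVITE got a 2xx (ACK has its own branch)

    def on_request(self, msg):
        """True if the request is in-state, False if the filter must drop it."""
        method, branch = method_of(msg), branch_of(msg)
        if branch is None:
            return False
        if method == "ACK":
            st = self.state.get((branch, "INVITE"))
            if st == "Completed":                      # ACK for a non-2xx final response
                self.state[(branch, "INVITE")] = "Confirmed"
                return True
            if st == "Confirmed":                      # absorbed ACK retransmission
                return True
            cid = call_id_of(msg)
            if cid in self.awaiting_2xx_ack:           # ACK for a 2xx: separate transaction
                self.awaiting_2xx_ack.discard(cid)
                return True
            return False
        if method == "CANCEL":                         # only while the INVITE is still pending
            return self.state.get((branch, "INVITE")) == "Proceeding"
        key = (branch, method)
        st = self.state.get(key)
        if st is None:                                 # new transaction
            self.state[key] = "Proceeding" if method == "INVITE" else "Trying"
            return True
        # retransmission: in-state only while there is a response to re-send
        return st in ("Proceeding", "Completed")

    def on_response(self, msg):
        """Update the table from a response the proxy sends back to the client."""
        method, branch = cseq_method(msg), branch_of(msg)
        code = int(msg.lstrip().split(" ", 2)[1])
        key = (branch, method)
        if key not in self.state:
            return
        if 100 <= code < 200:
            self.state[key] = "Proceeding"
        elif method == "INVITE" and code < 300:
            self.state[key] = "Terminated"
            self.awaiting_2xx_ack.add(call_id_of(msg))
        else:
            self.state[key] = "Completed"

def sip_request(method, branch, cseq, call_id="c1@10.0.0.5"):
    return ("%s sip:bob@example.net SIP/2.0\nVia: SIP/2.0/UDP 10.0.0.5;branch=%s\n"
            "Call-ID: %s\nCSeq: %d %s\n\n" % (method, branch, call_id, cseq, method))

def sip_response(status, branch, cseq, method, call_id="c1@10.0.0.5"):
    return ("SIP/2.0 %s\nVia: SIP/2.0/UDP 10.0.0.5;branch=%s\nCall-ID: %s\nCSeq: %d %s\n\n"
            % (status, branch, call_id, cseq, method))

def demo():
    f, out = TransactionFilter(), []
    out.append(f.on_request(sip_request("INVITE", "z9hG4bK-1", 1)))      # True: new transaction
    f.on_response(sip_response("100 Trying", "z9hG4bK-1", 1, "INVITE"))
    out.append(f.on_request(sip_request("ACK", "z9hG4bK-1", 1)))         # False: no final response yet
    out.append(f.on_request(sip_request("CANCEL", "z9hG4bK-1", 1)))      # True: INVITE still proceeding
    f.on_response(sip_response("487 Request Terminated", "z9hG4bK-1", 1, "INVITE"))
    out.append(f.on_request(sip_request("ACK", "z9hG4bK-1", 1)))         # True: Completed -> Confirmed
    out.append(f.on_request(sip_request("INVITE", "z9hG4bK-1", 1)))      # False: transaction confirmed
    out.append(f.on_request(sip_request("BYE", "z9hG4bK-2", 2)))         # True: new non-INVITE transaction
    out.append(f.on_request(sip_request("BYE", "z9hG4bK-2", 2)))         # False: retransmission, no response yet
    f.on_response(sip_response("200 OK", "z9hG4bK-2", 2, "BYE"))
    out.append(f.on_request(sip_request("BYE", "z9hG4bK-2", 2)))         # True: response can be re-sent
    out.append(f.on_request(sip_request("ACK", "z9hG4bK-9", 1)))         # False: no transaction, no 2xx pending
    return out
```

Compared with the dialog filter on Page 83 this is the finer brush: it needs a state entry per branch rather than per call, but it catches out-of-state ACK, CANCEL and retransmission floods that never form a dialog at all, which is why the deck keeps both levels.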

Page 85: Verizon Business Impact

• SIP DoS work
– Global Network Engineering & Planning Organization
• Support Technology organization to define new security architecture for VoIP Services
– Network & Information Security Organization
• “Better Security Reviews” of Advantage VoIP Service
– Global Customer Service & Provisioning Organization
• Sales Engineering – Premier Accounts Team Briefing
• SIP ToS work
– Office of Chief Financial Officer
• Credit & Collections