Advanced Flooding Attack on a SIP Server
Xianglin Deng, Canterbury University
Malcolm Shore, Canterbury University & Telecom NZ
SIP Protocol
SIP is used as the connection mechanism for IP-based multimedia services, including VoIP
SIP is normally deployed as a service not requiring user authentication
SIP can be configured to operate in authenticated mode
SIP Flooding
SIP is vulnerable to flooding attacks. A typical attack would be an INVITE flood.
[Sequence diagram: Attacker, SIP Proxy, SIP Client. The attacker sends a stream of INVITEs; the proxy answers each with TRYING and forwards it; the client answers RINGING, then Busy here.]
SIP Flooding
SIP with authentication is more vulnerable to flooding attacks.
[Sequence diagram: Attacker, SIP Proxy, SIP Client. For each attacker INVITE the proxy generates and stores a nonce and replies 407.]
SIP Flooding
Firewalls can provide SIP anti-flooding protection.
[Diagram: a stream of INVITEs arrives at the firewall; after a threshold the remaining INVITEs are marked Blocked…]
[Plot: Call setup delay vs. number of attack packets. x-axis: Number of attack packets (0 to 25000); y-axis: call setup delay (s), 0 to 20. Series: Call setup delay.]
SIP Flooding
We can defeat the firewall anti-flooding mechanism
[Diagram: the INVITE stream passes the firewall with no packets blocked.]
[Plot: Call setup delay. x-axis: Number of attack packets (0 to 70000); y-axis: call setup delay (s), 0 to 8. Series: Call setup delay.]
SIP Flooding
We propose a Security Enhanced SIP System (SESS)
Non-authenticated SIP proxy with optional firewall authentication
Involves enhancement of the firewall with predictive nonce checking (Rosenberg)
Involves priority queues (Ohta)
The SIP proxy maintains known user lists (D’Souza)
Incorporates a synchronisation protocol (KASP)
We enhance the predictive nonce checking, priority queues and user lists
Predictive Nonce Checking
Rosenberg 2001
Client -> SIP proxy server: INVITE/REGISTER
SIP proxy server: generate predictive nonce
SIP proxy server -> Client: 407/401 (nonce, realm)
Client: compute response = F(nonce, username, password, realm)
Client -> SIP proxy server: INVITE/REGISTER (nonce, realm, username, response)
SIP proxy server authentication: compute F(nonce, username, password, realm) and compare with response
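An added illustration (not the thesis' code) of what the predictive nonce buys the firewall in the exchange above: the nonce is derived from a secret, a timestamp and the client's source address, so the second INVITE can be checked by recomputing the nonce instead of storing one per request, and a flood of first INVITEs leaves no state behind. The HMAC-over-timestamp construction, the 60 s lifetime and F as the RFC 2617 digest are assumptions; all names and passwords are constructed.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-firewall-secret"   # assumed per-firewall key
NONCE_LIFETIME = 60                        # assumed validity window in seconds

def generate_predictive_nonce(src_ip, now=None):
    """Stateless nonce: '<timestamp>.<HMAC(timestamp, source IP)>'."""
    ts = int(now if now is not None else time.time())
    mac = hmac.new(SECRET, f"{ts}:{src_ip}".encode(), hashlib.sha256).hexdigest()[:32]
    return f"{ts}.{mac}"

def nonce_is_predicted(nonce, src_ip, now=None):
    """Verify without stored state: recompute, compare, then check age."""
    try:
        ts_str, _mac = nonce.split(".", 1)
        ts = int(ts_str)
    except ValueError:
        return False                      # malformed nonce: reject cheaply
    expected = generate_predictive_nonce(src_ip, ts)
    if not hmac.compare_digest(expected, nonce):
        return False                      # not one we would have issued to this IP
    current = int(now if now is not None else time.time())
    return 0 <= current - ts <= NONCE_LIFETIME

def digest_response(username, realm, password, nonce, method, uri):
    """F(nonce, username, password, realm) as the RFC 2617 digest response."""
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()

def check_authenticated_invite(src_ip, hdr, users, now=None):
    """Firewall check on the credentialed INVITE: the nonce test runs first,
    so forged or stale credentials are dropped before any user lookup."""
    if not nonce_is_predicted(hdr["nonce"], src_ip, now):
        return False
    password = users.get(hdr["username"])
    if password is None:
        return False
    expected = digest_response(hdr["username"], hdr["realm"], password,
                               hdr["nonce"], "INVITE", hdr["uri"])
    return hmac.compare_digest(expected, hdr["response"])
```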
Improved Nonce Checking
Priority Queues
Ohta 2006: assign different priorities to SIP INVITE messages
Improved Priority Queues
Assign priorities based on the source IP address.
A VoIP service provider would benefit from giving frequent users higher priority.
User Lists
D’Souza 2004: assigns high priority to known hosts
Improved User Lists
Enforce authentication on unknown hosts
Defines a dual-stage list
Adds expiry to the lists
KASP
Packet structure: IP Header | UDP Header | KASP payload (example: KASP:+fu10.0.0.34, i.e. add the address to the frequent user list)
SESS flowchart (nu = user list, fu = frequent user list):
Listen on incoming packets; extract the source IP address.
In fu? Yes: reset timer, update received time, process the SIP message.
Not in fu: is it an ACK? Yes: process the SIP message. No: check nu.
In nu and last call made within time t? Yes: promote user to fu, update received time, send update firewall info, process the SIP message. No: reset timer, update received time, process the SIP message.
Not in nu: add user to nu, send update firewall info, process the SIP message.
Timer expiry interrupt: is it a fu? Yes: remove user from fu. No: remove user from nu.
JAIN SLEE
Advantages:
It is designed for telecommunications low-latency, high-throughput environments (10-20 calls per second per CPU; ~10 events per call; <200 ms RTT)
Its container-based infrastructure enables easy integration of new services and technologies
Better availability and scalability through clustering
A high-level programming language (Java) is used, reducing time to market
JAIN SLEE
JAIN SLEE main operation
When a message arrives at the SLEE, it first goes through a resource adapter
The resource adapter wraps the message and sends it to an activity context
SBBs that have subscribed to the activity context receive the event and process it
SESS implementation
Modified the SIP proxy SBB
Observations on Use of JAIN SLEE
Enhancement was possible with existing knowledge of Java
Modifications easy/low risk due to the component architecture resulting from the JAIN SLEE approach
Enhancement completed and tested in 3 days
High level of confidence in the resulting server
Much simpler and so more reliable than C
No opportunity to trial throughput or availability claims
Existence of many Java libraries provides a rich source of reusable code
Experimental Results
Average setup delays: 9.39; (7.06) 7.14; 0.675; 0.487 seconds
[Plot: Call setup delays for users under various security levels. x-axis: Number of attack packets (0 to 70000); y-axis: call setup delays (s), -10 to 70. Series: Frequent users in SESS, Normal users in SESS, New users in SESS, All users in stateless firewall, All users under no security.]
Experimental Results
No discernible impact on the SIP proxy CPU … no INVITE flood attack packets penetrate
SIP ACK flooding
[Plot: Call setup delay during ACK flood. x-axis: number of attack packets sent (0 to 50000); y-axis: call setup delay (s), -10 to 70. Series: Call setup delay.]
Average setup delay = 5.9 seconds
500 Server Internal Error occurred
Temporary User List
ACK flood can still penetrate the SESS protection
We use a temporary user list to ensure that ACKs cannot be accepted without an INVITE
[Sequence diagram: Internet, Firewall (ISESS), SIP Proxy, Internal client. Legend: improved predictive nonce checking process; security-enhanced SIP proxy process.
User 2000 makes 1st call: INVITE; 407 from the firewall; INVITE with credentials; KASP +nu from the proxy to the firewall; OK / 200 OK relayed back; ACK admitted via Temp. Allow User; voice stream; update user list.
User 2000 makes 2nd call: INVITE passes straight through; 200 OK; ACK; voice stream.]
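As an added example (not the thesis' code) that ties together the SESS flowchart given earlier, the dual-stage user lists with expiry, and the ISESS temporary user list shown in the call flow above: the proxy keeps nu, fu and a temporary list keyed by source IP, promotes a caller to fu on a second call within time t, emits KASP updates for the firewall, and accepts an ACK only when an INVITE from that address was recently admitted. The timer values and the spaced "+fu <ip>" KASP string form are assumptions.

```python
class UserLists:
    """SESS/ISESS user lists kept by the proxy. Timer values are constructed
    placeholders (the slides give none); KASP strings mirror the '+fu<ip>'
    form on the packet-structure slide, with a space added for readability."""

    def __init__(self, t=300, nu_ttl=900, fu_ttl=3600, tmp_ttl=32):
        self.t, self.nu_ttl, self.fu_ttl, self.tmp_ttl = t, nu_ttl, fu_ttl, tmp_ttl
        self.nu, self.fu, self.tmp = {}, {}, {}   # ip -> time last seen
        self.kasp = []                            # updates queued for the firewall

    def expire(self, now):
        """Timer expiry: drop stale entries and tell the firewall about it."""
        for lst, ttl, tag in ((self.fu, self.fu_ttl, "fu"), (self.nu, self.nu_ttl, "nu")):
            for ip in [ip for ip, seen in lst.items() if now - seen > ttl]:
                del lst[ip]
                self.kasp.append(f"-{tag} {ip}")
        self.tmp = {ip: s for ip, s in self.tmp.items() if now - s <= self.tmp_ttl}

    def on_invite(self, ip, now):
        """Classify the caller, update the lists; returns its queue class."""
        self.expire(now)
        if ip in self.fu:
            cls = "frequent"
        elif ip in self.nu and now - self.nu[ip] <= self.t:
            del self.nu[ip]                       # second call within t: promote
            self.kasp.append(f"+fu {ip}")
            cls = "frequent"
        elif ip in self.nu:
            cls = "normal"                        # known, but not yet frequent
        else:
            self.kasp.append(f"+nu {ip}")
            cls = "new"                           # unknown host: must authenticate
        (self.fu if cls == "frequent" else self.nu)[ip] = now
        self.tmp[ip] = now                        # ISESS: an ACK is now expected
        return cls

    def on_ack(self, ip, now):
        """ISESS rule: an ACK is accepted only if it follows an admitted INVITE."""
        self.expire(now)
        if ip not in self.tmp:
            return False                          # bare ACK (flood packet): drop
        del self.tmp[ip]
        for lst in (self.fu, self.nu):
            if ip in lst:
                lst[ip] = now                     # reset the caller's timer
        return True
```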
Experimental results
[Plot: Call setup delays for users under no security and in ISESS. x-axis: Number of attack packets sent (0 to 70000); y-axis: call setup delay (s), 0 to 70. Series: No security, New user in ISESS, Normal user in ISESS, Frequent user in ISESS.]
Average setup delays: 9.39; 8.356; 1.147; 0.975 seconds
SIP ACK FLOODING
[Plot: Call setup delay during ACK flood. x-axis: Number of attack packets (0 to 60000); y-axis: call setup delay (s), 0 to 1.6. Series: Call setup delay.]
Average setup delay: 0.815 seconds
Experimental Results
With ISESS, no ACK flood packets penetrate
Conclusion
SIP is vulnerable to flooding attacks
Commercial anti-flooding mechanisms can be defeated
Current research provides some mitigation but is incomplete
ISESS synthesises and extends current research into a substantially more complete solution to the problem of SIP flooding
Questions?