Dynamic SIP Security

Page 2

Me: Simon Woodhead, CEO, Simwood eSMS Limited
Director, LINX
https://simwood.com
http://blog.simwood.com
http://woody.is
@simwoodesms

Page 3

3 things

Page 4

1 idea

Page 5

Contention
“The majority of you will be controlling your IP network in
code within 5 years, most likely 3.”

Page 6

VoIP Fraud Update

Page 7

Enumeration
[Chart: SIP REGISTER attempts, events per honeypot (avg), 2011 to 2015; y-axis from 0 to 70,000,000]
Where have they all gone?

Page 8

Enumeration
OPTIONS to enumerate users

Page 9

Enumeration

```
SIP/2.0 200 OK
Via: SIP/2.0/UDP XXX.XXX.XXX.XXX:5060 ;branch=z9hG4bK-25245-1-0;received=XXX.XXX.XXX.XXX;rport=5060
From: sipp <sip:[email protected]:5060>;tag=1
To: <sip:[email protected]>;tag=as6bcdbe08
Call-ID: [email protected]
CSeq: 1 OPTIONS
Server: Asterisk PBX 10.5.1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Contact: <XXX.XXX.XXX.XXX:5060>
Accept: application/sdp
Content-Length: 0
```

Reply where user exists.

Page 10

Enumeration

```
SIP/2.0 404 Not Found
Via: SIP/2.0/UDP XXX.XXX.XXX.XXX:5060 ;branch=z9hG4bK-25231-1-0;received=XXX.XXX.XXX.XXX;rport=5060
From: sipp <sip:[email protected]:5060>;tag=1
To: <sip:[email protected]>;tag=as4c0176b1
Call-ID: [email protected]
CSeq: 1 OPTIONS
Server: Asterisk PBX 10.5.1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Accept: application/sdp
Content-Length: 0
```

Reply where user does not exist. The status code alone (200 versus 404) tells the sender whether the user exists, and no credentials are ever presented.

Page 11

Enumeration
fail2ban won’t help you here: the OPTIONS probes never fail authentication, so nothing appears in the logs it watches.

Page 12

Our SIP IPS IDS*
* The P comes later!

Page 13

Honeypot architecture
[Diagram: FreeSWITCH, Splunk]
http://mirror.simwood.com/honeypot

Page 14

IDS architecture
[Diagram: three edge span ports, each mirrored into a Kamailio instance; each Kamailio writes to a Redis instance that feeds a fast worker and a slow worker; the slow workers write to an ElasticSearch cluster]

Page 15

Kamailio

```
# ----------------- setting module-specific parameters ---------------
# Capture raw traffic mirrored from the span port on both edge addresses
modparam("sipcapture", "raw_socket_listen", "10.0.0.1:5060-5090")
modparam("sipcapture", "raw_socket_listen", "10.0.0.2:5060-5090")
modparam("sipcapture", "raw_moni_capture_on", 1)
modparam("sipcapture", "capture_on", 1)
# Note typo. Doesn't appear to do anything - promiscuous forced in rc.local
modparam("sipcapture", "promiscious_on", 1)
# db not used but necessary
modparam("sipcapture", "db_url", "mysql://homer_user:homer_password@localhost/homer_data")
modparam("sipcapture", "table_name", "sip_capture_call")
# Local Redis that the fast and slow workers read from
modparam("ndb_redis", "server", "name=local;addr=000.000.000.000;port=6379")
```

Page 16

```
request_route {
    # One event hash per Call-ID, written atomically
    redis_cmd("local", "MULTI", "r");
    redis_cmd("local", "HSET event:$(ci{s.escape.common}) @timestamp $TS", "r");
    redis_cmd("local", "HSET event:$(ci{s.escape.common}) sourceip $si", "r");
    redis_cmd("local", "HSET event:$(ci{s.escape.common}) toip $Ri", "r");
    redis_cmd("local", "HSET event:$(ci{s.escape.common}) method $(rm{s.escape.common})", "r");
    redis_cmd("local", "HSET event:$(ci{s.escape.common}) from $(fu{s.escape.common})", "r");
    redis_cmd("local", "HSET event:$(ci{s.escape.common}) to $(tu{s.escape.common})", "r");
    redis_cmd("local", "HSET event:$(ci{s.escape.common}) dialled '$(tU{s.escape.common})'", "r");
    redis_cmd("local", "HSET event:$(ci{s.escape.common}) ua $(ua{s.escape.common})", "r");
    # Keep only the leading token of the User-Agent so products group together
    $var(user_agent) = $(ua{re.subst,/^([a-zA-Z0-9-]+)(.*)/\1/});
    redis_cmd("local", "HSET event:$(ci{s.escape.common}) short_ua $(var(user_agent){s.escape.common})", "r");
    redis_cmd("local", "HSET event:$(ci{s.escape.common}) node $HN(n)", "r");
    # Events only need to live long enough for the workers to pick them up
    redis_cmd("local", "EXPIRE event:$(ci{s.escape.common}) 10", "r");
    redis_cmd("local", "LPUSH rate_events $(ci{s.escape.common})", "r");
    redis_cmd("local", "LPUSH events $(ci{s.escape.common})", "r");
    redis_cmd("local", "EXEC", "r");
    # Capture only: never answer mirrored traffic
    drop;
}
```

Page 17

Fast Worker (Node.js)
Updates rate counters for all SIP traffic
Output to Redis only

Page 18

Slow Worker (Node.js)
Categorises & flags
Queries reputation cache
Inserts relevant events to ElasticSearch
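The following is an added example, not code from the talk or from Simwood: an offline stand-in for the fast worker / slow worker pair, run over the enumeration pattern from the earlier slides. Each event carries the fields the Kamailio request_route HSETs into Redis (@timestamp, sourceip, toip, method, from, to, dialled, ua, node); Redis is replaced by in-memory Maps, the sample traffic and IP addresses are constructed, and the "five distinct users" threshold is an assumption rather than a figure from the talk.

```javascript
// Added example (not from the talk): in-memory fast worker + slow worker.

// Reproduces the slide's short_ua derivation, $(ua{re.subst,/^([a-zA-Z0-9-]+)(.*)/\1/}):
// keep the leading token of the User-Agent so products group together.
function shortUa(ua) {
  const m = /^([a-zA-Z0-9-]+)/.exec(ua || '');
  return m ? m[1] : '';
}

// Fast worker: per (source IP, method) sliding-window counters. The 10 s window
// mirrors the EXPIRE the request_route sets on each event hash. Events are
// assumed to arrive in timestamp order, as they do when popped off one list.
class RateCounters {
  constructor(windowSec = 10) {
    this.windowMs = windowSec * 1000;
    this.seen = new Map(); // "sourceip|method" -> timestamps (ms) inside the window
  }
  add(event) {
    const key = `${event.sourceip}|${event.method}`;
    const ts = Date.parse(event['@timestamp']);
    const stamps = this.seen.get(key) || [];
    stamps.push(ts);
    while (stamps.length && stamps[0] <= ts - this.windowMs) stamps.shift();
    this.seen.set(key, stamps);
    return stamps.length;
  }
  rate(sourceip, method) {
    return (this.seen.get(`${sourceip}|${method}`) || []).length;
  }
}

// Slow worker: categorise and flag. The enumeration pattern on the slides is one
// source sending OPTIONS to many *distinct* users: every probe is answered 200 or
// 404 and no authentication ever fails, so log-watching tools never see it.
class Categoriser {
  constructor({ distinctUsers = 5 } = {}) {
    this.distinctUsers = distinctUsers; // assumed threshold, not a figure from the talk
    this.targets = new Map(); // sourceip -> Set of dialled users probed
  }
  classify(event) {
    const users = this.targets.get(event.sourceip) || new Set();
    users.add(event.dialled);
    this.targets.set(event.sourceip, users);
    if (event.method === 'OPTIONS' && users.size >= this.distinctUsers) {
      return { category: 'enumeration', action: 'block-source-ip' };
    }
    return { category: 'normal', action: null };
  }
}

// Runs both workers over an ordered event list and returns what would go to
// ElasticSearch (flags) and to IP routing (source IPs to block).
function processEvents(events) {
  const counters = new RateCounters();
  const categoriser = new Categoriser();
  const flags = [];
  const blocks = new Set();
  for (const ev of events) {
    const rate = counters.add(ev);
    const verdict = categoriser.classify(ev);
    if (verdict.category !== 'normal') {
      flags.push({ sourceip: ev.sourceip, short_ua: shortUa(ev.ua), rate, ...verdict });
      if (verdict.action === 'block-source-ip') blocks.add(ev.sourceip);
    }
  }
  return { flags, blocks: [...blocks], counters };
}

// Constructed sample traffic (RFC 5737 documentation addresses, made-up users):
// a scanner walking extensions 100-105 with OPTIONS, and a customer PBX whose
// OPTIONS keepalives and REGISTER all target its own single account.
function sampleEvents() {
  const mk = (sec, sourceip, method, dialled, ua) => ({
    '@timestamp': `2015-05-27T10:00:${String(sec).padStart(2, '0')}Z`,
    sourceip, toip: '192.0.2.10', method,
    from: `sip:${dialled}@192.0.2.10`, to: `sip:${dialled}@192.0.2.10`,
    dialled, ua, node: 'edge1',
  });
  const events = [];
  for (let i = 0; i < 6; i++) events.push(mk(i, '203.0.113.7', 'OPTIONS', String(100 + i), 'sipp'));
  for (let i = 0; i < 6; i++) events.push(mk(i, '198.51.100.21', 'OPTIONS', '2001', 'Asterisk PBX 10.5.1'));
  events.push(mk(7, '198.51.100.21', 'REGISTER', '2001', 'Asterisk PBX 10.5.1'));
  return events.sort((a, b) => a['@timestamp'].localeCompare(b['@timestamp']));
}

if (typeof require !== 'undefined' && require.main === module) {
  const { flags, blocks } = processEvents(sampleEvents());
  console.log(JSON.stringify({ flags, blocks }, null, 1));
}
```

The PBX sends just as many OPTIONS in the window as the scanner, so a pure rate counter cannot tell them apart; what separates them is the number of distinct users probed, which is why the distinct-user set lives in the slow worker rather than in the rate counters.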

Page 19

Output to voice routing
Real-time test number blacklist

Page 20

Output to IP routing
Real-time source IP to block
Real-time 4-tuple to block

Page 22

Network protection

Page 23

How do we block them?
IPS? SBC? On host?

Page 24

Where?
Traditional network: Core, Aggregation, Access, Hosts

Page 25

None scale
All have a place in the mix but do not effectively scale to network or international level.

Page 26

Solution
Use the network to protect itself. Add additional measures where appropriate.

Page 27

Traditional network: Core, Aggregation, Access, Hosts

Page 28

How?
ACL? BGP? SDN?

Page 29

ACL
Applied per port by console
Not feasible to change dynamically network-wide
Good for relatively static config

Page 30

BGP
Great for dynamic config at Internet scale
BGP alone = blackhole destination
BGP + loose uRPF = blackhole source + destination
Control from software
Nuclear option: address blocked, not flow*
* Unless using FlowSpec on Juniper platforms

Page 31

SDN
Abstracts control from forwarding (sound familiar?)
Software controller(s)
Total control at layer 2+
On paper: programme your network
Reality: vendor-hyped and viewed cautiously

Page 32

Merchant silicon / white boxes
Linux OS
Tb/s+ per U in hardware!
APIs, XMPP
Your code

Page 33

The future! Hugely exciting.
Hopefully more at ClueCon!

Page 34

Summary
3 things
1. VoIP fraud evolution
2. Dynamic detection
3. Dynamic prevention

Page 35

Summary
1 idea
“The majority of you will be controlling your IP network in
code within 5 years, most likely 3.”

Page 36

Any questions?