Session Initiation Session Initiation Protocol (SIP)Protocol (SIP)

Features of SIPFeatures of SIP

SIP is a lightweight, transport-independent, SIP is a lightweight, transport-independent, text-based protocol. SIP has the following text-based protocol. SIP has the following features:features:

Lightweight, in that SIP has only four Lightweight, in that SIP has only four methods, reducing complexity methods, reducing complexity

Transport-independent, because SIP can Transport-independent, because SIP can be used with UDP, TCP, ATM & so on. be used with UDP, TCP, ATM & so on.

Text-based, allowing for low overhead Text-based, allowing for low overhead SIP is primarily used for VOIP callsSIP is primarily used for VOIP calls

Functions of SIPFunctions of SIP

Location of an end pointLocation of an end point Signal of a desire to communicateSignal of a desire to communicate Negotiation of session parameters to Negotiation of session parameters to

establish the sessionestablish the session And teardown of the session once And teardown of the session once

established. established.

How SIP worksHow SIP works

SIP user agentsSIP user agents: like cell phones, PCs etc. : like cell phones, PCs etc. They initiate message writing.They initiate message writing.

SIP Registrar serversSIP Registrar servers: They are databases : They are databases containing User Agent locations; they send containing User Agent locations; they send agents IP address information to SIP proxy agents IP address information to SIP proxy servers.servers.

SIP Proxy serversSIP Proxy servers: accepts session request : accepts session request made by UA and queries SIP registrar server made by UA and queries SIP registrar server to find recipient UA address.to find recipient UA address.

SIP Redirect serversSIP Redirect servers: they help : they help communicating outside the domaincommunicating outside the domain

Continued..Continued..

Continued..Continued..

Our user A tries to call user B (1)Our user A tries to call user B (1) Domain SIP proxy server now queries Domain SIP proxy server now queries

Registrar server in the same domain to Registrar server in the same domain to know about user B’s address (2)know about user B’s address (2)

Registrar responds with the address (3)Registrar responds with the address (3) SIP proxy server calls B (4)SIP proxy server calls B (4) User B responds to SIP proxy (5)User B responds to SIP proxy (5) SIP proxy answers to User A (6)SIP proxy answers to User A (6) Now multimedia session is established on Now multimedia session is established on

RTP protocol (7)RTP protocol (7)

More about SIP..More about SIP..

SIP relies on SDP and RTP protocolsSIP relies on SDP and RTP protocols

SIP proxy is a server in a SIP-based IP SIP proxy is a server in a SIP-based IP telephony environment telephony environment

The SIP proxy takes over call control from The SIP proxy takes over call control from the terminals and serves as a central the terminals and serves as a central repository for address translation (name to repository for address translation (name to IP address) IP address)

SIP AdvantagesSIP Advantages

SIP is a based on HTTP and MIME, which SIP is a based on HTTP and MIME, which makes it suitable for integrated voice-data makes it suitable for integrated voice-data applications applications

SIP is designed for real time transmissionSIP is designed for real time transmission

SIP AdvantagesSIP Advantages

Uses fewer resources Uses fewer resources

Is Less complex than H.323 protocolIs Less complex than H.323 protocol

SIP uses URLs and is human readable SIP uses URLs and is human readable

SIP DisadvantagesSIP Disadvantages

First one: One SIP challenge is that SIP First one: One SIP challenge is that SIP message contain information that Client message contain information that Client and/or server will like to keep private but and/or server will like to keep private but SIP header as well as message in the open SIP header as well as message in the open and distributed architecture of VOIP and distributed architecture of VOIP systems makes it difficult to keep this systems makes it difficult to keep this information confidential. information confidential.

I will talk about a technique to address it I will talk about a technique to address it later…later…

Registration hijackingRegistration hijacking

When a SIP user is registering with SIP When a SIP user is registering with SIP Registrar server the attacker can hijack the Registrar server the attacker can hijack the registration:registration:1.By disabling the legitimate user's 1.By disabling the legitimate user's registration using DOS attack on user registration using DOS attack on user machinemachine2.Send a REGISTER request with the 2.Send a REGISTER request with the attacker's IP address instead of the attacker's IP address instead of the legitimate user's legitimate user's

Contact header information is changed by Contact header information is changed by attacker by replacing its own IP in place of attacker by replacing its own IP in place of original usersoriginal users

Registration hijackingRegistration hijacking

This leads to the attacker getting the SIP This leads to the attacker getting the SIP messages intended for our original user- a messages intended for our original user- a clearly undesirable conditionclearly undesirable condition

Two main reasons for this attack are: SIP Two main reasons for this attack are: SIP messages being sent in clear and no SIP messages being sent in clear and no SIP message authentication built into the message authentication built into the protocolprotocol

EavesdroppingEavesdropping

EavesdroppingEavesdropping is a big problem for SIP is a big problem for SIP based VOIP traffic. Many internet tools like based VOIP traffic. Many internet tools like Ethereal do thatEthereal do that

Eavesdropping….how Eavesdropping….how ethereal worksethereal works Eavesdropping in VoIP requires Eavesdropping in VoIP requires

intercepting the signaling and associated intercepting the signaling and associated media streams of a conversationmedia streams of a conversation

Media streams typically are carried over Media streams typically are carried over UDP using the RTP UDP using the RTP

How ethereal worksHow ethereal works

Capture and decode RTP packetsCapture and decode RTP packets

Analyzing session : here we reassemble Analyzing session : here we reassemble the packetsthe packets

We store this data in audio files We store this data in audio files (like .wav, .au)(like .wav, .au)

Some remedies….Some remedies….

IPSEC security for IP packets can be one IPSEC security for IP packets can be one solutionsolution

A more common solution is to use Ethernet A more common solution is to use Ethernet switches to restrict broadcasting data to all switches to restrict broadcasting data to all and sundry on the network.and sundry on the network.

SpoofingSpoofing

Spoofing is another issue where someone Spoofing is another issue where someone can pose as a user and gets unauthorized can pose as a user and gets unauthorized accessaccess

Address authentication between callers built Address authentication between callers built in the underlying transport protocols can in the underlying transport protocols can resolve thisresolve this

DOSDOS

Denial of serviceDenial of service can be caused if the can be caused if the Proxy/registrar servers are somehow Proxy/registrar servers are somehow floodedflooded

The solution lies in configuring servers to The solution lies in configuring servers to tackle this problem in their configuration tackle this problem in their configuration settingssettings

SIP Security MechanismsSIP Security Mechanisms

IPSECIPSEC is another way to protect IP packets is another way to protect IP packets the secure encryption making them safe the secure encryption making them safe from unauthorized access/modificationfrom unauthorized access/modification

So with shared keys between parties So with shared keys between parties IPSEC can provide the secure path for IPSEC can provide the secure path for communication between SIP partnerscommunication between SIP partners

TLSTLS

TLSTLS is another answer for security here is another answer for security here networked parties during handshake can networked parties during handshake can share their certificates which can be used share their certificates which can be used for the secure transfer later.for the secure transfer later.

It is widely in use in the wired internet It is widely in use in the wired internet marketmarket

TLS lies below FTP(ALP) but above TCP TLS lies below FTP(ALP) but above TCP thus obviating the need for TCP header thus obviating the need for TCP header encryption.encryption.

Session Border Controller for SIPSession Border Controller for SIP

A Firewall typically helps in the simple browser requesting for some information by ensuring that only the requested content gets transferred back to the browser and not the other information this is not so in a typical SIP using VOIP transfer where there are two holes on the firewall for public access: one for signaling and other for media packets.

Also the firewall in say two LANs connected via internet will otherwise reject the other LANS traffic thinking it malicious.

SBCSBC

For these addresses to be on public side of For these addresses to be on public side of firewall the IP address based attacks firewall the IP address based attacks become a real possibility become a real possibility

The SBC works by making all The SBC works by making all communication work outwards for media communication work outwards for media and signaling even the incoming onesand signaling even the incoming ones

SBCSBC

SBCSBC

When our Client starts it registers with the When our Client starts it registers with the registration server now SBC takes over the registration server now SBC takes over the function of a PO Box so an incoming party function of a PO Box so an incoming party knows your PO Box address but only your knows your PO Box address but only your PO Box (your SBC) knows your real IP PO Box (your SBC) knows your real IP address. address.

So primarily for both signaling and media So primarily for both signaling and media exchange SBC acts as the bridge between exchange SBC acts as the bridge between outside client and us. outside client and us.

SBCSBC

SBC allows: signaling and media SBC allows: signaling and media connections to be dynamically opened and connections to be dynamically opened and outbound connected.outbound connected.

SBC hides your real IP and polices the SBC hides your real IP and polices the signaling and media connections. signaling and media connections.

SIP Denial of ServiceSIP Denial of Service

DOS attacks are based on exhausting DOS attacks are based on exhausting some server response and thus rendering some server response and thus rendering it incapable for some/all functionalitiesit incapable for some/all functionalities

SIP server copies each incoming request in SIP server copies each incoming request in its internal buffers its internal buffers

Types of SIP servers (proxy Types of SIP servers (proxy server)server) Stateless serversStateless servers: They just keep a copy : They just keep a copy

of message while message is being sent of message while message is being sent out then delete it.out then delete it.

Stateful serversStateful servers: In general, we can : In general, we can distinguish between two types of states in distinguish between two types of states in SIP:SIP:• • Transaction state: A transaction stateful Transaction state: A transaction stateful server stores a copy of the received server stores a copy of the received request as well as the forwarded requestrequest as well as the forwarded request• • Session state: In certain cases servers Session state: In certain cases servers need to maintain some information about need to maintain some information about the session throughout the lifetime of the the session throughout the lifetime of the session. session.

Continued…Continued…

Regardless the server will need to maintain Regardless the server will need to maintain the buffered data while contacting another the buffered data while contacting another entity like an authentication, authorization, entity like an authentication, authorization, and accounting (AAA) server, a Domain and accounting (AAA) server, a Domain

Name Service (DNS) serverName Service (DNS) server

CPU based DOSCPU based DOS

When a SIP message is received SIP When a SIP message is received SIP server needs to parse this message, do server needs to parse this message, do some processing (e.g., authentication) and some processing (e.g., authentication) and forward the messageforward the message

Though Server CPU is high speed still a lot Though Server CPU is high speed still a lot of parallel loads and following resource of parallel loads and following resource depletion can cause server blocks and depletion can cause server blocks and other malfunctions causing a DOSother malfunctions causing a DOS

Bandwidth based DOSBandwidth based DOS

Sometimes access links connecting a SIP Sometimes access links connecting a SIP server are so much overloaded as to cause server are so much overloaded as to cause congestion Lossescongestion Losses

So SIP messages get lost causing further So SIP messages get lost causing further delay and at least a transient DOS occursdelay and at least a transient DOS occurs

DOS attacks can both be with or without DOS attacks can both be with or without malicious intent. SIP and its supporting malicious intent. SIP and its supporting transport protocols both need protection transport protocols both need protection

and safeguarding from attack.and safeguarding from attack.

DOS based on Memory DOS based on Memory exhaustionexhaustion A Stateful server is an easy target for A Stateful server is an easy target for

flooding with many requests for different flooding with many requests for different transactions.transactions.

Memory based exploitation can have two Memory based exploitation can have two basic types: to initiate a number of SIP basic types: to initiate a number of SIP sessions with different SIP identities and sessions with different SIP identities and broken session attacks where a receiver broken session attacks where a receiver gets an INVITE but then no response from gets an INVITE but then no response from the initiator many such pending invites can the initiator many such pending invites can cause memory exhaustioncause memory exhaustion

Some CountermeasuresSome Countermeasures

Just like for a web or email server make a Just like for a web or email server make a list of suspected users and blacklist themlist of suspected users and blacklist them

Using authentication strategies is also Using authentication strategies is also preferable. But more CPU resources are preferable. But more CPU resources are needed to tighten these security problems needed to tighten these security problems

Continued..Continued..

Also having SIP proxy server and Also having SIP proxy server and applications server on the same hardware applications server on the same hardware can really slow down the response time. can really slow down the response time. SIP proxy may need some other server’s SIP proxy may need some other server’s service and this can cause other request to service and this can cause other request to be suspended sometimes be suspended sometimes

Having dedicated hardware for servers is Having dedicated hardware for servers is importantimportant

Continued..Continued..

The first line of Defense for DOS is having The first line of Defense for DOS is having high speed CPU, big efficient memory and high speed CPU, big efficient memory and many access linksmany access links

Clean memory allocation and parsing Clean memory allocation and parsing schemes is equally importantschemes is equally important

Parallel processing can lead to many Parallel processing can lead to many request being served simultaneously and request being served simultaneously and parallel execution of message parsing and parallel execution of message parsing and forwarding of messages.forwarding of messages.

Challenges…Challenges…

Text based nature of SIP renders it Text based nature of SIP renders it vulnerable to spoofing, hijacking and vulnerable to spoofing, hijacking and message tamperingmessage tampering

SIP utilizes transport layer protocols like SIP utilizes transport layer protocols like TCP, UDP. So its vulnerable to their set of TCP, UDP. So its vulnerable to their set of attacks too like for TCP: SYN Flood and attacks too like for TCP: SYN Flood and TCP session hijackingTCP session hijacking

FOR SIP software virus/bugs are also an FOR SIP software virus/bugs are also an issue which can be dealt by using antivirus issue which can be dealt by using antivirus softwaresoftware

SIP Security MechanismSIP Security Mechanism

SIP specification does not include any SIP specification does not include any specific security mechanism but relies on specific security mechanism but relies on other internet security mechanisms like other internet security mechanisms like HTTPS Digest, TLS, and IPSEC.HTTPS Digest, TLS, and IPSEC.

How this authentication worksHow this authentication works

Continued..Continued..

SIP authentication works this way:SIP authentication works this way: SIP client sends a SIP INVITE which gets SIP client sends a SIP INVITE which gets

answered by a 407 reply which is the answered by a 407 reply which is the authenticator from the SIP Proxy server.authenticator from the SIP Proxy server.

Client now uses this authenticator to create Client now uses this authenticator to create information for its new headerinformation for its new header

With this new header attached it sends With this new header attached it sends back REINVITE to Proxy serverback REINVITE to Proxy server

Continued..Continued..

IPSEC is another way to protect IP packets IPSEC is another way to protect IP packets the secure encryption making them safe the secure encryption making them safe from unauthorized access/modificationfrom unauthorized access/modification

So in one traditional way with shared keys So in one traditional way with shared keys between communicating parties IPSEC can between communicating parties IPSEC can provide the secure path for communication provide the secure path for communication between SIP partnersbetween SIP partners

References…References…

SIP: Wikipedia

SIP Security Mechanisms: A state-of-the-art review Dimitris Geneiatakis, Georgios Kambourakis, Tasos Dagiuklas,Costas Lambrinoudakis and Stefanos Gritzalis

Newport Networks SBC Whitepaper

Denial of Service Attacks Targeting a SIP VoIP Infrastructure: Attack Scenarios and Prevention Mechanisms Dorgham Sisalem and Jiri

Kuthan, Tekelec Sven Ehlert, Fraunhofer Fokus

http://www.securityfocus.com/infocus/1862/2 Many information chunks from certain websites