unregister attack in sip
DESCRIPTION
Unregister Attack in SIP. Jussi Kangasharju Darmstadt University of Technology. Anat Bremler-Barr Ronit Halachmi-Bekel Interdisciplinary center Herzliya . Unregister Attack. VoIP Denial Of Service attack - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/1.jpg)
Unregister Attack in SIP
Anat Bremler-Barr Ronit Halachmi-Bekel
Interdisciplinary center Herzliya
Jussi Kangasharju
Darmstadt University of Technology
![Page 2: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/2.jpg)
Unregister Attack
• VoIP Denial Of Service attack• Attacker cancels the registration of the
phone number in the system• The victim can no longer be reached• The victim has no idea that he cannot be
reached
![Page 3: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/3.jpg)
• Introduction to Telephony• VoIP• SIP• Unregister Attack• SOHA Solution• Conclusion
![Page 4: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/4.jpg)
Introduction to Telephony
• Manual switchboards• Electronic switchboards • VoIP phones• The technology is still changing
dramatically
![Page 5: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/5.jpg)
Circuit Switching• Two sides of the call creates an electric circuit
between them.• All the communication of the call travels this
circuit, and the channels are fully dedicated to the call
• Waste of resources when there is silence• Designated specifically to phone calls• Considered secure
![Page 6: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/6.jpg)
Packet Switching
• No physical link between source and destination, the path between them varies
• Resources are shared by all users (Internet)
• No meaning to physical location• Vulnerable
![Page 7: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/7.jpg)
• Introduction to Telephony• VoIP• SIP• Unregister Attack• SOHA Solution• Conclusion
![Page 8: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/8.jpg)
Voice Over Internet Protocol (VoIP)• A technology that allows phone calls to be made
over the internet• Packet switching• Use of • Two Phases:
– Registration (dynamic / static)– Calls
• Signaling: SIP, MGCP, H323• Media: RTP
![Page 9: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/9.jpg)
VoIP Advantages• Resources are shared by all users.
• Mobility
• Functionality– Forking – Advanced call flows
• Cost– Uses existing platforms– Decreased price of domestic and international
calls
![Page 10: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/10.jpg)
• Introduction to Telephony• VoIP• SIP• Unregister Attack• SOHA Solution• Conclusion
![Page 11: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/11.jpg)
Session Initiation Protocol (SIP)
• A text based signaling protocol
• Works mostly over UDP
• Used for internet telephony, instant messaging and presence services
![Page 12: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/12.jpg)
SIP (Cont.)
• Client-server model– Client: telephone (endpoint)– Server: proxy
• Messages– Request– Responses
![Page 13: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/13.jpg)
User
1000
ServerServer
User
2000
Call 2000
Look for 2000 location
No record for 2000
Look for 2000 location
Found address
Can you accept the call?
Do you know 2000?
Call accepted
yes
Call accepted
Call 2000
Call accepted
Record list:1xxx
Record list:2xxx
media
![Page 14: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/14.jpg)
Registration• Set of messages that eventually forms a record
at the server
• Record: a foursome of the typeName, Number, IP, Port
• Authorization and authentication are possible:– Handled per request– A challenge/response mechanism– The server SHOULD authenticate the
endpoint (RFC 3261)
![Page 15: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/15.jpg)
Registration (Cont.)• Expiry field - indicates how long the record
will be valid for
• Call-id – unique identifier that groups together a series of messages
• Cseq - identify and order transactions
![Page 16: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/16.jpg)
Registration server without authentication
User 1000
server
Initialization
Periodically
Register
OK
Record list: 1000
![Page 17: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/17.jpg)
Registration server with authentication
User 1000
server
Initialization
Periodically
Register
407 Proxy authentication required
Register Proxy authorization
OKRecord list: 1000
![Page 18: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/18.jpg)
Endpoint removal
• Endpoint removal:– Record expires according to the expiry
value– User sent unregister packet – a register
message with expiry value of zero.
• Server SHOULD support the unregister message (RFC 3261).
![Page 19: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/19.jpg)
• Introduction to Telephony• VoIP• SIP• Unregister Attack• SOHA Solution• Conclusion
![Page 20: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/20.jpg)
The Unregister Attack
• A new kind of Denial of Service attack on SIP servers
• The attacker sends a spoof unregister packet
• As a result the server removes the victim’s record
• The victim has no indication that he is not registered at the server
![Page 21: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/21.jpg)
Experiments
• Tested on 3 different common servers• Servers with/without authentication• Attacker with/without traffic knowledge• The attacker uses a simple script written in C
Attacker without traffic knowledge
Attacker with traffic knowledge
Server without
authenticationServer with
authentication
![Page 22: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/22.jpg)
Traffic knowledge – possible to receive
• Frustrated employee scenario• Wireless
– Public services without authentication– Some of wireless encryption is possible to
decrypt
![Page 23: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/23.jpg)
Server without authenticationAttacker without traffic knowledge
• Pre knowledge: – IP address of the victim– Phone number of the victim– IP address of the server
• Prevention:– Verification call-id and cseq fields
• In practice the attack succeeded on two different common servers
![Page 24: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/24.jpg)
Victim phone number
1000
server
Attacker
Worried mother
OKFrom: 1000Expiry: 1800Call-id: abcdefgCseq: 5
Register From: 1000Expiry: 0Call-id: ffffffffCseq 1
OKFrom: 1000Expiry : 0Call-id: ffffffffCseq: 1
Invite To: 1000
404 not found
Register From: 1000Expiry: 1800Call-id: abcdefgCseq 5
Record list: 1000
![Page 25: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/25.jpg)
AttacksAttacker without traffic
knowledgeAttacker with traffic
knowledge
Server without
authentication
Permissive definition
call – id and cseq verification
Server with authentication
SolutionProblem
![Page 26: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/26.jpg)
Server without authenticationAttacker with traffic knowledge
• Pre knowledge: – IP address of the victim– Phone number of the victim– IP address of the server– Call-id and Cseq
• Without encryption of the packet there is no way to prevent the attack
![Page 27: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/27.jpg)
Victim phone number
1000
server
Attacker
Worried mother
OKFrom: 1000Expiry: 1800Call-id: abcdefgCseq: 5
Register From: 1000Expiry: 0Call-id: abcdefgCseq 6
OKFrom: 1000Expiry : 0Call-id: abcdefgCseq: 6
Invite To: 1000
404 not found
Register From: 1000Expiry: 1800Call-id: abcdefgCseq 5
Record list: 1000
![Page 28: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/28.jpg)
Attacks
Attacker without traffic knowledge
Attacker with traffic knowledge
Server without authentication
Permissive definitionNot covered in the RFC
call – id and cseq verification
SOHA solution (our solution)
Server with authentication
SolutionProblem
![Page 29: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/29.jpg)
Server with authenticationAttacker without traffic knowledge
• No way to perform the attack
![Page 30: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/30.jpg)
Victim phone number
1000
server
Attacker
407 Proxy authentication required
Register From: 1000Expiry: 0Call-id: ffffffffCseq 1
Proxy-authorization: fgkhlfdkfkd…
Register From: 1000Expiry: 1800Call-id: abcdefgCseq 5
Register From: 1000
Call-id: abcdefg…Cseq 6
Proxy-authorization: xyzxyz…Expiry: 1800OKFrom: 1000Expiry: 1800Call-id: abcdefgCseq: 6
407 Proxy authentication required
Record list: 1000
Worried mother
Invite To: 1000
OK
![Page 31: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/31.jpg)
Attacks
Attacker without traffic knowledge
Attacker with traffic knowledge
Server without authentication
Permissive definitionNot covered in the RFC
call – id and cseq verification
SOHA solution (our solution)
Server with authentication
Impossible to attack
------------------
SolutionProblem
![Page 32: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/32.jpg)
Server with authenticationAttacker with traffic knowledge
• Replay attack – – Attacker uses the authentication data from the captured
packet• Pre knowledge:
– IP address of the victim– Phone number of the victim– IP address of the server– Call-id and Cseq– Previous authorization field value
• Prevention– Server should ask for new authorization value for every
packet it receives
![Page 33: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/33.jpg)
Victim phone number
1000
server
Attacker
Worried mother
OKFrom: 1000Expiry: 1800Call-id: abcdefgCseq:6
Register From: 1000Expiry: 0Call-id: abcdefgCseq 7
Proxy-authorization: xyzxyz…
OKFrom: 1000Expiry : 0Call-id: abcdefgCseq: 7
Invite To: 1000
404 not found
407 Proxy authentication required
Register From: 1000Expiry: 1800Call-id: abcdefgCseq 5
Register From: 1000
Call-id: abcdefg…Cseq 6
Proxy-authorization: xyzxyz…Expiry: 1800
Record list: 1000
![Page 34: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/34.jpg)
Attacks summaryAttacker without traffic
knowledgeAttacker with traffic
knowledge
Server without authentication
Permissive definitionNot covered in the RFC
call – id and cseq verification
SOHA solution (our solution)
Server with authentication
Impossible to attack Permissive implementation
------------------Zero duration nonce value
SolutionProblem
Attacker without traffic knowledge
Attacker with traffic knowledge
Server without authentication
Permissive definitionNot covered in the RFC
call – id and cseq verification
SOHA solution (our solution)
Server with authentication
Impossible to attack Permissive implementation
------------------Zero duration nonce value
![Page 35: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/35.jpg)
• Introduction to Telephony• VoIP• SIP• Unregister Attack• SOHA Solution• Conclusion
![Page 36: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/36.jpg)
Sip One way Hash function Algorithm - SOHA
• Provides a protection from the attack of server without authentication and attacker with traffic knowledge
• Provides protection from all other attacks as well
• Does not require configuration changes
• Based on “first is exclusive” rule - the first user to capture the phone number and name becomes the exclusive user
![Page 37: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/37.jpg)
SOHA (cont.)
• Hash function – – Takes a variable-length string as the input – Produces a fixed-length value as the output.
• One way function - a function that follows the following rules:– The description of the function is known and does not
require any secret information for its operation. – H(x) => Y– Y => H(?)
![Page 38: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/38.jpg)
n,x – random numbers
z = h(h(h(h(..h(x))..)
z’ = h(h(h(h(..h(x))..)
User
server
OKX-soha
RegisterX-hash-authenticate: z
If h(z’) = z OKX-soha
If h(z’) != z RejectX-soha
Record list: 1000,
Z = h(h(h(..(x))..) n times
Register/InviteX-hash-authenticate: z’
Record list: 1000,
Z’ = h(h(..(x)..) n-1 times
n times
n-1 times
![Page 39: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/39.jpg)
When n is close to zero or upon user’s choice user reset z value by adding x-hash-reset to x-hash-authenticate
User
server
Register/InviteX-hash-authenticate: z’
X-hash-reset : new value
OKX-soha
Record list: 1000, new val
Record list: 1000, Z
![Page 40: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/40.jpg)
SOHA (cont.)
• Does not verify the identity of the user
• Ensures that a correctly registered user will not be removed from the server by the attacker
![Page 41: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/41.jpg)
SOHA (cont.)
• Fully backward compatible• Requires an addition of header fields (supported
by SIP RFC):– x-hash-authenticate – used by the client.– x-hash-reset – used by the client.– x-soha – used by the server to indicate it
supports SOHA• SOHA similar to one time key password (RFC
2289)
![Page 42: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/42.jpg)
• Introduction to Telephony• VoIP• SIP• Unregister Attack• SOHA Solution• Conclusion
![Page 43: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/43.jpg)
Conclusion
• With advancement of telephony comes a new set of possible attacks
• The attacks are either on VoIP protocols or on supplementary protocols (UDP,DNS etc)
![Page 44: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/44.jpg)
Conclusion (cont.)• Some of the attacks can be prevented with strict
implementation of the RFC
• It is worth considering changing some of the RFC requirements from SHOULD to MUST to prevent possible attacks
• The consequence of implementing a SHOULD mechanism is not clear– non autherization in the server => unregister
attack
![Page 45: Unregister Attack in SIP](https://reader035.vdocuments.site/reader035/viewer/2022062814/56816829550346895dddbcaf/html5/thumbnails/45.jpg)
Questions ?