Protecting VoIP networks against denial of service and service theft - PowerPoint PPT Presentation

Slides: 10
Provided by: henningsc
Transcript and Presenter's Notes

1
Protecting VoIP networks against denial of
service and service theft
  • Henning Schulzrinne
  • with Gaston Ormazabal (Verizon) and IRT graduate
    students
  • Dept. of Computer Science
  • Columbia University
  • March 30, 2007

2
VoIP is Different
  • No retransmission for voice data -> no recovery
    of lost data
  • Real time application -> delay must be below 150
    ms
  • Merges traditional PSTN networks with IP -> new
    avenues for attacks on IP networks and PSTN
  • Optimize security overhead such that it doesn't
    impact delays
  • Billing in VoIP services is different from PSTN
      • flat rate billing
      • multiple extensions

Diagram from http://www.sipera.com
3
VoIP Threat Taxonomy
Scope of our research
Refer to http://www.voipsa.org for more details
on this taxonomy
4
Scope of Our Research
Scope of current work
5
Previous Work
  • Successfully implemented a large scale SIP-aware
    Firewall (using dynamic pinhole filtering)
  • The filter is used as a first line of defense
    against DoS attacks at the network perimeter and
    it enforces the following:
      • Only signalled media channels can traverse the
        perimeter
      • End systems are protected against flooding of
        random RTP or other attacks.
  • The RTP pinhole filtering approach is a good
    first line of defense, but
      • The signalling port (5060) is subject to attack
        on the signalling infrastructure
  • This led us to define the new problem...
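
The pinhole rule on this slide, sketched as an added example; it is not code from the presentation or from the authors' firewall. The class name, the SIP messages and the addresses are constructed for illustration, and the sketch assumes IPv4 audio with a single session-level `c=` line and matches on destination address and port only.

```python
import re

# Constructed sample SIP messages (not from the presentation).
SDP = "v=0\r\nc=IN IP4 {ip}\r\nm=audio {port} RTP/AVP 0\r\n"
HDRS = "Call-ID: a84b4c76e66710\r\nContent-Type: application/sdp\r\n\r\n"
INVITE = ("INVITE sip:bob@example.com SIP/2.0\r\n" + HDRS
          + SDP.format(ip="192.0.2.10", port=49170))
OK_200 = "SIP/2.0 200 OK\r\n" + HDRS + SDP.format(ip="198.51.100.20", port=3456)
BYE = "BYE sip:bob@example.com SIP/2.0\r\nCall-ID: a84b4c76e66710\r\n\r\n"


class PinholeFilter:
    """Default-deny RTP; open (ip, port) pinholes only from SDP seen in SIP."""

    def __init__(self):
        self.pinholes = {}  # Call-ID -> set of signalled (ip, port) endpoints

    def on_sip(self, msg):
        head, _, body = msg.partition("\r\n\r\n")
        cid = re.search(r"^Call-ID:\s*(\S+)", head, re.M | re.I)
        if not cid:
            return
        if head.startswith(("BYE ", "CANCEL ")):
            self.pinholes.pop(cid.group(1), None)  # call over: close pinholes
            return
        # Simplification: one session-level c= line applies to every m= line.
        conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)
        for media in re.finditer(r"^m=audio (\d+) RTP/AVP", body, re.M):
            if conn:
                endpoint = (conn.group(1), int(media.group(1)))
                self.pinholes.setdefault(cid.group(1), set()).add(endpoint)

    def allow_rtp(self, dst_ip, dst_port):
        """True only if the packet targets an endpoint some live call signalled."""
        return any((dst_ip, dst_port) in eps for eps in self.pinholes.values())


if __name__ == "__main__":
    fw = PinholeFilter()
    fw.on_sip(INVITE)
    fw.on_sip(OK_200)
    print(fw.allow_rtp("192.0.2.10", 49170))   # signalled endpoint
    print(fw.allow_rtp("192.0.2.10", 40000))   # unsignalled port
    fw.on_sip(BYE)
    print(fw.allow_rtp("192.0.2.10", 49170))   # pinhole closed after BYE
```

The filter itself still has to read every message arriving on port 5060, which is the exposure the slide's last two bullets point at.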

6
Mitigation Solution Overview
[Diagram; labels: Untrusted, Trusted, Filter I, Filter II, DPPM, sipd, SIP, RTP, VoIP Traffic, Attack Traffic]
7
Testing Results With the Return Routability filter

Call Rate (calls/sec)  No. of Concurrent calls (load)  Number of calls setup  Number of calls dropped  % calls dropped
1                      12,000                          12,000                 0                        0.0
50                     12,000                          12,000                 0                        0.0
100                    12,000                          1,331                  10,669                   88.9
100                    6,000                           1,252                  4,748                    79.1
100                    4,000                           1,344                  2,656                    66.4
100                    2,000                           1,922                  78                       3.9
200                    2,000                           1,884                  116                      5.8
300                    2,000                           1,800                  200                      10
8
Theft of Service
  • Theft of service causes lost revenue and bad
    reputation
      • resources are abused, causing monetary losses
      • unauthorized usage can degrade the whole system's
        performance
  • Related theft-of-service attacks
      • distributed denial of service on billing system
      • spoofing, content alteration, intrusion, platform
        attacks
  • Checks to perform before establishing session
      • enough funds, 800 numbers, emergency number
      • multimedia services, messages, etc.
  • Possible theft of service scenarios
      • using services without paying
      • illegal resource sharing for unlimited plans
      • compromised systems -- use third-party services
      • call spoofing and vishing
  • Currently developing a test tool to identify
    weaknesses in deployed systems and lab prototypes

9
Benefits to Verizon and Columbia
  • Technology Transfer to Verizon Labs
      • Set up a replica of Columbia testbed in Silver
        Spring VoIP lab for rapid SBC evaluation
  • Licensing Agreement with CloudShield
      • Currently negotiating a Royalty Agreement to take
        technology to market
  • Intellectual Property
      • Patents and Publications (NANOG)