Columbia - Verizon Research Secure SIP: Scalable DoS Prevention Mechanisms for SIP-based VoIP Systems, and Validation Test Tools - PowerPoint PPT Presentation

Loading...

PPT – Columbia - Verizon Research Secure SIP: Scalable DoS Prevention Mechanisms for SIP-based VoIP Systems, and Validation Test Tools PowerPoint presentation | free to download - id: 6a0149-MTI4M



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Columbia - Verizon Research Secure SIP: Scalable DoS Prevention Mechanisms for SIP-based VoIP Systems, and Validation Test Tools

Description:

Columbia - Verizon Research Secure SIP: Scalable DoS Prevention Mechanisms for SIP-based VoIP Systems, and Validation Test Tools Gaston Ormazabal – PowerPoint PPT presentation

Number of Views:33
Avg rating:3.0/5.0
Date added: 16 March 2020
Slides: 86
Provided by: Christin609
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Columbia - Verizon Research Secure SIP: Scalable DoS Prevention Mechanisms for SIP-based VoIP Systems, and Validation Test Tools


1
Columbia - Verizon Research Secure SIP Scalable
DoS Prevention Mechanisms for SIP-based VoIP
Systems, and Validation Test Tools
Gaston Ormazabal Verizon Laboratories
July 26, 2015
2
Agenda
  • A successful collaboration
  • Verizon and CATT Professor Schulzrinne - three
    year program
  • Project Overview
  • Background, Research Focus, and Goals
  • DoS
  • VoIP Threat Model
  • DoS Detection and Mitigation Strategy
  • DoS Validation Methodology - DoS Automated Attack
    Tool
  • Value to Verizon
  • Intellectual Property/Technology Licensing
  • Next Steps
  • Conclusions

3
Verizon CATT Program
  • Collaboration between Verizon and Center of
    Advanced Technology Telecommunications
  • Verizon
  • PI Gaston Ormazabal
  • CATT
  • Columbia University
  • PI Prof. Henning Schulzrinne
  • Graduate Students
  • Currently Milind Nimesh
  • Previously Sarvesh Nagpal, Eilon Yardeni
  • New York University
  • Polytechnic Institute

4
Background Research Focus
  • SIP is the VoIP protocol of choice for both
    wireline and wireless telephony
  • Control protocol for the Internet Multimedia
    Systems (IMS) architecture
  • VoIP services fast becoming attractive DoS and
    ToS targets
  • DoS attack traffic traversing network perimeter
    reduces availability of signaling and media for
    VoIP
  • Theft of Service must be prevented to maintain
    service integrity
  • Reduces ability to collect revenue and providers
    reputation both are at stake
  • Attack targets
  • SIP infrastructure elements (proxy, softswitch,
    SBC, CSCF-P/I/S)
  • End-points (SIP phones)
  • Supporting services (e.g., DNS, Directory, DHCP,
    HSS, DIAMETER, Authorization Servers)
  • Verizon needs to solve security problem for VoIP
    services
  • Protocol-aware application layer gateway for RTP
  • SIP DoS/DDoS detection and prevention for SIP
    channel
  • Theft of Service Architectural Integrity
    Verification Tool
  • Need to verify performance scalability at
    carrier class rates
  • Security and Performance are a zero sum game
  • Columbia likes to work on real life problems
    analyze large data sets
  • Goal of improving generic architectures and
    testing methodologies
  • Columbia has world-renowned expertise in SIP

5
Goals
  • Study VoIP DoS and ToS for SIP
  • Definition define SIP specific threats
  • Detection how do we detect an attack?
  • Mitigation defense strategy and implementation
  • Validation validate our defense strategy
  • Generate requirements for future security network
    elements and prototypes
  • Share these requirements with vendors
  • Generate the test tools and strategies for their
    validation
  • Share these tools with vendors

6
Approach
  • Definition
  • Detection
  • Mitigation
  • Validation

7
VoIP Threat Taxonomy
Scope of our research - 2007
Scope of our research - 2006
- VoIP Security and Privacy Threat Taxonomy,
VoIP Security Alliance Report, October, 2005
(http//www.voipsa.org)
8
Denial of Service Theft of Service
  • Denial of Service preventing users from
    effectively using the target services
  • Service degradation to a not usable point
  • Complete loss of service
  • Distributed Denial of Service attacks represent
    the main threat facing network operators
  • Most attacks involve compromised hosts (bots)
  • botnets sized from a few thousands to over a
    million
  • 25 of all computers on Internet may be botnets
  • Theft of Service any unlawful taking of an
    economic benefit from a service provider
  • With intention to deprive of lawful revenue or
    property

- Worldwide ISP Security Report, September 2005,
Arbor Networks - Criminals 'may overwhelm the
web', 25 January, 2007. BBC
9
SIP DoS Attack Taxonomy
  • DoS
  • Implementation flaws
  • Application level
  • Flooding

10
DoS Implementation Flaws
Attacker sends carefully crafted packet(s) to
exploit a specific implementation flaw
  • Vulnerability target origin
  • Different levels of the network protocol stack
  • Underlying OS/firmware
  • Result
  • Excessive consumption
  • Memory
  • Disk
  • CPU
  • System reboot or crash
  • Potential for TOS

11
DoS Application Level Attacks
A feature of SIP is manipulated to cause a DoS
attack
  • Registration Hijacking
  • Attacker registers his device with another user's
    URI
  • Call Hijacking
  • Attacker injects a 301 Moved Permanently
    message to an active session
  • Amplification attacks
  • Attacker creates bogus requests with falsified
    Via header field that identifies a target host
  • UAs/proxies generate a DDoS against that target

12
DoS Application Level Attacks
  • Session teardown attacks
  • Attacker spoofs a BYE message
  • Injects it to an active session
  • Tears down the session
  • Tricks billing server to stop billing, call
    continues
  • Modification of media sessions
  • Attacker spoofs re-INVITE messages causing
  • QoS reduction
  • Media redirection
  • Security attributes modification
  • Media streams attacks
  • Attacker injects spoofed RTP packets with high
    SEQ numbers into the media streams
  • Changes the play-out sequence

13
DoS Flooding Attacks
Attacker floods a network link or overwhelms the
target host
  • IP variants
  • UDP floods
  • ICMP echo attacks
  • SYN floods
  • VoIP variants
  • Floods of INVITE or REGISTER messages
  • Cause excessive processing at a SIP proxy
  • Floods of RTP
  • Cause excessive processing at Media Gateway
  • Requires more resources from the attacker
  • Harder to defend against
  • Even the best maintained networks can become
    congested

14
Goals
  • Definition
  • Detection
  • Mitigation
  • Validation

15
Mitigation Strategy
  • Implementation flaws are easier to deal with
  • Systems can be tested before used in production
  • Systems can be patched when a new flaw is
    discovered
  • Attack signatures can be integrated with a
    firewall
  • Application level and flooding attacks are harder
    to defend against
  • SIP infrastructure element defense
  • Commercially available solutions for general
    UDP/SYN flooding but none for SIP
  • ? Address application level and flooding attacks
    specifically for SIP

16
Strategy Focus
  • VULNERABILITY Most security problems are due
    to
  • flexible grammar ? syntax-based attacks
  • Plain text ? interception and modification
  • SIP over UDP ? ability to spoof SIP requests
  • Registration/Call Hijacking
  • Modification of Media sessions
  • SIP Method vulnerabilities
  • Session teardown
  • Request flooding
  • Error Message flooding
  • RTP flooding
  • STRATEGY Two DoS detection and mitigation
    filters
  • SIP Two types of rule-based detection and
    mitigation filters
  • Media SIP-aware dynamic pinhole filtering

17
Previous Work on SIP DoS
  • Implemented a large scale SIP-aware firewall
    using dynamic pinhole filtering
  • First-line of defense against DoS attacks at the
    network perimeter
  • Only signaled RTP media channels can traverse it
  • End systems are protected against flooding of
    random RTP
  • The RTP pinhole filtering approach is a good
    first-line of defense but
  • The signaling port (5060) is still subject to
    attack on the signaling infrastructure
  • ? hence SIP specific filtering was implemented
    for the first time

18
Mitigation Solution Overview
Untrusted
Trusted
Untrusted
Trusted
Filter II
sipd
Filter I
Filter II
sipd
Filter I
DPPM
DPPM
SIP
SIP
SIP
SIP
SIP
SIP
RTP
RTP
RTP
RTP
19
SIP Detection and Mitigation Filters
  • Authentication Based - Return Routability Check
  • Require SIP built-in digest authentication
    mechanism
  • Authentication with shared secret
  • Filter out spoofed sources
  • Method Specific Based Rate Limiting
  • Transaction based
  • Thresholding of message rates
  • INVITE
  • Errors
  • State Machine sequencing
  • Filter out-of-state messages
  • Allow in-state messages
  • Dialog based
  • Only useful in BYE and CANCEL messages
  • Dynamic Pinhole Filtering for RTP
  • Only signaled RTP media channels can traverse
    perimeter
  • Obtain from SDP interception
  • End systems are protected against flooding of
    random RTP

20
CloudShield CS-2000 System
System Level Port Distribution
Application Server Module Pentium 1GHz
21
SIP Digest Authentication
User Agent Client (UAC)
Proxy Server
Generate the nonce value
407 Proxy Authentication
Required (nonce, realm..)
nonce a uniquely generated string used for one
challenge only and has a life time of 60 seconds
INVITE
(nonce, response)
22
SIP Digest Authentication Statistics
  • Digest authentication accounts for
  • nearly 80 of processing cost of a call for a
    stateless server
  • 45 of a call for a stateful server
  • Additional cost
  • 70 for message processing
  • 30 for authentication computation (hashing)

SIP Security Issues The SIP Authentication
Procedure and its Processing Load, Salsano et
al., IEEE Network, November 2002
23
Return-Routability Implementation Succeeds
Untrusted
Trusted
DPPM
sipd
SIP UA
NPU
RAM
CAM
IP 128.59.21.70
(128.59.21.70, nonce"6ydARDP51P8Ef9H4iiHmUc7iFDE
" )
24
Return-Routability Implementation Fails
Untrusted
Trusted
DPPM
sipd
SIP UA
NPU
X
CAM
RAM
IP 1.2.3.4
(1.2.3.4, nonce"6ydARDP51P8Ef9H4iiHmUc7iFDE" )
25
SIP Session Analysis
SIP sessions/calls can be broken down to 4 levels
of granularity
  • A call contains one or more Dialogs
  • A Dialog contains one or more Transactions
  • Request/response
  • Typically 2 in case of an INVITE-200 OK BYE-OK
    type of session
  • Transactions are of two types
  • Client
  • INVITE Transactions
  • Non-INVITE Transactions
  • Server
  • INVITE Transactions
  • Non-INVITE Transactions

26
Dialogs and Transactions in SIP
27
Level Identifiers
  • Dialog Level
  • A Dialog is identified by
  • The Call-ID field
  • The From Tag
  • The To Tag
  • Rate-limiting at Dialog level is coarser ? not
    applied to keep state information
  • Transaction Level
  • A Transaction is identified by
  • The "Branch" parameter of the Via header
  • The "Method" name in the CSeq field
  • Rate-limiting is more refined and can pinpoint
    to more specific parameter thresholds ? more
    effective to keep state information
  • The Transaction-ID and Dialog-ID are generated by
    applying CRC-32 on a collection of the above
    mentioned fields.
  • The unique CRC-32 Hash generated is used as an
    index in the CAM tables

28
Method Specific Filtering
This approach involves defense against specific
method vulnerabilities
  • INVITE
  • Filter redundant INVITE messages by looking up
    its Transaction-ID and rejecting if its
    Transaction-ID already exists in State tables.
  • Responses
  • 100 Trying
  • 180 Ringing
  • 200 OK
  • Errors (300 600)
  • Out-of-State
  • Sequence of unexpected messages

29
Transaction Filtering
  • Rate limit messages based on expected Transaction
    traffic
  • 1 INVITE per transaction
  • 1 (or more) 100 Trying per transaction
  • 1 (or more) 180 Ringing per transaction
  • 1 200OK per transaction
  • 1 ACK per transaction
  • N (based on testing) errors per transaction
  • Error status message rate limiter implemented as
    high-speed counters in SRAM with granularity of 1
    second
  • Rate limits error status messages within the
    context of a valid transaction

29
30
SIP Message Relationships
  • CAM database has very low latency lookups
  • Aged lookup tables implemented to track dialog
    and transaction relationships
  • Message lookup tables
  • Dialog-ID Table
  • Transaction-ID Table
  • Messages Identified by Type and Code
  • Type Request or Response
  • Code Request Method or Response Status Code

Dialog ID
Transaction ID
30
31
Transaction Filtering
  • For every new SIP request message received, a
    Transaction-ID (TXNID) is created
  • TXNID is a 32 bit integer calculated by HASH (Top
    Via BranchID, CSEQ Command Value)
  • TXNIDs are stored in a different CAM table (from
    pinholes and nonces)
  • If TXNID is duplicate, drop the packet
  • Ideally only one SIP request message allowed
    per TXNID
  • Binary switch
  • Retransmission of same request multiple times
    require a finite retransmissions window
  • 5 packets in current network set up
  • Should be settable for more complex networks
  • Optimization to reduce false positives
  • If TXNID is not duplicate, then go on to next
    step
  • When new subsequent status messages are received
  • If status message record is valid, request
    accepted
  • If status message record is bogus, packet dropped
  • Additional check rate of requests per transaction
    per second not to exceed a selected finite number
    (6), else packet dropped

32
SIP Transaction State Validation
  • Makes an entry for first Transaction Request and
    logs subsequent status messages
  • Logs all messages on per transaction basis
  • Use of wild cards in regular expression syntax
  • All permutations of allowed states validated in a
    single operation
  • Received packet is added to status messages table
    for original Transaction
  • If received status message fits valid state
    pattern, it is accepted
  • Messages resulting in invalid state pattern are
    dropped and also removed from transaction message
    log
  • e.g. the sequence INVITE, 100, 180, 200, 180,
    200 causes filter to only allow INVITE, 100, 180,
    200, and 180/200 is struck out as 180 is out of
    state
  • Transaction state is rolled back to the last
    known good state
  • Overlays on top of other filtering mechanisms

33
SIP Transaction State Validation
34
Firewall Components
  • Static Filtering
  • Filtering of pre-defined ports (e.g., SIP, ssh,
    6252)
  • Dynamic Filtering
  • Filtering of dynamically opened RTP ports
  • Filtering of nonce and method redundancy
  • Switching Layer
  • Perform switching between the input ports
  • Firewall Control Module
  • Intercept SIP call setup messages
  • Get nonce from 407 Need Auth
  • Get RTP ports from the SDP
  • Maintain call state
  • Firewall Control Protocol
  • The way the Firewall Control Module talks with
    the firewall
  • Push filter for SIP UA authentication challenge
    (with nonce) and media ports
  • Push dynamic table updates to the data plane
  • May be used by multiple SIP Proxies that control
    one or more firewalls

Firewall Data Plane Execution
35
Integrated DDOS and Dynamic Pinhole Filter

Linux server
ASM
DPPM
FCP/UDP
Lookup
Switch
Drop
36
Goals
  • Definition
  • Detection
  • Mitigation
  • Validation

37
Method-based SIP DoS Attack Scenarios
Flood of Responses
Flood of Requests
Flood of Out-of-State
38
Integrated Testing and Analysis Environment
39
Test Tools
  • SIPp, SIPStone, and SIPUA are benchmarking tools
    for SIP proxy and redirect servers
  • Establish calls using SIP in Loader/Handler mode
  • A controller software module (secureSIP) wrapped
    over SIPp/SIPUA/SIPStone launches legitimate and
    illegitimate calls at a pre-configured workload
  • SIPp
  • Robust open-source test tool / traffic generator
    for SIP
  • Customizable XML scenarios for traffic generation
  • 5 inbuilt timers to provide accurate statistics
  • Customized to launch SIP DoS attack traffic
    scenarios designed to cause proxy to fail
  • SIPStone
  • Continuously launches spoofed calls which the
    proxy is expected to filter
  • For this project enhanced with
  • Null Digest Authentication
  • Optional spoofed source IP address SIP requests
  • SIPUA Test Suite
  • Built-in Digest Authentication functionality
  • Sends 160 byte RTP packets every 20ms
  • Settable to shorter interval (10ms) if needed for
    granularity
  • Starts RTP sequence numbers from zero
  • Dumps call number, sequence number, current
    timestamp and port numbers to a file

40
secureSIP Controller
  • Controller
  • Automated Web-based Control Software run on SUN
    (Linux) box
  • Connects to the Pair of End Points (Loaders and
    Handlers)
  • Supplies external traffic generation over Private
    Channel (6252)
  • Launches attack traffic
  • Changes type of traffic on the fly
  • External stress on SUT
  • SIPp in Array Form supplies traffic from 16 SUN
    (Linux) boxes in various configurations for SIP
    DoS experiments
  • SIPUA in Array Form supplies traffic from 16 SUN
    (Linux) boxes for pinhole experiments
  • Results Analyzer
  • Gathers, analyzes and correlates results
  • Handler/Loaders update results to database in
    real-time
  • Controller analyzes results from databases and
    aggregates them to get the number of initiated
    and torn-down calls and their rates

41
secureSIP Control Architecture
42
secureSIP Test Results for DoS Pinholes
SIP DoS Measurements (showing max supported call
rates)
Dynamic Pinhole
Firewall Filters OFF Firewall Filters OFF Firewall Filters OFF Firewall Filters ON Firewall Filters ON Firewall Filters ON
Traffic Composition Good CPS Attack CPS CPU Load Good CPS Attack CPS CPU Load
Non-Auth Traffic 690 0 87.81 690 0 88.04
Auth Good Traffic 240 0 19.83 240 0 39.64
Auth Good Traffic 480 0 81.20 480 0 81.75
Auth Good Traffic Spoof Traffic 240 2950 83.64 240 16800 41.39
Auth Good Traffic Spoof Traffic 480 195 85.40 480 14400 82.72
Auth Good Traffic Flood of Requests 240 3230 84.42 240 8400 40.83
Auth Good Traffic Flood of Requests 480 570 86.12 480 7200 82.58
Auth Good Traffic Flood of Responses 240 2970 87.2 240 8400 41.33
Auth Good Traffic Flood of Responses 480 330 86.97 480 7200 82.58
Auth Good Traffic Flood of Out-of-State 240 2805 86.24 240 8400 40.29
Auth Good Traffic Flood of Out-of-State 480 290 84.81 480 7200 82.19
Concurrent Calls Call rate (CPS) Delay due to Firewall Delay due to Firewall
Concurrent Calls Call rate (CPS) Pinhole opening ms Pinhole closing ms
20000 300 14.6 0
25000 300 15 0
30000 300 16.6 155.1
30000 200 16 0.2
43
The Bigger Picture - Columbia VoIP Testbed
  • Columbia VoIP test bed is collection of various
    open-source, commercial and home-grown SIP
    components
  • provides a unique platform for validating
    research
  • Columbia-Verizon Research partnership has
    addressed major security problems
  • signalling, media and social threats
  • Researched DoS solutions verified against
    powerful test setup at very high traffic rates
  • ToS successfully validated integrity of different
    setups of test bed

44
Value to Verizon
  • Enhanced VoIP security via standards and vendor
    involvement
  • Columbia requirements valid for VoIP, Presence
    and Multimedia architectures
  • Rolled the requirements and lessons learned into
    the Verizon security architecture and new element
    requirements database for procurement
  • Working with Verizon vendors to mitigate
    exposures
  • Setup one-of-its-kind laboratory facilities for
    VoIP security evaluations and product development
  • At Columbia, prototype rapid development
    incubator
  • At Verizon, Columbia/Verizon collaborative test
    tools set up for a more realistic complex
    IP-routed laboratory environment
  • Intellectual Property with Six Patent
    Applications
  • Taken research quickly into marketplace with
    rapid commercialization
  • Licensing Agreement with equipment manufacturers
  • Several vendors interested
  • Exclusive vs. Non-exclusive
  • Verizon Intellectual Property contact Gwen
    Thaxter (gwen.thaxter_at_verizon.com, 845-620-5156)

45
Intellectual Property - Patent Applications
  • Fine Granularity Scalability and Performance of
    SIP Aware Border Gateways Methodology and
    Architecture for Measurements
  • Inventors Henning Schulzrinne, Kundan Singh,
    Eilon Yardeni (Columbia), Gaston Ormazabal
    (Verizon)
  • Architectural Design of a High Performance
    SIP-aware Application Layer Gateway
  • Inventors Henning Schulzrinne, Jonathan Lennox,
    Eilon Yardeni (Columbia), Gaston Ormazabal
    (Verizon)
  • Architectural Design of a High Performance
    SIP-aware DOS Detection and Mitigation System
  • Inventors Henning Schulzrinne, Eilon Yardeni,
    Somdutt Patnaik (Columbia), Gaston Ormazabal
    (Verizon)
  • Architectural Design of a High Performance
    SIP-aware DOS Detection and Mitigation System -
    Rate Limiting Thresholds
  • Inventors Henning Schulzrinne, Somdutt Patnaik
    (Columbia), Gaston Ormazabal (Verizon)
  • System and Method for Testing Network Firewall
    for Denial of Service (DoS) Detection and
    Prevention in Signaling Channel
  • Inventors Henning Schulzrinne, Eilon Yardeni,
    Sarvesh Nagpal (Columbia), Gaston Ormazabal
    (Verizon)
  • Theft of Service Architectural Integrity
    Validation Tools for Session Initiation Protocol
    (SIP) Based Systems
  • Inventors Henning Schulzrinne, Sarvesh Nagpal
    (Columbia), Gaston Ormazabal (Verizon)

46
Publications, Presentations, Recognition
  • Importance of rapid dissemination of results in
    industry and academia
  • For knowledge diffusion and ubiquity among
    research practitioners
  • For PR reasons (licensing agreements and
    potential sales)
  • Presentation at NANOG 38 Oct. 10 2006 (HS/GO)
  • Paper published in NANOG 38 2006 Proceedings -
    Scalable Mechanisms for Protecting SIP-Based
    VoIP Systems
  • Made a headline in VON Magazine on October 11,
    2006 http//www.vonmag.com/webexclusives/2006/10/
    10_NANOG_Talks_Securing_SIP.asp
  • Presentation to at Global 3G Evolution Forum
    Tokyo, Japan, Jan. 2007 (GO)
  • Presentation/demo at IPTComm 2007 New York
    City, July, 2007 (GO)
  • Presentation at OSS/BSS Summit Tucson, AZ,
    September, 2007 (GO)
  • Presentation at Columbia Science and Technology
    Ventures Symposium From Signal to Information
    Displayed in a Wireless World, April 2008
    (HS/GO)
  • Presentation at IPTComm 2008 Heidelberg, July,
    2008 Secure SIP A scalable prevention mechanism
    for DoS attacks on SIP based VoIP systems (GO)
  • Presentation at IIT VoIP Conference and Expo IV
    Chicago, October, 2008 (GO)
  • Paper published by Springer Verlag - Principles,
    Systems and Applications of IP Telecommunications
    in October 2008 http//www.springerlink.com/cont
    ent/r5t1652v3572/
  • Work incorporated in a new Masters level course
    on VoIP Security taught at Columbia since Fall
    2006, every year
  • COMS 4995-1 Special Topics in Computer Science
    VoIP Security (HS)
  • CATT Technological Impact Award - 2007
  • Invited presentation at FBI-sponsored
    International Conference on Cyber Security A
    Global Solution to Emerging Cyber Threats, New
    York City, January, 2009 http//www.iccs.fordham.
    edu/program.htm

47
Next Steps for Verizon
  • New vulnerability require a new mitigation
    technology for VoIP products
  • VoIP should not be deployed without protection
  • SIP proxies are vulnerable to crash
  • Attack tool is easy to build and use
  • Carriers (e.g., Verizon) will need new network
    elements
  • RFP will include these requirements
  • Vendors must have a ready solution
  • Conversion of research into a product that
    carriers can use
  • Need to determine optimal architecture for DoS
    prevention functionality for VoIP
  • Security vs. Performance
  • Hardware vs. Software Implementation
  • Proxy/Softswitch (SW)
  • SBC or New network element (HW/SW), Router?
  • Use internally (protect VZ Network)
  • Use externally (sell new security services to
    large customers)
  • Get other companies interested to synergize
    resources and share results

48
Next Steps for Verizon
  • Cisco has just joined project funding research at
    NYU Polytechnic Institute to develop hardware
    prototype
  • Objective is to research the optimal hardware
    platform to implement Columbia-Verizon SIP
    algorithms
  • Use Cisco experimental cards that will eventually
    become router blades
  • Continue relationship with Columbia
  • Cisco is funding maintenance of the Verizon
    testbeds
  • For further research in distributed computing and
    traffic generation enhancements
  • To assist NYU Poly in testing and validation of
    new prototype against previous benchmarks
  • To assist in eventual product development during
    product testing cycle
  • Feedback loop of research and product cycle
  • Other research in related areas
  • Proposal to study SRTP/RTSP
  • What can we do to make the working relationship
    even more productive?
  • Have the synergistic combination of both CATT
    components (NYU Polytech and Columbia) and two
    major industry players (Cisco and Verizon)
  • A model worth emulating!

48
49
Potential Value to Cisco
  • New vulnerability require a new mitigation
    technology for VoIP products
  • Verizon and other carriers will need new network
    elements
  • Eventually an RFP will include these requirements
  • Vendors must have a ready solution
  • Incorporation of new technology/functionality
    into Cisco products, e.g.,
  • Service Edge Routers (e.g., 6909/7609)
  • Enterprise Routers (e.g., 4000 series)
  • Testbed support for product development
  • Setup unique laboratory facilities for VoIP
    security evaluations and product development
    testing
  • In Columbia, prototype rapid development
    incubator
  • In Verizon, incorporated Columbia/Verizon
    collaborative test tools for a more realistic
    complex IP-routed laboratory environment

49
50
Potential Value to Cisco
  • Typical Verizon VoIP wireline architecture
  • Possible use in wireless VoIP architectures
  • LTE plan contemplates migration to SIP

50
51
Conclusions
  • Research Results
  • Demonstrated SIP vulnerabilities for VoIP
    resulting in new DoS susceptibility for both
    wireline and wireless
  • Work is fully reusable to secure a Presence and
    IMS infrastructure
  • Implemented some carrier-class mitigation
    strategies
  • Prototype is first of its kind in the world
  • Removed SIP DoS traffic at carrier class rates
  • Developed new generic requirements
  • Built a validation testbed to measure performance
  • Developed customized test tools
  • Built a high powered SIP-specific Dos Attack tool
    using parallel computing
  • Crashed a SIP Proxy in seconds
  • Intellectual Property
  • Research activity resulted in six patent
    applications
  • Commercialization
  • Licensing agreements currently under negotiation
  • Have socialized new requirements and test tools
    with vendor community to address rapid field
    deployment
  • Major Vendors interested in new opportunities
  • Rapid implementation is now expected
  • Have created a partnership among both CATT
    university components and two major industry
    players

52
  • Thank you
  • Questions?
  • gaston.s.ormazabal_at_verizon.com
  • Paper published by Springer Verlag - Principles,
    Systems and Applications of IP Telecommunications
    in October 2008 http//www.springerlink.com/cont
    ent/r5t1652v3572/
  • Book available at http//www.amazon.com/Principle
    s-Applications-Telecommunications-Services-Generat
    ion/dp/354089053X/refsr_1_1?ieUTF8sbooksqid1
    226098298sr1-1

53
Next Steps - Possible New Projects
  • Address Interception/Modification and
    Eavesdropping
  • Study of SRTP and associated protocols (SDES)
  • Comparison study of IPSec and TLS
  • Study of SPIT prevention as a possible new
    service offering
  • Filtering of unwanted phone calls
  • Intrusion Detection
  • Large scale call logs data analysis for DoS and
    ToS
  • SIP DoS Testbed Maintenance and ongoing research
  • New machines (200 )

54
Backup Slides
55
The SIP Threat Model
  • Eavesdropping
  • Impersonation of a SIP entity
  • Interception and Modification of SIP messages
  • Service Abuse
  • Denial of Service

56
SIP Threat Model details (1)
  • Eavesdropping
  • Attacker can monitor signalling/media streams,
    but cannot or does not alter data itself
  • Signalling channel is not confidential
  • Call Pattern Tracking
  • Discovery of identity, affiliation, presence
  • Traffic Capture
  • Packet recording
  • Number harvesting
  • Unauthorized collection of numbers, emails, SIP
    URIs

57
SIP Threat Model details (2)
  • Impersonating of a SIP entity
  • Impersonate a UA
  • Absense of assurance of a request's originator
  • Registration Hijacking attacker deregisters a
    legitimate contact and registers its own device
    for that contact
  • Impersonate a Server
  • UAs should authenticate the server to whom they
    send requests
  • Attacker impersonates a remote server and
    intercepts the UA's request

58
SIP Threat Model details (3)
  • Interception and modification of SIP messages
  • Man-in-the-middle attack
  • UA is using SIP to communicate media session keys
  • Call Re-routing
  • Attacker might modify the SDP in order to route
    media streams to a wire-tapping device
  • Conversation Degradation
  • Attacker might cause intentional reduction in QoS
  • False Call Identification
  • Change Subject so message considered Spam

59
SIP Threat Model details (4)
  • Service Abuse
  • Call Conference Abuse
  • Hide identity for the purpose of committing fraud
  • Premium Rate Service Fraud
  • Artificially increase traffic in order to
    maximize billing
  • Improper Bypass or Adjustment to Billing
  • Avoid authorized service charge by altering
    billing records

60
Scope of Our Research - VoIP
Scope of current work
61
Mitigation Prototype Implementation
  • Firewall platform filters media and SIP proxy
    authentication attempts, and rate-limits messages
    based on Method specific controls
  • Utilizes wire-speed deep packet inspection
  • Thresholds are kept internal in the DPPM
  • State is only kept in Firewall in CAM tables
  • Firewall controlling proxy model for media
    filtering and the authentication filter
  • Columbia's SIP Proxy sipd controls the Firewall
    Deep Packet Inspection Server
  • Utilize the Firewall Control Protocol to
    establish/insert filters in CAM table in real
    time
  • SIP UAs being authentication challenged (IP,
    nonce)
  • Media ports

62
Dynamic Pinhole Filtering
SIPUA User1
SIPUA User2
CAM Table
128.59.19.16343564
128.59.19.16356432
62
63
Pinhole Problem Definition
  • Problem parameterized along two independent
    vectors
  • Call Rate (calls/sec)
  • Related to performance of SIP Proxy in Pentium
  • Concurrent Calls
  • Related to performance of table lookup in IXP
    2800
  • Data Collected in Excel spreadsheet format
  • Number of concurrent calls, calls/sec, Opening
    delay, Closing delay, device
  • SIP Proxy
  • SIP RAVE
  • Opening delay data provided in units of 20 ms
    packets
  • Closing delay data provided in units of 10 ms
    packets

64
Pinhole Data Results
65
SIP Security Overview
  • Application Layer Security
  • SIP RFC 2543 little security
  • SIP RFC 3261 security enhancements
  • Digest Authentication
  • TLS
  • IPSec
  • SRTP/ZRTP (RFC 3711)
  • Perimeter Protection
  • SIP aware Filtering Mechanisms
  • SIP aware DOS Protection
  • Detection and Mitigation

66
SIP Security Overview
  • Application layer security
  • Digest Authentication, TLS, S/MIME, IPSec,
    certificates
  • SRTP/SDES/MIKEY/ZRTP for media
  • Convergence leads to converged attacks
  • Data network attacks
  • DDoS, spoofing, content alteration, platform
    attacks
  • Voice over IP network attacks
  • Toll fraud, session hijacking, theft of service,
    spam/spit
  • Most security problems are due to
  • User Datagram Protocol (UDP) instead of TCP/TLS
  • Plain text instead of S/MIME
  • Message/Method vulnerability
  • Flexible grammar --gt syntax-based attacks

66
67
Pinhole Testing Methodology
  • Generate external load on the firewall
  • SIPUA Loader/Handler in external load mode
  • Generates thousands of concurrent RTP sessions
  • For 30K concurrent calls have 120K open pinholes
  • CAM table length is 120K entries
  • Search algorithm finds match in one cycle
  • When external load is established, run the IEP
    analysis
  • SIPUA Loader/Handler in internal load mode
  • Port scanning and Protocol analyzer
  • Increment calls/sec rate
  • Measure pinhole opening and closing delays
  • Detect pinholes extraneously open

67
68
Theft of Service
Theft of Service
69
Theft of Service Overview
  • VoIP is different
  • Not a static but a real-time application
  • Direct comparisons with PSTN
  • According to Subex Azure 3 of total revenue is
    subject to fraud
  • VoIP can be expected to be at least twice as
    large a proportion of revenue
  • Theft of Service is more daunting problem in VoIP
  • Implications of ToS
  • Lost revenue and bad reputation
  • Abused resources cause monetary losses to network
    providers
  • Unauthorized usage degrades whole systems
    performance
  • Scenarios
  • Using services without paying
  • Illegal Resource Sharing (unlimited-plans)
  • Compromised Systems
  • Call Spoofing and Vishing

Billing World and OSS Magazine Top Telco
Frauds and How to Stop Them, January 2007, by
Geoff Ibett
70
Simplified Billing Model
  • End-Points
  • Different devices can be used to connect a SIP
    server
  • Information Exchange
  • User data from end-points to SIP server should be
    protected
  • Communication between SIP server and
    Authorization server should be safe from
    eavesdropping attacks
  • Billing
  • DIAMETER should be secured to avoid billing
    attacks
  • Recommended IPSec with Encryption
  • Authorization server must be hardened to avoid OS
    attacks

71
Theft of Service Research Goals
  • Verification of security implementation
  • Automate validation process
  • Creating new tools and scripts
  • Modify existing tools to create a package
  • Architectural Integrity Verification Tool
  • Identity Assurance
  • Multiple End Points
  • Intrusion Detection
  • Black-box type abstraction

72
Theft of Service Challenges
  • Client-side threats
  • Illegal resource sharing
  • Compromised hardware
  • Weak password
  • Server-side threats
  • Identity assurance
  • Unauthorized registration, unauthenticated INVITE
  • Digest authentication (nonce usage, password
    guessing)
  • Transport protocol choice (TCP/UDP)
  • TLS crypto strength
  • Spoofing to gain privileged access
  • DoS/DDoS attacks
  • Implementation flaws
  • Flooding billing system
  • DoS amplification prevention on Billing systems
  • Application level flaws
  • Counter Method-based vulnerabilities
  • BYE attack validation

73
Theft of Service Challenges
  • Service threats
  • Distinguish between audio call, single media
    stream or multiple destination signaling
  • Multimedia services, messages, etc.
  • Launching multiple simultaneous accounts
  • Multiple end-points
  • Authorization Safeguards
  • 800 numbers, emergency number
  • Voicemail messages checking portability ensured
  • Intrusion detection
  • Existing call logs help find patterns and detect
    anomaly

74
secureSIP Identity Assurance
  • Why do we need Identity Assurance?
  • Digest authentication is only as strong as
    password
  • Weak authentication ? false sense of security
  • Without Identity Assurance, difficult to
    backtrack to actual offender in any planned
    attack on network
  • TLS and S/MIME are future solutions
  • Password Guessing
  • Easy to crack weak passwords by dictionary attack
  • Compromised passwords can result in legal and
    financial implications for network provider
  • CrackLib contains 1.6 million most common
    passwords, available freely online

75
secureSIP Identity Assurance
  • Multiple password lists
  • choose password list suitable for experiment
  • extend any list, or simply add new one
  • Configurable speed of attack
  • option to launch fast, medium-paced or slow
    attack on authentication server
  • Utilizes distributed network power
  • all machines work in parallel to crack password
  • 1 million passwords in 100 seconds
  • Verification against standard SIP components
  • OpenSER used for doing identity assurance

76
secureSIP Multiple End Points
  • Single Address of Record but multiple URIs
    makes problem more challenging
  • Intentional resource sharing
  • Problem Users can intentionally misuse network
    resources from various end-points
  • Solution Geographical co-relation across space
    and time
  • Space E.164 TN, URI, IP address
  • Temporal timestamp (call log)

77
secureSIP Multiple End Points
  • Geographical location matching
  • Maps IP address to precise geographical location
  • Maxmind.com toolkit for accurate IP to location
    lookup
  • Area code also suggests location, IP is more
    precise
  • SIP log parser
  • Parses uploaded log file containing SIP traffic
  • Filters data into individual fields, puts it in
    database
  • Analyzer
  • Finds anomalies in call origin location and time
  • IP address for geographical location of a user
  • Statistical modelling
  • temporal usage patterns,
  • geographical usage patterns
  • Comparison of observed location patterns and time
    intervals to pre-defined thresholds
  • Minimize false positives and false negatives

78
secureSIP Intrusion Detection
  • Why do we need Intrusion Detection?
  • Unintentional resource sharing
  • Botnets, zombies can cause unreasonable load
  • Password authentication, encryption fails
  • Spam, SPIT and identity theft
  • Analyze patterns of incoming calls to network
  • Turing Test
  • See network wide pattern to detect fraud at the
    outset
  • Captures suspicious activity that may slip
    through firewall rules

79
secureSIP Intrusion Detection
  • Intrusion Detection
  • Out-of-domain SIP requests
  • Suspicious BYE and INVITE
  • Behavioural and knowledge-based techniques
  • Minimize classic DoS attacks
  • Session tear down, media modification
  • Billing server attack, call hijacking
  • Analyze historical call logs
  • Synthetic vs. Real (Verizon Business)
  • Need to develop a Security Event Management
    system
  • Analyze and correlate information provided by
    verification tool to detect, mitigate and prevent
    ToS

80
secureSIP Controller
  • Controller
  • Automated Web-based Control Software run on SUN
    box
  • Ability to configure attack traffic on the fly
  • Development Platform
  • Perl, MySQL and in-built web-server
  • Operating system independent, can be accessed
    remotely
  • Results Analyzer
  • Gathers, analyzes and correlates results
  • Measurement progress is saved to database in
    real-time
  • Controller analyzes results from database and
    aggregates them to present real-time statistics

81
Validation Strategy Methodology for Anti Spoofing
  • Use the SIPp and SIPStone testing tools in a
    distributed environment to generate legitimate
    and attack SIP traffic respectively
  • Generate both legitimate and spoofed source
    address requests
  • Measure the following calls/sec throughput
    values
  • Legitimate requests, without authentication
    (Capacity)
  • Legitimate requests, with authentication (Normal)
  • Legitimate (Normal) and spoofed requests
    (SAttacknof), without filters
  • Legitimate (Normal) and spoofed requests
    (SAttackf), with filters (Defense)
  • Identify the impact of spoofed addresses floods
    on the calls/sec rate of legitimate requests
  • Expect to see SAttackf ltlt SAttacknof , and
    ideally, D N
  • Calculate False Positive and False Negative rates
    from measurements
  • FP (Normal- Defense)/Normal
  • FN SAttackf/ SAttacknof

82
Validation Strategy Methodology for Rate Limiting
  • Use the SIPp and SIPStone testing tools in a
    distributed environment to generate legitimate
    and attack SIP traffic respectively
  • Generate both legitimate and spoofed source
    address requests
  • Measure the following calls/sec throughput
    values
  • Legitimate requests, without authentication
    (Capacity)
  • Legitimate requests, with authentication (Normal)
  • Legitimate (Normal) and Method requests/response/O
    oS (MAttacknof), without filters
  • Legitimate (Normal) and Method requests/response/O
    oS (MAttackf), with filters (Defense)
  • Identify the impact of spoofed addresses floods
    on the calls/sec rate of legitimate requests
  • Expect to see MAttackf ltlt MAttacknof , and
    ideally, D N
  • Calculate False Positive and False Negative rates
    from measurements
  • FP (Normal- Defense)/Normal
  • FN MAttackf/ MAttacknof

83
Dialog Filtering
  • Filtering based on Dialog parameters
  • Broader brushstroke than Transaction level
  • Only useful with floods of CANCEL or BYE
    requests
  • Identify a BYE message by its Dialog-ID
  • Maintain a database of INVITE sources (Contacts)
  • Verify and accept a BYE message only from
    legitimate source addresses
  • Reject it if it is not a part of an existing
    dialog

84
Transaction State Machine Filtering
  • Validates the state of each SIP transaction for
    each message received
  • Maintain state per transaction as per the state
    machine specified in RFC 3261
  • Client and Server
  • INVITE and Non-INVITE transactions
  • Maintain the state table
  • The filter allows only in-state messages and
    not allow out-of-state messages

84
85
Verizon Business Impact
  • SIP DoS work
  • Global Network Engineering Planning
    Organization
  • Support Technology organization to define new
    security architecture for VoIP Services
  • Network Information Security Organization
  • Better Security Reviews of Advantage VoIP
    Service
  • Global Customer Service Provisioning
    Organization
  • Sales Engineering Premier Accounts Team
    Briefing
  • SIP ToS work
  • Office of Chief Financial Officer
  • CreditCollections
About PowerShow.com