Columbia - Verizon Research Collaboration Secure SIP: Scalable DoS and ToS Prevention Mechanisms for SIP-based VoIP Systems, and Validation Test Tools

Slides: 34
Provided by: Christin609



Columbia - Verizon Research Collaboration
Secure SIP: Scalable DoS and ToS Prevention Mechanisms for SIP-based VoIP Systems, and Validation Test Tools
Gaston Ormazabal, Verizon Laboratories
Sarvesh Nagpal, Eilon Yardeni, Henning Schulzrinne, Columbia University
July 26, 2015
  • Discussion: A successful collaboration
  • Value to Verizon
  • Project Overview
  • Background, Research Focus, and Goals
  • DoS
  • DoS Detection and Mitigation Strategy
  • DoS Validation Methodology - DoS Automated Attack
  • ToS
  • ToS Integrity Verification Tool and Validation
  • Intellectual Property
  • Next Steps
  • Conclusions

Discussion: A successful collaboration
A Successful Collaboration
  • Want a realistic perspective on what makes
    projects succeed and what is unlikely to work
  • Industry must see value or need to pursue IP
  • Rapid commercialization/productization in house
    or with an external industry partner
  • Agreement on fair distribution of
  • Typical arrangement: GRA + professor
  • Who typically needs to supervise multiple
    projects at the same time
  • Often companies seem to have the illusion that
    they get the faculty's full attention...
  • Require full attention of industry SME
  • Student mentoring/coaching
  • Industry perspective
  • Writing/Presentation skills
  • Manage Deliverables

Deliverables Management
  • Convert collective research insights into
    industry deliverables
  • Clear understanding of deliverables
  • Standards
  • Reports
  • Systems/Prototypes
  • Timelines
  • Start time and academic calendar
  • MS GRA vs. PhD

Value to Verizon
  • Intellectual Property with SIX Patent
  • Licensing Agreement
  • Taken research quickly into marketplace
  • Five vendors interested
  • Enhanced VoIP security through standards and
    vendor involvement
  • Worked with Verizon vendors to mitigate exposures
  • Rolled the requirements and lessons learned into
    the Verizon security architecture and new element
    requirements database for procurement
  • Columbia requirements valid for VoIP, Presence
    and Multimedia architectures
  • Setup laboratory facilities for VoIP security
    evaluations and product development
  • In Columbia, prototype rapid development
  • In Verizon, incorporated Columbia/Verizon
    collaborative test tools for a more realistic
    complex IP-routed laboratory environment

Verizon Business Impact
  • SIP DoS work impact on Verizon Business
  • Network Information Security Organization
  • Better Security Reviews of Advantage VoIP
  • Global Customer Service Provisioning
  • Sales Engineering Premier Accounts Team
  • Global Network Engineering Planning
  • Support Technology organization to define new
    security architecture for VoIP Services
  • SIP ToS work impact on Verizon Business
  • Office of Chief Financial Officer
  • Credit & Collections

Background Research Focus
  • SIP is the VoIP protocol of choice for both
    wireline and wireless telephony
  • Control protocol for the Internet Multimedia
    Systems (IMS) architecture
  • VoIP services migrating to IP are fast becoming
    attractive DoS and ToS targets
  • DoS attack traffic traversing network perimeter
    reduces availability of signaling and media for
  • Theft of Service must be prevented to maintain
    service integrity
  • Reduces ability to collect revenue and the provider's
    reputation; both are at stake
  • Attack targets
  • SIP infrastructure elements (proxy, softswitch,
    SBC, CSCF-P/I/S)
  • End-points (SIP phones)
  • Supporting services (e.g., DNS, Directory, DHCP,
    HSS, DIAMETER, Authorization Servers)
  • Verizon needs to solve security problem for VoIP
  • Protocol-aware application layer gateway for RTP
  • SIP DoS/DDoS detection and prevention for SIP
  • Theft of Service Architectural Integrity
    Verification Tool
  • Need to verify performance scalability at
    carrier class rates
  • Security and Performance are a zero sum game
  • Columbia likes to work on real-life problems and
    analyze large data sets
  • Goal of improving generic architectures and
    testing methodologies
  • Columbia has world-renowned expertise in SIP

  • Study VoIP DoS and ToS for SIP
  • Definition: define SIP-specific threats
  • Detection: how do we detect an attack?
  • Mitigation: defense strategy and implementation
  • Validation: validate our defense strategy
  • Generate requirements for future security network
    elements and prototypes
  • Share these requirements with vendors
  • Generate the test tools and strategies for their
  • Share these tools with vendors

VoIP Threat Taxonomy
Scope of our research - 2007
Scope of our research - 2006
- VoIP Security and Privacy Threat Taxonomy,
VoIP Security Alliance Report, October, 2005
Denial of Service / Theft of Service
  • Denial of Service: preventing users from
    effectively using the target services
  • Service degradation to an unusable point
  • Complete loss of service
  • Distributed Denial of Service attacks represent
    the main threat facing network operators
  • Most attacks involve compromised hosts (bots)
  • botnets sized from a few thousands to over
  • 25% of all computers on Internet may be botnets
  • Theft of Service: any unlawful taking of an
    economic benefit of a service provider
  • With intention to deprive of lawful revenue or

- Worldwide ISP Security Report, September 2005, Arbor Networks
- Criminals 'may overwhelm the web', 25 January 2007, BBC

DoS Mitigation Strategy
  • Implementation flaws are easier to deal with
  • Systems can be tested before used in production
  • Systems can be patched when a new flaw is
  • Attack signatures can be integrated with a
  • Application level and flooding attacks are harder
    to defend against
  • SIP infrastructure element defense
  • Commercially available solutions for general
    UDP/SYN flooding but none for SIP
  • → Address application level and flooding attacks
    specifically for SIP
  • → Identify and address architectural weaknesses
    before they are exploited to commit ToS

DoS Mitigation Solution Overview
[Figure labels: Filter I; Filter II]

Hardware Platform
[Figure labels: System Level Port Distribution; Application Server Module, Pentium 1GHz; Integrated DDOS and Dynamic Pinhole Filter]

Integrated Testing and Analysis Environment
[Figure labels: Linux server; Call Handlers (SIPUA/SIPp); Legitimate Loaders (SIPUA/SIPp); Attack Loaders (SIPStone/SIPp); GigE Switch (two); Controller (secureSIP); SIP Proxy]

Theft of Service Overview
  • VoIP is different
  • Not a static but a real-time application
  • Direct comparisons with PSTN
  • According to Subex Azure, 3% of total revenue is
    subject to fraud
  • VoIP can be expected to be at least twice as
    large a proportion of revenue
  • Theft of Service is a more daunting problem in VoIP
  • Implications of ToS
  • Lost revenue and bad reputation
  • Abused resources cause monetary losses to network
  • Unauthorized usage degrades whole systems
  • Scenarios
  • Using services without paying
  • Illegal Resource Sharing (unlimited-plans)
  • Compromised Systems
  • Call Spoofing and Vishing

- Billing World and OSS Magazine, "Top Telco Frauds and How to Stop Them", January 2007, by Geoff Ibett

The Bigger Picture - Columbia VoIP Testbed
  • Columbia VoIP test bed is a collection of various
    open-source, commercial and home-grown SIP
  • provides a unique platform for validating
  • Columbia-Verizon Research partnership has
    addressed major security problems
  • signalling, media and social threats
  • Researched DoS solutions verified against
    powerful test setup at very high traffic rates
  • ToS successfully validated integrity of different
    setups of test bed

Intellectual Property: Six Patent Applications
  • Fine Granularity Scalability and Performance of
    SIP Aware Border Gateways: Methodology and
    Architecture for Measurements
  • Inventors: Henning Schulzrinne, Kundan Singh,
    Eilon Yardeni (Columbia), Gaston Ormazabal
  • Architectural Design of a High Performance
    SIP-aware Application Layer Gateway
  • Inventors: Henning Schulzrinne, Jonathan Lennox,
    Eilon Yardeni (Columbia), Gaston Ormazabal
  • Architectural Design of a High Performance
    SIP-aware DOS Detection and Mitigation System
  • Inventors: Henning Schulzrinne, Eilon Yardeni,
    Somdutt Patnaik (Columbia), Gaston Ormazabal
  • Architectural Design of a High Performance
    SIP-aware DOS Detection and Mitigation System -
    Rate Limiting Thresholds
  • Inventors: Henning Schulzrinne, Somdutt Patnaik
    (Columbia), Gaston Ormazabal (Verizon)
  • System and Method for Testing Network Firewall
    for Denial of Service (DoS) Detection and
    Prevention in Signaling Channel
  • Inventors: Henning Schulzrinne, Eilon Yardeni,
    Sarvesh Nagpal (Columbia), Gaston Ormazabal
  • Theft of Service Architectural Integrity
    Validation Tools for Session Initiation Protocol
    (SIP) Based Systems
  • Inventors: Henning Schulzrinne, Sarvesh Nagpal
    (Columbia), Gaston Ormazabal (Verizon)

External Publications, Presentations,
  • Presentation at NANOG 38, Oct. 10, 2006 (HS/GO)
  • Securing SIP: Scalable Mechanisms for Protecting
    SIP-Based VoIP Systems
  • Authors: Henning Schulzrinne, Eilon Yardeni,
    Somdutt Patnaik (Columbia), Gaston Ormazabal
  • Paper approved for publication in NANOG 38 2006
  • Made a headline in VON Magazine on October 11,
    2006 http//
  • Presentation at Global 3G Evolution Forum,
    Tokyo, Japan, Jan. 2007 (GO)
  • Presentation at IPTComm 2007, New York City,
    July, 2007 (GO)
  • Presentation at OSS/BSS Summit, Tucson, AZ,
    September, 2007 (GO)
  • Paper in development for current work (to be
    presented at IPTComm 2008)
  • Secure SIP: A scalable prevention mechanism for
    DoS attacks on SIP based VoIP systems
  • Authors: Henning Schulzrinne, Eilon Yardeni,
    Sarvesh Nagpal (Columbia), Gaston Ormazabal
  • Work incorporated in a new Masters level course
    on VoIP Security taught at Columbia in Fall 2006
  • COMS 4995-1 Special Topics in Computer VoIP
    Security (HS)
  • CATT Technological Impact Award - 2007

Recommended Next Steps
  • Conversion of research into a product that
    Verizon can use
  • Verizon needs to determine optimal architectural
    placement of DoS prevention functionality for
    VoIP and Presence Security
  • Security vs. Performance
  • Hardware vs. Software Implementation
  • Proxy/Softswitch (SW)
  • SBC or New network element (HW/SW)
  • Use internally (protect VZ Network)
  • Use externally (sell new security services to
    large customers)
  • Need rapid commercialization
  • Licensing Agreement with equipment manufacturers
  • Exclusive vs. Non-exclusive
  • Continue relationship with Columbia
  • Research in related areas
  • Proposal to study SRTP
  • Maintain the testbeds for further research and to
    assist in product development during product
    testing cycle
  • Feedback loop of research and product cycle
  • Get other companies interested to synergize
    resources and share results
  • What can we do to make the working
    relationship even more productive?

  • Research Results
  • Demonstrated SIP vulnerabilities for VoIP
    resulting in new DoS and ToS susceptibility
  • Work is fully reusable to secure a Presence
  • Implemented some carrier-class mitigation
  • Developed generic requirements
  • Remove SIP DoS traffic at carrier class rates
  • Prototype is first of its kind in the world
  • Built a validation testbed to measure performance
  • Developed customized test tools
  • Built a high powered SIP-specific DoS Attack tool
    in a parallel computing distributed testbed
  • Crashed a SIP Proxy in seconds
  • Built a Theft of Service Architectural Integrity
    Validation Tool using parallel computing
  • Intellectual Property
  • Work resulted in six patent applications
  • Commercialization
  • Licensing agreements currently under negotiation
  • Revenue both to Columbia and Verizon
  • Need to socialize new requirements and test tools
    with vendor community to address rapid field
  • Vendors generally very interested in new

Thank You
  • Thank you
  • Questions?

Backup Slides
SIP Security Overview
  • Application Layer Security
  • SIP RFC 2543: little security
  • SIP RFC 3261: security enhancements
  • Digest Authentication
  • TLS
  • IPSec
  • SRTP/ZRTP (RFC 3711)
  • Perimeter Protection
  • SIP aware Filtering Mechanisms
  • SIP aware DOS Protection
  • Detection and Mitigation

SIP Security Overview
  • Application layer security
  • Digest Authentication, TLS, S/MIME, IPSec,
  • SRTP/ZRTP for media
  • Convergence leads to converged attacks
  • Data network attacks
  • DDoS, spoofing, content alteration, platform
  • Voice over IP network attacks
  • Toll fraud, session hijacking, theft of service,
  • Most security problems are due to
  • User Datagram Protocol (UDP) instead of TCP/TLS
  • Plain text instead of S/MIME
  • Message/Method vulnerability
  • Flexible grammar → syntax-based attacks

Dynamic Pinhole Filtering
CAM Table
SIP DoS and ToS Attack Taxonomy
  • ToS
  • Billing Threats
  • Authorization Threats
  • Service Threats
  • DoS
  • Implementation flaws
  • Application level
  • Flooding

Strategy Focus
  • VULNERABILITY: Most security problems are due
  • Flexible grammar → syntax-based attacks
  • Plain text → interception and modification
  • SIP over UDP → ability to spoof SIP requests
  • Registration/Call Hijacking
  • Modification of Media sessions
  • SIP Method vulnerabilities
  • Session teardown
  • Request flooding
  • Error Message flooding
  • RTP flooding
  • STRATEGY: Two DoS detection and mitigation
    filters and ToS tools
  • SIP: Two types of rule-based detection and
    mitigation filters
  • Media: SIP-aware dynamic pinhole filtering
  • ToS: Architectural Integrity Verification Tool

SIP Detection and Mitigation Filters
  • Authentication Based - Return Routability Check
  • Require SIP built-in digest authentication
  • Null-authentication (no shared secret)
  • Filter out spoofed sources
  • Method Specific Based Rate Limiting
  • Transaction based
  • Thresholding of message rates
  • Errors
  • State Machine sequencing
  • Filter out-of-state messages
  • Allow in-state messages
  • Dialog based
  • Only useful in BYE and CANCEL messages
  • Dynamic Pinhole Filtering for RTP
  • Only signaled RTP media channels can traverse
  • Obtain from SDP interception
  • End systems are protected against flooding of
    random RTP
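
Added example (not part of the original slides or the project's code): a small Python model of two filters from the list above, state-machine sequencing of dialog messages and dynamic pinhole filtering driven by SDP interception. It assumes dialogs are keyed by Call-ID alone; the class, the helper names and all SIP messages and addresses are constructed for illustration.

```python
import re

class SipAwareFilter:
    def __init__(self):
        self.dialogs = {}  # Call-ID -> set of (ip, port) pinholes that call opened

    @staticmethod
    def sdp_media(body):
        """Return the (ip, port) pairs signaled by c= and m=audio lines in SDP."""
        conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)
        ports = re.findall(r"^m=audio (\d+) RTP/AVP", body, re.M)
        return {(conn.group(1), int(p)) for p in ports} if conn else set()

    def on_sip(self, raw):
        """Return 'pass' or 'drop' for one SIP message and update dialog state."""
        head, _, body = raw.partition("\r\n\r\n")
        start, *rest = head.split("\r\n")
        hdrs = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in rest)}
        call_id = hdrs.get("call-id")
        if start.startswith("SIP/2.0 "):  # a response
            if call_id not in self.dialogs:
                return "drop"  # answers no INVITE this filter has seen
            if start.split(" ")[1] == "200" and hdrs.get("cseq", "").endswith("INVITE"):
                self.dialogs[call_id] |= self.sdp_media(body)  # callee's media
            return "pass"
        method = start.split(" ")[0]
        if method == "INVITE" and call_id:
            self.dialogs.setdefault(call_id, set()).update(self.sdp_media(body))
            return "pass"
        if call_id not in self.dialogs:
            return "drop"  # out-of-state BYE, CANCEL or ACK
        if method in ("BYE", "CANCEL"):
            del self.dialogs[call_id]  # teardown closes that call's pinholes
        return "pass"

    def on_rtp(self, dst_ip, dst_port):  # only signaled media may traverse
        open_now = set().union(*self.dialogs.values())
        return "pass" if (dst_ip, dst_port) in open_now else "drop"

def sip(start, call_id, cseq, sdp=""):  # builds a constructed sample message
    return f"{start}\r\nCall-ID: {call_id}\r\nCSeq: {cseq}\r\n\r\n{sdp}"

def demo():
    fw, uri = SipAwareFilter(), "sip:bob@example.invalid SIP/2.0"
    offer = "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 40000 RTP/AVP 0\r\n"
    answer = "v=0\r\nc=IN IP4 198.51.100.20\r\nm=audio 50000 RTP/AVP 0\r\n"
    return [
        fw.on_sip(sip(f"BYE {uri}", "forged-1", "1 BYE")),          # no dialog
        fw.on_sip(sip(f"INVITE {uri}", "call-1", "1 INVITE", offer)),
        fw.on_sip(sip("SIP/2.0 200 OK", "call-1", "1 INVITE", answer)),
        fw.on_rtp("198.51.100.20", 50000),                          # signaled
        fw.on_rtp("198.51.100.20", 50002),                          # not signaled
        fw.on_sip(sip(f"BYE {uri}", "call-1", "2 BYE")),
        fw.on_rtp("198.51.100.20", 50000),                          # closed
    ]
```

A production filter would key dialogs on Call-ID plus the From and To tags and would combine this with the per-method rate thresholds listed above.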

Test Tools
  • SIPp, SIPStone, and SIPUA are benchmarking tools
    for SIP proxy and redirect servers
  • Establish calls using SIP in Loader/Handler mode
  • A controller software module (secureSIP) wrapped
    over SIPp/SIPUA/SIPStone launches legitimate and
    illegitimate calls at a pre-configured workload
  • SIPp
  • Robust open-source test tool / traffic generator
    for SIP
  • Customizable XML scenarios for traffic generation
  • 5 inbuilt timers to provide accurate statistics
  • Customized to launch attack (SIP DoS) traffic
    designed to cause proxy to fail
  • SIPStone continuously launches spoofed calls
    which the proxy is expected to filter
  • For this project enhanced with
  • Null Digest Authentication
  • Optional spoofed source IP address SIP requests
  • SIPUA Test Suite
  • Has built-in Digest Authentication functionality
  • Sends 160 byte RTP packets every 20ms
  • Settable to shorter interval (10ms) if needed for
  • Starts RTP sequence numbers from zero
  • Dumps call number, sequence number, current
    timestamp and port numbers to a file
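
Added example (not from the original slides or the project's code): one way a return routability check with null digest authentication can reject the spoofed-source requests that the proxy is expected to filter. The HMAC-bound stateless nonce, the empty password as the null credential, and the key, realm and lifetime values are assumptions made for this sketch.

```python
import hashlib
import hmac

FILTER_KEY = b"constructed-demo-key"  # assumption: secret known only to the filter
REALM = "example.invalid"             # hypothetical realm
NONCE_TTL = 30                        # assumption: seconds a challenge stays valid

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def make_nonce(src_ip, now):
    """Bind the challenge to the address it is sent to, so no state is kept."""
    ts = str(int(now))
    mac = hmac.new(FILTER_KEY, f"{src_ip}|{ts}".encode(), hashlib.sha256)
    return f"{ts}.{mac.hexdigest()[:32]}"

def digest_response(user, nonce, method, uri, password=""):
    """RFC 2617 digest without qop; the password is empty (no shared secret)."""
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def check_request(src_ip, method, uri, auth, now):
    """Return 'challenge', 'pass' or 'drop' for a request seen from src_ip."""
    if auth is None:
        return "challenge"  # answer with a nonce from make_nonce(src_ip, now)
    ts = auth["nonce"].partition(".")[0]
    if not ts.isdigit() or not 0 <= now - int(ts) <= NONCE_TTL:
        return "drop"       # malformed or expired challenge
    expected_nonce = make_nonce(src_ip, int(ts))
    if not hmac.compare_digest(auth["nonce"].encode(), expected_nonce.encode()):
        return "drop"       # nonce was never delivered to this source address
    expected = digest_response(auth["username"], auth["nonce"], method, uri)
    ok = hmac.compare_digest(auth["response"].encode(), expected.encode())
    return "pass" if ok else "drop"

def demo():
    uri, t0 = "sip:bob@example.invalid", 1_000_000  # constructed values
    first = check_request("192.0.2.10", "INVITE", uri, None, t0)
    nonce = make_nonce("192.0.2.10", t0)  # what the filter sends to 192.0.2.10
    auth = {"username": "alice", "nonce": nonce,
            "response": digest_response("alice", nonce, "INVITE", uri)}
    legit = check_request("192.0.2.10", "INVITE", uri, auth, t0 + 1)
    spoofed = check_request("203.0.113.5", "INVITE", uri, auth, t0 + 1)
    stale = check_request("192.0.2.10", "INVITE", uri, auth, t0 + 31)
    return first, legit, spoofed, stale
```

The check proves only that the sender can receive traffic at its claimed address, which is why it filters spoofed sources without any shared secret.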

secureSIP Control Architecture
secureSIP Test Results for DoS
SIP DoS Measurements (showing max supported call

                                           Firewall Filters OFF                Firewall Filters ON
Traffic Composition                        Good CPS    Attack CPS  CPU Load    Good CPS    Attack CPS  CPU Load
Non-Auth Traffic                           690         0           87.81       690         0           88.04
Auth Good Traffic                          240         0           19.83       240         0           39.64
Auth Good Traffic                          480         0           81.20       480         0           81.75
Auth Good Traffic + Spoof Traffic          240         2950        83.64       240         16800       41.39
Auth Good Traffic + Spoof Traffic          480         195         85.40       480         14400       82.72
Auth Good Traffic + Flood of Requests      240         3230        84.42       240         8400        40.83
Auth Good Traffic + Flood of Requests      480         570         86.12       480         7200        82.58
Auth Good Traffic + Flood of Responses     240         2970        87.2        240         8400        41.33
Auth Good Traffic + Flood of Responses     480         330         86.97       480         7200        82.58
Auth Good Traffic + Flood of Out-of-State  240         2805        86.24       240         8400        40.29
Auth Good Traffic + Flood of Out-of-State  480         290         84.81       480         7200        82.19

Dynamic Pinhole

                                     Delay due to Firewall
Concurrent Calls   Call rate (CPS)   Pinhole opening   Pinhole closing
20000              300               0.73              0
25000              300               0.75              0
30000              300               0.83              15.51
30000              200               0.80              0.02