
Post on 27-Mar-2015


Advanced Flooding Attack on a SIP Server

Xianglin Deng, Canterbury University

Malcolm Shore, Canterbury University & Telecom NZ

SIP Protocol

SIP is used as the connection mechanism for IP-based multimedia services, including VoIP

SIP is normally deployed as a service not requiring user authentication

SIP can be configured to operate in authenticated mode

SIP Flooding

SIP is vulnerable to flooding attacks. A typical attack would be an INVITE flood.

[Diagram: Attacker, SIP Proxy and SIP Client exchanging repeated INVITE, TRYING, RINGING and Busy here messages.]

SIP Flooding

SIP with authentication is more vulnerable to flooding attacks.

[Diagram: Attacker, SIP Proxy and SIP Client. Repeated INVITE messages are met with 407 responses, each marked "…nonce generate and store".]

SIP Flooding

Firewalls can provide SIP anti-flooding protection.

[Diagram: a stream of INVITE messages, marked "Blocked…".]

[Figure: Call setup delay vs. number of attack packets. x-axis: Number of attack packets; y-axis: call setup delay (s).]

SIP Flooding

We can defeat the firewall anti-flooding mechanism

[Diagram: a stream of INVITE messages.]

[Figure: Call setup delay. x-axis: Number of attack packets; y-axis: Call setup delay (s).]

SIP Flooding

We propose a Security Enhanced SIP System (SESS)

Non authenticated SIP Proxy with optional firewall authentication

Involves enhancement of the firewall with predictive nonce checking (Rosenberg)

Involves priority queues (Ohta)

The SIP proxy maintains known user lists (D’Souza)

Incorporates a synchronisation protocol (KASP)

We enhance the predictive nonce checking, priority queues and user lists

Predictive Nonce Checking

Rosenberg 2001

Client → SIP proxy server: INVITE/REGISTER

SIP proxy server: Generate predictive nonce

SIP proxy server → Client: 407/401 (nonce, realm)

Client: Compute response = F(nonce, username, password, realm)

Client → SIP proxy server: INVITE/REGISTER (nonce, realm, username, response)

SIP proxy server: Authentication: compute F(nonce, username, password, realm) and compare with response
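The exchange above, sketched as an added example (not code from the slides or from Rosenberg's draft): the proxy derives the nonce from a keyed hash instead of generating and storing one per INVITE, so a flood of unauthenticated requests leaves no state behind. The nonce construction (timestamp plus HMAC over timestamp and source IP), the secret, the lifetime and the simplified `F` are assumptions; the slides do not give the formula.

```python
import hashlib
import hmac
import time

SERVER_SECRET = b"constructed-demo-secret"  # assumption: secret known only to the proxy
NONCE_LIFETIME = 30                          # assumption: seconds a nonce stays valid

def make_nonce(src_ip, now=None):
    """Derive the nonce from (timestamp, source IP); the proxy stores nothing."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(SERVER_SECRET, f"{ts}|{src_ip}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"

def nonce_is_valid(nonce, src_ip, now=None):
    """Recompute the nonce for this source and reject stale or forged values."""
    now = time.time() if now is None else now
    ts = nonce.partition(".")[0]
    if not (ts.isascii() and ts.isdigit() and len(ts) <= 12):
        return False
    if not 0 <= now - int(ts) <= NONCE_LIFETIME:
        return False
    return hmac.compare_digest(nonce.encode(), make_nonce(src_ip, int(ts)).encode())

def F(nonce, username, password, realm):
    """Simplified stand-in for the slide's F(); SIP digest also hashes method and URI."""
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}".encode()).hexdigest()

def authenticate(src_ip, nonce, username, realm, response, passwords, now=None):
    """Cheap nonce check first; the credential lookup runs only for a valid nonce."""
    if not nonce_is_valid(nonce, src_ip, now):
        return False
    password = passwords.get(username)
    if password is None:
        return False
    expected = F(nonce, username, password, realm)
    return hmac.compare_digest(response.encode(), expected.encode())
```
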

Improved Nonce Checking

Priority Queues

Ohta 2006

Assign different priority to SIP INVITE messages

Improved Priority Queues

Assign priorities based on the source IP address.

VoIP service provider would benefit from giving frequent users higher priorities

User Lists

D’Souza 2004

Assigns high priority to known hosts

Improved User Lists

Enforce authentication on unknown hosts

Defines a dual-stage list

Adds expiry to the lists
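A sketch of a dual-stage list with expiry, as an added example (not the SESS code): sources move from unknown to the user list (nu) and on to the frequent user list (fu), and fall out again when their timer runs out. The time constants, the priority labels and the rule that a repeat call within `FREQUENT_WINDOW` triggers promotion are assumptions; the slides name a "time t" but give no values.

```python
FREQUENT_WINDOW = 3600   # assumption: the "time t" within which a repeat call promotes nu -> fu
NU_TTL = 86400           # assumption: seconds before an idle nu entry expires
FU_TTL = 7 * 86400       # assumption: seconds before an idle fu entry expires

class UserLists:
    def __init__(self):
        self.nu = {}  # source IP -> time of last call (user list)
        self.fu = {}  # source IP -> time of last call (frequent user list)

    def expire(self, now):
        """Drop entries whose timer has run out."""
        self.fu = {ip: t for ip, t in self.fu.items() if now - t <= FU_TTL}
        self.nu = {ip: t for ip, t in self.nu.items() if now - t <= NU_TTL}

    def classify(self, src_ip, now):
        """Return (priority, must_authenticate) for a packet from src_ip."""
        self.expire(now)
        if src_ip in self.fu:
            return ("high", False)
        if src_ip in self.nu:
            return ("normal", False)
        return ("low", True)  # unknown host: authentication is enforced

    def record_call(self, src_ip, now):
        """Update the lists after a call from src_ip was accepted; returns its list."""
        self.expire(now)
        if src_ip in self.fu:
            self.fu[src_ip] = now
        elif src_ip in self.nu and now - self.nu[src_ip] <= FREQUENT_WINDOW:
            del self.nu[src_ip]
            self.fu[src_ip] = now
        else:
            self.nu[src_ip] = now
        return "fu" if src_ip in self.fu else "nu"
```
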

KASP

Packet Structure: IP Header | UDP Header | KASP:+fu10.0.0.34

SESS

[Flowchart: SESS handling of incoming packets. Recoverable steps: Listen on incoming packets; Extract source IP addr; In fu?; In nu?; Is ACK?; Last call made in time t?; Reset timer, update received time; Promote user to fu, update received time; Add user to nu, send update firewall info; Process SIP message. Timer expire interrupt: Is a fu?; Remove user from fu; Remove user from nu.]

nu = user list; fu = frequent user list

JAIN SLEE

Advantages:

It is designed for telecommunications low latency and high throughput environments (10-20 calls per second per CPU; ~10 events per call; <200ms RTT)

Its container-based infrastructure enables easy integration of new services and technologies

Better availability and scalability through clustering

A high-level programming language (Java) is used, which reduces the time to market

JAIN SLEE

JAIN SLEE main operation

When a message arrives at SLEE, it will first go through a resource adapter;

The resource adapter wraps the message, and sends it to an activity context;

SBBs that have subscribed to the activity context will receive the event, and process it.

SESS implementation

Modified the SIP proxy SBB

Observations on Use of JAIN SLEE

Enhancement was possible with existing knowledge of Java

Modifications easy/low risk due to component architecture resulting from JAIN SLEE approach

Enhancement completed and tested in 3 days

High level of confidence in the resulting server

Much simpler and so more reliable than C

No opportunity to trial throughput or availability claims

Existence of many Java Libraries provides rich source of reusable code

Experimental Results

Average setup delays = 9.39; (7.06) 7.14; 0.675; 0.487 seconds

[Figure: Call setup delays for users under various security levels. x-axis: Number of attack packets; y-axis: Call setup delays (s). Series: Frequent users in SESS; Normal users in SESS; New users in SESS; All users in Stateless firewall; All users under no security.]

Experimental Results

No discernable impact on the SIP proxy CPU … no INVITE flood attack packets penetrate

SIP ACK flooding

[Figure: Call setup delay during ACK flood. x-axis: number of attack packets sent; y-axis: call setup delay (s).]

Average setup delay = 5.9 seconds

500 Server Internal error occurred

Temporary User List

ACK Flood can still penetrate the SESS protection

We use a temporary user list to ensure that ACKs cannot be accepted without an INVITE

[Diagram: message flow showing INVITE, 407, KASP+nu, OK and ACK messages.]

ISESS

[Diagram: ISESS message flow between Internet, Firewall, SIP Proxy and Internal client. Labels: "User 2000 makes 1st call" and "User 2000 makes 2nd call", with INVITE, 200OK and ACK messages, "Temp. Allow User", "Update user list" and "Voice stream". Legend: Improved Predictive nonce checking process; Security-enhanced SIP proxy process.]

Experimental results

[Figure: Call setup delays for users under no security and in ISESS. x-axis: Number of attack packets sent; y-axis: Call setup delay (s). Series: No security; New user in ISESS; Normal user in ISESS; Frequent user in ISESS.]

Average setup delays: = 9.39; 8.356; 1.147; 0.975 seconds

SIP ACK FLOODING

[Figure: Call setup delay during ACK flood. x-axis: Number of attack packets; y-axis: call setup delay (s).]

Average setup delays: = 0.815 seconds

Experimental Results

With ISESS, no ACK flood packets penetrate

Conclusion

SIP is vulnerable to flooding attack

Commercial anti-flooding mechanisms can be defeated

Current research provides some mitigation but is incomplete

ISESS synthesises and extends current research into a substantially more complete solution to the problem of SIP flooding

Questions?
