VoIP Defender: The Future of VoIP Protection
Fraunhofer FOKUS Institute, Germany
Fraunhofer FOKUS 2007
VoIP-Defender – Why?
A steadily increasing number of customers makes VoIP a first-class target for attackers.
Attacks are aimed at:
- the service itself (e.g. DDoS, spoofing)
- the customer (SPIT, fraud, call hijacking)
- the service provider (e.g. SQL injection)
Already observed:
- REGISTER / INVITE flooding
- multi-source flooding
- unresolvable DNS names
- unintentional misbehaviour / misconfiguration (not an attack)
What will we see tomorrow?
VoIP-Defender – What is it?
VoIP-Defender is a framework for detection algorithms.
- Highly scalable: copes with high-bandwidth attacks, especially DoS, through multiple scalability levels plus parallel processing.
- Invisible placement: attackers cannot see the presence of the VoIP-Defender.
- Autonomous operation: no support from the proxy is needed, so it is proxy-agnostic; traffic passes through by default.
- Intelligent monitoring and defence, designed specifically for SIP networks: includes a SIP/IMS parser, a SIP state machine and SIP properties; shows the actual ongoing SIP network traffic; monitoring and defence algorithms can be dynamically enabled and disabled; multiple monitoring and detection algorithms already exist; user control interface via terminal and GUI.
VoIP-Defender – Where is it?
VoIP-Defender is placed between the service provisioning platform and the customers: the classical firewall position. Multi-link monitoring and protection is possible.
[Figure: legal users and an attacker on the Internet side, VoIP-Defender in between, the services behind it]
VoIP-Defender – Architecture Overview
Components, from the Internet side to the service side:
- Transport Level Load Balancers (TLLB)
- Filter/Scanner Nodes (FSN)
- Analyzers (the algorithm's parallel part)
- Deciders (the algorithm's sequential part)
[Figure: traffic enters from the Internet through a TLLB, passes the FSNs and leaves through a second TLLB towards the service; reconstructed messages flow from the FSNs to Analyzer 1 and Analyzer 2, each running Alg1 and Alg2; their results reach the Decider plane, which holds the algorithmic knowledge and pushes rules back to the FSNs]
VoIP-Defender – Architecture: Transport Level Load Balancing
MAC-layer transparent, simple load balancing based on information from up to the transport layer.
Internet-side TLLB:
- Incoming packets from the same source IP address are sent out via the same port (mapping).
- Outgoing packets to unassociated IP addresses also create a mapping.
[Figure: clients on the Internet side, the TLLB's mapping table, and ports to FSN1, FSN2 and FSN3, with the incoming and outgoing directions marked]
VoIP-Defender – Architecture: Transport Level Load Balancing
Service-side TLLB:
- Outgoing packets to the same source IP address are sent out via the same port (mapping).
- Incoming packets from unassociated IP addresses also create a mapping.
[Figure: the service behind the TLLB, its mapping table, and ports to FSN1, FSN2 and FSN3, with the incoming and outgoing directions marked]
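A model of the mapping behaviour described on the two TLLB slides, added here as an example; it is not VoIP-Defender code. The class and method names, and the choice of the least-loaded port for a client that has no mapping yet, are assumptions.

```python
from collections import Counter


class TLLB:
    """Transport-level load balancer model. One mapping per client IP keeps both
    directions of a client's traffic on the same FSN port.
    side="internet": the link faces the clients; side="service": it faces the service."""

    def __init__(self, ports, side):
        self.ports = list(ports)          # FSN ports, e.g. ["FSN1", "FSN2", "FSN3"]
        self.side = side
        self.mapping = {}                 # client IP -> FSN port
        self.load = Counter()             # mappings per port

    def _assign(self, client_ip, port=None):
        # Assumption: an unassociated client goes to the least-loaded port unless
        # the packet already arrived from a specific port (reverse direction).
        if port is None:
            port = min(self.ports, key=lambda p: (self.load[p], p))
        self.mapping[client_ip] = port
        self.load[port] += 1
        return port

    def from_link(self, src_ip, dst_ip):
        """Packet entering from the external link; returns the FSN port to use."""
        client = src_ip if self.side == "internet" else dst_ip
        return self.mapping.get(client) or self._assign(client)

    def from_fsn(self, port, src_ip, dst_ip):
        """Packet arriving from an FSN port, sent out on the link unchanged.
        A not-yet-associated client IP gets a mapping to the port it came from."""
        client = dst_ip if self.side == "internet" else src_ip
        if client not in self.mapping:
            self._assign(client, port)
        return self.mapping[client]
```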
VoIP-Defender – Architecture: Filter & Scanner Node
[Figure: the FSN is a bridge between its incoming and outgoing links. In kernel space, frames pass IP defragmentation and UDP/TCP handling into the SIP extractor, a frame cache and rule processing, which returns a verdict on the cached frames. In user space, message inspection performs the analyzer selection and sends the SIP message plus meta information to an Analyzer; the Decider's filter rule control installs rules into rule processing]
VoIP-Defender – Architecture: Filter & Scanner Node (walkthrough)
1. A UDP packet arrives.
2. The frame is forked: one copy goes to the frame cache, the other one to analysis.
3. The packet is inspected for completeness in terms of IP, UDP and SIP.
4. Potentially many packets are necessary to assemble a complete SIP message. This one is incomplete.
5. The rest of the SIP message arrives.
6. It is also duplicated: one copy for the intelligence, one for the frame cache.
7. It is again checked for completeness.
8. As soon as the SIP message is complete:
   a. An Analyzer is selected by determining a session ID, and the SIP message is sent to it along with meta information about the involved transport.
   b. The SIP message is examined by the currently active rule set.
9. Here the message has been found to be OK, so all its frames (2) are allowed to be sent out.
VoIP-Defender – Architecture: Rules
Rules are based on any protocol information. Regular expressions enable filtering by content. Scripting rules allow even more complex operations (requires user-space filtering support on the FSNs).
Verdicts:
- OK: the frames are sent out in the correct order.
- DROP: for UDP, the frames are simply dropped; for TCP, the connection is interrupted by injecting RST frames.
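The FSN walkthrough and the rule verdicts, modelled as an added Python example (not the FSN implementation): frames are held in a cache until the SIP message is complete, the Analyzer is chosen from the Call-ID as session ID, a regex rule set yields OK or DROP, and OK releases the cached frames in order. The sample INVITE, the rule, the blocked domain and all function names are constructed for this example; TCP RST injection is not modelled.

```python
import hashlib
import re

# Constructed sample (not from the slides): one INVITE arriving as two frames.
FRAMES = [
    b"INVITE sip:bob@example.net SIP/2.0\r\n"
    b"From: <sip:alice@example.org>;tag=1928\r\n"
    b"To: <sip:bob@example.net>\r\n"
    b"Call-ID: a84b4c76e66710@192.0.2.10\r\n",
    b"CSeq: 314159 INVITE\r\n"
    b"Content-Type: application/sdp\r\n"
    b"Content-Length: 10\r\n\r\n"
    b"v=0\r\no=-\r\n",                      # exactly 10 body bytes
]

def sip_complete(buf: bytes) -> bool:
    """SIP completeness: header block closed by CRLFCRLF and the whole body present."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return False
    m = re.search(rb"(?im)^(?:content-length|l)[ \t]*:[ \t]*(\d+)", buf[:end])
    body_len = int(m.group(1)) if m else 0
    return len(buf) >= end + 4 + body_len

def select_analyzer(msg: bytes, n_analyzers: int) -> int:
    """Session ID = Call-ID, hashed so every message of a session reaches the same Analyzer."""
    m = re.search(rb"(?im)^(?:call-id|i)[ \t]*:[ \t]*(\S+)", msg)
    call_id = m.group(1) if m else b""
    return int.from_bytes(hashlib.sha256(call_id).digest()[:4], "big") % n_analyzers

# Regex rule set over the reconstructed message; first match wins, default verdict OK.
RULES = [("drop-blocked-domain", re.compile(rb"(?im)^From:.*@blocked\.example"), "DROP")]

def rule_verdict(msg: bytes) -> str:
    for _name, pattern, verdict in RULES:
        if pattern.search(msg):
            return verdict
    return "OK"

def fsn_process(frames, n_analyzers=2):
    """Run frames through the FSN steps; returns (verdict, analyzer index, released frames)."""
    cache = []
    for frame in frames:
        cache.append(frame)                 # fork: one copy is held in the frame cache
        msg = b"".join(cache)
        if not sip_complete(msg):
            continue                        # incomplete: wait for the rest of the message
        analyzer = select_analyzer(msg, n_analyzers)
        verdict = rule_verdict(msg)
        released = list(cache) if verdict == "OK" else []   # OK: out in order; UDP DROP: discarded
        return verdict, analyzer, released
    return "PENDING", None, []
```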
VoIP-Defender – Architecture: Analyzer & Decider
Detection algorithms are split into a scalable part and a non-scalable part. The scalable part is realized in the Analyzers, the non-scalable part in the Decider.
Example: INVITE flooding from a single source.
[Figure: the complete algorithm, parsing, INVITE?, extract SRC, increase the counter for this SRC, trigger alarm, is split so that parsing, the INVITE check and SRC extraction run in parallel on the Analyzers, while the single counter per SRC and the alarm live in the Decider]
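The INVITE-flooding split shown above, as an added example that is not VoIP-Defender's own code: the Analyzer does parsing, the INVITE check and SRC extraction; the Decider keeps the single counter per SRC, triggers the alarm and creates the rule. The threshold, the time window, the source address and the class names are assumptions; the simulation also shows why the count cannot stay in one Analyzer.

```python
from collections import defaultdict

class Decider:
    """Non-scalable part: holds the one counter per SRC across all Analyzers.
    Threshold and window are constructed values, not taken from the slides."""

    def __init__(self, alarm_at=20, window=10.0):
        self.alarm_at, self.window = alarm_at, window
        self.counts = defaultdict(int)
        self.window_start = {}
        self.rules = {}                # src_ip -> filter rule that Rule Control would push to the FSNs
        self.alarms = []

    def report(self, analyzer_name, src_ip, now):
        """Increase counter for this SRC; trigger the alarm and create a rule on threshold."""
        start = self.window_start.setdefault(src_ip, now)
        if now - start > self.window:                # stale window: restart the count
            self.window_start[src_ip], self.counts[src_ip] = now, 0
        self.counts[src_ip] += 1
        if self.counts[src_ip] >= self.alarm_at and src_ip not in self.rules:
            self.alarms.append((src_ip, analyzer_name, now))
            self.rules[src_ip] = "DROP INVITE"

class Analyzer:
    """Scalable part: parsing, INVITE check and SRC extraction, run in parallel.
    One Analyzer only sees the sessions (Call-IDs) hashed to it, so its own view of
    a single source is partial; that is why the counter lives in the Decider."""

    def __init__(self, name, decider):
        self.name, self.decider = name, decider
        self.seen_invites = defaultdict(int)        # local statistic only

    def handle(self, sip_msg: bytes, src_ip: str, now: float):
        request_line = sip_msg.split(b"\r\n", 1)[0]
        if not request_line.startswith(b"INVITE "):   # INVITE? no -> nothing to report
            return
        self.seen_invites[src_ip] += 1
        self.decider.report(self.name, src_ip, now)  # extracted SRC goes to the Decider

def simulate_flood(n_invites, n_analyzers=2, src="198.51.100.7"):
    """Constructed flood: n INVITEs from one source, each a new session, so they are
    spread round-robin over the Analyzers. Returns (decider, analyzers)."""
    dec = Decider()
    analyzers = [Analyzer(f"analyzer{i}", dec) for i in range(n_analyzers)]
    for i in range(n_invites):
        msg = b"INVITE sip:bob@example.net SIP/2.0\r\nCall-ID: %d@flood\r\n\r\n" % i
        analyzers[i % n_analyzers].handle(msg, src, now=i * 0.1)
    return dec, analyzers
```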
VoIP-Defender – Architecture: Analyzer
Analyzers implement the scalable part of the detection algorithms in VoIP-Defender. It is guaranteed that every SIP message belonging to the same session is processed by the same Analyzer.
APIs for algorithm programmers offer:
- effective SIP parsing
- access to transport information: protocol fragments, transmission time and duration, SRC/DST IP addresses, port numbers
- network communication with the Decider
VoIP-Defender – Architecture: Analyzer (internals)
[Figure: the Report Server listens for incoming messages and reports from the FSNs over the FSN connections and stores them in the incoming message buffer; the SIP Parser pre-parses incoming SIP messages; the Algorithm Dispatcher calls each Analyzer Component (Algorithm 1, 2 and 3, each with its own state) in order with the current parsed SIP message and provides the meta data; the Result Client sends individual result and status information to the Decider layer over the Decider connection; a Control Interface handles GUI interaction over the GUI connection]
VoIP-Defender – Architecture: Decider
The Decider implements the non-scalable (common knowledge) part of the detection algorithms in VoIP-Defender. It receives algorithm-specific reports from the Analyzers and dispatches them to the specific Decider modules.
APIs for algorithm programmers offer:
- rule management
- inter-algorithm communication
- network communication with Analyzers and FSNs
VoIP-Defender – Architecture: Decider (internals)
[Figure: the Result Server listens for incoming result reports from the Analyzer layer over the Analyzer connections; the Event Manager dispatches events sent to and by the algorithms and drives timers; each Decider Component (Algorithms 1 to 4, each with its own state) consumes results and creates rules; Rule Control sends control commands to the FSNs over the FSN connections, and the Rule Cache keeps the current rules locally; a Control Interface is attached]
VoIP-Defender – Next Steps
- Develop and implement more detection algorithms.
- Real-world deployment at a professional VoIP provider.
- Architectural refinements.
- Dedicated IMS support.
VoIP-Defender
Thanks – Questions?