The study and demonstration on SIP security vulnerabilities
Voice Communication Final Project Report
Vamsi Krishna Karnati, Mahidhar Penigi

Introduction

SIP, the Session Initiation Protocol, is a text-based protocol that is widely used for voice transmission over IP networks. VoIP (Voice over Internet Protocol) is one such standard that uses SIP as a signaling protocol to initiate, manage and terminate voice sessions over an IP infrastructure. In VoIP, voice is carried in IP packets that are designed and designated to carry voice. This process requires another underlying protocol to function as a session manager; SIP is one such protocol. SIP, like HTTP (Hyper Text Transfer Protocol), is a text-based protocol that is easily understood and not very complex. SIP initiates a session by alerting the end-user devices or VoIP devices on the network. Other similar protocols such as BICC, H.323, MGCP and MEGACO perform the same function as SIP, but SIP is the most widely trusted and used protocol nowadays for voice transmission over IP networks. A simple illustration of SIP's functioning is given below and the detailed functioning follows:

Figure 1: Functioning of SIP, the handshake and flow diagram [1]

As shown in the diagram above, when an end user 'SIP phone A' (A) sends a request to call another peer 'SIP phone B' (B), it is SIP that is responsible for exchanging the messages shown in white between the two devices. The SIP INVITE initiated by A is first sent to the proxy server, which acts as a mediator and forwards the invite to the desired user B; meanwhile the SIP proxy server sends a reply packet to A indicating that the packet has been sent on to B. In the very next step, upon a successful response by B, the session initiated by SIP is in progress. It is also important to remember that the process between the SIP INVITE and the SIP ACKNOWLEDGEMENT is a three-way handshake.
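As an added example (not part of the report), the following Python models the caller's view of the Figure 1 exchange: every response and the ACK must carry the INVITE's Call-ID, From tag and CSeq number, and the ACK must also carry the To tag that B returned in its 200 OK, so a reply that does not belong to the dialog is rejected. Messages are constructed dicts rather than parsed SIP text, and the field names and identifiers are assumptions.

```python
# Added example (not from the report): caller-side tracker for the Figure 1 call flow; dict field names are assumptions.
class DialogError(Exception):
    pass
class SipDialog:
    def __init__(self):
        self.state = "idle"
        self.call_id = self.from_tag = self.to_tag = self.cseq = None
    def on_invite(self, msg):
        self.call_id, self.from_tag, self.cseq, self.state = msg["call_id"], msg["from_tag"], msg["cseq"], "calling"
    def on_response(self, msg):
        self._same_transaction(msg)
        if 100 <= msg["status"] < 200:                  # 100 Trying from the proxy, 180 Ringing from B
            self.state = "proceeding"
        elif msg["status"] == 200 and self.state in ("calling", "proceeding"):
            self.to_tag = msg["to_tag"]                 # B's tag completes the dialog identifier
            self.state = "answered"
        elif msg["status"] == 200 and self.state == "terminating":
            self.state = "terminated"                   # 200 OK answering the BYE
        else:
            raise DialogError(f"unexpected {msg['status']} in state {self.state}")
    def on_ack(self, msg):
        # Third leg of the handshake: the INVITE's CSeq number plus B's To tag from the 200 OK.
        self._same_transaction(msg)
        if self.state != "answered" or msg["to_tag"] != self.to_tag:
            raise DialogError("ACK does not match the answered INVITE")
        self.state = "established"                      # RTP/RTCP may now flow
    def on_bye(self, msg):
        if self.state != "established" or msg["call_id"] != self.call_id or msg["cseq"] <= self.cseq:
            raise DialogError("BYE outside an established dialog or with a stale CSeq")
        self.cseq, self.state = msg["cseq"], "terminating"
    def _same_transaction(self, msg):
        if (msg["call_id"], msg["from_tag"], msg["cseq"]) != (self.call_id, self.from_tag, self.cseq):
            raise DialogError("message does not belong to this dialog/transaction")

def run_call(events):
    """Feed (kind, msg) events to a fresh dialog; return the final state, or None on a mismatch."""
    dialog = SipDialog()
    try:
        for kind, msg in events:
            getattr(dialog, "on_" + kind.lower())(msg)
    except DialogError:
        return None
    return dialog.state
# Constructed sample: the Figure 1 exchange as A sees it (all identifiers are made up).
CALL = {"call_id": "a84b4c76e66710@a.example", "from_tag": "1928301774"}
def sip_msg(cseq, **fields):
    return {**CALL, "cseq": cseq, **fields}
FIGURE1 = [("INVITE", sip_msg(1)), ("RESPONSE", sip_msg(1, status=100)),
           ("RESPONSE", sip_msg(1, status=200, to_tag="a6c85cf")), ("ACK", sip_msg(1, to_tag="a6c85cf")),
           ("BYE", sip_msg(2)), ("RESPONSE", sip_msg(2, status=200))]
```

`run_call(FIGURE1)` walks the whole exchange to "terminated"; feeding an ACK before the 200 OK, or an ACK with a To tag B never issued, returns None instead.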
After the acknowledgement the RTP/RTCP stream is in progress. This initiated voice session is then terminated by SIP BYE messages, initiated by the user that hangs up first, which alters the impedance of the network.

[1] http://www.packetizer.com/ipmc/sip/papers/understanding_sip_voip/sip_call_flow.png

Advantages of SIP:
- SIP is a text-based protocol and is very simple to comprehend.
- SIP deployment in VoIP is a highly simple process with very little resource consumption, i.e. SIP can run on anything from something as small as a virtual machine to something as large as an ISP network.
- Troubleshooting SIP is greatly simplified by the availability of Asterisk.

Major drawback of SIP:

SIP, being a text-based protocol, works without any kind of layered encryption, authentication or reliability. The fundamental operation of SIP is very simple to comprehend because of its plain-text nature. SIP lacks in-built security and relies on the effectiveness of the telephony solution in place and the level of security it provisions. Vulnerabilities in SIP eventually translate into security issues for VoIP. It is hence very necessary to recognize the issues with SIP security and design possible solutions for them. Almost all security issues related to SIP are due to the lack of the three items mentioned above.

Encryption is one major element absent in SIP. SIP does not offer any encryption standard for the packets it routes; because of this, malicious users and hackers can easily intercept and decode SIP messages retrieved with the simple networking tools widely available on the internet today. An encryption standard needs to be defined if SIP is to be secured on this front.

Authentication is another absent standard that makes SIP more vulnerable. Because of this, no user on a SIP-deployed network is fully authenticated as authorized.
In other words, there is no way to tell through analysis of SIP whether a certain device on the network is authorized or unauthorized. Yet again, authentication claims a greater requirement than encryption within a standard like SIP.

Reliability, or information security, is a major and rising aspect of any IP network. Reliability and information security collectively work towards protecting the content exchanged between two users or end devices during any kind of exchange over an IP network. In the premise of this project, which is SIP, both reliability and information security are elements of SIP that are yet to be deployed. It is very important for end-to-end voice delivery to be reliable and secure in order to avoid a major class of attacks, characterized by the attacker being able to recognize and understand an ongoing target session.

The lack of the three elements mentioned above leads to the consequences described below.

Attacks due to lack of encryption:

1) Malformed message attacks: Every SIP message has a certain grammar standard to adhere to. In malformed message attacks the attacker is able to easily retrieve and modify the contents of a packet in such a way that the packet no longer matches the grammar standard. Because of this, the attacker is able to convince the end devices that the packet is malicious. During this process the end devices are in a state of confusion and are hence temporarily denied network services, during which time the attacker claims superiority on the network. This attack occurs mainly because SIP is a simple text-based protocol.

2) Message tampering: Message tampering differs from malformed message attacks in that message tampering alters the content and information present within a SIP packet rather than violating the grammar standards.
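As an added example (not part of the report), the following Python checks a SIP request against the RFC 3261 grammar rules the text refers to (request line, header syntax, mandatory headers, CSeq method, Content-Length) and contrasts a malformed request, which the check flags, with a tampered one whose grammar is intact and therefore passes. The sample messages and addresses are constructed.

```python
# Added example (not from the report): a grammar check for SIP requests against
# the RFC 3261 rules, to show what a "malformed message" looks like. The sample
# messages are constructed; the addresses are not real.
import re

REQUEST_LINE = re.compile(r"^([A-Z]+) (sips?:\S+) SIP/2\.0$")
HEADER_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9.\-]*)\s*:\s*(.*)$")
MANDATORY = ("Via", "From", "To", "Call-ID", "CSeq", "Max-Forwards")  # required in every request

def check_request(raw):
    """Return the list of grammar violations in a SIP request; [] means well-formed."""
    errors = []
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    req = REQUEST_LINE.match(lines[0])
    if not req:
        errors.append(f"bad request line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        h = HEADER_LINE.match(line)
        if not h:
            errors.append(f"bad header line: {line!r}")
            continue
        headers[h.group(1).lower()] = h.group(2)
    for name in MANDATORY:
        if name.lower() not in headers:
            errors.append(f"missing header: {name}")
    cseq = headers.get("cseq", "")
    if req and not re.fullmatch(r"\d+ " + req.group(1), cseq):
        errors.append(f"CSeq {cseq!r} does not match method {req.group(1)}")
    declared = headers.get("content-length")
    if declared is not None and (not declared.isdigit() or int(declared) != len(body.encode())):
        errors.append(f"Content-Length {declared!r} does not match body of {len(body.encode())} bytes")
    return errors

INVITE = (  # constructed, well-formed INVITE from A to B
    "INVITE sip:bob@example.test SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 70\r\n"
    "From: Alice <sip:alice@example.test>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.test>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Malformed: a header without its colon and a CSeq naming the wrong method.
MALFORMED = INVITE.replace("Max-Forwards: 70", "Max-Forwards 70").replace("314159 INVITE", "314159 BYE")
# Tampered: the grammar is intact, only the callee has been swapped.
TAMPERED = INVITE.replace("sip:bob@", "sip:carol@")
```

`check_request(MALFORMED)` reports three violations, while `check_request(TAMPERED)` returns an empty list: a grammar check alone cannot tell a tampered request from a genuine one, which is the distinction the report draws between the two attacks.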
Attacks due to lack of authentication:

1) Denial of service attacks: Broadly classified into DoS and DDoS. These are attacks aimed at keeping the target user from utilizing network resources. This is not only a target-based attack but also a group-based attack. In DoS the attacker chooses from various available hacking options, but all are intended for the same purpose of denying service. One example is when the attacker chooses to flood packets to keep the target user busy at the link level, disallowing any kind of outgoing communication from the device. For the duration of the attack the target user remains idle, and the extended issue here becomes authentication, because in most cases the attacker penetrates the network acting as the idle device that is temporarily not on the network. There are key relations and interconnections between the various attacks explained in this project and they will be highlighted. In DoS attacks the hacker, based on network difficulty, chooses to operate from one location (geographically or on the network) or from multiple different locations; when the attacker intends to make the attack untraceable or less traceable to its source, a variant called distributed DoS (DDoS) is often used. A typical DDoS will have multiple origins on the network with a varying number of bouncing IP addresses. It can often be noted that hackers use bounced-back routers to cover up their attacks.

2) IP spoofing: Just like DoS, IP spoofing attacks are also very broad and extensively used as a foundation for various other types of attacks. An IP address can be spoofed with limited but available scripts and software online.
IP spoofing attacks can be used for the following reasons:
- IP spoofing can be used to infringe on a network, especially in the case of SIP where authentication is lacking, and then to perform the desired attacks.
- It can also be used as a foundation for packet flooding within a network to cause denial of service towards the target user.
- IP spoofing is often referred to as one of the most efficient methods to eavesdrop or sniff on a network. When a hacker spoofs an IP and becomes part of a SIP-oriented network, the lack of authentication makes the IP, and the attacker, an authorized user on the network, provided the IP addressing schemes match. This is called an attack where the hacker "hides in plain sight".

3) Man-in-the-middle attacks: With repetitive characteristics, this type of attack is widely used as a foundation for other attacks like eavesdropping, DoS, DDoS, registration hacking, message tampering, etc.

Figure 1.1: Man-in-the-middle attack; www.backtrack-linux.org

This is termed man in the middle because the attacker is virtually present between the two peers interacting with each other. In either case it can be noted that it is sometimes important for the attacker/malicious user/hacker to use this man-in-the-middle attack as a foundation for greater and more specific attacks.

4) Eavesdropping: The simple and straightforward purpose of this attack is to overhear in secrecy an ongoing session between two end users, and it is very important to note that this kind of attack is performed on the foundation built by IP spoofing and man-in-the-middle attacks.

The issues due to lack of reliability and information security relate to the functioning of RTP over TCP and/or UDP after SIP session initialization; to keep the project within its premise, these issues are not discussed.
Other widely discussed issues about SIP

- Registration hacking: In this the attacker pretends to be a registered user and replaces the original user to take over. This occurs on the network with the malicious device registering with the server as the original device.

Figure 2: Registration hacking, created by Paint

- IP spoofing and proxy impersonation are often confused as one. The difference lies in the element being spoofed in each case. IP spoofing, as the name suggests and as explained earlier, is an attack whereby the IP address of an authenticated device is borrowed temporarily to utilize the services of the network. This eventually puts the device whose IP is spoofed into an idle state on the network grid for a while. Proxy impersonation, on the other hand, is where the attacker claims the identity of the proxy server, taking temporary control over all ongoing (voice) sessions and the devices interacting with it.

The need for better security in SIP

An interesting aspect of SIP is its widely accepted use in the VoIP world. With the advent of VoLTE the demand for layered security and in-built protocol security is on the rise. It is often concluded that laying an upper-layer telephony solution over the SIP deployment is the best solution to avoid the various issues discussed in this project. But seldom is it highlighted that the telephony solution in place will then heavily affect the security parameters of SIP, which could be avoided by developing a concise in-built security standard for SIP.

Solutions and Conclusion:

SIP can primarily be protected by the capabilities of the fundamental IP and VoIP protocol security suites/standards, together with an apt telephony solution in place that can resolve the specific issues related to SIP.
Most attacks need to be prevented rather than detected after the fact. Most signaling attacks, as mentioned earlier, are used mainly as a platform for other attacks like denial of service and eavesdropping. In either scenario it is important to note that a system running SIP should be protected mainly against DoS attacks in order to maintain QoS. The most fundamental form of security and protection should be exerted on the signaling front, and in more critical cases a secondary layer protecting the transport between the two devices in session is sometimes added as well. But this again is a question of the security of the RTP stream, which is not the premise of this project, since SIP security vulnerabilities and suggesting apt solutions for them is the purpose of this paper.

SIP can be basically secured with IP and VoIP security; one option is to use TCP/IP rather than UDP for SIP signaling, which can be secured more readily. TLS (Transport Layer Security) can additionally be enabled over a protected TCP/IP signaling channel to enhance SIP security. This provides strong encryption and authentication, which raises the difficulty level for an attacker attempting SIP message spoofing. Although compatibility issues may arise when using TLS over TCP/IP, most SIP security specialists recommend not compromising on the cost of the system when securing it. Likewise, SIP-aware firewalls can additionally be used to prevent unauthorized access from a source outside the network. Backup connections and databases are extensively used nowadays to mitigate DoS attacks. QoS is often used to improve the priority of VoIP traffic, which in turn provides a surface layer of security for the RTP stream and SIP.
The hacker or malicious user could also be kept at bay by using the raw UDP transport method with ZRTP.

Conclusion

SIP security vulnerabilities are as explained in this project. It is evident that if these vulnerabilities or issues are not acted against, they could be a big menace to the whole SIP-deployed system. Individual components and elements of the protocol could be protected separately, or the elements could be secured as a whole; in either case the preventive measures briefed earlier could be used. Now, especially with the advent of VoLTE, which provides for a higher level of integration between the PSTN, IMS and VoIP networks, a small loophole in one segment of one of the voice networks could eventually lead to a bigger threat for the larger VoLTE system in place. SIP is one such loophole, and it is very necessary to recognize, understand and prevent the issues pertaining to the Session Initiation Protocol (SIP) and hence deploy a better network with better security standards.

REFERENCES:
1) http://www.packetizer.com/ipmc/sip/papers/understanding_sip_voip/sip_call_flow.png
2) www.voip-info.org/wiki/view/SIP+security
3) download.securelogix.com/library/SIP_Security030105.pdf
4) http://startrinity.com/VoIP/Resources/sip-security-mechanisms-a-state-of-the-art-review.pdf
5) http://ieeexplore.ieee.org/xpl/abstractAuthors.jsp?arnumber=1081764
6) http://searchunifiedcommunications.techtarget.com/feature/Security-in-a-SIP-network-Identifyingnetwork-attacks
7) muhammadakbar.com/files/globecom09-zubair.pdf
8) http://backtrack-linux.org