Secure IP Telephony using Multi-layered Protection

Brennen Reynolds, Off-Piste Consulting, LLC (formerly of University of California, Davis)
Dipak Ghosal, University of California, Davis

Motivation
  - What is IP Telephony?
    - Packetized voice over IP
    - PSTN access through Media/Signal Gateways (MSG)
  - Benefits:
    - Improved network utilization
    - Next generation services
  - Growth:
    - Revenues of $1.7 billion in 2001; 6% of international traffic was carried over IP, and growing [Frost 2002] [Telegeography 2002]
  - Standardized, deployed protocols (TRIP, SIP, H.323)

Security Is Essential
  - IP Telephony inherits all properties of the IP protocol, including its security weaknesses
  - Ensuring the security of a critical service must be a top priority
  - Convergence of two global and structurally different networks introduces new security weaknesses

Agenda
  - IP Telephony Enabled Enterprise Networks
  - IP Telephony Call Setup
  - Vulnerability Analysis
  - Detection and Control of Flood-based DoS Attacks
  - Preliminary Experimental Results
  - Future Work

IP Telephony Enabled Enterprise Network Architecture
  [Figure: enterprise network architecture diagram]

Net-to-Net Call Setup
  [Figure: call setup between a SIP IP Phone, DNS Server, SIP Redirect Proxies, SIP Registrar / Location Server and the destination SIP IP Phone; the numbered steps are:]
  1. A request (SIP INVITE) is sent to ESTABLISH a session
  2. DNS query for the IP address of the SIP proxy of the destination domain
  3. The INVITE is forwarded to the destination domain's SIP Redirect Proxy
  4. The Location Service (SIP Registrar / Location Server) is queried to check that the destination represents a valid registered device, and for its IP address
  5. The request is forwarded to the end device
  6. Media transport: the destination device returns its IP address to the originating device and a media connection is opened

Vulnerability Analysis
  - Property oriented approach:
    - Access control to use the IP telephony service
    - Integrity and authenticity of IP telephony signaling messages
    - Resource availability and fairness in providing the IP telephony service
    - Confidentiality and accountability

Access Control
  - Deny unauthorized users access to the IP telephony service
  - Central authentication servers, e.g. a RADIUS server
  - Enable the various network elements to query the authentication server

Integrity and Authenticity of Signaling Messages
  - Call Based Denial of Service: CANCEL messages, BYE messages, Unavailable responses
  - Call Redirection: re-registering with a bogus terminal address, "user moved to new address", redirect to an additional proxy
  - User Impersonation

Payload Encryption
  - Capture and decoding of the voice stream: can be done in real time very easily
  - Capture of DTMF information: voice mail access code, credit card number, bank account
  - Call profiling based on information in message headers

Resource Fairness and Availability
  - Flood based attacks against:
    - Network bandwidth between the enterprise and the external network
    - Server resources at control points:
      - SIP Proxy Server
      - Voice ports in the Media/Signaling Gateway
      - Signaling link between the Media/Signaling Gateway and the PSTN
    - End user

Internet Originated Attack
  - The enterprise network connection can be flooded using techniques like SYN flooding
  - Resources on the SIP proxy can be exhausted by a large flood of incoming calls
  - The end user receives a large number of SIP INVITE requests in a brief period of time

PSTN Originated Attack
  - The signaling link between the M/S gateway and the PSTN STP becomes saturated with messages
  - Voice ports on the M/S gateway are completely allocated
  - A large number of PSTN endpoints attempt to contact a single individual, resulting in a high volume of INVITE messages

Secure IP Telephony Architecture
  - Application Layer Attack Sensor (ALAS)
    - Monitors the number of SIP INVITE requests and SIP OK (call acceptance) responses
    - URI level monitor
    - Aggregate level monitor
    - Detection Algorithm
    - Response Algorithm: the proxy or M/S gateway returns "temporarily busy" messages
  - Transport Layer Attack Sensor (TLAS)
    - Monitors the number of TCP SYN and ACK packets
    - Traffic is monitored at an aggregate level
    - Upon detection of an attack, throttling is applied by perimeter devices (e.g. a firewall)
    - If the attack persists, traceback technologies can be used to drop malicious traffic at an upstream point
  - RTP Stream Attack Sensor (RSAS)
    - Detects malicious RTP and RTCP streams
    - Parameters of the RTP streams are known at connection setup time
    - Polices individual streams; statistical techniques determine large flows
    - Packets corresponding to malicious streams are dropped at the firewall
    - Needs the cooperation of upstream routers to mitigate link saturation

Detection Algorithm for ALAS
  - Monitoring the volume of connection attempts against the volume of completed connection handshakes can be used to detect an attack
  - Based on the sequential change point detection method proposed by Wang, Zhang and Shin (Infocom 2002) to detect TCP SYN attacks

Detection Algorithm
  - All connection setup attempts EA(n) and completed handshakes HS(n) are counted during the observation period
  - During each sampling period n the difference is computed and normalized by an exponentially weighted average of the completed handshakes (α is the smoothing weight, 0 < α < 1):

    $X(n) = \frac{EA(n) - HS(n)}{\bar{C}(n)}, \qquad \bar{C}(n) = \alpha\,\bar{C}(n-1) + (1-\alpha)\,HS(n)$

Detection Algorithm (cont.)
  - Under normal operation the resulting value X(n) should be very close to 0
  - In the presence of an attack the result is a large positive number
  - A cumulative sum method is applied to detect short high-volume attacks as well as longer low-volume attacks

Recovery Algorithm
  - Linear Recovery: the default behavior of the detection algorithm
  - Exponential Recovery: the cumulative sum decreases multiplicatively once the attack has ceased
  - Reset after Timeout: the cumulative sum decays linearly until a timer expires, at which point it is reset to 0

Preliminary Results
  - Types of attack:
    - Limited DoS attack: a single user targeted by one or more attackers
    - Stealth DoS attack: multiple users targeted by one or more attackers, each with a low volume of call requests
    - Aggressive DoS attack: multiple users targeted with a high volume of call requests
  - Ability to detect both aggregate level attacks and attacks on individual URIs

Preliminary Results
  [Figure: calculated value of Yn against time (minutes, 1 to 29) for Exponential Recovery and Linear Recovery, with the detection threshold drawn at 5; Limited DoS attack with 10 calls/min to a single URI]

Summary of Detection and Recovery Results

  Detection Time
    Attack Type                     | Detection Time
    4 calls/min, Limited DoS        | 4 min (URI level)
    10 calls/min, Limited DoS       | 2 min (URI level)
    50 URI Aggressive DoS           | 6 min (URI level), 8 min (aggregate level)
    200 URI Stealth DoS             | 4 min (aggregate level)

  Recovery Time
    Recovery Algorithm              | Recovery Time
    4 calls/min, Linear             | 3 min
    10 calls/min, Linear            | 17 min
    10 calls/min, Exponential       | 6 min
    10 calls/min, Reset after Timeout (R.a.T.) | 3 min

Future Work
  - Detailed analysis
    - Formal vulnerability analysis
    - Tradeoff between detection time and false alarm rate
  - Additional vulnerabilities with ENUM
  - Routing layer issues
    - Vulnerabilities of multihomed networks

Additional Information
  - Master's Thesis: Enabling Secure IP Telephony in Enterprise Networks
    http://www.off-pisteconsulting.com/research/pubs/reynolds-ms_thesis.pdf
  - Presentation Slides
    http://www.off-pisteconsulting.com/research/pubs/ndss03-slides.ppt

Contact Information:
  Brennen Reynolds, Off-Piste Consulting, LLC, brennen@off-pisteconsulting.com
  Dipak Ghosal, PhD., University of California, Davis, ghosal@cs.ucdavis.edu
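The ALAS detection and recovery behaviour described above, as an added worked example (not code from the slides or the authors). The slides give only the normalized difference X(n); the CUSUM update Y(n) = max(0, Y(n-1) + X(n) - a), the drift a, the EWMA weight α, the threshold and the three recovery rules are assumptions modelled on the Wang, Zhang and Shin method the slides cite, and the INVITE/OK trace is constructed.

```python
# Added example: CUSUM-style SIP INVITE flood detector modelled on the ALAS slides.
# Alpha, drift, threshold and the CUSUM update are assumptions following the
# Wang/Zhang/Shin method the slides cite; the slides only give X(n).
class InviteFloodDetector:
    def __init__(self, recovery="linear", alpha=0.9, drift=0.25,
                 threshold=1.1, decay=0.5, timeout=3):
        assert recovery in ("linear", "exponential", "reset")
        self.recovery, self.alpha, self.drift = recovery, alpha, drift
        self.threshold, self.decay, self.timeout = threshold, decay, timeout
        self.cbar = None   # C̄(n): EWMA baseline of completed handshakes HS(n)
        self.y = 0.0       # cumulative sum Y(n)
        self.quiet = 0     # consecutive attack-free periods (reset-after-timeout)

    def step(self, ea, hs):
        """Feed one period's counts EA(n), HS(n); return (X(n), Y(n), alarm)."""
        if self.cbar is None:                 # seed baseline from the first sample
            self.cbar = float(hs)
        x = (ea - hs) / max(self.cbar, 1.0)   # X(n) = (EA(n) - HS(n)) / C̄(n)
        self.cbar = self.alpha * self.cbar + (1 - self.alpha) * hs
        inc = x - self.drift
        if inc > 0:                           # excess unanswered INVITEs: accumulate
            self.y += inc
            self.quiet = 0
        elif self.recovery == "exponential":
            self.y *= self.decay              # multiplicative decrease once attack ceases
        else:
            self.y = max(0.0, self.y + inc)   # linear decay (default CUSUM behaviour)
            self.quiet += 1
            if self.recovery == "reset" and self.quiet >= self.timeout:
                self.y = 0.0                  # timer expired: reset the sum
        return x, self.y, self.y > self.threshold


def detect_and_clear(samples, recovery):
    """Return (first period the alarm raises, first period it clears afterwards)."""
    det, first, clear = InviteFloodDetector(recovery), None, None
    for n, (ea, hs) in enumerate(samples):
        alarm = det.step(ea, hs)[2]
        if alarm and first is None:
            first = n
        elif first is not None and not alarm and clear is None:
            clear = n
    return first, clear


# Constructed trace: 20 legitimate calls/min that all complete, plus 10
# unanswered INVITEs/min to one URI during periods 5..14 (a "limited DoS").
TRACE = [(20, 20)] * 5 + [(30, 20)] * 10 + [(20, 20)] * 12
```

With this trace all three modes raise the alarm in period 9; linear recovery clears it six periods after the flood stops, reset-after-timeout three, exponential two, the same ordering the slides report.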