[VOIPSEC] VoIP vulnerabilities summarization
Simon Horne
s.horne at packetizer.com
Thu Dec 15 00:44:59 CST 2005
I'm sorry Sukery, but this is largely opinion, not necessarily backed by fact.
Here are a couple of comparisons:
At a glance
http://microtronix.ca/sip_vs_h323.htm
More indepth
http://www.comsoc.org/livepubs/surveys/public/2003/oct/glasmann.html
Simon
At 12:43 PM 15/12/2005, sukery wrote:
> I think the introduction of VPN/IPsec will reduce system efficiency.
>As to the comparison of SIP and H.323:
>1. H.323, which is defined by ITU-T, tends to be a telecom application; it
>regards VoIP as an extension of the telecommunication field. However, SIP,
>which is defined by IETF, reuses many mechanisms from existing famous
>internet protocols, such as HTTP, SMTP, RTP, DNS...; it regards VoIP as a
>totally internet application. As we all know, now IP meltage is a trend,
>so SIP is going to gain more and more acceptance.
>2. H.323 is based on binary codecs (BER, PER), and is very complex in call
>control signals, while SIP is based on text, and its control signals are
>simple. Furthermore, many existing internet protocol (such as HTTP)
>implementations can be used as a reference for SIP system realization.
>3. SIP is much more flexible and extensible compared to H.323, for its
>Methods, header fields and message body can be extended and added easily.
>H.323 is indeed not easy to extend.
>4. SIP is not only a VoIP protocol; in fact, it has many more important
>uses besides VoIP. It is the communication protocol between softswitches
>and between softswitch and AS in the NGN network; it is the main protocol
>in IMS (3G core network).
>
>So, SIP is IP oriented, simple, extensible, flexible and broadly used. I
>think SIP is definitely the tendency; I will choose SIP when realizing a VoIP
>system.
>
>But please note that SIP is immature compared to H.323.
>
> >Hi Sukery
> >
> >I think you made a good summarization of the vulnerabilities and I agree
> >with what you say.
> >
> >Sukery, I need your help.
> >I'm from Cuba and at this moment I'm working on a project with the title
> >"QoS in VoIP with security". As the title says, my problem
> >is related to having a high level of QoS on real VoIP networks.
> >
> >For example:
> >
> >What happens to the QoS if I use a firewall or VPN or NAT or IPsec on
> >VoIP networks?
> >
> >Which is better to use on VoIP networks, SIP or H.323???
> >
> >I need information about these terms; if you have anything related to
> >them, please send it to me.
> >
> >Best regards,
> >Ing. Pavel González G.
> >Administrador RED CECAT. CUJAE
> >Telf: 2663843,2663827
> >pavel at cecat.cujae.edu.cu
> >
> >
> >----- Original Message -----
> >From: "sukery" <sukerry at 126.com>
> >To: <Voipsec at voipsa.org>
> >Sent: Wednesday, December 14, 2005 8:40 AM
> >Subject: Re: [VOIPSEC] VoIP vulnerabilities summarization
> >
> >
> >>
> >> Hi Janne:
> >> Thank you for your comment, I totally agree with what you said.
> >> I am a graduate student; our project is focused on VoIP security. We
> >> first study the vulnerabilities of VoIP-related protocols (especially
> >> SIP), then define some attack scenarios according to the vulnerabilities
> >> we discovered and realize all these attacks; finally we test our attack
> >> system on real VoIP networks (supplied by an internationally famous VoIP
> >> manufacturer). The attacks include:
> >> exception-packet attack against server
> >> DoS attack against server
> >> disturbance call attack against endpoints
> >> pseudo call attack against endpoints
> >> call leaflet attack against endpoints
> >> SIP password crack
> >> voice eavesdropping (and maybe voice replacement and voice disturbance)
> >> voice broadcast & call leaflet attack against PSTN terminals (via VoIP
> >> gateway)
> >> and maybe more
> >>
> >> I am very, very sorry to say that due to the confidentiality of this
> >> project, I cannot make our attack system public yet. That is the wish
> >> of the sponsor of this project.
> >> Anyway, I would like to discuss with you as much as possible :)
> >>
> >>
> >>>Hi Sukery,
> >>>
> >>>I think you made a good summarization of the vulnerabilities and I agree
> >>>with what you say.
> >>>
> >>>But I think several of the problems you mention can be solved by using
> >>>TLS to protect the signalling and SRTP to protect the media as described
> >>>in existing standards and drafts. These technologies may not be widely
> >>>spread among existing implementations but they exist and your list
> >>>provides some good reasons that may motivate others to follow.
> >>>
> >>>I'm also interested in what tool you used.
> >>>
> >>>Cheers
> >>>/Janne
> >>>
> >>>> 2. SIP reuses the authentication mechanism from the HTTP protocol; in fact,
> >>>> HTTP authentication is totally imperfect when applied to the SIP protocol,
> >>>> for it is a single-direction authentication, which means that only the
> >>>> server authenticates the endpoints; the endpoints do not authenticate the
> >>>> server. This situation makes it easy to deceive endpoints because they do
> >>>> not authenticate any entity in the network. Pseudo call (calling someone
> >>>> with a false user id) and server impersonation are dangerous attacks due
> >>>> to this vulnerability.
> >>>>
> >>>> 3. SIP communication is based on message transactions; however, the SIP
> >>>> transaction mechanism is quite complicated. For example, when a stateful
> >>>> proxy server receives a SIP request message, it first computes the
> >>>> transaction ID for this message; if the transaction ID did not exist
> >>>> before, this request message is regarded as a new message, and the server
> >>>> will do a lot of things for this new message: save this message, create a
> >>>> finite state machine for this message, construct a provisional response
> >>>> message and send it back, save this response message, update the finite
> >>>> state machine, decide the next hop of this request message based on the
> >>>> complex routing rules, transfer the request message, create one or more
> >>>> client transactions for the request message ... These steps surely consume
> >>>> lots of CPU and memory resources. As a result, the server is susceptible
> >>>> to DoS attacks when a hacker continually sends large quantities of SIP
> >>>> request messages with different Call-IDs.
> >>>>
> >>>> 4. Unencrypted media streams such as RTP data are easy to wiretap.
> >>>>
> >>>> 5. Almost all VoIP software has some code flaws; in this case, even a
> >>>> malicious packet may bring down the server. We call this packet an
> >>>> exception packet; in fact we have found exception packets against both
> >>>> SIP servers and H.323 servers.
> >>>>
> >>>> 6. VoIP endpoints are much more intellectualized than traditional PSTN
> >>>> terminals; however, when this capability is abused, a lot of malicious
> >>>> network attacks appear:
> >>>> disturbance call
> >>>> call leaflet
> >>>> voice broadcast
> >>>> and more...
> >>>>
> >>>>
> >>>> >Chris
> >>>> >
> >>>> >I'm pretty heavily involved in SIP standards development, and have been
> >>>> >for some time. I talk regularly with the kind of folks that I think would
> >>>> >know if their stuff had been "hit". I know about plenty of attacks on the
> >>>> >underlying infrastructure, including the platform attacks. I have NEVER
> >>>> >heard even a whisper of an actual attack on VoIP equipment that used
> >>>> >exploits specifically related to SIP (which I don't think is substantially
> >>>> >better or worse than other VoIP protocols).
> >>>> >_______________________________________________
> >>>> >Voipsec mailing list
> >>>> >Voipsec at voipsa.org
> >>>> >http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
Simon Horne
Director
Packetizer Labs
www.packetizer.com/labs
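Point 3 of the quoted vulnerability list (a stream of requests carrying different Call-IDs, each forcing a stateful proxy to allocate a transaction, a state machine and a provisional response) is the kind of load a proxy operator can watch for on the server side. The following is an added example written for this page, not code from the thread, from any list member, or from any VoIP product: a small Python monitor that counts distinct Call-IDs per source address inside a sliding time window and deliberately ignores retransmissions of a Call-ID it has already counted, because an ordinary UA resending an INVITE over UDP creates no new server state. The one-line log format, the sample lines, the addresses, the window length and the threshold are all constructed assumptions, not any proxy's real log format.

```python
import re
from collections import defaultdict, deque

# Constructed sample log lines (not from the thread or from any real system).
# Assumed format: "<unix_ts> <source_ip> <METHOD> <Call-ID>".
# 192.0.2.10 places three normal calls (call-1 is retransmitted once);
# 198.51.100.7 sends seven INVITEs with seven different Call-IDs in 0.6 s.
SAMPLE_LOG = """
1134600000.0 192.0.2.10 INVITE call-1@192.0.2.10
1134600000.5 192.0.2.10 INVITE call-1@192.0.2.10
1134600003.0 192.0.2.10 INVITE call-2@192.0.2.10
1134600004.0 198.51.100.7 INVITE x1@198.51.100.7
1134600004.1 198.51.100.7 INVITE x2@198.51.100.7
1134600004.2 198.51.100.7 INVITE x3@198.51.100.7
1134600004.3 198.51.100.7 INVITE x4@198.51.100.7
1134600004.4 198.51.100.7 INVITE x5@198.51.100.7
1134600004.5 198.51.100.7 INVITE x6@198.51.100.7
1134600004.6 198.51.100.7 INVITE x7@198.51.100.7
1134600009.0 192.0.2.10 INVITE call-3@192.0.2.10
this line is not a log record and is skipped
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<callid>\S+)$"
)


def parse_line(line):
    """Return (timestamp, source, method, call_id) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return float(m.group("ts")), m.group("src"), m.group("method"), m.group("callid")


class NewTransactionRateMonitor:
    """Count distinct Call-IDs per source inside a sliding window.

    A Call-ID already inside the window is a retransmission and is not counted,
    so only requests that would create new proxy state contribute to the rate.
    """

    def __init__(self, window_seconds=10.0, threshold=5):
        self.window = window_seconds
        self.threshold = threshold
        self.recent = defaultdict(deque)  # src -> deque of (ts, call_id), oldest first
        self.known = defaultdict(set)     # src -> Call-IDs currently inside the window
        self.last_alert = {}              # src -> timestamp of the last alert raised
        self.alerts = []                  # (src, ts, distinct Call-IDs in window)

    def _expire(self, src, now):
        # Drop Call-IDs whose first sighting has fallen out of the window.
        queue = self.recent[src]
        while queue and now - queue[0][0] > self.window:
            _, old_call_id = queue.popleft()
            self.known[src].discard(old_call_id)

    def observe(self, ts, src, method, call_id):
        """Feed one request; return an alert tuple when the threshold is crossed."""
        if method != "INVITE":  # only dialog-creating requests are of interest here
            return None
        self._expire(src, ts)
        if call_id in self.known[src]:
            return None  # retransmission: no new transaction on the proxy
        self.known[src].add(call_id)
        self.recent[src].append((ts, call_id))
        count = len(self.recent[src])
        if count > self.threshold:
            last = self.last_alert.get(src)
            # Raise at most one alert per source per window to avoid alert floods.
            if last is None or ts - last > self.window:
                self.last_alert[src] = ts
                alert = (src, ts, count)
                self.alerts.append(alert)
                return alert
        return None


def scan(lines, window_seconds=10.0, threshold=5):
    """Run the monitor over an iterable of log lines and return the alerts raised."""
    monitor = NewTransactionRateMonitor(window_seconds, threshold)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        monitor.observe(*parsed)
    return monitor.alerts


if __name__ == "__main__":
    for src, ts, count in scan(SAMPLE_LOG):
        print(f"{src}: {count} distinct Call-IDs within 10 s at {ts}")
```

The threshold and window are deliberately left as parameters: a legitimate PBX or trunk gateway in front of many users produces far more distinct Call-IDs per second than a single phone, so a deployment would set them per source class rather than globally, and would feed the alert into rate limiting at the proxy rather than dropping traffic outright.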