[VOIPSEC] VoIP vulnerabilities summarization
sukery
sukerry at 126.com
Thu Dec 15 01:52:45 CST 2005
Hi Simon,
thank you very much for giving us such good material, I learned a lot.
Now I think I was biased against H.323 a little, but I still hold the opinion that SIP is going to win over H.323.
>I'm sorry Sukery, but this is largely opinion not necessarily backed by fact.
>
>Here is a couple of comparisons
>At a glance
>http://microtronix.ca/sip_vs_h323.htm
>
>More indepth
>http://www.comsoc.org/livepubs/surveys/public/2003/oct/glasmann.html
>
>Simon
>
>
>At 12:43 PM 15/12/2005, sukery wrote:
>
>>I think the introduction of VPN IPsec will reduce system efficiency.
>>As to the comparison of SIP and H.323:
>>1. H.323, which is defined by ITU-T, tends to be a telecom application; it
>>regards VoIP as an extension of the telecommunication field. However, SIP,
>>which is defined by IETF, reuses many mechanisms from existing famous internet
>>protocols, such as HTTP, SMTP, RTP, DNS...; it regards VoIP as a
>>totally internet application. As we all know, IP meltage is now a trend,
>>so SIP is going to gain more and more acceptance.
>>2. H.323 is based on binary codecs (BER, PER), and is very complex in call
>>control signals, while SIP is based on text, and its control signals are
>>simple. Furthermore, many existing internet protocol (such as HTTP)
>>implementations can be used as a reference for SIP system realization.
>>3. SIP is much more flexible and extensible compared to H.323, in that
>>its methods, header fields and message body can be extended and added easily.
>>H.323 is indeed not easy to extend.
>>4. SIP is not only a VoIP protocol; in fact, it has many more important
>>uses besides VoIP. It is the communication protocol between softswitches
>>and between softswitch and AS in the NGN network, and it is the main protocol
>>in IMS (3G core network).
>>
>>So, SIP is IP oriented, simple, extensible, flexible and broadly used. I
>>think SIP is definitely the tendency; I will choose SIP when realizing a VoIP
>>system.
>>
>>But please note that SIP is immature compared to H.323.
>>
>> >Hi Sukery
>> >
>> >I think you made a good summarization of the vulnerabilities and I agree
>> >with what you say.
>> >
>> >Sukery, I need your help.
>> >I'm from Cuba and at this moment I'm working on a project with the title "QoS
>> >in VoIP with security". As the title says, my problem
>> >is related to having a high level of QoS on real VoIP networks.
>> >
>> >For example:
>> >
>> >What happens with the QoS if I use a firewall or VPN or NAP or IPsec on
>> >VoIP networks?
>> >
>> >Which is better to use on VoIP networks, SIP or H.323???
>> >
>> >I need information about these terms; if you have anything related with it,
>> >please send me.
>> >
>> >Best regards,
>> >Ing. Pavel González G.
>> >Administrador RED CECAT. CUJAE
>> >Telf: 2663843,2663827
>> >pavel at cecat.cujae.edu.cu
>> >
>> >
>> >----- Original Message -----
>> >From: "sukery" <sukerry at 126.com>
>> >To: <Voipsec at voipsa.org>
>> >Sent: Wednesday, December 14, 2005 8:40 AM
>> >Subject: Re: [VOIPSEC] VoIP vulnerabilities summarization
>> >
>> >
>> >>
>> >> Hi Janne:
>> >> thank you for your comment, I totally agree with what you said.
>> >> I am a graduate student; our project is focused on VoIP security. We
>> >> first study the vulnerabilities of VoIP related protocols (especially
>> >> SIP), then define some attack scenarios according to these vulnerabilities
>> >> we discovered and realize all these attacks; finally we test our attack
>> >> system on real VoIP networks (supplied by an internationally famous VoIP
>> >> manufacturer). The attacks include:
>> >> exception-packet attack against server
>> >> DoS attack against server
>> >> disturbance call attack against endpoints
>> >> pseudo call attack against endpoints
>> >> call leaflet attack against endpoints
>> >> SIP password crack
>> >> voice eavesdropping (and maybe voice replacement and voice disturbance)
>> >> voice broadcast & call leaflet attack against PSTN terminals (via VoIP
>> >> gateway)
>> >> and maybe more
>> >>
>> >> I am very very sorry to say that due to the confidentiality of this
>> >> project, I can not make our attack system public yet. That's the meaning
>> >> of the sponsor of this project.
>> >> Anyway, I would like to discuss with you as much as possible :)
>> >>
>> >>
>> >>>Hi Sukery,
>> >>>
>> >>>I think you made a good summarization of the vulnerabilities and I agree
>> >>>with what you say.
>> >>>
>> >>>But I think several of the problems you mention can be solved by using
>> >>>TLS to protect the signalling and SRTP to protect the media as described
>> >>>in existing standards and drafts. These technologies may not be widely
>> >>>spread among existing implementations but they exist and your list
>> >>>provides some good reasons that may motivate others to follow.
>> >>>
>> >>>I'm also interested in what tool you used.
>> >>>
>> >>>Cheers
>> >>>/Janne
>> >>>
>> >>>> 2. SIP reuses the authentication mechanism from the HTTP protocol; in fact HTTP
>> >>>> authentication is totally imperfect when applied to the SIP protocol, in that
>> >>>> it is a single-direction authentication, which means that only the server
>> >>>> authenticates the endpoints; the endpoints do not authenticate the
>> >>>> server. This situation makes it easy to deceive endpoints because they do
>> >>>> not authenticate any entity in the network. Pseudo call (calling someone with
>> >>>> a false user id) and server impersonation are dangerous attacks due to this
>> >>>> vulnerability.
>> >>>>
>> >>>> 3. SIP communication is based on message transactions; however, the SIP
>> >>>> transaction mechanism is quite complicated. For example, when a stateful
>> >>>> proxy server receives a SIP request message, it first computes the
>> >>>> transaction ID for this message; if the transaction ID did not exist
>> >>>> before, this request message is regarded as a new message, and the server
>> >>>> will do a lot of things for this new message: save this message, create a
>> >>>> finite state machine for this message, construct a provisional response
>> >>>> message and send it back, save this response message, update the finite
>> >>>> state machine, decide the next hop of this request message based on the
>> >>>> complex routing rules, transfer the request message, create one or more
>> >>>> client transactions for the request message... These steps surely consume
>> >>>> lots of CPU and memory resources. As a result, the server is susceptible
>> >>>> to DoS attacks when a hacker continually sends large quantities of SIP
>> >>>> request messages with different Call-IDs.
>> >>>>
>> >>>> 4. Unencrypted media streams such as RTP data are easy to wiretap.
>> >>>>
>> >>>> 5. Almost all VoIP software has some code flaws; in this case, even a
>> >>>> malicious packet may bring down the server. We call this packet an exception
>> >>>> packet; in fact we have found exception packets against both SIP servers
>> >>>> and H.323 servers.
>> >>>>
>> >>>> 6. VoIP endpoints are much more intellectualized than traditional PSTN
>> >>>> terminals; however, when this capability is abused, a lot of malicious
>> >>>> network attacks appear:
>> >>>> disturbance call
>> >>>> call leaflet
>> >>>> voice broadcast
>> >>>> and more...
>> >>>>
>> >>>>
>> >>>> >Chris
>> >>>> >
>> >>>> >I'm pretty heavily involved in SIP standards development, and have been
>> >>>> >for some time. I talk regularly with the kind of folks that I think would
>> >>>> >know if their stuff had been "hit". I know about plenty of attacks on the
>> >>>> >underlying infrastructure, including the platform attacks. I have NEVER
>> >>>> >heard even a whisper of an actual attack on VoIP equipment that used
>> >>>> >exploits specifically related to SIP (which I don't think is substantially
>> >>>> >better or worse than other VoIP protocols).
>> >>>> >_______________________________________________
>> >>>> >Voipsec mailing list
>> >>>> >Voipsec at voipsa.org
>> >>>> >http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
>Simon Horne
>Director
>Packetizer Labs
>www.packetizer.com/labs
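The stateful-proxy cost described in item 3 of the quoted list (a fresh transaction ID forces the server to allocate a new state machine) is also what a defender can watch for. The following Python is an added example, not code from anyone in this thread: it computes the RFC 3261 server-transaction key from the top Via branch, sent-by address and method, counts how many new transactions each source opens per window, and flags a source that exceeds a threshold; the SIP messages, window and threshold are constructed values for illustration.

```python
import re
from collections import defaultdict, deque

def make_invite(src, callid, branch):
    """Build a constructed SIP INVITE (sample input, not captured traffic)."""
    return (f"INVITE sip:bob@example.net SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {src}:5060;branch={branch}\r\n"
            f"From: <sip:alice@example.net>;tag=1928\r\n"
            f"To: <sip:bob@example.net>\r\n"
            f"Call-ID: {callid}\r\n"
            f"CSeq: 1 INVITE\r\n\r\n")

def transaction_key(msg):
    """Server-transaction key per RFC 3261 section 17.2.3: (branch, sent-by,
    method). A never-seen key means the proxy must allocate new state."""
    method = msg.split("\r\n", 1)[0].split(" ", 1)[0]
    via = re.search(r"^Via:\s*SIP/2\.0/\S+\s+([^;\s]+);.*?branch=(\S+)", msg, re.M)
    if via is None:
        raise ValueError("no top Via header with branch parameter")
    return (via.group(2), via.group(1), method)

class NewTransactionMonitor:
    """Flags a source opening more new transactions per window than an assumed
    threshold; retransmissions match a known key and are not counted."""
    def __init__(self, window_s=1.0, threshold=20):
        self.window_s, self.threshold = window_s, threshold
        self.seen = set()
        self.recent = defaultdict(deque)   # sent-by host -> new-transaction times

    def observe(self, msg, now):
        key = transaction_key(msg)
        if key in self.seen:
            return False                   # retransmission of a known transaction
        self.seen.add(key)
        times = self.recent[key[1].split(":")[0]]
        times.append(now)
        while times and now - times[0] > self.window_s:
            times.popleft()
        return len(times) > self.threshold

def run_demo():
    """Legitimate phone (INVITE plus one retransmission) vs. a burst of eight
    INVITEs from another host, each with a fresh Call-ID and branch."""
    mon = NewTransactionMonitor(window_s=1.0, threshold=5)
    legit = make_invite("10.0.0.5", "c1@10.0.0.5", "z9hG4bK-a1")
    alerts = [mon.observe(legit, 0.0), mon.observe(legit, 0.5)]
    for i in range(8):
        flood = make_invite("192.0.2.9", f"x{i}@192.0.2.9", f"z9hG4bK-f{i}")
        alerts.append(mon.observe(flood, i * 0.1))
    return alerts
```

The retransmitted legitimate INVITE never raises an alert because its key is already known, while the sixth distinct INVITE from the bursting host trips the threshold.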