[VOIPSEC] Actual Attacks

Geoff Devine gdevine at cedarpointcom.com
Thu Mar 3 10:01:35 CST 2005


Ari Takanen writes:

> Any and every protocol has always enough freedom in the headers
> and content that you can even implement tunnelling protocols
> using them. Passing information like real IP addresses is just
> the beginning. I am sure someone will implement IP-over-SDP-s-field
> when the evildoers notice that SIP is open in all firewalls from
> anywhere to anywhere. This is what happened to every protocol
> that has been granted access through firewalls. There is not
> much you can do to avoid this, is there?

I cite ISDN as an example of a protocol where this is typically
operationally impossible.  The Q.931 spec defines an object called
User-User Information that is the catch-all for passing opaque
information from end to end.  It turned out that in real world
deployments, people were using this feature to steal service and
operators disabled passing the object through.  Australia had the worst
problem.  Users started using User-User-Info in SETUP messages as an IP
datagram transport and the flood of call setup messages ended up
bringing down their network.  Basic Rate ISDN endpoints were, in
essence, mounting a distributed denial of service attack against the
signaling network.

In the SIP environment, if you implement a Back 2 Back User Agent model
where an intelligence in the middle of the network has policy to only
allow signaling content it understands; and if you anonymize the
endpoints so they can't communicate to each other directly, you can
prevent these kinds of tunneling protocols and theft of service via
bypass.

Geoff
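The B2BUA policy Geoff describes (pass only the signaling content the middlebox understands, and hide the endpoints from each other) can be sketched as an allowlist normalizer. The following Python is an added example written for this archive page; it is not code from Geoff, from Cedar Point, or from any SIP stack. The header and SDP allowlists, the 192.0.2.1 relay address, and the sample INVITE are all constructed for illustration; the opaque `X-Custom` header, the oversized `s=` line, and the unknown `a=` attribute stand in for the kind of free-form fields that the quoted message warns can carry tunnelled data.

```python
"""Allowlist-based SIP/SDP normalizer in the spirit of a B2BUA policy:
signaling content the middlebox does not understand is dropped, and the
endpoint addresses are replaced by the B2BUA's own relay address."""

import re

# Constructed policy: the headers and SDP lines/attributes the middlebox understands.
ALLOWED_HEADERS = {
    "via", "from", "to", "call-id", "cseq", "contact", "max-forwards",
    "content-type", "content-length",
}
ALLOWED_SDP_LINES = {"v", "o", "s", "c", "t", "m", "a"}
ALLOWED_SDP_ATTRS = {"rtpmap", "sendrecv", "sendonly", "recvonly", "ptime"}

# Hypothetical relay address for the B2BUA (documentation range, RFC 5737).
B2BUA_ADDR = "192.0.2.1"


def filter_sdp(sdp: str):
    """Return (kept_lines, dropped_lines) for an SDP body under the policy."""
    kept, dropped = [], []
    for line in sdp.splitlines():
        if not line:
            continue
        if len(line) < 2 or line[1] != "=" or line[0] not in ALLOWED_SDP_LINES:
            dropped.append(line)          # i=, u=, e=, p=, unknown types: opaque, drop
            continue
        key, value = line[0], line[2:]
        if key == "a":
            if value.split(":", 1)[0] not in ALLOWED_SDP_ATTRS:
                dropped.append(line)      # attribute the B2BUA cannot interpret
                continue
        elif key == "s":
            if value != "-":
                dropped.append(line)      # free-form session name is never forwarded
            line = "s=-"
        elif key == "c":
            parts = value.split()
            if len(parts) == 3:
                parts[2] = B2BUA_ADDR     # media anchored at the relay, not the caller
                line = "c=" + " ".join(parts)
        elif key == "o":
            parts = value.split()
            if len(parts) == 6:
                parts[5] = B2BUA_ADDR     # origin address of the caller is hidden
                line = "o=" + " ".join(parts)
        kept.append(line)
    return kept, dropped


def normalize_message(raw: str):
    """Apply the policy to one SIP request. Returns (new_message, dropped_lines)."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    request_line, headers = lines[0], lines[1:]
    kept_headers, dropped = [], []
    for h in headers:
        name, sep, value = h.partition(":")
        lname = name.strip().lower()
        if not sep or lname not in ALLOWED_HEADERS:
            dropped.append(h)             # unknown header: not understood, not passed
            continue
        value = value.strip()
        if lname == "contact":
            # Hide the caller's real address: the far end only ever sees the B2BUA.
            value = re.sub(r"@[^;>\s]+", "@" + B2BUA_ADDR, value)
        elif lname == "via":
            # The B2BUA terminates the dialog, so the top Via is its own address.
            value = re.sub(r"(SIP/2\.0/\w+\s+)[^;\s]+", r"\g<1>" + B2BUA_ADDR, value)
        elif lname == "content-length":
            continue                      # recomputed from the filtered body below
        kept_headers.append(f"{name.strip()}: {value}")
    sdp_kept, sdp_dropped = filter_sdp(body)
    dropped.extend(sdp_dropped)
    new_body = "\r\n".join(sdp_kept) + ("\r\n" if sdp_kept else "")
    kept_headers.append(f"Content-Length: {len(new_body.encode())}")
    return "\r\n".join([request_line] + kept_headers) + "\r\n\r\n" + new_body, dropped


# Constructed sample INVITE carrying three things the policy does not understand.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.net SIP/2.0",
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776asdhds",
    "Max-Forwards: 70",
    "From: Alice <sip:alice@example.net>;tag=1928301774",
    "To: Bob <sip:bob@example.net>",
    "Call-ID: a84b4c76e66710@alice-pc",
    "CSeq: 314159 INVITE",
    "Contact: <sip:alice@10.0.0.5:5060>",
    "X-Custom: opaque-blob",
    "Content-Type: application/sdp",
    "Content-Length: 999",
    "",
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 10.0.0.5",
    "s=" + "Q" * 300,
    "c=IN IP4 10.0.0.5",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    "a=rtpmap:0 PCMU/8000",
    "a=x-opaque:0011223344",
]) + "\r\n"

if __name__ == "__main__":
    message, removed = normalize_message(SAMPLE_INVITE)
    print(message)
    print("dropped:", [r[:40] for r in removed])
```

The two observable effects are the ones the message calls for: every line the relay does not interpret is absent from the forwarded request (and is logged, which is where detection of tunnelling attempts starts), and no address of the originating endpoint survives in either the headers or the SDP, so the two parties cannot reach each other except through the relay.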
