[VOIPSEC] Actual Attacks - UA handling
Craig Southeren
craigs at postincrement.com
Mon Mar 7 16:31:27 CST 2005
On Mon, 7 Mar 2005 11:11:26 -0600
Mark Collier <mark.collier at securelogix.com> wrote:
> Mark/Ari,
>
> In our testing, we also found various SIP phone UAs to be very susceptible
> to RTP-based attacks. Some UAs did not check sequence numbers, so audio
> could be inserted by sending RTP to active media ports.
..deleted
We've found over the years with OpenH323 that relying on monotonically
increasing RTP sequence numbers is not a good idea. One example of this
is "losing" audio when the call is answered, which we tracked down to
the gateway using one set of sequence numbers for the audio before
answer supervision (remote ring tone) and another unrelated sequence for
the audio after answer supervision starts. This issue appears to be
related to the use of RTP-capable DSPs and the difficulty in
synchronising sequence numbers across different parts of the gateway
hardware.
There are other scenarios where discontinuities can appear, such as when
codecs are changed. Even a long period of silence during which no
packets are sent can look like discontinuous sequence numbers.
RTP implementations seem to have been designed to be insecure. Checking the
RTP source ports is not interoperable, nor is checking the CSRC
identifiers. The only way to make RTP secure seems to be crypto-tokens
in the stream.
Craig
-----------------------------------------------------------------------
Craig Southeren craigs at postincrement.com / craigs at voxgratia.org
Phone: +61 243654666 ICQ: #86852844
Fax: +61 243673140 MSN: craig_southeren at hotmail.com
Mobile: +61 417231046 Jabber: craigs at jabber.voxgratia.org
Post Increment - Consulting & Services http://www.postincrement.com
Vox Gratia - The Open Source VoIP portal http://www.voxgratia.org
Raving Of A Strange Mind - the VoIP blog http://www.southeren.com/blog
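
Added example, not part of the original message and not OpenH323 code: a receiver-side comparison of a sequence-number check against a per-packet keyed token, run over a constructed stream in which the gateway restarts its numbering at answer. The HMAC-SHA1 token, its 80-bit length, the key, the SSRC and the `max_gap` threshold are assumptions chosen for illustration; this is a simplified sketch and not an SRTP implementation.

```python
import hashlib, hmac, struct

TAG_LEN = 10                      # 80-bit truncated HMAC-SHA1 tag (assumed size)
KEY = b"constructed-demo-key"     # constructed; a real key comes from signalling
SSRC = 0x1234ABCD                 # constructed stream identifier

def rtp_packet(seq, ts, payload):
    # 12-byte fixed RTP header: V=2, PT=0, no padding, extension or CSRC list
    return struct.pack("!BBHII", 0x80, 0, seq & 0xFFFF, ts, SSRC) + payload

def protect(key, packet):
    # Sender side: append the per-packet token
    return packet + hmac.new(key, packet, hashlib.sha1).digest()[:TAG_LEN]

def verify(key, datagram):
    # Receiver side: return the RTP packet if the token matches, else None
    if len(datagram) < 12 + TAG_LEN:
        return None
    packet, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
    good = hmac.new(key, packet, hashlib.sha1).digest()[:TAG_LEN]
    return packet if hmac.compare_digest(tag, good) else None

def sequence_only_filter(packets, max_gap=100):
    # Accept a packet only if its sequence number is 1..max_gap ahead of the last
    accepted, last = [], None
    for p in packets:
        seq = struct.unpack("!H", p[2:4])[0]
        if last is None or 0 < ((seq - last) & 0xFFFF) <= max_gap:
            accepted.append(p)
            last = seq
    return accepted

def token_filter(key, datagrams):
    # Accept on token validity alone; sequence numbers are not consulted
    return [p for p in (verify(key, d) for d in datagrams) if p is not None]

# Constructed stream: ring tone, then the gateway restarts numbering at answer
legit = [rtp_packet(1000, 0, b"ring"), rtp_packet(1001, 160, b"ring"),
         rtp_packet(40000, 320, b"talk"), rtp_packet(40001, 480, b"talk")]
# Constructed packet from a sender without the key, carrying the next number
forged = rtp_packet(1002, 320, b"fake")

def demo():
    plain = legit[:2] + [forged] + legit[2:]
    wire = [protect(KEY, p) for p in legit]
    wire.insert(2, forged + bytes(TAG_LEN))
    return sequence_only_filter(plain), token_filter(KEY, wire)

if __name__ == "__main__":
    by_seq, by_token = demo()
    print(len(by_seq), "accepted by sequence check,", len(by_token), "by token check")
```

A token alone does not stop a captured valid packet from being replayed; SRTP (RFC 3711) adds a replay window and a rollover counter for that.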