[VOIPSEC] VoIP Attack : How feasible
Michael Slavitch
slavitch at gmail.com
Tue Jul 25 10:37:42 CDT 2006
This is the simplest form of security, which makes it good.
- At the current time it is the easiest to deploy in any IT
environment above the consumer level.
- The only requirement is for enough bandwidth in the path or codecs that are
efficent. Speex works great, and works well even over dialup.
- Algorithmic efficiency isn't needed because even low-cost processors
are already
vastly overengineered. A Nokia 770 handheld with a cheap processor can run a
VPN client and SIP over WIFI or Bluetooth just fine. Skype WIFI
phones suffer
similar algorithmic complexity but they are relatively cheap and work well.
- NAT and in certain cases end-to-end authentication are taken care of
via the VPN.
There are caveats and limits that come with VPN's however as they require
engineering and don't handle duplicate IP's at the far end very well.
The answer to this is proper end-to-end that includes NAT
traversal, ie P2PSIP
(or Skype), or tunnelling algorithms like Teredo.
- With a VPN there is never need for a cert except for the ingress
point from the
public internet. In the real world most certs are either faked or
stale and people
ignore the warnings.
Our experience is that people will abandon cellphones and the wireline
PSTN for VOIP over VPN once the sound is better than analog cellphone
quality and it is as easy or easier to make the call. For example,
click to call from a web link or a hotlink in an email message.
If sound quality is worse they will only use VOIP if tolls are
prohibitive and the social costs are low. These are primarily personal
calls or intra-organizational calls.
If it is not easy to make the call it doesn't matter what the call
costs, the user will just use the PSTN and ignore VOIP altogether.
This has been the problem at hand for well over a decade.
Given that the call is already secured by a VPN the biggest threat is
a DOS attack.
This can be adderessed by network engineering, there are well known
techniques that are simple to deploy and require no new technology on
the VOIP side.
A DOS attack can also be mitigated if the CODEC used in the call is
rugged. We notice that Speex makes a difference when the underlying
link is bad. A good CODEC and an end-to-end regime (especially P2P,
with no central servers to attack) that has session handover to other
addresses would be harder to disrupt.
M
On 7/25/06, Geoff Devine <gdevine at cedarpointcom.com> wrote:
> I make phone calls all the time from a SIP soft client on my notebook computer down a VPN to my corporate network. Both signaling and media go down the tunnel. It's secure and you can't see RTP headers. If I'm sitting in an overseas hotel room, I really don't care about header overhead of running RTP down a tunnel. As this becomes popular, vendors will start using header compression techniques to make it more efficient. The VoIP infrastructure is hidden behind the VPN box and can't be attacked from the public internet.
>
> It's simple and, with Cavium chips or other similar security processor technology, it's scalable at fairly low cost. With some minor tweaks to compress headers at the client and VPN server, it's as efficient as RTP. It traverses NAT without needing a session border controller to hack the SDP. The only drawback is that, like using an SBC, it is sometimes inefficient since the media doesn't always take the shortest path through the routed network.
>
> Geoff
>
>
> -----Original Message-----
> From: Pankaj Shroff [mailto:shroffg at gmail.com]
> Sent: Mon 7/24/2006 9:56 PM
> To: Geoff Devine
> Cc: Voipsec at voipsa.org
> Subject: Re: [VOIPSEC] VoIP Attack : How feasible
>
> SS7 and SIGTRAN discussions aside, the biggest threat to a voip
> network provider is a DDos type attack on its network elements. I
> think the biggest variable in the effectiveness of these attacks is
> the network topology and deployment of the network elements. If a
> global corporation has offices all over the world and are networked
> together with dedicated lines, the problem is non-existent - all VoIP
> traffic is corporate traffic - but I suspect that is seldom the case.
> The enterprise VoIP network is often a separate network from the more
> secure data network. The enterprise VoIP calls may also go over public
> internet, which means there are border network elements which are
> susceptible to attacks if their identities are publicised
> (inevitably). Signalling data can be protected using the standard
> TLS/SSL/IPSec technologies but RTP is another beast. Even with SRTP
> encryption, RTP header is still in the open and hence can easily be
> observed to determine RTP endpoints and hence can be attacked. A DDos
> attack on RTP elements could be much more debilitating than an attack
> on SIP only servers.
>
> Pankaj
>
> On 7/2/06, Geoff Devine <gdevine at cedarpointcom.com> wrote:
> > Christopher A. Martin writes:
> > > SS7 may be going back inband over IP from some of the trends that I
> > > have been seeing/hearing about.
> >
> > Right. SS#7 over IP using SIGTRAN is becoming more and more common.
> > The circuit switched solution tends to have big access charges compared
> > to the IP-based solution so operators are prone deploy signaling
> > gateways to share the expensive circuit switched connection among
> > multiple media gateway controllers. The signaling gateway sometimes
> > resides at another service provider (Level3, for example.) The signaling
> > gateway has two IP network interfaces. The SCTP transport uses
> > redundant paths through the IP network that are typically statically
> > routed. Unlike TCP, SCTP is multi-threaded so a dropped packet on one
> > thread doesn't grind the transport to a halt and minor amounts of
> > dropped packets does not invoke flow control. SCTP is also
> > packet-oriented rather than TCP's byte-stream orientation. You'd
> > usually run SCTP behind a firewall on a managed IP network or on a
> > private network/VPN.
> >
> > The downside of this approach is that you dramatically increase your
> > failure group size. SS#7 networks are pretty bomb-proof so if you
> > direct-connect to them, your failure group size is your switching office
> > size (usually limited to ~100k lines). If a signaling gateway goes down
> > or if the redundant internet links go down, you take out everybody who
> > uses the signaling gateway. A service provider could have an outage
> > that impacts millions of customers.
> >
> > Geoff
> >
> > _______________________________________________
> > Voipsec mailing list
> > Voipsec at voipsa.org
> > http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> >
>
>
> --
> Pankaj Shroff
> shroffG at Gmail.com
>
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
More information about the Voipsec
mailing list