[VOIPSEC] Blocking PING, and get REGISTER message

Klaus Darilion klaus.mailinglists at pernau.at
Tue Dec 9 15:52:00 GMT 2008


What are you blocking PING for?

If
> 1. Attacker is in the middle of network between VoIP client and VoIP proxy.

just wait and after some time the reREGISTER will tell you the 
credentials, as the REGISTER will be sent periodically to the proxy 
(typically 1 - 60 minutes).

regards
klaus

Gilbert Lee wrote:
> Hi, all. I have just a simple question. What do you think about "Blocking
> PING packet of VoIP client"? Most VoIP clients adopt a keep-alive algorithm
> to keep the connection with the SIP proxy (sending and receiving PING messages
> periodically).
> 
> Attacker would like to get VoIP client's SIP message including
> authentication value (MD5 or plain),
> but unless VoIP client reboots (REGISTER) or makes a call (INVITE), it never
> sends authentication value through network.
> 
> For attacker to acquire victim's SIP authentication value, suppose the
> following scenarios.
> 
> 1. Attacker is in the middle of network between VoIP client and VoIP proxy.
> 2. Attacker blocks only PING packet while other packets are routed in a
> normal way.
> 3. If PING packet is blocked, VoIP client should think that network is
> disconnected, and it tries to reconnect.
> 4. In reconnect procedures of VoIP client, it sends REGISTER message again.
> 5. In this way, attacker can get REGISTER authentication value without
> touching VoIP client with his hand.
> 
> I've figured out that the syntax of most PING messages that I've ever
> tested is very simple.
> Of course, if authentication message is encrypted with MD5 and password is
> long enough, it is hard for an attacker to hack its original password.
> 
> Anyway, do you have any idea, solution or mechanism that is able to detect
> such an attack like this?
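
One way a proxy operator could look for the pattern asked about in this thread, as an added example that is not part of the original messages: flag a REGISTER that arrives well before the previous registration was due for refresh and directly after a run of missing keep-alives. The event layout, the function name `find_forced_reregisters` and all thresholds are assumptions, and the sample events are constructed.

```python
# Added example. The event layout (time, AoR, kind, expires) and all thresholds
# are assumptions; adapt them to what your SIP proxy actually logs.

# Constructed sample events, not real traffic.
SAMPLE_EVENTS = [
    (0,   "sip:alice@example.test", "REGISTER", 3600),
    (30,  "sip:alice@example.test", "KEEPALIVE", None),
    (60,  "sip:alice@example.test", "KEEPALIVE", None),
    (90,  "sip:alice@example.test", "KEEPALIVE", None),
    (210, "sip:alice@example.test", "REGISTER", 3600),  # early, after 120 s silence
    (0,   "sip:bob@example.test",   "REGISTER", 120),
    (30,  "sip:bob@example.test",   "KEEPALIVE", None),
    (60,  "sip:bob@example.test",   "KEEPALIVE", None),
    (90,  "sip:bob@example.test",   "REGISTER", 120),   # normal periodic refresh
    (0,   "sip:carol@example.test", "REGISTER", 3600),
    (30,  "sip:carol@example.test", "KEEPALIVE", None),
    (45,  "sip:carol@example.test", "REGISTER", 3600),  # early, but no keep-alive gap
]


def find_forced_reregisters(events, keepalive_interval=30, missed=3,
                            early_fraction=0.5):
    """Return (time, aor, silence_seconds) for suspicious re-REGISTERs.

    A REGISTER is flagged when both hold:
      * it arrives before early_fraction of the previous Expires has elapsed
      * nothing was seen from that AoR for at least `missed` keep-alive periods
    """
    last_reg = {}    # aor -> (time of last REGISTER, its Expires value)
    last_seen = {}   # aor -> time of last REGISTER or keep-alive
    alerts = []
    for ts, aor, kind, expires in sorted(events, key=lambda e: e[0]):
        if kind == "REGISTER":
            if aor in last_reg:
                reg_ts, reg_expires = last_reg[aor]
                early = (ts - reg_ts) < early_fraction * reg_expires
                silence = ts - last_seen[aor]
                if early and silence >= missed * keepalive_interval:
                    alerts.append((ts, aor, silence))
            last_reg[aor] = (ts, expires)
        last_seen[aor] = ts
    return alerts


if __name__ == "__main__":
    for ts, aor, silence in find_forced_reregisters(SAMPLE_EVENTS):
        print(f"t={ts}s {aor}: early REGISTER after {silence}s without keep-alives")
```

A genuine outage or a client reboot produces the same pattern, so a hit is a prompt to correlate (for example, several AoRs behind the same path at the same time), not proof of interception.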


