[VOIPSEC] When could legitimate SIP traffic look like SPIT? (I put out an Internet-Draft about this)

Dan York dyork at voxeo.com
Wed Jan 16 16:12:48 CST 2008 

VOIPSEC readers,

Within the IETF there's been a bit of discussion in the past months  
about voice spam/SPIT and just recently RFC 5039 from Jonathan  
Rosenberg and Cullen Jennings was published that specifically  
addresses the issue of SIP and Spam:

   http://tools.ietf.org/html/rfc5039

The RFC is an excellent summary of the current thinking about the  
SPIT problem and potential solutions to address it.  If you haven't  
read the document, I would *highly* recommend it.

A concern I had, though, was that it did not appear to me that  
existing documents address the issue of what SPIT could look like at  
a network level.  For instance, if a network administrator monitoring  
network traffic suddenly saw a large flood of SIP INVITE packets  
coming into his/her network, it could be:

1. a telemarketer/spammer launching a flood of SIP connections to  
deliver SPIT;
2. an attacker launching a DoS attack through one of the various SIP  
attack tools out there; or
3. a legitimate notification system starting to notify a range of SIP  
endpoints.

I could very easily see existing network tools that look at traffic  
and perform anomaly detection (and potentially source suppression)  
being modified to suppress large flows of SIP traffic. This last case  
of legitimate traffic concerned me and so I put together an Internet- 
Draft talking about the types of legitimate systems that might  
generate a significant volume of traffic that could resemble SPIT (or  
a DoS attack).

I put the document out primarily to stimulate discussion.  Are these  
legitimate scenarios being addressed in current thinking about  
SPIT?   If not, my point really is that they need to be considered.

Comments are very definitely welcome.  Are there other scenarios I  
should include?  Am I overstating the case? or what?

Thanks,
Dan

-----------------------

Begin forwarded message:

From: Internet-Drafts at ietf.org
Date: January 16, 2008 4:40:02 PM EST
To: i-d-announce at ietf.org
Subject: I-D Action:draft-york-spit-similarity-scenarios-00.txt
Reply-To: internet-drafts at ietf.org

A New Internet-Draft is available from the on-line Internet-Drafts  
directories.

	Title           : SIP Usage Scenarios Similar to SPIT
	Author(s)       : D. York
	Filename        : draft-york-spit-similarity-scenarios-00.txt
	Pages           : 10
	Date            : 2008-01-16

This document outlines scenarios in which legitimate SIP traffic may
appear similar to traffic associated with voice spam, also known as
"SPIT" or "Spam for Internet Telephony.  This document is created to
provide input into the current discussions about how best to address
the issue of SPIT.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-york-spit-similarity- 
scenarios-00.txt

To remove yourself from the I-D Announcement list, send a message to
i-d-announce-request at ietf.org with the word unsubscribe in the body of
the message.
You can also visit https://www1.ietf.org/mailman/listinfo/I-D-announce
to change your subscription settings.

Internet-Drafts are also available by anonymous FTP. Login with the
username "anonymous" and a password of your e-mail address. After
logging in, type "cd internet-drafts" and then
	"get draft-york-spit-similarity-scenarios-00.txt".

A list of Internet-Drafts directories can be found in
http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt

Internet-Drafts can also be obtained by e-mail.

Send a message to:
	mailserv at ietf.org.
In the body type:
	"FILE /internet-drafts/draft-york-spit-similarity-scenarios-00.txt".

NOTE:   The mail server at ietf.org can return the document in
	MIME-encoded form by using the "mpack" utility.  To use this
	feature, insert the command "ENCODING mime" before the "FILE"
	command.  To decode the response(s), you will need "munpack" or
	a MIME-compliant mail reader.  Different MIME-compliant mail readers
	exhibit different behavior, especially when dealing with
	"multipart" MIME messages (i.e. documents which have been split
	up into multiple messages), so check your local documentation on
	how to manipulate these messages.

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
Content-Type: text/plain
Content-ID: <2008-01-16163746.I-D\@ietf.org>

_______________________________________________
I-D-Announce mailing list
I-D-Announce at ietf.org
https://www1.ietf.org/mailman/listinfo/i-d-announce

-- 
Dan York, CISSP, Director of Emerging Communication Technology
Office of the CTO    Voxeo Corporation     dyork at voxeo.com
Phone: +1-407-455-5859  Skype: danyork  http://www.voxeo.com
Blogs: http://blogs.voxeo.com  http://www.disruptivetelephony.com

Bring your web applications to the phone.
Find out how at http://evolution.voxeo.com

More information about the Voipsec mailing list