[VOIPSEC] Analysis of a VoIP Attack

Peter Cox peter at um-labs.com
Thu Oct 23 08:38:19 CDT 2008


Klaus,

This is a great analysis.

I have seen the same style of INVITE on a number of our SIP gateways and on
some customer systems. Most of the attacks of this style had the same
source IP as your example, which is registered to an ISP in Bulgaria. I
have also seen OPTIONS probes as well as INVITEs that actually target valid
PSTN numbers. One of the more targeted INVITE attacks was smart enough to
figure out which country the system was in and to use valid numbers and
prefixes for that country, although not smart enough to make some fairly
simple adjustments to that attack that might increase its chances of
success.

The OPTIONS probes are interesting, because these can identify SIP targets
for an INVITE attack.

I think the countermeasures you list are good, but I tend to go one step
further when restricting incoming calls. The restrictions apply to any
destination not just the PSTN. The approach I take in our SIP Gateway is to
allow unauthenticated callers to call only URIs within the local domain, so
there is no access to the PSTN and no ability to call other domains. In many
ways this is analogous to the email open relay problem. Just as a well
configured email server will accept email for the local domain only, unless
there is some additional authentication, then a well configured SIP system
should operate in the same way.

In addition, rate limits can be applied to incoming calls (by IP, domain
etc) so any attempt to flood local users is controlled.


Regards

Peter

-------------------------------------------------------------------------
Peter Cox
CEO UM Labs Ltd
Phone: +44 20 3021 3202
Web:   www.um-labs.com


-----Original Message-----
From: voipsec-bounces at voipsa.org [mailto:voipsec-bounces at voipsa.org] On
Behalf Of Klaus Darilion
Sent: 23 October 2008 13:06
To: Voipsec
Subject: [VOIPSEC] Analysis of a VoIP Attack

Hi there!

Recently, several IT news websites reported VoIP attacks against home
users containing lots of myths and incorrect statements. Unfortunately,
they also give wrong security advice.

Thus, I decided to write an article about this attack and give some 
advice for protection. Maybe you find it interesting too - at least I 
do ;-)

http://www.ipcom.at/index.php?id=565

regards
Klaus



_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
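
The restriction described in the reply above (unauthenticated callers reach only URIs in the local domain, with per-source rate limits), sketched as an added example; it is not code from the thread or from any SIP gateway product. The domain, user list, limits, decision labels and the names `parse_target` and `InviteGate` are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque

# All values below are assumptions made for this example.
LOCAL_DOMAINS = {"example.org"}      # the gateway's own SIP domain(s)
LOCAL_USERS = {"alice", "bob"}       # users actually hosted locally
MAX_CALLS = 3                        # unauthenticated INVITEs allowed per source IP...
WINDOW_SECONDS = 10.0                # ...within this sliding window

# User part (an optional password is skipped), then host; port and parameters are not captured.
_SIP_URI = re.compile(r"^sips?:(?P<user>[^@:;]+)(?::[^@]*)?@(?P<host>[^:;?>\s]+)", re.I)


def parse_target(request_uri):
    """Return (user, host) from a SIP Request-URI, or None if it has no user@host."""
    m = _SIP_URI.match(request_uri.strip())
    if not m:
        return None          # tel: URIs and user-less URIs end up here
    return m.group("user"), m.group("host").lower().rstrip(".")


class InviteGate:
    def __init__(self):
        self._recent = defaultdict(deque)   # source IP -> timestamps of accepted INVITEs

    def decide(self, request_uri, src_ip, authenticated, now):
        if authenticated:
            return "allow"                  # policy for authenticated callers is out of scope here
        target = parse_target(request_uri)
        # Open-relay rule: unauthenticated callers reach local users only.
        # A PSTN number at the local domain is not a local user, so it is refused too.
        if target is None or target[1] not in LOCAL_DOMAINS or target[0] not in LOCAL_USERS:
            return "reject-not-local"
        window = self._recent[src_ip]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()                # drop timestamps that left the window
        if len(window) >= MAX_CALLS:
            return "reject-rate-limit"
        window.append(now)
        return "allow"
```

Checking the user part as well as the domain is what keeps a dialled number addressed to the local domain from being routed onward to a PSTN trunk.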




