[VOIPSEC] Analysis of a VoIP Attack

Klaus Darilion klaus.mailinglists at pernau.at
Thu Oct 23 10:43:28 CDT 2008


Hi Peter!

Peter Cox wrote:
> Klaus,
> 
> This is a great analysis.
> 
> I have seen the same style of INVITE on a number of our SIP gateways and on
> some customer systems. Most of the attacks of this style had the same
> source IP as your example, which is registered to an ISP in Bulgaria. I
> have also seen OPTIONS probes as well as INVITEs that actually target valid
> PSTN numbers. One of the more targeted INVITE attacks was smart enough to
> figure out which country the system was in and to use valid numbers and
> prefixes for that country, although not smart enough to make some fairly
> simple adjustments to that attack that might increase its chances of
> success.

I often think that these are not real attacks yet, but just some 
practising, as they often have stupid mistakes in the requests.

> The OPTIONS probes are interesting, because these can identify SIP targets
> for an INVITE attack.
> 
> I think the countermeasures you list are good, but I tend to go one step
> further when restricting incoming calls. The restrictions apply to any
> destination, not just the PSTN. The approach I take in our SIP Gateway is to
> allow unauthenticated callers to call only URIs within the local domain, so
> there is no access to the PSTN and no ability to call other domains. In many
> ways this is analogous to the email open relay problem. Just as a well
> configured email server will accept email for the local domain only, unless
> there is some additional authentication, a well configured SIP system
> should operate in the same way.

Of course that is true. I did not mention that because I thought it 
was clear that your SIP environment should not relay messages for other 
domains (the days of open SMTP relays are luckily over).

Probably I should have stated this a little bit more. I think the 
problem is that even the SIP RFC does not tell us not to relay. RFC 
3261 tells us that if the proxy is not authoritative for a domain it 
should forward it (= open relay).

> In addition, rate limits can be applied to incoming calls (by IP, domain
> etc) so any attempt to flood local users is controlled.

Yes. Unfortunately it is difficult to find proper limits. For example, if 
an enterprise is behind NAT, this single source IP address will cause 
much more traffic than a residential user. I once had a customer who 
had over 100 buddies on his contact list. When the client started, 
SUBSCRIBE-407-SUBSCRIBE-200-NOTIFY-200, it was like a DoS attack :-)

Further, rate limits are also dangerous if you use UDP. You can easily 
spoof UDP packets, thus the attacker can manage that a certain user is 
locked out of the system, as the system thinks that this user is doing an 
attack.

Thanks for the comments
Klaus


> 
> 
> Regards
> 
> Peter
> 
> -------------------------------------------------------------------------
> Peter Cox
> CEO UM Labs Ltd
> Phone: +44 20 3021 3202
> Web:   www.um-labs.com
> 
> 
> -----Original Message-----
> From: voipsec-bounces at voipsa.org [mailto:voipsec-bounces at voipsa.org] On
> Behalf Of Klaus Darilion
> Sent: 23 October 2008 13:06
> To: Voipsec
> Subject: [VOIPSEC] Analysis of a VoIP Attack
> 
> Hi there!
> 
> Recently, several IT news websites reported VoIP attacks against home
> users containing lots of myths and incorrect statements. Unfortunately,
> they also give wrong security advice.
> 
> Thus, I decided to write an article about this attack and give some 
> advice for protection. Maybe you find it interesting too - at least I 
> do ;-)
> 
> http://www.ipcom.at/index.php?id=565
> 
> regards
> Klaus
> 
> 
> 
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> 
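The relay rule discussed in this thread (unauthenticated callers may only reach users in the local domain; calls to foreign domains or to PSTN-style numeric destinations require authentication) can be expressed as a small policy check on the Request-URI of an incoming INVITE. The following is an added example written for this page; it is not code from UM Labs' gateway, from ipcom.at, or from the thread. The local domains, the registered users, the two sample INVITEs and the `authenticated` flag are all constructed assumptions: in a real proxy that flag would come from verified digest credentials, and "numeric user part means PSTN" is a simplification of how many deployments route outbound calls.

```python
import re
from dataclasses import dataclass

# Constructed configuration (assumption for this example): the domains this
# proxy is authoritative for, and the users registered in it.
LOCAL_DOMAINS = {"sip.example.com", "203.0.113.10"}
LOCAL_USERS = {"alice", "bob"}

# Minimal sip:/sips: URI matcher: optional user part, then host.
URI_RE = re.compile(r"^(?:sip|sips):(?:(?P<user>[^@;>]+)@)?(?P<host>[^:;>]+)")


@dataclass
class Decision:
    allowed: bool
    reason: str


def parse_request(raw: str):
    """Split a raw SIP request into (method, request_uri, headers).

    Headers are returned as a dict of lower-cased name -> first value; the
    body after the blank line is ignored because the policy does not need it.
    """
    lines = raw.replace("\r\n", "\n").split("\n")
    method, request_uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return method, request_uri, headers


def relay_decision(raw: str, authenticated: bool) -> Decision:
    """Apply the 'no open relay' policy from the thread to one request.

    - Authenticated callers may call anything (the gateway's own routing and
      billing rules apply afterwards).
    - Unauthenticated callers may only reach registered users of a local
      domain: no foreign domains, no numeric (PSTN-style) destinations.
    """
    method, request_uri, _headers = parse_request(raw)
    if method != "INVITE":
        return Decision(True, f"{method} is not subject to the call policy")

    m = URI_RE.match(request_uri)
    if not m:
        return Decision(False, "unparseable Request-URI")
    user, host = m.group("user"), m.group("host").lower()

    if authenticated:
        return Decision(True, "authenticated caller")
    if host not in LOCAL_DOMAINS:
        return Decision(False, f"refusing to relay to foreign domain {host}")
    if user in LOCAL_USERS:
        return Decision(True, f"local user {user}")
    return Decision(False, f"unauthenticated call to non-user destination {user!r}")


# Constructed sample requests (not captured traffic).
INVITE_PSTN = (
    "INVITE sip:00441234567890@sip.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-constructed\r\n"
    "From: <sip:100@sip.example.com>;tag=1\r\n"
    "To: <sip:00441234567890@sip.example.com>\r\n"
    "Call-ID: constructed-1\r\n\r\n"
)
INVITE_LOCAL = INVITE_PSTN.replace("00441234567890@sip.example.com", "alice@sip.example.com")
INVITE_FOREIGN = INVITE_PSTN.replace("00441234567890@sip.example.com", "bob@other.example.net")

if __name__ == "__main__":
    for name, req in [("pstn", INVITE_PSTN), ("local", INVITE_LOCAL), ("foreign", INVITE_FOREIGN)]:
        print(name, relay_decision(req, authenticated=False))
    print("pstn/auth", relay_decision(INVITE_PSTN, authenticated=True))
```

Note that the decision is made on the Request-URI only; the From header is not trusted for anything because, as the thread points out for UDP, anything the caller puts in the packet can be spoofed.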
