[VOIPSEC] Analysis of a VoIP Attack

Iñaki Baz Castillo ibc at aliax.net
Thu Oct 23 16:45:16 CDT 2008


On Thursday, 23 October 2008, Klaus Darilion wrote:
> Hi there!
>
> Recently, several IT news websites reported VoIP attacks against home
> users containing lots of myths and incorrect statements. Unfortunately,
> they also give wrong security advice.
>
> Thus, I decided to write an article about this attack and give some
> advice for protection. Maybe you find it interesting too - at least I
> do ;-)
>
> http://www.ipcom.at/index.php?id=565

Hi, good document, but there is an error when you say:

-----------------------
Source IP address 213.130.74.70 and source port 3808: Although the IP address 
could be easily spoofed, in this case it may be the real address of the 
attacker as the IP address is also present in the Via: header (used for 
sending back responses). Further, if the attacker wants to know the result of 
the attack, he has to receive the SIP responses meaning that he has to 
provide his real IP address.
----------------

That's incorrect: in SIP, responses are *always* sent to the source IP, in UDP 
or TCP, and not to the IP indicated in the Via "sent-by" field.
It's explained "clearly" in RFC 3261 Section 18.2.2:

------------
      o  Otherwise (for unreliable unicast transports), if the top Via
         has a "received" parameter, the response MUST be sent to the
         address in the "received" parameter, using the port indicated
         in the "sent-by" value, or using port 5060 if none is specified
         explicitly.  If this fails, for example, elicits an ICMP "port
         unreachable" response, the procedures of Section 5 of [4]
         SHOULD be used to determine where to send the response.
------------

And note that a UAS MUST add a "received" parameter to the received Via header 
when:

--------------------
18.2.1 Receiving Requests
   When the server transport receives a request over any transport, it
   MUST examine the value of the "sent-by" parameter in the top Via
   header field value.  If the host portion of the "sent-by" parameter
   contains a domain name, or if it contains an IP address that differs
   from the packet source address, the server MUST add a "received"
   parameter to that Via header field value.  This parameter MUST
   contain the source address from which the packet was received.  This
   is to assist the server transport layer in sending the response,
   since it must be sent to the source IP address from which the request
   came.
----------------------


That is, the attacker will always receive the responses, since they will 
always be sent to the real source address, regardless of the Via "sent-by" 
value.

However, this is a typical confusion. I think the problem is the SIP design, 
in which the application-level data (pure SIP) contains lower-layer data 
(network and transport protocol).


Best regards.


-- 
Iñaki Baz Castillo
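
Added example, not part of the original message or of the article it discusses: a sketch of the two RFC 3261 rules quoted above (18.2.1 "received" stamping and 18.2.2 response addressing for unreliable unicast), showing that a forged "sent-by" host does not redirect the response. The function names and Via values are constructed for illustration; "maddr", IPv6 literals and the RFC 3581 "rport" extension are not handled.

```python
import ipaddress
import re

VIA_RE = re.compile(r"SIP/2\.0/(?P<transport>\w+)\s+(?P<host>[^;:\s]+)"
                    r"(?::(?P<port>\d+))?(?P<params>.*)$")

def parse_via(value):
    """Split a top Via value into sent-by host, sent-by port and parameters."""
    m = VIA_RE.match(value.strip())
    if m is None:
        raise ValueError("not a Via header value: %r" % value)
    params = {}
    for item in m["params"].split(";"):
        if item.strip():
            key, _, val = item.partition("=")
            params[key.strip().lower()] = val.strip()
    port = int(m["port"]) if m["port"] else None
    return {"host": m["host"], "port": port, "params": params}

def same_ip(host, src_ip):
    """True only when sent-by is an IP literal equal to the packet source."""
    try:
        return ipaddress.ip_address(host) == ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # sent-by is a domain name, which also triggers "received"

def stamp_received(via, src_ip):
    """18.2.1: add "received" if sent-by is a name or differs from the source."""
    if not same_ip(via["host"], src_ip):
        via["params"]["received"] = src_ip
    return via

def response_target(via):
    """18.2.2, unreliable unicast: (address, port) the response is sent to."""
    host = via["params"].get("received", via["host"])
    return host, via["port"] or 5060

# Constructed inputs. SRC is the packet source quoted from the article;
# 192.0.2.10 is a documentation address standing in for a forged sent-by.
SRC = "213.130.74.70"
FORGED_VIA = "SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-constructed-1"
MATCHING_VIA = "SIP/2.0/UDP 213.130.74.70:3808;branch=z9hG4bK-constructed-2"
NAME_VIA = "SIP/2.0/UDP pbx.example.invalid;branch=z9hG4bK-constructed-3"

if __name__ == "__main__":
    for raw in (FORGED_VIA, MATCHING_VIA, NAME_VIA):
        via = stamp_received(parse_via(raw), SRC)
        print(raw, "->", response_target(via), "mismatch:", "received" in via["params"])
```

Only the host is taken from "received"; the port still comes from "sent-by" (or 5060), which is why a "received" stamp in logs marks a sent-by/source mismatch worth correlating with the packet source.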



