[VOIPSEC] Analysis of a VoIP Attack

Klaus Darilion klaus.mailinglists at pernau.at
Fri Oct 24 03:53:35 CDT 2008



Iñaki Baz Castillo wrote:
> On Thursday, 23 October 2008, Klaus Darilion wrote:
>> Hi there!
>>
>> Recently, several IT news websites reported VoIP attacks against home
>> users containing lots of myths and incorrect statements. Unfortunately,
>> they also give wrong security advice.
>>
>> Thus, I decided to write an article about this attack and give some
>> advice for protection. Maybe you find it interesting too - at least I
>> do ;-)
>>
>> http://www.ipcom.at/index.php?id=565
> 
> Hi, good document, but there is an error when you say:
> 
> -----------------------
> Source IP address 213.130.74.70 and source port 3808: Although the IP address 
> could be easily spoofed, in this case it may be the real address of the 
> attacker as the IP address is also present in the Via: header (used for 
> sending back responses). Further, if the attacker wants to know the result of 
> the attack, he has to receive the SIP responses meaning that he has to 
> provide his real IP address.
> ----------------
> 
> That's incorrect: in SIP, responses are *always* sent to the source IP, in UDP 
> or TCP, and not to the IP indicated in the Via "sent-by" field.
> It's explained "clearly" in RFC 3261 Section 18.2.2:
> 
> ------------
>       o  Otherwise (for unreliable unicast transports), if the top Via
>          has a "received" parameter, the response MUST be sent to the
>          address in the "received" parameter, using the port indicated
>          in the "sent-by" value, or using port 5060 if none is specified
>          explicitly.  If this fails, for example, elicits an ICMP "port
>          unreachable" response, the procedures of Section 5 of [4]
>          SHOULD be used to determine where to send the response.
> ------------
> 
> And note that a UAS MUST add a "received" parameter to the received Via header 
> when:
> 
> --------------------
> 18.2.1 Receiving Requests
>    When the server transport receives a request over any transport, it
>    MUST examine the value of the "sent-by" parameter in the top Via
>    header field value.  If the host portion of the "sent-by" parameter
>    contains a domain name, or if it contains an IP address that differs
>    from the packet source address, the server MUST add a "received"
>    parameter to that Via header field value.  This parameter MUST
>    contain the source address from which the packet was received.  This
>    is to assist the server transport layer in sending the response,
>    since it must be sent to the source IP address from which the request
>    came.
> ----------------------
> 
> 
> That is, the attacker will always receive the responses, since they will 
> always be sent to the real source address, regardless of the Via "sent-by" 
> value.
> 
> However, this is a typical confusion, I think the problem is the SIP design, 
> in which the application level data (pure SIP) contains lower layers data 
> (network and transport protocol).


Hi Inaki!

Yes, you are right - as long as all SIP clients are standard-conformant and 
read the RFC as precisely as you ;-)

thanks
klaus
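
An added example, not part of the original thread: a Python sketch of the two RFC 3261 rules quoted above (18.2.1 tagging of the top Via, 18.2.2 response routing for unreliable unicast transports), showing where a conforming server sends the response when the Via "sent-by" does not match the packet source. The function names are hypothetical, the addresses are constructed from documentation ranges, and the fallback to "sent-by" when no "received" parameter is present comes from RFC 3261 18.2.2, not from the quoted excerpt.

```python
import ipaddress
import re

# Top Via value: SIP/2.0/<transport> host[:port][;params] (IPv4 or hostname only)
VIA_RE = re.compile(r"^SIP/2\.0/(\w+)\s+([^;:\s]+)(?::(\d+))?((?:;[^;]+)*)$")

def parse_via(value):
    """Split a top Via value into transport, sent-by host/port and parameters."""
    m = VIA_RE.match(value.strip())
    if not m:
        raise ValueError("unparseable Via: %r" % value)
    transport, host, port, rest = m.groups()
    params = {}
    for p in filter(None, rest.split(";")):
        name, _, val = p.partition("=")
        params[name.strip().lower()] = val.strip()
    return {"transport": transport.upper(), "host": host,
            "port": int(port) if port else None, "params": params}

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def tag_received(via, src_ip):
    """18.2.1: add 'received' if sent-by is a domain name or differs from the source."""
    same = is_ip(via["host"]) and \
        ipaddress.ip_address(via["host"]) == ipaddress.ip_address(src_ip)
    if not same:
        via["params"]["received"] = src_ip
    return via

def response_target(via):
    """18.2.2, unreliable unicast: 'received' address, sent-by port or 5060."""
    host = via["params"].get("received", via["host"])
    return host, via["port"] or 5060

def demo():
    # Constructed packets: (packet source IP, top Via value)
    cases = [("198.51.100.7", "SIP/2.0/UDP 192.0.2.1:5060;branch=z9hG4bK1"),
             ("198.51.100.7", "SIP/2.0/UDP 198.51.100.7;branch=z9hG4bK2"),
             ("198.51.100.7", "SIP/2.0/UDP pbx.example.invalid:5070;branch=z9hG4bK3")]
    return [response_target(tag_received(parse_via(v), src)) for src, v in cases]

if __name__ == "__main__":
    for target in demo():
        print(target)
```

In all three cases the response address is the packet source, while the port is still taken from "sent-by" (or 5060), which is the behaviour the quoted 18.2.2 text specifies.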



