[VOIPSEC] Fw: Evaluating DoS Attacks Against SIP-Based VoIP Systems (INVITE of Death)

Wed Aug 19 05:49:40 CDT 2009

Dear Klaus,
We are currently doing  in depth code analysis of SIP proxy servers and hopefully come up with results and guide lines of secure coding  techniques that will make the SIP proxy inherintly resilient to the DoS attacks. Further more the Results of performance metrics, such as CCR, are calculated on the flooding of Benign INVITE messages (The overloading problem). The Openser parser is robust against malformed packet attack. The reasosn being that it take constant time during parsing of the string as it takes an input the length of a string along with the string. Furthermore it “uses lazy parsing to only parse those headers necessary rather than naively parsing all of them.Last but not least, it incrementally parses only needed fields within a header”
RegardsM Zubair Rafique
--- On Tue, 8/18/09, Klaus Darilion <klaus.mailinglists at pernau.at> wrote:

From: Klaus Darilion <klaus.mailinglists at pernau.at>
Subject: Re: [VOIPSEC] Fw: Evaluating DoS Attacks Against SIP-Based VoIP Systems (INVITE of Death)
To: "zubair rafique" <m_zubair_rafique at yahoo.com>
Cc: voipsec at voipsa.org
Date: Tuesday, August 18, 2009, 4:45 PM

Dear Zubair!

Did you also have evaluated why/how the attack influences the SIP proxy performance? For example, the CCR vs. Attack Rate of Openser is really bad, but you also state that Openser's parser uses "best coding practicies" - this is somehow strange.

How should the parser be changed to be more robust?

Have you also tested how the performance drops by flooding the proxy with "normal" messages in respect to the malformed messages?

regards
Klaus

zubair rafique schrieb:
> 
> 
> Evaluating DoS Attacks Against SIP-Based VoIPSystems (INVITE of
> Death) Paper accepted at IEEE-GLOBECOM
> 2009http://www.nexginrc.org/~zubair.rafique/papers/globecomm-zubair.pdf
> 
> 
> The multimedia communication is rapidly convergingtowards Voice over
> Internet – commonly known as Voiceover Internet Protocol (VoIP).
> Session Initiation Protocol (SIP) isthe standard used for session
> signaling in VoIP. Crafty attackerscan launch a number of Denial of
> Service (DoS) attacks on aSIP based VoIP infrastructure that can
> severely compromiseits reliability. In contrast, little work is done
> to analyze therobustness and reliability of SIP severs under DoS
> attacks. In thispaper, we show that the robustness and reliability of
> generic SIPservers is inadequate than commonly perceived. We have
> doneour study using a customized analysis tool that has the abilityto
> synthesize and launch different types of attacks. We haveintegrated
> the tool in a real SIP test bed environment to measurethe performance
> of SIP servers. Our measurements show that astandard SIP server can
> be easily overloaded by sending simplecall requests. We define the
> performance metrics to measurethe effects of flooding attacks on real
> time services - VoIP inSIP environment – and show the results on
> different SIP serverimplementations. Our results also provide insight
> into resources’usage by SIP servers under flooding attacks. Moreover,
> we showthat how a well known open source SIP server can be
> crashedthrough ‘INVITE of Death’ - a malformed SIP packet
> maliciouslycrafted by our tool. Regards M Zubair RafiquenexGIN RC http://www.nexginrc.org/~zubair.rafique/
> 
> 
> 
> 
> 
> 
> 
> 
> _______________________________________________ Voipsec mailing list Voipsec at voipsa.org http://voipsa.org/mailman/listinfo/voipsec_voipsa.org