In this article you will find descriptions of major VoIP attacks and two ideas on securing VoIP networks. The first suggestion is dialing the network with a VoIP operator infrastructure. The second suggestion is referral to company asterisk based PBX, which is an open source switch server with limited access.
In VoIP many protocols are used. In this article we will focus on the most popular protocol, SIP. SIP is the acronym for Session Initiation Protocol (IETF RFC 3261) that is a widely utilized standard in VoIP communications to set up and control (transfer, hold, cancel, etc.) phone calls.
[SIP basic concepts]
SIP is a text-based protocol with syntax similar to that of HTTP. There are two different types of SIP messages: requests and responses. The first line of a request has a method, which defines the nature of the request, and a Request-URI, which indicates where the request should be sent. In general, a SIP message looks like the following:
- INVITE sip:firstname.lastname@example.org SIP/2.0
- Via: SIP/2.0/UDP local.hp.com
- From: OC <sip:OpenCall.SIP@hp.com>
- To: TPU <sip:email@example.com>
- Subject: Confcall
- Call-ID: firstname.lastname@example.org
- Content-Type: application/sdp
- CSeq: 1 INVITE
- Contact: <sip:email@example.com>
- Content-Length: 187
[SIP network elements]
- A proxy server is an intermediary entity that acts both as a server and as a client for the purpose of making requests on behalf of other clients.
– A SIP user agent (UA) is a logical network end-point, used to create or receive SIP messages and, thereby, manage a SIP session.
– A registrar is a server that accepts REGISTER requests and places the information it receives in those requests into the location service for the domain it handles.
– A redirect server is a user agent server that generates 3xx responses to requests it receives, directing the client to contact an alternate set of URIs.The redirect server allows SIP Proxy Servers to direct SIP session invitations to external domains.”
[Attack on VoIP network]
Message Flows Attacks.
These kinds of attacks are based on malicious messages that are affecting message parcing time or can change session parameters. These attacks may also include flooding with garbage messages.
The following are other known types of attacks :
The “BYE” Attack.
This can be accomplished by either sniffing the network or performing a man-in-the-middle attack (MITM) to insert a BYE request into the session in order to discover the current session parameters.
The “CANCEL” Attack
The attacker may utilize the CANCEL method to cancel an INVITE request generated by a legitimate user. However, the processing of an incoming CANCEL message from a different administrative SIP domain is still an open and unresolved issue. Monitoring of INVITE messages that have not already generated a final response could possibly help to identify any illegitimate CANCEL requests.
The “REFER” Attack
Refer messages are used to transfer and redirect calls.This scheme enables the referee to act as an eavesdropper, giving him the ability to launch man-in-the-middle attacks.
The “UPDATE” Attack and “Re-INVITE” Attack
The only difference between the UPDATE and Re-INVITE attack is that the “re-invite” can be utilized only after a session has
been established. UPDATE is utilized to modify session parameters before the final response to the initial invitation. Similar to the “re-invite” attack, an attacker may send a forged UPDATE message to modify the initial session parameters to cause a DoS that changes parameters like QoS or initial addresses and port.
However, there are cases (some very well known malicious messages) that cannot be identified by these generally structured rules. With these exceptions, special rules must be formed for each distinct SIP-method. For example, INVITEs which do not have a specific header (e.g. Content-Type, Call-ID) must be characterized as invalid.
Input validation procedures must be considered vital for the security of VoIP services. The lack of any validation in data in SIP messages is responsible for security flaws caused by malformed messages. The employment of gateways to filter malicious input at the Internet application level has also been studied. Current firewall technologies incorporate packet inspection for validating input data and the utilization of underlying security mechanisms (e.g. TLS, IPsec, S/MIME).
Another possible countermeasure that can restrain this attack is the authentication of OPTIONS messages.
To parse SIP messages, an efficient parser is needed which only parses messages up to the required level. An attacker can create extra-long messages with multiple header (informative header fields, e.g. Supported) fields and of increased length, plus a big-sized message-body.
SIP messages may include bodies, even though they are not needed in every message. Longer messages also increase network utilization of CPU resources. If multiple message headers of the same field are included in a message then these headers are spread all over the message which complicates parsing. Vital header fields are all routing-specific fields, like To, Via, Route, etc. As an effect, messages which append these fields towards the end of the message are more difficult to parse. One way to overcome this, is by inserting multiple informative header fields before the routing fields, like e.g. Allow or Supported.
Even if a highly optimized parser could handle such attacks, the required processing power requirements would then be missing for performance of other SIP related tasks.
An SIP parser attack algorithm:
- Discovers the target’s SIP capabilities. The REGISTER messages and OPTIONS responses can give information about any SIP User Agent’s (UA) capabilities. This sensitive information is included in the Contact header in REGISTER message and the Allow header in response of the OPTIONS request. In every case, these messages can be utilized from the attacker in two different ways that are aimed at discovering the User Agent’s (UA’s) capabilities.
- Constructs the malformed message. SIP subsystems have been designed and developed for processing messages that are valid and conform with the SIP protocol syntax.
- Tests the derived “crafty” message against the SIP target. The main “advantage” of such an approach is that the assault cannot be easily identified in its prime stages, as the defense mechanisms in place are not usually able to promptly detect it.
SIP parser must be robust which allows implementation of a filtering rule that will find the pattern of potential malicious packets. Also it is possible to use a middle box that will enforce transport policy. The employment of these countermeasures does not mean that the aggressor cannot launch the attack, but it does insure that it is harder to begin the attack.
[DNS Blocking Attacks] (get host by name block 5 sec).
SIP agents are vulnerable to DoS attacks through invalid DNS lookups. The attack tool can generate an arbitrary number of SIP INVITE messages with a configurable delay between them. The SIP messages contain randomly generated SIP URIs. Additionally, multiple message generators can be run in parallel to flood a target with such messages.
To protect against this kind of attack SIP DNS cache may be used. The SIP DNS cache acts as an interface to handle name resolving requests from the SIP proxy. However, in case of an attack, the dedicated DNS cache does not try to resolve any unknown domain names. If no response is available in this cache an unresolvable host error is returned to the SIP proxy. It never delegates any requests to the underlying subsystem. Instead, it only returns responses from its internal cache. In this mode it is guaranteed that every request is processed in the shortest possible time which prevents the server from blocking.
[Public access VoIP networks]
Security approaches on public access VoIP networks with a large number of customers are creating a bastion of servers that will take full control on incoming traffic and will also perform basic filtering of packets. After a large number of packets are filtered and some simple attacks are prevented on this step a transparent proxy with some kind of IDS (snort etc) or firewall installed on the server may be used. The next step is to use an openser SIP proxy with IDS and DNS cache modules enabled. After this, an option is use of back to back agent servers like asterisk that are placed in DMZ zone.
Asterisk configuration tips for better security.
For small business or home usage you can use a PBX server based on open source products like asterisk. Asterisk is an open-source software capable of converting audio and video streams into different formats in real time.
By using dedicated hardware, it’s possible to integrate it with traditional telephone technologies: analog, ISDN, GSM, etc. In this case all incoming traffic is limited to well known hosts and providers. Therefore, access can be restricted or limited for all untrusted hosts and allowed only for granted traffic.
Bellow you can find some useful tips for better asterisk configuration :
- Don’t accept SIP authentication requests from all IP addresses. Use the “permit=” and “deny=” lines in SIP.conf to only allow a reasonable subset of IP addresses to reach each listed extension/user in your SIP.conf file.
- alwaysauthreject=yes, the same information as with extension leek.
- Use STRONG passwords.
- Block your AMI manager ports.
- Allow only one or two calls at a time per SIP entity, and evaluate administrative issues of password robustness and username obscurity.
In conclusion, for better protection ensure that all methods listed above are employed, this includes firewall, IDS, and SIP server solutions. If you have a large system, it will be a two-level-defense architecture consisting of a general Bastion host and a secured SIP server, and finally an attack testing tool like sipp or sipsak.