Secure IP Telephony using Multilayered Protection - PowerPoint PPT Presentation

1 / 26
About This Presentation
Title:

Secure IP Telephony using Multilayered Protection

Description:

... for the IP Address of the SIP Proxy of the Destination Domain. The INVITE is ... Resources on SIP proxy can be exhausted by a large flood of incoming calls ... – PowerPoint PPT presentation

Number of Views:47
Avg rating:3.0/5.0
Slides: 27
Provided by: brennenr
Category:

less

Transcript and Presenter's Notes

Title: Secure IP Telephony using Multilayered Protection


1
Secure IP Telephony using Multi-layered Protection
  • Brennen Reynolds
  • Off-Piste Consulting, LLC
  • (formally of University of California, Davis)
  • Dipak Ghosal
  • University of California, Davis

2
Motivation
  • What is IP Telephony?
  • Packetized voice over IP
  • PSTN access through Media/Signal Gateways (MSG)
  • Benefits
  • Improved network utilization
  • Next generation services
  • Growth
  • Revenues 1.7 billion in 2001, 6 of
    international traffic was over IP, growing Frost
    2002 Telegeography 2002
  • Standardized, deployed protocols (TRIP, SIP,
    H.323)

3
Security Is Essential
  • IP Telephony inherits all properties of the IP
    protocol including security weaknesses
  • Ensuring the security of a critical service must
    be a top priority
  • Convergence of two global and structurally
    different networks introduces new security
    weaknesses

4
Agenda
  • IP Telephony Enabled Enterprise Networks
  • IP Telephony Call Setup
  • Vulnerability Analysis
  • Detection and Control of Flood-based DoS Attacks
  • Preliminary Experimental Results
  • Future Work

5
IP Telephony Enabled Enterprise Network
Architecture
6
Net-to-Net Call Setup
The Location Service is queried to check that the
destination IP address represents a valid
registered device, and for its IP Address
DNS Query for the IP Address of the SIP Proxy of
the Destination Domain
The INVITE is forwarded
4
2
3
A request is sent (SIP INVITE) to ESTABLISH a
session
5
The request is forwarded to the End-Device
1
6
Media Transport
Destination device returns its IP Address to the
originating device and a media connection is
opened
7
Vulnerability Analysis
  • Property oriented approach
  • Access control to use IP telephony service
  • Integrity and authenticity of IP telephony
    signaling messages
  • Resource availability and fairness in providing
    IP telephony service
  • Confidentiality and accountability

8
Access Control
  • Deny unauthorized users access to IP telephony
    service
  • Central authentication servers
  • E.g. RADIUS server
  • Enable various network elements to query
    authentication server

9
Integrity and Authenticity of Signaling Messages
  • Call Based Denial of Service
  • CANCEL messages, BYE message, Unavailable
    responses
  • Call Redirection
  • Re-registering with bogus terminal address, user
    moved to new address, redirect to additional
    proxy
  • User Impersonation

10
Payload Encryption
  • Capture and decoding of voice stream
  • Can be done in real-time very easily
  • Capture of DTMF information
  • Voice mail access code, credit card number, bank
    account
  • Call profiling based on information in message
    headers

11
Resource Fairness and Availability
  • Flood based attacks
  • Network bandwidth between enterprise and external
    network
  • Server resources at control points
  • SIP Proxy Server
  • Voice ports in Media/Signaling Gateway
  • Signaling link between Media/Signaling Gateway
    and PSTN
  • End user

12
Internet Originated Attack
  • Enterprise network connection can be flooded
    using techniques like SYN flooding
  • Resources on SIP proxy can be exhausted by a
    large flood of incoming calls
  • End user receives large number of SIP INVITE
    requests in a brief period of time

13
PSTN Originated Attack
  • Signaling link between M/S gateway and PSTN STP
    becomes saturated with messages
  • Voice ports on the M/S gateway are completely
    allocated
  • Large number of PSTN endpoints attempt to contact
    a single individual resulting in a high volume of
    INVITE messages

14
Secure IP Telephony Architecture
15
Application Layer Attack Sensor (ALAS)
  • Monitors the number of SIP INVITE requests and
    the SIP OK (call acceptance) responses
  • URI level monitor
  • Aggregate level monitor
  • Detection Algorithm
  • Response Algorithm
  • Proxy or M/S gateway returns temporally busy
    messages

16
Transport Layer Attack Sensor (TLAS)
  • Monitors the number of TCP SYN and ACK packets
  • Traffic is monitored at an aggregate level
  • Upon detection of an attack, throttling is
    applied by perimeter devices (e.g. firewall)
  • If attack persists, traceback technologies can be
    used to drop malicious traffic at an upstream
    point

17
RTP Stream Attack Sensor (RSAS)
  • To detect malicious RTP and RTCP streams
  • Parameters of the RTP streams are known at
    connection setup time
  • Police individual streams
  • Statistical techniques to determine large flows
  • Packets corresponding to the malicious streams
    are dropped at the firewall
  • Need cooperation of upstream routers to mitigate
    link saturation

18
Detection Algorithm for ALAS
  • Monitoring the volume of connection attempts vs.
    volume of complete connection handshakes can be
    used to detect an attack
  • Based on the sequential change point detection
    method proposed by Wang, Zhang and Shin (Infocom
    2002) to detect TCP SYN attacks

19
Detection Algorithm
  • All connection setup attempts and complete
    handshakes are counted during the observation
    period
  • During each sampling period the difference is
    computed and normalized

20
Detection Algorithm Cont.
  • Under normal operation, the resulting value
    should be very close to 0
  • In the presence of an attack, the result is a
    large positive number
  • A cumulative sum method is applied to detect
    short high volume attacks as well as longer low
    volume attacks

21
Recovery Algorithm
  • Linear Recovery
  • This is the default behavior of the detection
    algorithm
  • Exponential Recovery
  • The cumulative sum decreases multiplicatively
    once the attack has ceased
  • Reset after Timeout
  • The cumulative sum decays linearly decays until a
    timer expires at which point it is reset to 0

22
Preliminary Results
  • Types of attack
  • Limited DoS attack
  • Single user targeted by one or more attackers
  • Stealth DoS attack
  • Multiple users targeted by one or more attackers
    each with a low volume of call requests
  • Aggressive DoS attack
  • Multiple users targeted with high call requests
  • Ability to detect both aggregate level attacks as
    well as attack to individual URIs

23
Preliminary Results
Limited DoS Attack with 10 calls/min to a single
URI
24
Summary of Detection and Recovery Results
25
Future Work
  • Detailed analysis
  • Tradeoff between detection time and false alarm
    rate
  • Formal vulnerability analysis
  • Additional vulnerabilities with ENUM
  • Routing layer issues
  • Vulnerabilities of multihomed networks

26
Additional Information
  • Masters Thesis
  • Enabling Secure IP Telephony in Enterprise
    Networks
  • http//www.off-pisteconsulting.com/research/pubs/r
    eynolds-ms_thesis.pdf
  • Presentation Slides
  • http//www.off-pisteconsulting.com/research/pubs/n
    dss03-slides.ppt
  • Contact Information
  • Brennen Reynolds
  • Off-Piste Consulting, LLC
  • brennen_at_off-pisteconsulting.com
  • Dipak Ghosal, PhD.
  • University of California, Davis
  • ghosal_at_cs.ucdavis.edu
Write a Comment
User Comments (0)
About PowerShow.com