Title: Secure IP Telephony using Multilayered Protection
Slide 1: Secure IP Telephony using Multi-layered Protection
- Brennen Reynolds
- Off-Piste Consulting, LLC
- (formerly of University of California, Davis)
- Dipak Ghosal
- University of California, Davis
Slide 2: Motivation
- What is IP Telephony?
- Packetized voice over IP
- PSTN access through Media/Signal Gateways (MSG)
- Benefits
- Improved network utilization
- Next generation services
- Growth
- Revenues of $1.7 billion in 2001; 6% of international traffic was carried over IP and growing (Frost 2002, Telegeography 2002)
- Standardized, deployed protocols (TRIP, SIP, H.323)
Slide 3: Security Is Essential
- IP Telephony inherits all properties of the IP protocol, including its security weaknesses
- Ensuring the security of a critical service must be a top priority
- Convergence of two global and structurally different networks introduces new security weaknesses
Slide 4: Agenda
- IP Telephony Enabled Enterprise Networks
- IP Telephony Call Setup
- Vulnerability Analysis
- Detection and Control of Flood-based DoS Attacks
- Preliminary Experimental Results
- Future Work
Slide 5: IP Telephony Enabled Enterprise Network Architecture
Slide 6: Net-to-Net Call Setup
1. A request (SIP INVITE) is sent to ESTABLISH a session
2. DNS query for the IP address of the SIP proxy of the destination domain
3. The INVITE is forwarded
4. The Location Service is queried to check that the destination address represents a valid registered device, and for its IP address
5. The request is forwarded to the end device
6. Media transport: the destination device returns its IP address to the originating device and a media connection is opened
Slide 7: Vulnerability Analysis
- Property oriented approach
- Access control to use IP telephony service
- Integrity and authenticity of IP telephony signaling messages
- Resource availability and fairness in providing IP telephony service
- Confidentiality and accountability
Slide 8: Access Control
- Deny unauthorized users access to IP telephony service
- Central authentication servers
- E.g. RADIUS server
- Enable various network elements to query the authentication server
Slide 9: Integrity and Authenticity of Signaling Messages
- Call Based Denial of Service
- CANCEL messages, BYE messages, Unavailable responses
- Call Redirection
- Re-registering with a bogus terminal address, "user moved to new address", redirect to an additional proxy
- User Impersonation
Slide 10: Payload Encryption
- Capture and decoding of the voice stream
- Can be done in real time very easily
- Capture of DTMF information
- Voice mail access code, credit card number, bank account
- Call profiling based on information in message headers
Slide 11: Resource Fairness and Availability
- Flood based attacks
- Network bandwidth between the enterprise and the external network
- Server resources at control points
- SIP Proxy Server
- Voice ports in the Media/Signaling Gateway
- Signaling link between the Media/Signaling Gateway and the PSTN
- End user
Slide 12: Internet Originated Attack
- Enterprise network connection can be flooded using techniques like SYN flooding
- Resources on the SIP proxy can be exhausted by a large flood of incoming calls
- End user receives a large number of SIP INVITE requests in a brief period of time
Slide 13: PSTN Originated Attack
- Signaling link between the M/S gateway and the PSTN STP becomes saturated with messages
- Voice ports on the M/S gateway are completely allocated
- Large number of PSTN endpoints attempt to contact a single individual, resulting in a high volume of INVITE messages
Slide 14: Secure IP Telephony Architecture
Slide 15: Application Layer Attack Sensor (ALAS)
- Monitors the number of SIP INVITE requests and the SIP OK (call acceptance) responses
- URI level monitor
- Aggregate level monitor
- Detection Algorithm
- Response Algorithm
- Proxy or M/S gateway returns temporarily busy messages
Slide 16: Transport Layer Attack Sensor (TLAS)
- Monitors the number of TCP SYN and ACK packets
- Traffic is monitored at an aggregate level
- Upon detection of an attack, throttling is applied by perimeter devices (e.g. firewall)
- If the attack persists, traceback technologies can be used to drop malicious traffic at an upstream point
Slide 17: RTP Stream Attack Sensor (RSAS)
- To detect malicious RTP and RTCP streams
- Parameters of the RTP streams are known at connection setup time
- Police individual streams
- Statistical techniques to determine large flows
- Packets corresponding to the malicious streams are dropped at the firewall
- Need cooperation of upstream routers to mitigate link saturation
Slide 18: Detection Algorithm for ALAS
- Monitoring the volume of connection attempts vs. the volume of complete connection handshakes can be used to detect an attack
- Based on the sequential change point detection method proposed by Wang, Zhang and Shin (Infocom 2002) to detect TCP SYN attacks
Slide 19: Detection Algorithm
- All connection setup attempts and complete handshakes are counted during the observation period
- During each sampling period the difference is computed and normalized
Slide 20: Detection Algorithm Cont.
- Under normal operation, the resulting value should be very close to 0
- In the presence of an attack, the result is a large positive number
- A cumulative sum method is applied to detect short high volume attacks as well as longer low volume attacks
Slide 21: Recovery Algorithm
- Linear Recovery
- This is the default behavior of the detection algorithm
- Exponential Recovery
- The cumulative sum decreases multiplicatively once the attack has ceased
- Reset after Timeout
- The cumulative sum decays linearly until a timer expires, at which point it is reset to 0
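As an added example (not the authors' code), the following Python implements the INVITE/OK counting, normalized difference and cumulative sum from slides 18 to 20 together with the three recovery rules from slide 21, and runs it over a constructed per-minute trace of a limited DoS against one URI. Normalizing by the OK count, the offset a, the alarm threshold and the decay and timeout constants are assumptions chosen to illustrate the method.

```python
"""CUSUM-style SIP INVITE/OK flood detector with selectable recovery rule.
Statistic, normalisation and constants are illustrative assumptions."""
from dataclasses import dataclass, field


@dataclass
class CusumDetector:
    a: float = 0.5              # offset: normal normalised difference stays below this (assumed)
    threshold: float = 4.0      # alarm once the cumulative sum exceeds this (assumed)
    recovery: str = "linear"    # "linear" (default), "exponential" or "reset"
    decay: float = 0.5          # multiplicative factor for exponential recovery (assumed)
    timeout: int = 3            # quiet periods before a reset-after-timeout (assumed)
    y: float = 0.0              # the cumulative sum
    quiet: int = 0              # consecutive periods without excess INVITEs
    alarms: list = field(default_factory=list)

    def update(self, period: int, invites: int, oks: int) -> bool:
        # Normalised difference: about 0 in normal operation, large positive under attack.
        delta = (invites - oks) / max(oks, 1)
        x = delta - self.a
        if x > 0:                       # excess INVITEs: accumulate
            self.y += x
            self.quiet = 0
        else:                           # attack traffic absent: apply the recovery rule
            self.quiet += 1
            if self.recovery == "exponential":
                self.y *= self.decay
            else:                       # linear decrease, never below 0
                self.y = max(0.0, self.y + x)
                if self.recovery == "reset" and self.quiet >= self.timeout:
                    self.y = 0.0
        alarm = self.y > self.threshold
        if alarm:
            self.alarms.append(period)
        return alarm


def run_trace(trace, recovery="linear"):
    """Feed (INVITE, OK) counts per sampling period; return the alarmed periods."""
    det = CusumDetector(recovery=recovery)
    for period, (invites, oks) in enumerate(trace):
        det.update(period, invites, oks)
    return det.alarms


# Constructed trace for one URI: 3 normal minutes, 5 minutes of a limited DoS at
# triple the call rate with the same number of answered calls, then 12 normal minutes.
TRACE = [(20, 19), (22, 21), (18, 18)] + [(60, 20)] * 5 + [(20, 19)] * 12

if __name__ == "__main__":
    for rule in ("linear", "exponential", "reset"):
        print(rule, run_trace(TRACE, rule))
```

The linear rule keeps alarming for many periods after the attack stops, exponential recovery clears within one period, and reset-after-timeout clears once the timer expires, which is the tradeoff between detection time and false alarms the slides name as future work.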
Slide 22: Preliminary Results
- Types of attack
- Limited DoS attack
- Single user targeted by one or more attackers
- Stealth DoS attack
- Multiple users targeted by one or more attackers, each with a low volume of call requests
- Aggressive DoS attack
- Multiple users targeted with high call requests
- Ability to detect both aggregate level attacks as well as attacks on individual URIs
Slide 23: Preliminary Results
Limited DoS Attack with 10 calls/min to a single URI
Slide 24: Summary of Detection and Recovery Results
Slide 25: Future Work
- Detailed analysis
- Tradeoff between detection time and false alarm rate
- Formal vulnerability analysis
- Additional vulnerabilities with ENUM
- Routing layer issues
- Vulnerabilities of multihomed networks
Slide 26: Additional Information
- Masters Thesis
- Enabling Secure IP Telephony in Enterprise Networks
- http://www.off-pisteconsulting.com/research/pubs/reynolds-ms_thesis.pdf
- Presentation Slides
- http://www.off-pisteconsulting.com/research/pubs/ndss03-slides.ppt
- Contact Information
- Brennen Reynolds
- Off-Piste Consulting, LLC
- brennen_at_off-pisteconsulting.com
- Dipak Ghosal, PhD
- University of California, Davis
- ghosal_at_cs.ucdavis.edu