Deployment of Snort IDS in SIP based VoIP environments Jiří Markl Jaroslav Dočkal

Page 1: Deployment of Snort IDS in SIP based VoIP environments

Jiří Markl, Jaroslav Dočkal

Page 2: Motivation and targets

- Evident advantages of VoIP
- The same level of availability as in the PSTN
- DoS attacks on SIP infrastructure
- Attack identification
- Applicability of Snort IDS for attack detection

Page 3: Identified attacks

- Attacks on SIP proxies
  - Common TCP/IP attacks
    - Direct attacks (Teardrop, Ping of Death, SYN Flood)
    - Indirect attacks (Smurf attack)
    - Other TCP floods (STREAM attack, Null flood)
    - Distributed denial of service
  - Attacks using specific SIP vulnerabilities
- Attacks on contributing services
  - DNS, ENUM
  - Application servers

Page 4: SIP specific attacks

- Brute force attack using INVITE messages
- Denial of service utilizing REGISTER messages

# Rule from the slide: one alert per source IP per 60 s once 200 packets
# whose payload starts with "INVITE" have reached the proxy in that window
# (threshold type both). The in-rule threshold keyword is deprecated since
# Snort 2.8.5 in favour of detection_filter and event_filter, but is still parsed.
alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \
    (msg:"INVITE message flooding"; content:"INVITE"; depth:6; \
    threshold: type both, track by_src, count 200, seconds 60; \
    sid:1000100; rev:1;)

# Suppression of alerting for the known proxy 147.32.121.12
# (suppress entries are evaluated before the threshold is counted)
suppress gen_id 1, sig_id 1000100, track by_src, ip 147.32.121.12

Page 5: SIP specific attacks (continued)

- Tearing down sessions: BYE, CANCEL
- Denial of service utilizing responses: 3xx, 4xx, 5xx, 6xx
- Using message amplification to cause the DoS: loops, forking

Page 6: SIP specific attacks (continued)

- Brute force authentication attack: 401 Unauthorized, 407 Proxy Authentication Required

# Rule from the slide: 100 "401 Unauthorized" responses from one source
# within 60 s. As written it watches responses arriving AT the proxy (for
# example from an upstream registrar); if the proxy itself issues the
# challenges, reverse the header to $SIP_PROXY_IP $SIP_PROXY_PORTS -> any any
# and track by_dst so the count is kept per attacked client address.
alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \
    (msg:"401 Unauthorized flooding"; \
    content:"SIP/2.0 401 Unauthorized"; depth:24; \
    threshold: type both, track by_src, count 100, seconds 60; \
    sid:1000600; rev:1;)
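The two threshold rules (INVITE flooding on page 4 with its suppress entry, and the 401 flooding rule above) share one piece of logic: Snort's `threshold: type both, track by_src` counter. The following Python re-implements that counter and runs both rules over a constructed SIP packet trace. This is an added example, not code from the original slides or from Snort; the proxy address 10.0.0.5, the ports 5060/5061 and all source addresses except the suppressed proxy 147.32.121.12 are assumptions, and the packets are constructed rather than captured.

```python
"""Snort 'threshold: type both, track by_src' semantics, re-implemented and run
over a constructed SIP trace for sid 1000100 (INVITE flooding, with the suppress
entry for 147.32.121.12) and sid 1000600 (401 flooding).

Added example; not code from the original slides. Addresses other than
147.32.121.12 are constructed (RFC 5737 documentation ranges).
"""

SIP_PROXY_IP = "10.0.0.5"        # assumption: stands in for $SIP_PROXY_IP
SIP_PROXY_PORTS = {5060, 5061}   # assumption: stands in for $SIP_PROXY_PORTS


class ThresholdBoth:
    """threshold: type both, track by_src, count N, seconds T.

    Alerts once per source when N matching packets have been seen inside a
    T-second window, then stays silent for that source until the window ends.
    """

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self._state = {}  # src -> (window_start, hits, already_alerted)

    def hit(self, src, ts):
        start, hits, alerted = self._state.get(src, (ts, 0, False))
        if ts - start >= self.seconds:  # window expired: start a new one
            start, hits, alerted = ts, 0, False
        hits += 1
        fire = hits >= self.count and not alerted
        if fire:
            alerted = True
        self._state[src] = (start, hits, alerted)
        return fire


def make_rules():
    """(sid, msg, content, depth, threshold) for the two slide rules; fresh state per call."""
    return [
        (1000100, "INVITE message flooding", b"INVITE", 6, ThresholdBoth(200, 60)),
        (1000600, "401 Unauthorized flooding", b"SIP/2.0 401 Unauthorized", 24,
         ThresholdBoth(100, 60)),
    ]


# suppress gen_id 1, sig_id 1000100, track by_src, ip 147.32.121.12
SUPPRESSED = {1000100: {"147.32.121.12"}}


def content_match(payload, content, depth):
    """content/depth: the pattern must lie entirely within the first `depth` bytes."""
    return content in payload[:depth]


def run_rules(packets, rules=None, suppressed=SUPPRESSED):
    """packets: iterable of (ts, src_ip, dst_ip, dst_port, payload).

    Returns the alerts Snort would log, as (ts, sid, msg, src_ip), in time order."""
    rules = rules if rules is not None else make_rules()
    alerts = []
    for ts, src, dst, dport, payload in sorted(packets, key=lambda p: p[0]):
        if dst != SIP_PROXY_IP or dport not in SIP_PROXY_PORTS:
            continue  # rule header: -> $SIP_PROXY_IP $SIP_PROXY_PORTS
        for sid, msg, content, depth, thr in rules:
            if not content_match(payload, content, depth):
                continue
            if src in suppressed.get(sid, ()):
                continue  # suppress is tested before the threshold counts the hit
            if thr.hit(src, ts):
                alerts.append((ts, sid, msg, src))
    return alerts


def build_trace():
    """Constructed trace (not captured traffic):
    - 192.0.2.10 sends 250 INVITEs in 25 s, then 200 more starting at t=65 s
    - 192.0.2.20 (a real phone) sends 3 INVITEs
    - 147.32.121.12 (the suppressed proxy) sends 300 INVITEs
    - 198.51.100.7 (upstream server) sends 120 '401 Unauthorized' responses to the proxy
    """
    invite = b"INVITE sip:bob@example.com SIP/2.0\r\n"
    unauth = b"SIP/2.0 401 Unauthorized\r\nWWW-Authenticate: Digest realm=\"example.com\"\r\n"
    pkts = []
    pkts += [(i * 0.1, "192.0.2.10", SIP_PROXY_IP, 5060, invite) for i in range(250)]
    pkts += [(65 + i * 0.1, "192.0.2.10", SIP_PROXY_IP, 5060, invite) for i in range(200)]
    pkts += [(i * 5.0, "192.0.2.20", SIP_PROXY_IP, 5060, invite) for i in range(3)]
    pkts += [(i * 0.1, "147.32.121.12", SIP_PROXY_IP, 5060, invite) for i in range(300)]
    pkts += [(i * 0.2, "198.51.100.7", SIP_PROXY_IP, 5060, unauth) for i in range(120)]
    return pkts


if __name__ == "__main__":
    for ts, sid, msg, src in run_rules(build_trace()):
        print(f"t={ts:6.1f}s  sid={sid}  {msg}  from {src}")
```

Running it yields three alerts: the 401 rule fires at t=19.8 s on the 100th response, the INVITE rule fires at t=19.9 s on the attacker's 200th INVITE and again at t=84.9 s in the attacker's second burst (a new 60 s window), while the phone's three INVITEs and the suppressed proxy's 300 never alert. The second burst is the point of `type both`: one alert per source per window, not one per packet once the count is exceeded.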

Page 7: SIP specific attacks (continued)

- Attacks using SQL injection
- Using unresolvable DNS names

# Rule from the slide: byte 3 of the DNS header is 0x83, i.e. RA set, Z bits
# clear, RCODE 3 (NXDOMAIN); 2000 such responses from one DNS server to the
# proxy within 60 s raise one alert for that server.
alert udp $DNS_SERVERS 53 -> $SIP_PROXY_IP any \
    (msg:"DNS No such name threshold"; \
    content:"|83|"; offset:3; depth:1; \
    threshold: type both, track by_src, count 2000, seconds 60; \
    sid:1000400; rev:1;)
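What the single-byte match in the DNS rule above actually tests, and what it misses, is easiest to see by decoding the DNS header. The following Python is an added example, not code from the original slides; it builds minimal DNS responses with `struct` (constructed, not captured) and compares the slide's literal `|83|` test with a mask on the RCODE field.

```python
"""DNS header decoding behind the "DNS No such name" rule (content:"|83|" at
offset 3): byte 3 of the header carries RA, the Z bits and RCODE, so 0x83 is
RA=1, Z=0, RCODE=3 (NXDOMAIN).

Added example, not code from the slides; responses are constructed with struct.
"""
import struct

RCODE_NXDOMAIN = 3


def dns_header(payload):
    """Decode the 12-byte DNS header (RFC 1035 section 4.1.1) into its fields."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    return {
        "id": ident,
        "qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF,
        "aa": flags >> 10 & 1, "tc": flags >> 9 & 1, "rd": flags >> 8 & 1,
        "ra": flags >> 7 & 1, "z": flags >> 4 & 0x7, "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def slide_rule_matches(payload):
    """Exactly what content:"|83|"; offset:3; depth:1 tests: byte 3 == 0x83."""
    return len(payload) > 3 and payload[3] == 0x83


def is_nxdomain_response(payload):
    """Mask-based check: any response (QR=1) with RCODE 3, whatever RA and Z say."""
    h = dns_header(payload)
    return h["qr"] == 1 and h["rcode"] == RCODE_NXDOMAIN


def build_response(ident, flags, qname):
    """Constructed minimal response: header plus the echoed question, no answer RRs."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    return struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0) + question


# Constructed samples. Flag bits: QR=0x8000, AA=0x0400, RD=0x0100, RA=0x0080, low nibble=RCODE.
SAMPLES = {
    "recursive NXDOMAIN":     build_response(0x1234, 0x8183, "nonexistent.example"),
    "authoritative NXDOMAIN": build_response(0x1235, 0x8403, "nonexistent.example"),
    "NOERROR":                build_response(0x1236, 0x8180, "sip.example"),
}


def compare(samples=SAMPLES):
    """name -> (slide rule fires?, RCODE really is NXDOMAIN?)"""
    return {name: (slide_rule_matches(p), is_nxdomain_response(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (rule, real) in compare().items():
        print(f"{name:24s} slide rule: {rule!s:5s}  RCODE==3: {real}")
```

The recursive-resolver reply (flags 0x8183) is caught by both checks; the authoritative reply with RA clear (flags 0x8403) carries byte 3 = 0x03 and slips past the literal match although it is just as much an NXDOMAIN. If the proxy queries authoritative servers directly, the Snort side should test byte 3 masked to its low four bits (a `byte_test` on that byte) rather than match one literal value.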

Page 8: Snort usage conclusions

Advantages
- Based on an existing open-source solution
- Independent of the SIP proxy implementation
- Can be used for detection of various attacks and known exploits (lots of rules available)
- Can be used for detection of misconfigurations in the SIP network

Drawbacks
- Problems with secured connections (TLS): encrypted SIP signalling cannot be inspected
- Usable only for simple detection

Page 9: SIP rules published on Snort.org

The developed rules can be obtained from Snort.org within the current Community Rules set:

http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-CURRENT.tar.gz

Page 10: Thanks.