Session Initiation Protocol (SIP)
Features of SIP
SIP is a lightweight, transport-independent, text-based protocol. SIP has the following features:
Lightweight, in that SIP has only four methods, reducing complexity
Transport-independent, because SIP can be used with UDP, TCP, ATM & so on.
Text-based, allowing for low overhead
SIP is primarily used for VOIP calls
Functions of SIP
Location of an end point
Signal of a desire to communicate
Negotiation of session parameters to establish the session
And teardown of the session once established.
How SIP works
SIP user agents: like cell phones, PCs etc. They initiate message writing.
SIP Registrar servers: They are databases containing User Agent locations; they send agents' IP address information to SIP proxy servers.
SIP Proxy servers: accept session requests made by a UA and query the SIP registrar server to find the recipient UA's address.
SIP Redirect servers: they help in communicating outside the domain
Continued..
Our user A tries to call user B (1)
The domain SIP proxy server now queries the Registrar server in the same domain to learn user B's address (2)
Registrar responds with the address (3)
SIP proxy server calls B (4)
User B responds to SIP proxy (5)
SIP proxy answers to User A (6)
Now the multimedia session is established over the RTP protocol (7)
More about SIP..
SIP relies on SDP and RTP protocols
SIP proxy is a server in a SIP-based IP telephony environment
The SIP proxy takes over call control from the terminals and serves as a central repository for address translation (name to IP address)
SIP Advantages
SIP is based on HTTP and MIME, which makes it suitable for integrated voice-data applications
SIP is designed for real time transmission
Uses fewer resources
Is less complex than the H.323 protocol
SIP uses URLs and is human readable
SIP Disadvantages
First one: One SIP challenge is that SIP messages contain information that the client and/or server would like to keep private, but with the SIP header as well as the message in the open, the distributed architecture of VOIP systems makes it difficult to keep this information confidential.
I will talk about a technique to address it later…
Registration hijacking
When a SIP user is registering with the SIP Registrar server, the attacker can hijack the registration:
1. By disabling the legitimate user's registration using a DOS attack on the user's machine
2. By sending a REGISTER request with the attacker's IP address instead of the legitimate user's
Contact header information is changed by the attacker, who puts its own IP in place of the original user's
This leads to the attacker getting the SIP messages intended for our original user, a clearly undesirable condition
Two main reasons for this attack are: SIP messages being sent in the clear and no SIP message authentication built into the protocol
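
A monitor placed in front of the registrar can watch for exactly the Contact replacement described above. The following is an added example, not part of the original slides: it parses constructed REGISTER messages and flags an address-of-record whose Contact host moves without an Authorization header. The class name, alert strings, example.com and the sample IP addresses are assumptions made for illustration; compact header forms are not handled.

```python
import re

def parse_register(raw):
    """Return (aor, contact_host, has_auth) for a REGISTER, else None."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    if not lines[0].startswith("REGISTER "):
        return None
    hdrs = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    aor = re.search(r"sips?:([^;>\s]+)", hdrs.get("to", ""))
    contact = re.search(r"sips?:(?:[^@>\s]*@)?([^:;>\s]+)", hdrs.get("contact", ""))
    if not aor or not contact:
        return None
    return aor.group(1).lower(), contact.group(1).lower(), "authorization" in hdrs


class BindingMonitor:
    """Tracks the last Contact host seen per address-of-record (To header)."""

    def __init__(self):
        self.bindings = {}

    def observe(self, raw):
        parsed = parse_register(raw)
        if parsed is None:
            return None
        aor, host, has_auth = parsed
        previous = self.bindings.get(aor)
        self.bindings[aor] = host  # simplification: assumes the registrar accepted it
        if previous is None or previous == host:
            return None
        if has_auth:
            return f"REVIEW: {aor} moved {previous} -> {host} (authenticated)"
        return f"ALERT: {aor} moved {previous} -> {host} without Authorization"


def make_register(contact_ip, auth=False):
    """Constructed sample message; example.com and the IPs are documentation values."""
    lines = [
        "REGISTER sip:example.com SIP/2.0",
        "To: <sip:alice@example.com>",
        "From: <sip:alice@example.com>;tag=1",
        f"Contact: <sip:alice@{contact_ip}:5060>",
    ]
    if auth:
        lines.append('Authorization: Digest username="alice", realm="example.com"')
    return "\r\n".join(lines) + "\r\n\r\n"


def demo():
    monitor = BindingMonitor()
    traffic = [make_register("192.0.2.10", auth=True),   # legitimate phone
               make_register("192.0.2.10", auth=True),   # periodic refresh
               make_register("198.51.100.66")]           # Contact replaced, no credentials
    return [monitor.observe(msg) for msg in traffic]


if __name__ == "__main__":
    print(demo())
```
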
Eavesdropping
Eavesdropping is a big problem for SIP based VOIP traffic. Many internet tools like Ethereal do that
Eavesdropping….how ethereal works
Eavesdropping in VoIP requires intercepting the signaling and associated media streams of a conversation
Media streams typically are carried over UDP using RTP
How ethereal works
Capture and decode RTP packets
Analyzing session: here we reassemble the packets
We store this data in audio files (like .wav, .au)
Some remedies….
IPSEC security for IP packets can be one solution
A more common solution is to use Ethernet switches to restrict broadcasting data to all and sundry on the network.
Spoofing
Spoofing is another issue where someone can pose as a user and get unauthorized access
Address authentication between callers built into the underlying transport protocols can resolve this
DOS
Denial of service can be caused if the Proxy/registrar servers are somehow flooded
The solution lies in configuring servers to tackle this problem in their configuration settings
SIP Security Mechanisms
IPSEC is another way to protect IP packets, its encryption making them safe from unauthorized access/modification
So with shared keys between parties IPSEC can provide the secure path for communication between SIP partners
TLS
TLS is another answer for security here: networked parties can share their certificates during the handshake, which can be used for the secure transfer later.
It is widely in use in the wired internet market
TLS lies below FTP(ALP) but above TCP thus obviating the need for TCP header encryption.
Session Border Controller for SIP
A firewall typically helps a simple browser requesting some information by ensuring that only the requested content gets transferred back to the browser and not other information. This is not so in a typical VOIP transfer using SIP, where there are two holes in the firewall for public access: one for signaling and the other for media packets.
Also, the firewalls of, say, two LANs connected via the internet will otherwise reject the other LAN's traffic, thinking it malicious.
SBC
With these addresses on the public side of the firewall, IP address based attacks become a real possibility
The SBC works by making all communication work outwards for media and signaling, even the incoming ones
When our client starts, it registers with the registration server. Now the SBC takes over the function of a PO Box, so an incoming party knows your PO Box address but only your PO Box (your SBC) knows your real IP address.
So primarily for both signaling and media exchange the SBC acts as the bridge between the outside client and us.
SBC allows: signaling and media connections to be dynamically opened and outbound connected.
SBC hides your real IP and polices the signaling and media connections.
SIP Denial of Service
DOS attacks are based on exhausting some server response and thus rendering it incapable of some/all functionalities
SIP server copies each incoming request in its internal buffers
Types of SIP servers (proxy server)
Stateless servers: They just keep a copy of the message while the message is being sent out, then delete it.
Stateful servers: In general, we can distinguish between two types of states in SIP:
• Transaction state: A transaction stateful server stores a copy of the received request as well as the forwarded request
• Session state: In certain cases servers need to maintain some information about the session throughout the lifetime of the session.
Continued…
Regardless, the server will need to maintain the buffered data while contacting another entity like an authentication, authorization, and accounting (AAA) server, a Domain Name Service (DNS) server
CPU based DOS
When a SIP message is received, the SIP server needs to parse this message, do some processing (e.g., authentication) and forward the message
Though the server CPU is high speed, a lot of parallel load and the resulting resource depletion can still cause server blocks and other malfunctions, causing a DOS
Bandwidth based DOS
Sometimes access links connecting a SIP server are so overloaded as to cause congestion losses
So SIP messages get lost, causing further delay, and at least a transient DOS occurs
DOS attacks can occur both with and without malicious intent. SIP and its supporting transport protocols both need protection and safeguarding from attack.
DOS based on Memory exhaustion
A stateful server is an easy target for flooding with many requests for different transactions.
Memory based exploitation can have two basic types: initiating a number of SIP sessions with different SIP identities, and broken session attacks, where a receiver gets an INVITE but then no response from the initiator; many such pending invites can cause memory exhaustion
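
The memory cost of pending INVITEs can be bounded on the server side. The following is an added example, not part of the original slides: a transaction table for a stateful proxy that caps pending INVITEs per source address and in total, and expires entries that never complete. The class name, the limits and the return strings are assumptions; the 32 second default follows the INVITE transaction timeout (Timer B) of RFC 3261.

```python
from collections import Counter, OrderedDict


class PendingInviteTable:
    """Bounded store of INVITE transactions awaiting a final response."""

    def __init__(self, per_source=3, total=1000, timeout=32.0):
        self.per_source, self.total, self.timeout = per_source, total, timeout
        self.pending = OrderedDict()  # call_id -> (source, deadline)
        self.by_source = Counter()    # source -> number of pending INVITEs

    def _drop(self, call_id):
        src, _ = self.pending.pop(call_id)
        self.by_source[src] -= 1
        if self.by_source[src] == 0:
            del self.by_source[src]

    def expire(self, now):
        """Free the state of transactions whose initiator went silent."""
        expired = [cid for cid, (_, deadline) in self.pending.items() if deadline <= now]
        for cid in expired:
            self._drop(cid)
        return len(expired)

    def on_invite(self, src, call_id, now):
        self.expire(now)
        if call_id in self.pending:
            return "retransmission"          # no new state allocated
        if self.by_source[src] >= self.per_source:
            return "reject-source-limit"     # one host, many identities or calls
        if len(self.pending) >= self.total:
            return "reject-table-full"
        self.pending[call_id] = (src, now + self.timeout)
        self.by_source[src] += 1
        return "accepted"

    def on_completed(self, call_id):
        """Call when the transaction ends normally (final response handled)."""
        if call_id in self.pending:
            self._drop(call_id)


def demo():
    # Constructed traffic: one source opens five sessions and never answers.
    table = PendingInviteTable(per_source=3, total=10)
    flood = [table.on_invite("203.0.113.5", f"call-{i}", now=0.0) for i in range(5)]
    legit = table.on_invite("192.0.2.10", "call-legit", now=1.0)
    freed = table.expire(now=40.0)
    return flood, legit, freed, len(table.pending)


if __name__ == "__main__":
    print(demo())
```
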
Some Countermeasures
Just like for a web or email server, make a list of suspected users and blacklist them
Using authentication strategies is also preferable. But more CPU resources are needed to tighten these security problems
Continued..
Also, having the SIP proxy server and application server on the same hardware can really slow down the response time. The SIP proxy may need some other server's service and this can cause other requests to be suspended sometimes
Having dedicated hardware for servers is important
Continued..
The first line of defense for DOS is having a high speed CPU, big efficient memory and many access links
Clean memory allocation and parsing schemes are equally important
Parallel processing can lead to many requests being served simultaneously and parallel execution of message parsing and forwarding of messages.
Challenges…
The text based nature of SIP renders it vulnerable to spoofing, hijacking and message tampering
SIP utilizes transport layer protocols like TCP and UDP, so it is vulnerable to their set of attacks too, like for TCP: SYN flood and TCP session hijacking
For SIP software, viruses/bugs are also an issue, which can be dealt with by using antivirus software
SIP Security Mechanism
The SIP specification does not include any specific security mechanism but relies on other internet security mechanisms like HTTPS Digest, TLS, and IPSEC.
How this authentication works
Continued..
SIP authentication works this way:
The SIP client sends a SIP INVITE, which gets answered by a 407 reply, which is the authenticator from the SIP Proxy server.
The client now uses this authenticator to create information for its new header
With this new header attached it sends back a REINVITE to the Proxy server
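
The exchange above, worked through in code as an added example that is not part of the original slides. It assumes the HTTP Digest scheme of RFC 2617 with MD5 and qop=auth: the proxy issues the challenge carried in the 407, the client derives the response for its new Proxy-Authorization header, and the proxy checks it. Function names, the user and the password store are assumptions for illustration.

```python
import hashlib
import hmac
import os
import re


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def make_challenge(realm):
    """Proxy side: parameters sent in the 407 reply (the 'authenticator')."""
    return {"realm": realm, "nonce": os.urandom(16).hex(), "qop": "auth"}


def digest_response(user, password, method, uri, ch, cnonce, nc="00000001"):
    """RFC 2617 response value; the password itself never goes on the wire."""
    ha1 = md5_hex(f"{user}:{ch['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{ch['nonce']}:{nc}:{cnonce}:{ch['qop']}:{ha2}")


def build_proxy_authorization(user, password, method, uri, ch):
    """Client side: the new header attached to the repeated INVITE."""
    cnonce = os.urandom(8).hex()
    resp = digest_response(user, password, method, uri, ch, cnonce)
    return (f'Digest username="{user}", realm="{ch["realm"]}", nonce="{ch["nonce"]}", '
            f'uri="{uri}", qop=auth, nc=00000001, cnonce="{cnonce}", response="{resp}"')


def parse_digest(header):
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', header)
    return {key: value.strip('"') for key, value in pairs}


def verify(header, method, ch, password_db):
    """Proxy side: recompute the response for the challenge it issued."""
    f = parse_digest(header)
    if not all(k in f for k in ("username", "uri", "cnonce", "nc", "response")):
        return False
    if f.get("nonce") != ch["nonce"] or f.get("realm") != ch["realm"]:
        return False  # answer to a different or stale challenge
    password = password_db.get(f["username"])
    if password is None:
        return False
    expected = digest_response(f["username"], password, method, f["uri"], ch,
                               f["cnonce"], f["nc"])
    return hmac.compare_digest(expected, f["response"])


if __name__ == "__main__":
    users = {"alice": "s3cret"}  # constructed credential store
    challenge = make_challenge("example.com")
    header = build_proxy_authorization("alice", "s3cret", "INVITE",
                                       "sip:bob@example.com", challenge)
    print(verify(header, "INVITE", challenge, users))
```

Because the method and request URI are hashed into the response, a header captured from one request does not validate for a different method, and a fresh nonce per challenge keeps an old response from validating later.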
Continued..
IPSEC is another way to protect IP packets, its encryption making them safe from unauthorized access/modification
So in one traditional way, with shared keys between communicating parties, IPSEC can provide the secure path for communication between SIP partners