Secure IP Telephony using Multi-layered Protection

Secure IP Telephony using Multi-layered Protection

Brennen ReynoldsOff-Piste Consulting, LLC

(formally of University of California, Davis)

Dipak GhosalUniversity of California, Davis

Motivation What is IP Telephony?

Packetized voice over IP PSTN access through Media/Signal Gateways (MSG)

Benefits: Improved network utilization Next generation services

Growth: Revenues $1.7 billion in 2001, 6% of international

traffic was over IP, growing [Frost 2002] [Telegeography 2002]

Standardized, deployed protocols (TRIP, SIP, H.323)

Security Is Essential IP Telephony inherits all properties of

the IP protocol – including security weaknesses Ensuring the security of a critical

service must be a top priority Convergence of two global and

structurally different networks introduces new security weaknesses

Agenda IP Telephony Enabled Enterprise

Networks IP Telephony Call Setup Vulnerability Analysis Detection and Control of Flood-based

DoS Attacks Preliminary Experimental Results Future Work

IP Telephony Enabled Enterprise Network Architecture

Enterprise DMZ

SIPRedirectProxy

SIPRegistrar /LocationServer

WebServer

DNSServer

EdgeRouter

ExternalFirewall

InternalFirewall

Softphone IP Phone

EnterpriseLAN

AuthenticationServer

PSTN

Media /Signal

Gateway

Internet

Net-to-Net Call Setup

Media Transport

1

2

3

4

5

6

A request is sent (SIP INVITE) to

ESTABLISH a session

DNS Query for the IP Address

of the SIP Proxy of the

Destination Domain

The INVITE is forwarded

The Location Service is queried to check that the

destination IP address represents a valid

registered device, and for its IP Address

The request is forwarded to the End-Device

Destination device returns its IP Address to the

originating device and a media connection is

opened

DNSServer

SIP IP Phone

SIP IP Phone

SIP Registrar /Location Server

SIP RedirectProxy

SIP RedirectProxy

Vulnerability Analysis Property oriented approach

Access control to use IP telephony service

Integrity and authenticity of IP telephony signaling messages

Resource availability and fairness in providing IP telephony service

Confidentiality and accountability

Access Control Deny unauthorized users access to IP

telephony service Central authentication servers

E.g.: RADIUS server Enable various network elements to

query authentication server

Integrity and Authenticity of Signaling Messages Call Based Denial of Service

CANCEL messages, BYE message, Unavailable responses

Call Redirection Re-registering with bogus terminal

address, user moved to new address, redirect to additional proxy

User Impersonation

Payload Encryption Capture and decoding of voice stream

Can be done in real-time very easily Capture of DTMF information

Voice mail access code, credit card number, bank account

Call profiling based on information in message headers

Resource Fairness and Availability Flood based attacks

Network bandwidth between enterprise and external network

Server resources at control points SIP Proxy Server

Voice ports in Media/Signaling Gateway Signaling link between Media/Signaling

Gateway and PSTN End user

Internet Originated Attack Enterprise network connection can be

flooded using techniques like SYN flooding

Resources on SIP proxy can be exhausted by a large flood of incoming calls

End user receives large number of SIP INVITE requests in a brief period of time

PSTN Originated Attack Signaling link between M/S gateway and

PSTN STP becomes saturated with messages

Voice ports on the M/S gateway are completely allocated

Large number of PSTN endpoints attempt to contact a single individual resulting in a high volume of INVITE messages

Secure IP Telephony Architecture

PSTN

Internet

Enterprise DMZ

TransportLayerAttackSensor

SIPRedirect

Proxy

SIPRegistrar /LocationServer

WebServer

DNSServer

EdgeRouter

ExternalFirewall

InternalFirewall

ApplicationLayerAttackSensor

Media /Signal

Gateway

ApplicationLayerAttackSensor

Softphone IP Phone

EnterpriseLAN

AuthenticationServer

Application Layer Attack Sensor (ALAS) Monitors the number of SIP INVITE

requests and the SIP OK (call acceptance) responses URI level monitor Aggregate level monitor

Detection Algorithm Response Algorithm

Proxy or M/S gateway returns temporally busy messages

Transport Layer Attack Sensor (TLAS) Monitors the number of TCP SYN and ACK

packets Traffic is monitored at an aggregate level Upon detection of an attack, throttling is

applied by perimeter devices (e.g. firewall) If attack persists, traceback technologies can

be used to drop malicious traffic at an upstream point

RTP Stream Attack Sensor (RSAS) To detect malicious RTP and RTCP streams Parameters of the RTP streams are known

at connection setup time Police individual streams Statistical techniques to determine large flows

Packets corresponding to the malicious streams are dropped at the firewall

Need cooperation of upstream routers to mitigate link saturation

Detection Algorithm for ALAS Monitoring the volume of connection

attempts vs. volume of complete connection handshakes can be used to detect an attack

Based on the sequential change point detection method proposed by Wang, Zhang and Shin (Infocom 2002) to detect TCP SYN attacks

Detection Algorithm All connection setup attempts and

complete handshakes are counted during the observation period

During each sampling period the difference is computed and normalized

)(

)()()( _

nC

nHSnEAnX )()1()1()(

__

nHSnCnC

Detection Algorithm Cont. Under normal operation, the resulting

value should be very close to 0 In the presence of an attack, the result

is a large positive number A cumulative sum method is applied to

detect short high volume attacks as well as longer low volume attacks

Recovery Algorithm Linear Recovery

This is the default behavior of the detection algorithm

Exponential Recovery The cumulative sum decreases multiplicatively

once the attack has ceased Reset after Timeout

The cumulative sum decays linearly decays until a timer expires at which point it is reset to 0

Preliminary Results Types of attack

Limited DoS attack Single user targeted by one or more attackers

Stealth DoS attack Multiple users targeted by one or more attackers

each with a low volume of call requests Aggressive DoS attack

Multiple users targeted with high call requests Ability to detect both aggregate level

attacks as well as attack to individual URIs

Preliminary Results

0

5

10

15

20

25

30

35

40

1 3 5 7 9 11 13 15 17 19 21 23 25 27 29Time (minutes)

Cal

cula

ted

Valu

e of

Yn

Exponential Recovery

Linear Recovery

Threshold

Limited DoS Attack with 10 calls/min to a single URI

Summary of Detection and Recovery ResultsDetection Time Recovery Time

Attack Type Detection Time

Recovery Algorithm

Recovery Time

4 calls/min – Limited DoS

4 min (URI level) 4 calls/min – Linear

3 min

10 calls/min – Limited DoS

2 min (URI level) 10 calls/min – Linear

17 min

50 URI Aggressive DoS

6 min (URI level)8 min (agg. level)

10 calls/min – Exponential

6 min

200 URI Stealth DoS

4 min (agg. level)

10 calls/min – R.a.T.

3 min

Future Work Detailed analysis

Tradeoff between detection time and false alarm rate

Formal vulnerability analysis Additional vulnerabilities with ENUM

Routing layer issues Vulnerabilities of multihomed

networks

Additional Information Master’s Thesis

Enabling Secure IP Telephony in Enterprise Networkshttp://www.off-pisteconsulting.com/research/pubs/reynolds-ms_thesis.pdf

Presentation Slideshttp://www.off-pisteconsulting.com/research/pubs/ndss03-slides.ppt

Contact Information: Brennen Reynolds Off-Piste Consulting, LLC [email protected] Dipak Ghosal, PhD. University of California, Davis [email protected]