Practical Discussion of VoIP Security Mechanisms
Transcript of Practical Discussion of VoIP Security Mechanisms
VoIP security pyramid (each layer with the example problems the slide lists for it)
Policies and procedure – passwords too short, outbound-dialing permission problems
Physical security – hardware problems, unexpected reboots
Network security – SYN flood, DDoS
Supporting services security – SQL, DHCP…
OS security – Buffer underrun, worms…
VoIP protocol/app security – INVITE/BYE attacks, call interception
VoIP attack posture
• Direct attacks from outside
• First compromise one internal host
– gives more room and more methods for the attack
– 2005 CSI/FBI computer crime survey
• Attackers usually already hold some level of network access
– Employee, contractor, customer, partner
Protocols in a VoIP Solution
Protocol types:
Signaling – Protocols that establish, locate, set up, modify and tear down sessions.
Media Transport – Protocols that transmit the voice samples.
Supporting (Services) – DNS, location servers, QoS, routing protocols, AAA…
Protocols Combining a VoIP Solution
(Diagram: SIP IP Phone – SIP Proxy – DNS Server / Location Service – SIP Proxy – SIP IP Phone, with Media Transport between the phones; steps numbered 1 to 6.)
1. A request (SIP INVITE) is sent to ESTABLISH a session.
2. DNS query for the IP address of the SIP proxy of the destination domain.
3. The INVITE is forwarded.
4. The Location Service is queried to check that the destination address represents a valid registered device, and for its IP address.
5. The request is forwarded to the end device.
6. The destination device returns its IP address to the originating device and a media connection is opened.
Examples of Protocols
Signaling: SIP (IETF), H.323 (ITU-T), MGCP (IETF), MEGACO
Media Transport: RTP and RTCP (IETF), SCTP (IETF)
Supporting Services: DNS; Routing – TRIP (Telephony Routing over IP); Quality of Service – RSVP, 802.1q
SIP Design & Methods
A client-server based protocol modeled after HTTP; its building blocks are Requests and Responses.
The methods are:
INVITE – Session setup; initiates sessions. Re-INVITEs are used to change session state.
ACK – Confirms INVITE sessions
BYE – Terminates sessions
CANCEL – Cancels a pending session
OPTIONS – Capability and options query
REGISTER – Binds an address to a location
(Diagram: Client sends a Request, Server returns a Response.)
SIP Components
SIP UAC – SIP User Agent Client
SIP UAS – SIP User Agent Server
UA – UAC + UAS
SIP Proxy – Relays the Call Signaling without maintaining a state (although able to). Receives a request from a UA or another Proxy Server, and forwards or proxies the request to another location (The ACK and BYE are not required to go through the SIP Proxy Server).
SIP Redirect – Receives a request from a UA or a Proxy. The Redirect Server will return a 3xy response stating the IP address the request should be sent to.
SIP Registrar – Receives Registration requests, and keeps the user’s whereabouts using a Location Server.
SIP Response Codes
Characteristics similar to HTTP:
1xy Information or Provisional (request in progress but not yet completed): 100 Trying, 180 Ringing, 181 Call Forwarded
2xy Success (the request has completed successfully): 200 OK
3xy Redirection (another location should be tried for the request): 300 Multiple Options, 301 Moved Permanently, 302 Moved Temporarily
4xy Client Error (the request was not completed due to an error in the request; can be retried at another location): 400 Bad Request, 401 Unauthorized, 482 Loop Detected, 486 Busy Here
5xy Server Failure (the request was not completed due to an error in the recipient; can be retried at another location): 500 Server Internal Error
6xy Global Failure (the request failed and should not be retried): 600 Busy Everywhere
External attacks
Reconnaissance via the web
• Difficulty: low • Prevalence: high • Impact: high
• The website is usually the organization's public-facing information channel, so it is an easy attack point
Public information
• Organizational structure or geographic location
• FAQ / tech support
– IP-phone type, default voicemail password…
• Job postings
• Switchboard voice greeting
• inurl:"ccmuser/logon.asp"
• intitle:"Sipura SPA configuration"
• intitle:"Grandstream Device"
• Countermeasure: check your own exposure
– site:
• http://www.cyveilance.com/
SIP Architecture
(Diagram: SIP IP Phone – SIP Proxy – DNS Server / Location Service – SIP Proxy – SIP IP Phone; the call flow shown is:)
1. SIP INVITE from the calling phone to its proxy
2. DNS query for the IP address of the SIP proxy of the destination domain
3. FW: SIP INVITE to the destination proxy
4. 100 Trying (one per hop back to the caller)
5. The Location Service is queried to check that the destination address represents a valid registered device, and for its IP address
6. FW: SIP INVITE to the called phone
7. 180 Ringing (relayed back through both proxies)
8. 200 OK (relayed back through both proxies)
9. ACK (forwarded through both proxies)
10. Both-way RTP media between the phones
11. BYE
12. 200 OK
SIP Security – INVITE Example
INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP here.com:5060
From: BigGuy <sip:[email protected]>
To: LittleGuy <sip:[email protected]>
Call-ID: [email protected]
CSeq: 1 INVITE
Contact: <sip:[email protected]>
Content-Type: application/sdp
Content-Length: 147

v=0
o=UserA 2890844526 2890844526 IN IP4 here.com
s=Session SDP
c=IN IP4 100.101.102.103
t=0 0
m=audio 49172 RTP/AVP 0
a=rtpmap:0 PCMU/8000
(Slide annotations pointing at header fields of this message: "Predicted values" and "Another hard to guess value".)
SIP Security – Denial-of-Service
Simple denial-of-service against SIP when using UDP: since UDP is an asynchronous protocol, if one can guess the target network a caller is sending its SIP signaling over UDP to, an ICMP error message such as Port Unreachable, Protocol Unreachable, Network Unreachable or even Host Unreachable will terminate the signaling and the call in any state.
Using CANCELs (see the next two examples)
Using BYE (at any time)
SIP Security – Denial-of-Service: A cannot make calls
(Diagram: A: SIP IP Phone, B: SIP IP Phone, C: Attacker. A sends INVITE; C sends CANCEL.)
"The CANCEL request cancels a pending request with the same Call-ID, To, From, and CSeq…"
SIP Security – Denial-of-Service: A is not receiving calls
(Diagram: A: SIP IP Phone, B: SIP IP Phone, C: Attacker. B sends INVITE to A; C sends CANCEL.)
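The following is an added example, not code from the original slides: a proxy-side check that applies the CANCEL matching rule quoted above (same Call-ID, To, From and CSeq number), adds RFC 3261's requirement that the top Via branch also match, and flags a CANCEL arriving from a different source address than the INVITE it claims to cancel. The messages, branch values, user names and IP addresses are constructed; the header layout follows the INVITE example earlier on the page.

```python
# Added example, not from the slides: validate a CANCEL against the pending
# INVITE it claims to cancel (RFC 3261: same Call-ID, To, From, CSeq number
# and top Via branch) and flag one sent from a different source address.
CRLF = "\r\n"

def parse_sip(raw):
    """Return (method, headers) for a SIP request; the body is ignored."""
    head = raw.split(CRLF + CRLF, 1)[0].split(CRLF)
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return head[0].split(" ", 1)[0], headers

def tx_key(h):
    """Fields a CANCEL must copy from the request it cancels (CSeq number only)."""
    return (h["call-id"], h["to"], h["from"], h["cseq"].split()[0])

def via_branch(h):
    """Branch parameter of the top Via header, or '' if it is missing."""
    for param in h["via"].split(";")[1:]:
        if param.strip().startswith("branch="):
            return param.strip()[len("branch="):]
    return ""

def check_cancel(invite_raw, invite_src, cancel_raw, cancel_src):
    """Classify a CANCEL: 'accept', 'suspicious: ...' or 'reject: ...'."""
    _, inv = parse_sip(invite_raw)
    _, can = parse_sip(cancel_raw)
    if tx_key(inv) != tx_key(can):
        return "reject: no matching pending INVITE"
    if via_branch(inv) != via_branch(can):
        return "reject: Via branch mismatch"
    if invite_src != cancel_src:           # extra check beyond RFC 3261
        return "suspicious: CANCEL from a different source address"
    return "accept"

def build(method, branch, cseq_num=1):
    # Constructed request in the layout of the slides' INVITE example.
    return CRLF.join([
        f"{method} sip:b@there.com SIP/2.0",
        f"Via: SIP/2.0/UDP here.com:5060;branch={branch}",
        "From: BigGuy <sip:a@here.com>",
        "To: LittleGuy <sip:b@there.com>",
        "Call-ID: abc123@here.com",
        f"CSeq: {cseq_num} {method}", "Content-Length: 0", "", ""])

INVITE = build("INVITE", "z9hG4bK776asdhds")          # sent by caller A
CALLER_CANCEL = build("CANCEL", "z9hG4bK776asdhds")   # A gives up: legitimate
GUESSED_CANCEL = build("CANCEL", "z9hG4bKguess")      # wrong branch: reject
```

A proxy that checks only the four quoted fields accepts any CANCEL whose values were read off the wire; the branch and source-address checks are what make the spoofed CANCEL in the two slides above detectable.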
SIP Security – Call Tracking (Example)
(The slide repeats the INVITE message shown in the INVITE example above.)
SIP Security – Call Hijacking
An INVITE is sent; the attacker sends a 3xy response indicating that the called party has moved, and supplies his own forwarding address.
(Diagram: A: SIP IP Phone, B: SIP IP Phone, C: Attacker. A sends INVITE; C answers 301 Moved Permanently; A sends INVITE' to the address C supplied.)
SIP Security – Call Hijacking
Registering one's own address in place of another user's. [If registration requires authentication, another type of attack might be used.]
(Diagram: C: Attacker to the SIP Registrar: "I am user A and here is my IP address".)
SIP Security – Route Hiding
(Diagram: IP Phone A – SIP Proxy – SIP Proxy – SIP Proxy – SIP Proxy – IP Phone B.)
Target – Hide the routing information (Via headers).
Problem – IP Phone B will need to route back to IP Phone A. It will be able to see all routing information before it sends responses to its local proxy.
Scanning the VoIP network
Scan
• Combines UDP, TCP, SNMP, ICMP
• Targets:
– Firewalls, routers, VoIP phones, VoIP softphones, IP-PBX, DHCP server, TFTP server, tools
• nmap -sP 192.168.0.1-254
TFTP / auto-provisioning
SNMP walk
• SNMP v1/v2
• snmpwalk – can reveal the IP addresses of many servers the phones connect to
• SNMP v3
DoS/DDoS
Flooding attacks
• UDP, TCP flooding attacks
• VoIP mostly uses UDP
– SIP on port 5060, plus random even-numbered ports
• High risk, low difficulty
• H.323 uses TCP
– SYN – SYN-ACK – ACK
Impact: insufficient bandwidth
• Bandwidth exhausted by viruses – a virus scanning for hosts to infect consumes bandwidth
• P2P downloads
Countermeasures
• Use QoS – DiffServ, QoS tags
• Anti-DoS/DDoS solution – usually detects attacks by rate control and similar means
• Harden network device configuration – e.g. http://fanqiang.chinaunix.net/a5/b7/20010625/070000655_b.html
• Harden VoIP device configuration – default passwords, guest accounts, unnecessary services, OS patches
• VLANs
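The rate-control detection mentioned in the countermeasures, as an added example that is not from the original slides: a sliding-window limiter on INVITEs per source address, of the kind an anti-DoS device in front of UDP port 5060 applies, replayed over a few constructed log lines. The log format, addresses, window and threshold are all assumptions.

```python
# Added example, not from the slides: sliding-window rate control on SIP
# INVITEs per source address, the kind of check an anti-DoS device in front
# of UDP/5060 applies.  Log format, addresses and thresholds are constructed.
from collections import defaultdict, deque
WINDOW_SECONDS = 1.0
MAX_INVITES_PER_WINDOW = 5

class SipRateLimiter:
    def __init__(self, window=WINDOW_SECONDS, limit=MAX_INVITES_PER_WINDOW):
        self.window, self.limit = window, limit
        self.recent = defaultdict(deque)   # src ip -> timestamps of passed INVITEs

    def allow(self, ts, src, method):
        """True if the request may pass; only INVITEs are counted and limited."""
        if method != "INVITE":
            return True
        q = self.recent[src]
        while q and ts - q[0] >= self.window:   # drop entries outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True

def parse_line(line):
    """Constructed log format: '<seconds> <src_ip>:<port> -> 5060 <METHOD>'."""
    ts, src, _, _, method = line.split()
    return float(ts), src.split(":")[0], method

SAMPLE_LOG = """\
0.00 10.0.0.7:5060 -> 5060 REGISTER
0.10 10.0.0.7:5060 -> 5060 INVITE
0.20 10.0.0.9:40001 -> 5060 INVITE
0.30 10.0.0.9:40002 -> 5060 INVITE
0.40 10.0.0.9:40003 -> 5060 INVITE
0.50 10.0.0.9:40004 -> 5060 INVITE
0.60 10.0.0.9:40005 -> 5060 INVITE
0.70 10.0.0.9:40006 -> 5060 INVITE
0.80 10.0.0.9:40007 -> 5060 INVITE
0.90 10.0.0.9:40008 -> 5060 INVITE
1.70 10.0.0.9:40009 -> 5060 INVITE
"""

def dropped_invites(log=SAMPLE_LOG):
    """Replay the log; return {src_ip: number of INVITEs the limiter dropped}."""
    limiter, drops = SipRateLimiter(), defaultdict(int)
    for line in log.strip().splitlines():
        ts, src, method = parse_line(line)
        if not limiter.allow(ts, src, method):
            drops[src] += 1
    return dict(drops)
```

The burst from 10.0.0.9 loses its sixth, seventh and eighth INVITE, while the single INVITE from 10.0.0.7 and the later INVITE after the window has slid pass untouched.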
Network eavesdropping
Network-based eavesdropping
• TFTP configuration file
• File sniffing
• Number harvesting
• Call pattern tracking
• Conversation
Switch
• Hub
• Switch attacks
– MAC address flooding
– VLAN
– Spanning tree protocol
• BPDU (Bridge Protocol Data Unit) packets
– VLAN trunking protocol
• Hacking Exposed Cisco Networks, 2006, McGraw-Hill, ch. 12
• ARP poisoning (man-in-the-middle)
Voice eavesdropping / number analysis
• Voipong, vomit
• Ethereal, Wireshark
DTMF detection from a recorded call
http://www.polar-electric.com/DTMF/
Traditional approaches
• Eavesdropping • DoS • Sending fake media • Altering relayed media • Adding media • Forwarding to a different IP
ARP poisoning
• Demo…
Countermeasures
• Static ARP mappings
– for VoIP servers, gateways, DHCP servers…
• Switch port security – makes moving IP phones inconvenient
• VLANs
• Session encryption
• ARP poisoning detection
– http://arpon.sourceforge.net/
– arpwatch
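The ARP poisoning detection and static ARP mapping countermeasures above, as an added example that is not code from the slides or from the arpwatch or ArpON projects: an arpwatch-style monitor seeded with static IP-to-MAC bindings for the VoIP server, gateway and DHCP server, which flags replies that contradict a binding, IPs whose MAC changes, and one MAC claiming several IPs. All addresses and ARP frames are constructed.

```python
# Added example, not from the slides: an arpwatch-style monitor that seeds a
# table with static IP-to-MAC bindings for the VoIP server, gateway and DHCP
# server and flags ARP replies that contradict them, IPs whose MAC changes,
# and one MAC claiming several IPs.  All addresses and frames are constructed.
from collections import defaultdict

STATIC_ARP = {                      # constructed protected infrastructure
    "192.168.0.1": "00:11:22:33:44:01",    # gateway
    "192.168.0.10": "00:11:22:33:44:0a",   # VoIP server / IP-PBX
    "192.168.0.20": "00:11:22:33:44:14",   # DHCP server
}

class ArpMonitor:
    def __init__(self, static):
        self.static = {ip: mac.lower() for ip, mac in static.items()}
        self.seen = dict(self.static)        # ip -> last MAC seen claiming it
        self.ips_by_mac = defaultdict(set)   # mac -> set of IPs it has claimed

    def observe(self, ip, mac):
        """Feed one ARP reply (sender IP, sender MAC); return alert strings."""
        alerts, mac = [], mac.lower()
        if ip in self.static and mac != self.static[ip]:
            alerts.append(f"static binding violated: {ip} claimed by {mac}")
        elif self.seen.get(ip, mac) != mac:
            alerts.append(f"flip-flop: {ip} moved {self.seen[ip]} -> {mac}")
        self.seen[ip] = mac
        self.ips_by_mac[mac].add(ip)
        if len(self.ips_by_mac[mac]) > 1:    # typical of a MITM relaying both sides
            alerts.append(f"one MAC claims several IPs: {mac} -> "
                          f"{sorted(self.ips_by_mac[mac])}")
        return alerts

def replay_samples():
    """Replay constructed ARP replies: benign traffic, then a gateway spoof."""
    mon = ArpMonitor(STATIC_ARP)
    frames = [
        ("192.168.0.50", "00:aa:bb:cc:dd:50"),   # phone A announces itself
        ("192.168.0.1", "00:11:22:33:44:01"),    # genuine gateway reply
        ("192.168.0.1", "00:aa:bb:cc:dd:99"),    # third host claims the gateway
        ("192.168.0.50", "00:aa:bb:cc:dd:99"),   # and claims phone A as well
    ]
    return [alert for ip, mac in frames for alert in mon.observe(ip, mac)]
```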
Encryption
VoIP security mechanisms by layer (transport layer, network layer, application layer):
• HTTP digest authentication
• TLS, SRTP, ZRTP
• IPsec
Thank you; comments and questions are welcome.