Date posted: 28-Dec-2015
Session Initiation Protocol SIP
Session Initiation Protocol (SIP) is a standard signaling protocol for VoIP, and is appropriately coined as the “SS7 of future telephony.”
It was developed by the Internet Engineering Task Force (IETF) in RFC 2543 which was updated by RFC 3261.
SIP was designed to address some important issues in setting up and tearing down sessions such as user location, user availability, and session management.
Selected Topics in Information Security – Bazara Barry
The simplicity and versatility of SIP make it the choice of instant messaging, video conferencing, and multiplayer game applications among others.
SIP uses other protocols to perform various functions during a session such as Session Description Protocol (SDP) to describe the characteristics of end devices, Resource Reservation Setup Protocol (RSVP) for voice quality, and Real-time Transport Protocol (RTP) for real-time transmission.
SIP Message Format
The SIP message is made up of three parts: the start line, message headers, and body. The start line contents vary depending on whether the SIP message is a request or a response. For requests it is referred to as a request line and for responses it is referred to as a status line.
Figure: SIP message layout: the Start Line, followed by the message headers (Header 1, Header 2, ...), then the Body.
The base SIP specifications define six types of request: the INVITE request, CANCEL request, ACK request, BYE request, REGISTER request, and the OPTIONS request.
Response types or codes are also classified into six classes. 1xx for provisional/informational responses, 2xx for success responses, 3xx for redirection responses, 4xx for client error responses, 5xx for server error responses, and 6xx for global failure responses.
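The three-part layout and the request/response split described above can be exercised with a small parser. The following is an added example written for this page (it is not code from the original slides): it separates start line, headers and body, tells a request line from a status line, checks request methods against the six base methods, and maps a response code to its class. The two sample messages and their header values are constructed.

```python
"""Minimal SIP message parser (added example, not from the original slides).

Splits a SIP message into start line, headers and body, distinguishes a
request line from a status line, checks request methods against the six
base methods and maps response codes to their six classes.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

BASE_METHODS = {"INVITE", "CANCEL", "ACK", "BYE", "REGISTER", "OPTIONS"}

RESPONSE_CLASSES = {
    1: "provisional", 2: "success", 3: "redirection",
    4: "client error", 5: "server error", 6: "global failure",
}


@dataclass
class SipMessage:
    kind: str                                              # "request" or "response"
    headers: Dict[str, str] = field(default_factory=dict)  # lower-cased header names
    body: str = ""
    method: Optional[str] = None                           # request line fields
    request_uri: Optional[str] = None
    status_code: Optional[int] = None                      # status line fields
    reason: Optional[str] = None


def parse_sip(raw: str) -> SipMessage:
    # Headers and body are separated by an empty line (CRLF CRLF per RFC 3261;
    # bare LF is tolerated for hand-typed input).
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head, _, body = raw.partition(sep)
    lines = head.splitlines()
    if not lines:
        raise ValueError("empty message")
    start, header_lines = lines[0], lines[1:]

    headers: Dict[str, str] = {}
    for line in header_lines:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()

    # Content-Length bounds the body; trailing bytes are not part of this message
    # (character count is used here, which matches bytes for ASCII bodies).
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]

    if start.startswith("SIP/2.0 "):               # status line: SIP/2.0 <code> <reason>
        parts = start.split(" ", 2)
        code = int(parts[1])
        if not 100 <= code <= 699:
            raise ValueError(f"status code out of range: {code}")
        reason = parts[2] if len(parts) == 3 else ""
        return SipMessage("response", headers, body, status_code=code, reason=reason)

    parts = start.split(" ")                        # request line: <method> <uri> SIP/2.0
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        raise ValueError(f"malformed start line: {start!r}")
    return SipMessage("request", headers, body, method=parts[0], request_uri=parts[1])


def is_base_method(msg: SipMessage) -> bool:
    """True for the six request types defined in the base specification."""
    return msg.kind == "request" and msg.method in BASE_METHODS


def response_class(msg: SipMessage) -> str:
    """Map 1xx..6xx to the class names used above."""
    if msg.kind != "response":
        raise ValueError("not a response")
    return RESPONSE_CLASSES[msg.status_code // 100]


# Constructed sample messages (values chosen for this example).
INVITE_SAMPLE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP pc33.example.com;branch=z9hG4bK776asdhds\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@pc33.example.com\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 12\r\n"
    "\r\n"
    "v=0\r\no=alice\r\n"          # 12 bytes of body plus a trailing CRLF that is cut off
)

OK_SAMPLE = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP pc33.example.com;branch=z9hG4bK776asdhds\r\n"
    "Call-ID: a84b4c76e66710@pc33.example.com\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    inv = parse_sip(INVITE_SAMPLE)
    print(inv.kind, inv.method, inv.request_uri, is_base_method(inv))
    ok = parse_sip(OK_SAMPLE)
    print(ok.kind, ok.status_code, response_class(ok))
```

Feeding the parser a request with a method outside the base set (an extension method such as SUBSCRIBE) still parses, but is_base_method returns False, which is the hook a monitor would use to decide whether a message is one it knows how to track.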
SIP Architecture
Elements in SIP can be classified into user agents (UAs) and intermediaries (servers). In an ideal world, communications between two endpoints (or UAs) happen without the need for servers.
However, this is not always the case as network administrators and service providers would like to keep track of traffic in their network.
A SIP UA or terminal is the endpoint of dialogs: it sends and receives SIP requests and responses, it is the endpoint of multimedia streams, and it is usually the user equipment (UE) which is an application in a terminal or a dedicated hardware appliance.
SIP servers are logical entities through which SIP messages pass on their way to their final destination. They are used to route and redirect requests, and include the proxy server, redirect server, location server, registrar server, and application server.
SIP Session
Figure: SIP session set-up between Caller, SIP Proxy Server, Registrar Server and Callee. Messages shown in the figure: REGISTER from Caller and from Callee to the Registrar Server; INVITE from Caller to the SIP Proxy Server; Query from the proxy to the Registrar Server and Response to Query back; INVITE forwarded to Callee; OK from Callee back through the proxy to Caller; ACK from Caller through the proxy to Callee; RTP packets between Caller and Callee.
RTP Message Format
Real-time Transport Protocol (RTP) is an application layer protocol that provides end-to-end delivery services for real-time audio and video. It was developed by the Internet Engineering Task Force (IETF) in RFC 1889 which was updated by RFC 3550.
Figure: RTP fixed header fields: Version, Padding, Extension, Contributing Source Count (CC), Marker, Payload Type, Sequence Number; Timestamp; Synchronization Source (SSRC) identifier; Contributing Source (CSRC) identifiers.
SIP Threat Model
• Denial of service
• Eavesdropping
• Tearing down sessions
• Session hijacking
• Man in the middle
RTP Threat Model
Attackers can inject artificial packets with higher sequence numbers, which causes the injected packets to be played in place of the real ones. Flooding with RTP packets not only degrades the perceived quality of service (QoS) but may also cause phones to malfunction and reboot.
Intrusion Detection Systems
Anderson, who introduced the concept of intrusion detection in 1980, defined an intrusion attempt or a threat to be the potential possibility of a deliberate unauthorized attempt to:
1. Access information,
2. Manipulate information, or
3. Render a system unreliable or unusable.
The role of an Intrusion Detection System (IDS) is to detect such attempts, and to inform system administrators about such threats in order to take countermeasures.
Classification of ID Principles
• Anomaly-based: explores issues in intrusion detection associated with deviation from normal system or user behavior.
• Signature-based: models intrusive behaviors in the form of patterns or signatures.
• Specification-based: the system’s behavioral specifications are used to build the model and serve as the basis for detecting attacks.
Figure: how the three principles relate to legitimate, intrusive and non-intrusive behavior. Anomaly-based detection models past normal behavior; signature-based detection models past intrusions (DoS etc.); specification-based detection models the system's specified behavior. The figure marks where false positives and false negatives arise for each principle.
Classification of Monitored Resources
• Host IDS (HIDS).
• Network IDS (NIDS).
Figure: NIDS deployment, showing the Internet, a Firewall, three Local Area Networks and the NIDS.
General Classification
Figure: taxonomy of intrusion detection systems (reconstructed from the diagram labels):
• Detection Approaches / Detection Principles: Statistical Anomaly-based, Expert Systems, Specification-based, Model-based, Signature-based Detection
• Intrusion Types: by Effect (Passive, Active) and by Origin (External, Internal)
• Monitored Resources: Network-based, Host-based
Classification of ID Techniques
The special needs of VoIP systems make it important for IDSs to adopt new detection techniques.
In the following we discuss some of these techniques.
1. Stateful Detection: A stateless system considers every packet on its own, not recalling anything that it has derived in the past. On the other hand, a stateful intrusion detection system is one that keeps and regularly updates the state of the monitored resource. Attackers sometimes try to evade detection by splitting the attack body into multiple small packets. In such a case, the IDS is not able to detect the attack unless it reassembles the packet stream, which can only be done by stateful IDSs.
2. Cross-Layer and Cross-Protocol Detection: Many attacks cross layer and protocol boundaries. For example, an attack that tries to gain unauthorized access to a service at the application layer may look perfectly legitimate to the lower layers. Cross-layer and cross-protocol IDSs coordinate intrusion detection among different protocols and support detection decisions on one layer with information from other layers.
3. Hybrid Detection: Hybrid intrusion detection systems may combine different intrusion detection principles, such as anomaly-based and signature-based techniques, for better detection capabilities. They may also combine different sources of audit data, such as host-based and network-based sources, to widen the range of detectable attacks. Hybrid intrusion detection is gaining momentum in the research arena, and researchers are looking into various ways to make the combination efficient.
Sample Attacks
1. BYE Attack: An attacker can send a BYE message to either the caller or the callee to fool them into tearing down the session prematurely. The User Agent that receives the faked BYE message will immediately stop sending RTP packets, whereas the other User Agent will continue sending its RTP packets. The BYE attack is common in VoIP environments and can be accomplished either by sniffing the network or by performing a man-in-the-middle attack to insert a BYE request into the session. Checking the status of the RTP flow at the endpoint is vital in the detection process: a genuine BYE sender will stop sending RTP packets immediately after sending a BYE message.
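The detection rule just stated is both stateful (the IDS must remember who the parties of each dialog are and when a BYE was seen) and cross-protocol (a SIP event is judged by what happens on the RTP stream afterwards), which makes it a concrete instance of the first two techniques described in the Classification of ID Techniques section. The following added example (written for this page, not code from the original slides) implements it over a constructed event timeline. Two simplifying assumptions are made and are not from the slides: a party's RTP comes from the same host as its signaling, and the identity of each SIP message's sender (From for requests, To for responses) has already been resolved into the `party` field.

```python
"""Stateful, cross-protocol detector for spoofed SIP BYE requests.

Added example (not from the original slides). A genuine BYE sender stops
sending RTP immediately, so RTP from the BYE sender's media host after
the BYE marks that BYE as suspect. Assumptions (not from the slides):
a party's media comes from the same host as its signaling, and the
sender identity of each SIP message is already resolved into `party`.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Event:
    t: float                         # seconds since capture start
    proto: str                       # "SIP" or "RTP"
    src: str                         # sending host (IP)
    call_id: Optional[str] = None    # SIP only
    msg: Optional[str] = None        # SIP only: "INVITE", "200 OK", "ACK", "BYE", ...
    party: Optional[str] = None      # SIP only: identity of the message's sender


class ByeSpoofDetector:
    def __init__(self, grace_s: float = 0.05):
        # grace_s: tolerance for media already in flight when the BYE was sent (assumed value)
        self.grace_s = grace_s
        self.media_host: Dict[Tuple[str, str], str] = {}   # (call_id, party) -> host
        self.bye_at: Dict[Tuple[str, str], float] = {}     # (call_id, party) -> BYE time
        self.alerted: Set[Tuple[str, str]] = set()
        self.alerts: List[str] = []

    def feed(self, ev: Event) -> Optional[str]:
        if ev.proto == "SIP":
            key = (ev.call_id, ev.party)
            if ev.msg in ("INVITE", "200 OK"):
                # dialog set-up: learn which host carries this party's media
                self.media_host[key] = ev.src
            elif ev.msg == "BYE" and key in self.media_host:
                # remember when this party claimed to leave the dialog
                self.bye_at[key] = ev.t
            return None
        if ev.proto == "RTP":
            for key, host in self.media_host.items():
                if host != ev.src or key not in self.bye_at or key in self.alerted:
                    continue
                if ev.t > self.bye_at[key] + self.grace_s:
                    self.alerted.add(key)
                    alert = (f"call {key[0]}: RTP from {ev.src} ({key[1]}) at t={ev.t:.2f}s "
                             f"after BYE at t={self.bye_at[key]:.2f}s; BYE likely spoofed")
                    self.alerts.append(alert)
                    return alert
        return None


def run_detector(events: List[Event]) -> List[str]:
    det = ByeSpoofDetector()
    for ev in sorted(events, key=lambda e: e.t):
        det.feed(ev)
    return det.alerts


# Constructed timeline. Call c1: a BYE claiming to come from Bob is injected
# from a third host (10.66.6.6, constructed), yet Bob's RTP continues.
# Call c2: Bob really hangs up; only Alice's in-flight media continues briefly.
SAMPLE_EVENTS = [
    Event(0.00, "SIP", "10.0.0.5", "c1", "INVITE", "alice"),
    Event(0.20, "SIP", "10.0.0.9", "c1", "200 OK", "bob"),
    Event(0.25, "SIP", "10.0.0.5", "c1", "ACK", "alice"),
    Event(1.00, "RTP", "10.0.0.5"),
    Event(1.02, "RTP", "10.0.0.9"),
    Event(2.00, "SIP", "10.66.6.6", "c1", "BYE", "bob"),   # forged BYE
    Event(2.01, "RTP", "10.0.0.5"),                        # Alice: not the BYE sender
    Event(2.10, "RTP", "10.0.0.9"),                        # Bob still talking -> alert
    Event(2.12, "RTP", "10.0.0.9"),                        # alerted once per (call, party)
    Event(4.00, "SIP", "10.0.0.5", "c2", "INVITE", "alice"),
    Event(4.20, "SIP", "10.0.0.9", "c2", "200 OK", "bob"),
    Event(4.80, "RTP", "10.0.0.9"),
    Event(5.00, "SIP", "10.0.0.9", "c2", "BYE", "bob"),    # genuine BYE
    Event(5.03, "RTP", "10.0.0.5"),                        # Alice, within grace and not sender
]

if __name__ == "__main__":
    for a in run_detector(SAMPLE_EVENTS):
        print(a)
```

Keying the state on (Call-ID, party) rather than on the source address is what lets the detector catch a BYE injected from a third host: the claim "Bob is leaving" is tested against Bob's media, regardless of where the SIP packet came from.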
2. Voice Injection Attack: An attacker can send artificial RTP packets with higher sequence numbers than the original ones, which causes the receiver to play the artificial ones instead. The IDS should compare the sequence number of the packet to that of the previous one. Whenever there is an increase that exceeds a certain threshold, an alarm should be raised.
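The sequence-number check described here needs the RTP header fields listed in the RTP Message Format section, so one added example serves both passages (it is written for this page and is not code from the original slides): parse_rtp_header decodes the fixed header and CSRC list, and SequenceJumpDetector compares each packet's sequence number with the previous one for the same SSRC and raises an alarm when the increase exceeds a threshold. It also handles two cases the rule alone does not spell out: the 16-bit counter wrapping past 65535, and a late or reordered packet, neither of which is an increase. The threshold value and the sample stream are constructed.

```python
"""RTP header parsing and sequence-number jump detection.

Added example (not from the original slides). Decodes the RTP fixed header
(version, padding, extension, CC, marker, payload type, sequence number,
timestamp, SSRC, CSRC list) and flags sequence-number jumps above a
threshold per SSRC. The threshold (50) and the packets are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class RtpHeader:
    version: int
    padding: bool
    extension: bool
    cc: int
    marker: bool
    payload_type: int
    sequence: int
    timestamp: int
    ssrc: int
    csrcs: Tuple[int, ...]


def parse_rtp_header(data: bytes) -> RtpHeader:
    """Decode the 12-byte fixed header plus CC x 4 bytes of CSRC identifiers."""
    if len(data) < 12:
        raise ValueError("RTP header truncated")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    version = b0 >> 6
    if version != 2:
        raise ValueError(f"unsupported RTP version {version}")
    cc = b0 & 0x0F
    if len(data) < 12 + 4 * cc:
        raise ValueError("CSRC list truncated")
    csrcs = struct.unpack(f"!{cc}I", data[12:12 + 4 * cc]) if cc else ()
    return RtpHeader(version, bool(b0 & 0x20), bool(b0 & 0x10), cc,
                     bool(b1 & 0x80), b1 & 0x7F, seq, ts, ssrc, csrcs)


def build_rtp(seq: int, ts: int, ssrc: int, pt: int = 0,
              marker: bool = False, csrcs: Tuple[int, ...] = ()) -> bytes:
    """Build a header-only RTP packet for the constructed sample stream."""
    b0 = (2 << 6) | len(csrcs)
    b1 = (0x80 if marker else 0) | (pt & 0x7F)
    return (struct.pack("!BBHII", b0, b1, seq & 0xFFFF, ts, ssrc)
            + b"".join(struct.pack("!I", c) for c in csrcs))


class SequenceJumpDetector:
    """Per-SSRC check of the sequence-number increase between consecutive packets."""

    def __init__(self, threshold: int = 50):       # threshold is an assumed value
        self.threshold = threshold
        self.last_seq: Dict[int, int] = {}
        self.alarms: List[str] = []

    def feed(self, packet: bytes) -> Optional[str]:
        hdr = parse_rtp_header(packet)
        prev = self.last_seq.get(hdr.ssrc)
        if prev is None:
            self.last_seq[hdr.ssrc] = hdr.sequence
            return None
        delta = (hdr.sequence - prev) & 0xFFFF       # safe across the 65535 -> 0 wrap
        if delta >= 0x8000:
            # numerically behind the last packet: late or reordered, not an increase
            return None
        if delta > self.threshold:
            # do not advance last_seq, so the genuine stream remains the reference
            alarm = (f"SSRC {hdr.ssrc:#010x}: sequence jumped from {prev} to "
                     f"{hdr.sequence} (+{delta}); possible injected packets")
            self.alarms.append(alarm)
            return alarm
        self.last_seq[hdr.ssrc] = hdr.sequence
        return None


# Constructed stream of (sequence, SSRC). Stream A carries one packet far ahead
# of the genuine ones and one reordered packet; stream B wraps around 65535.
SAMPLE_STREAM = [build_rtp(seq, seq * 160, ssrc) for seq, ssrc in [
    (1000, 0x11223344), (1001, 0x11223344), (1002, 0x11223344),
    (1003, 0x11223344), (1500, 0x11223344),                       # injected
    (1004, 0x11223344), (1005, 0x11223344), (1002, 0x11223344),   # last one reordered
    (65534, 0x55667788), (65535, 0x55667788), (0, 0x55667788), (1, 0x55667788),
]]


def scan(packets: List[bytes], threshold: int = 50) -> List[str]:
    det = SequenceJumpDetector(threshold)
    for p in packets:
        det.feed(p)
    return det.alarms


if __name__ == "__main__":
    for a in scan(SAMPLE_STREAM):
        print(a)
```

Not advancing last_seq on an alarm is a deliberate choice: if the detector accepted the injected sequence number as the new reference, every genuine packet that followed would look "late" and the injected stream would silently become the baseline.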
References
1. J. Rosenberg, H. Schulzrinne, G. Camarillo, A. Johnston, J. Peterson, R. Sparks, M. Handley, and E. Schooler, “SIP: Session Initiation Protocol,” RFC 3261, IETF Network Working Group, June 2002.
2. H. Schulzrinne, S. Casner, R. Frederick, and V. Jacobson, “RTP: A Transport Protocol for Real-Time Applications,” RFC 1889, IETF Network Working Group, January 1996.
3. Robin Sommer, “Viable Network Intrusion Detection in High-Performance Environments,” PhD Thesis, Computer Science Department, Technical University München, Germany, September 2005.