Intrusion Detection Systems in VoIP

Date post: 30-Dec-2015
Page 1: Intrusion Detection Systems in VoIP

4

Intrusion Detection Systems in VoIP

Selected Topics in Information Security – Bazara Barry

Page 2: Intrusion Detection Systems in VoIP

Session Initiation Protocol SIP

Session Initiation Protocol (SIP) is a standard signaling protocol for VoIP, and is appropriately coined as the “SS7 of future telephony.”

It was developed by the Internet Engineering Task Force (IETF) in RFC 2543 which was updated by RFC 3261.

SIP was designed to address some important issues in setting up and tearing down sessions such as user location, user availability, and session management.


Page 3: Intrusion Detection Systems in VoIP

Session Initiation Protocol SIP

The simplicity and versatility of SIP make it the choice of instant messaging, video conferencing, and multiplayer game applications among others.

SIP uses other protocols to perform various functions during a session such as Session Description Protocol (SDP) to describe the characteristics of end devices, Resource Reservation Setup Protocol (RSVP) for voice quality, and Real-time Transport Protocol (RTP) for real-time transmission.


Page 4: Intrusion Detection Systems in VoIP

SIP Message Format

The SIP message is made up of three parts: the start line, message headers, and body. The start line contents vary depending on whether the SIP message is a request or a response. For requests it is referred to as a request line and for responses it is referred to as a status line.


Figure: SIP message layout, top to bottom: Start Line; Header 1; Header 2; ...; Body.

Page 5: Intrusion Detection Systems in VoIP

SIP Message Format

The base SIP specifications define six types of request: the INVITE request, CANCEL request, ACK request, BYE request, REGISTER request, and the OPTIONS request.

Response types or codes are also classified into six classes: 1xx for provisional/informational responses, 2xx for success responses, 3xx for redirection responses, 4xx for client error responses, 5xx for server error responses, and 6xx for global failure responses.
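The three-part layout and the request/response distinction described above, as an added example that is not part of the slides: a minimal SIP message parser that separates the start line, headers and body, tells a request line from a status line, and maps a status code to its 1xx..6xx class. The sample messages at the end are constructed, not captured traffic.

```python
# Added example (not from the slides): a minimal parser for the three-part SIP
# message layout described above. It tells a request line from a status line,
# splits headers from the body at the first empty line, and maps a status code
# to its class (1xx..6xx). The sample messages at the end are constructed.
from dataclasses import dataclass, field
from typing import Dict, Optional

SIP_VERSION = "SIP/2.0"
RESPONSE_CLASSES = {1: "provisional", 2: "success", 3: "redirection",
                    4: "client error", 5: "server error", 6: "global failure"}

@dataclass
class SipMessage:
    kind: str                          # "request" or "response"
    method: Optional[str] = None       # request line: method and Request-URI
    request_uri: Optional[str] = None
    status_code: Optional[int] = None  # status line: code and reason phrase
    reason: Optional[str] = None
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""

def response_class(code: int) -> str:
    """Map a status code to the class named on the slide, e.g. 404 -> client error."""
    return RESPONSE_CLASSES.get(code // 100, "unknown")

def parse_sip(raw: str) -> SipMessage:
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")  # body follows first empty line
    lines = head.split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")   # split on the first ':' only; URIs contain ':'
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    start = lines[0]
    if start.startswith(SIP_VERSION + " "):            # status line: version, code, reason
        parts = start.split(" ", 2)
        return SipMessage("response", status_code=int(parts[1]),
                          reason=parts[2] if len(parts) > 2 else "",
                          headers=headers, body=body)
    method, uri, version = start.split(" ", 2)         # request line: method, URI, version
    if version != SIP_VERSION:
        raise ValueError(f"unsupported version in request line: {version!r}")
    return SipMessage("request", method=method, request_uri=uri, headers=headers, body=body)

SAMPLE_INVITE = ("INVITE sip:bob@example.com SIP/2.0\r\n"           # constructed sample
                 "From: Alice <sip:alice@example.com>;tag=1928\r\n"
                 "To: Bob <sip:bob@example.com>\r\n"
                 "Call-ID: a84b4c76@host.example.com\r\nCSeq: 314159 INVITE\r\n"
                 "Content-Length: 3\r\n\r\nv=0")
SAMPLE_OK = "SIP/2.0 200 OK\r\nCSeq: 314159 INVITE\r\nContent-Length: 0\r\n\r\n"
```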


Page 6: Intrusion Detection Systems in VoIP

SIP Architecture

Elements in SIP can be classified into user agents (UAs) and intermediaries (servers). In an ideal world, communications between two endpoints (or UAs) happen without the need for servers.

However, this is not always the case as network administrators and service providers would like to keep track of traffic in their network.


Page 7: Intrusion Detection Systems in VoIP

SIP Architecture

A SIP UA or terminal is the endpoint of dialogs: it sends and receives SIP requests and responses, it is the endpoint of multimedia streams, and it is usually the user equipment (UE) which is an application in a terminal or a dedicated hardware appliance.

SIP servers are logical entities where SIP messages pass through on their way to their final destination. These servers are used to route and redirect requests. These servers include: Proxy server, Redirect server, Location server, Registrar server, Application server.


Page 8: Intrusion Detection Systems in VoIP

SIP Session


Figure: SIP session between a Caller and a Callee through a SIP Proxy Server and a Registrar Server. Both endpoints send REGISTER to the Registrar Server. The Caller sends INVITE to the SIP Proxy Server, which sends a Query to the Registrar Server, receives the Response to Query, and forwards the INVITE to the Callee. The Callee answers OK, which the proxy relays to the Caller; the Caller returns ACK through the proxy; RTP packets then flow between Caller and Callee.

Page 9: Intrusion Detection Systems in VoIP

RTP Message Format

Real-time Transport Protocol (RTP) is an application layer protocol that provides end-to-end delivery services for real-time audio and video. It was developed by the Internet Engineering Task Force (IETF) in RFC 1889 which was updated by RFC 3550.


Figure: RTP header fields: Version, Padding, Extension, Contributing Source Count (CC), Marker, Payload Type, Sequence Number, Timestamp, Synchronization Source (SSRC) identifier, Contributing Source (CSRC) identifiers.

Page 10: Intrusion Detection Systems in VoIP

SIP Threat Model

• Denial of service

• Eavesdropping

• Tearing down sessions

• Session hijacking

• Man in the middle


Page 11: Intrusion Detection Systems in VoIP

RTP Threat Model

Attackers can inject artificial packets with higher sequence numbers, which causes the injected packets to be played in place of the real ones. Flooding with RTP packets not only degrades the perceived quality of service (QoS) but may also cause phones to malfunction and reboot.


Page 12: Intrusion Detection Systems in VoIP

Intrusion Detection Systems

Anderson, who introduced the concept of intrusion detection in 1980, defined an intrusion attempt or a threat to be the potential possibility of a deliberate unauthorized attempt to:

1. Access information,

2. Manipulate information, or

3. Render a system unreliable or unusable.

The role of an Intrusion Detection System (IDS) is to detect such attempts, and to inform system administrators about such threats in order to take countermeasures.


Page 13: Intrusion Detection Systems in VoIP

Classification of ID Principles

• Anomaly-based: explores issues in intrusion detection associated with deviation from normal system or user behavior.

• Signature-based: models intrusive behaviors in the form of patterns or signatures.

• Specification-based: the system’s behavioral specifications are used to create the model and also serve as the basis for detecting attacks.


Page 14: Intrusion Detection Systems in VoIP

Classification of ID Principles


Figure: how the three principles relate to observed behavior. Signature-based detection models intrusive behavior from past intrusions (DoS etc.); anomaly-based detection models past normal behavior; specification-based detection models legitimate behavior. The diagram also marks the non-intrusive behavior region and where false positives and false negatives arise.

Page 15: Intrusion Detection Systems in VoIP

Classification of Monitored Resources


• Host IDS (HIDS).

• Network IDS (NIDS).

Figure: network layout with the Internet, a Firewall, three Local Area Network segments, and a NIDS monitoring the network traffic.

Page 16: Intrusion Detection Systems in VoIP

General Classification


Figure: general classification of Intrusion Detection Systems.

• Detection Approaches / Detection Principles: Statistical Anomaly-based, Expert Systems, Signature-based Detection, Specification-based, Model-based.

• Intrusion Types: by Effect (Passive, Active) and by Origin (External, Internal).

• Monitored Resources: Network-based, Host-based.

Page 17: Intrusion Detection Systems in VoIP

Classification of ID Techniques

The special needs of VoIP systems make it important for IDSs to adopt new detection techniques.

In the following we discuss some of these techniques.


Page 18: Intrusion Detection Systems in VoIP

Classification of ID Techniques

1. Stateful Detection: A stateless system considers every packet on its own, not recalling anything that it has derived in the past. On the other hand, a stateful intrusion detection system is one that keeps and regularly updates the state of the monitored resource. Attackers sometimes try to evade detection by splitting the attack body into multiple small packets. In such a case, the IDS is not able to detect the attack unless it reassembles the packet stream, which can only be done by stateful IDSs.


Page 19: Intrusion Detection Systems in VoIP

Classification of ID Techniques

2. Cross-Layer and Cross-Protocol Detection: Many attacks cross layer and protocol boundaries. For example, an attack that tries to gain unauthorized access to a service at the application layer may seem perfectly legitimate to the lower layers. Cross-layer and cross-protocol IDSs coordinate intrusion detection among different protocols and aid detection decisions on one layer by using information from other layers.


Page 20: Intrusion Detection Systems in VoIP

Classification of ID Techniques

3. Hybrid Detection: Hybrid intrusion detection systems may combine different intrusion detection principles such as anomaly-based and signature-based techniques for better detection capabilities. They may also combine different sources of audit data such as host-based and network-based sources to widen the range of the detectable attacks. Hybrid intrusion detection is gaining momentum in the research arena, and researchers are looking into various ways to make the combination efficient.


Page 21: Intrusion Detection Systems in VoIP

Sample Attacks

1. BYE Attack: An attacker can send a BYE message to either the caller or the callee to fool them into tearing down the session prematurely. The User Agent that receives the faked BYE message will immediately stop sending RTP packets, whereas the other User Agent will continue sending its RTP packets. The BYE attack is common in VoIP environments and can be accomplished either by sniffing the network or by performing a man-in-the-middle attack to insert a BYE request into the session. Checking the status of the RTP flow at the endpoint is vital in the detection process: a genuine BYE sender will stop sending RTP packets immediately after sending a BYE message.
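The detection rule above, as an added example that is not part of the slides: a stateful, cross-protocol check (the stateful and cross-protocol techniques from the earlier slides) that remembers which party sent BYE on a call and then watches whether RTP from that party keeps arriving. The event format, the party identifiers correlated across SIP and RTP, and the grace values are assumptions; the event traces are constructed.

```python
# Added example (not from the slides): stateful, cross-protocol check for the BYE
# attack. A genuine BYE sender goes quiet, so RTP that keeps arriving from the
# BYE "sender" suggests a third party forged the BYE. Event format, party
# identifiers and grace values are assumptions; the traces are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class CallState:
    bye_time: Dict[str, float] = field(default_factory=dict)   # party -> time it sent BYE
    late_rtp: Dict[str, int] = field(default_factory=dict)     # party -> RTP pkts after grace

class ByeAttackDetector:
    def __init__(self, grace_seconds: float = 0.2, grace_packets: int = 2):
        # A few packets may still be in flight when the BYE is sent; tolerate those.
        self.grace_seconds, self.grace_packets = grace_seconds, grace_packets
        self.calls: Dict[str, CallState] = {}

    def on_sip(self, call_id: str, method: str, sender: str, t: float) -> None:
        if method == "BYE":
            self.calls.setdefault(call_id, CallState()).bye_time[sender] = t

    def on_rtp(self, call_id: str, sender: str, t: float) -> Optional[str]:
        st = self.calls.get(call_id)
        if st is None or sender not in st.bye_time:
            return None                                  # no BYE from this party yet
        if t - st.bye_time[sender] <= self.grace_seconds:
            return None                                  # in-flight packet, ignore
        st.late_rtp[sender] = st.late_rtp.get(sender, 0) + 1
        if st.late_rtp[sender] == self.grace_packets + 1:   # alarm exactly once per party
            return f"call {call_id}: RTP from {sender} continues after its BYE; BYE likely forged"
        return None

def run(events: List[dict], detector: Optional[ByeAttackDetector] = None) -> List[str]:
    det = detector or ByeAttackDetector()
    alarms = []
    for ev in events:                                    # events are time-ordered
        alarm = (det.on_sip(ev["call"], ev["method"], ev["from"], ev["t"]) if ev["proto"] == "sip"
                 else det.on_rtp(ev["call"], ev["from"], ev["t"]))
        if alarm:
            alarms.append(alarm)
    return alarms

# Constructed traces; 'from' is the endpoint identity assumed to be correlated across SIP and RTP.
GENUINE_BYE = [{"proto": "rtp", "call": "c1", "from": "bob", "t": 9.98},
               {"proto": "sip", "call": "c1", "method": "BYE", "from": "bob", "t": 10.0},
               {"proto": "rtp", "call": "c1", "from": "bob", "t": 10.02},   # still in flight
               {"proto": "rtp", "call": "c1", "from": "alice", "t": 10.5}]  # other party may go on
FORGED_BYE = GENUINE_BYE + [{"proto": "rtp", "call": "c1", "from": "bob", "t": t}
                            for t in (10.3, 10.4, 10.5, 10.6)]              # "bob" never stopped
```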


Page 22: Intrusion Detection Systems in VoIP

Sample Attacks

2. Voice Injection Attack: An attacker can send artificial RTP packets with higher sequence numbers than the original ones, which causes the receiver to play the artificial ones instead. The IDS should compare the sequence number of the packet to that of the previous one. Whenever there is an increase that exceeds a certain threshold, an alarm should be raised.
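The sequence-number rule above, together with the RTP header layout from the RTP Message Format slide, as an added example that is not part of the slides: a parser for the fixed 12-byte RTP header and a per-stream (per-SSRC) detector that raises an alarm when the sequence number increases by more than a threshold. The threshold value and the sample packets are constructed assumptions.

```python
# Added example (not from the slides): parse the fixed 12-byte RTP header laid
# out on the RTP Message Format slide and apply the slide's rule: compare each
# packet's sequence number with the previous one for the same stream and alarm
# when the increase exceeds a threshold. Threshold and packets are constructed.
import struct
from typing import Dict, Optional

def parse_rtp_header(pkt: bytes) -> Dict[str, int]:
    """Decode V, P, X, CC, M, PT, sequence number, timestamp and SSRC (RFC 3550 layout)."""
    if len(pkt) < 12:
        raise ValueError("packet shorter than the 12-byte fixed RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    return {"version": b0 >> 6, "padding": (b0 >> 5) & 1, "extension": (b0 >> 4) & 1,
            "cc": b0 & 0x0F, "marker": b1 >> 7, "payload_type": b1 & 0x7F,
            "seq": seq, "timestamp": ts, "ssrc": ssrc}

def build_rtp(seq: int, ts: int, ssrc: int = 0x1234ABCD, pt: int = 0) -> bytes:
    """Constructed test packet: version 2, no padding/extension/CSRC, 8 payload bytes."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + b"\x00" * 8

class SeqJumpDetector:
    """Stateful per-SSRC check: alarm when the sequence number jumps by more than threshold."""
    def __init__(self, threshold: int = 50):
        self.threshold = threshold
        self.last_seq: Dict[int, int] = {}

    def observe(self, pkt: bytes) -> Optional[str]:
        h = parse_rtp_header(pkt)
        if h["version"] != 2:
            return f"ssrc={h['ssrc']:#010x}: unexpected RTP version {h['version']}"
        prev = self.last_seq.get(h["ssrc"])
        if prev is None:
            self.last_seq[h["ssrc"]] = h["seq"]          # first packet of this stream
            return None
        delta = (h["seq"] - prev) & 0xFFFF                # 16-bit field wraps at 65535
        if delta >= 0x8000:
            return None                                   # reordered/duplicate; keep old state
        self.last_seq[h["ssrc"]] = h["seq"]               # advance to the newest forward packet
        if delta > self.threshold:
            return (f"ssrc={h['ssrc']:#010x}: sequence jumped {prev} -> {h['seq']} "
                    f"(+{delta} > {self.threshold}); possible RTP injection")
        return None
```

The threshold must be tuned per deployment: a burst of genuine packet loss also produces a forward jump, so the alarm is evidence to correlate with other signals, not proof of injection on its own.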


Page 23: Intrusion Detection Systems in VoIP


References

1. J. Rosenberg, H. Schulzrinne, G. Camarillo, A. Johnston, J. Peterson, R. Sparks, M. Handley, and E. Schooler, “SIP: Session Initiation Protocol,” RFC 3261, IETF Network Working Group, June 2002.

2. H. Schulzrinne, S. Casner, R. Frederick, and V. Jacobson, “RTP: A Transport Protocol for Real-Time Applications,” RFC 1889, IETF Network Working Group, January 1996.

3. R. Sommer, “Viable Network Intrusion Detection in High-Performance Environments,” PhD thesis, Computer Science Department, Technical University of Munich, Germany, September 2005.

