Denial of service attacks targeting a SIP VoIP infrastructure: attack scenarios and prevention mechanisms

D. Sisalem, J. Kuthan, S. Ehlert
2006 IEEE Network  
Abstract

In this article we address the issue of denial of service attacks targeting the hardware and software of voice over IP servers or misusing specific signaling protocol features. As a signaling protocol we investigate here the Session Initiation Protocol. In this context we mainly identify attacks based on exhaustion of the memory of VoIP servers, or attacks that incur high CPU load. We deliver an overview of different attack possibilities and explain some attacks in more detail, including attacks utilizing the DNS system and those targeting the parser. A major conclusion of the work is the knowledge that SIP provides a wide range of features that can be used to mount DoS attacks. Discovering these attacks is inherently difficult, as is the case with DoS attacks on other IP components. However, with adequate server design, efficient implementation, and appropriate hardware, the effects of a large portion of attacks can be reduced.

Security threats are considered minimal in current circuit-switched networks. This is achieved by using a closed networking environment dedicated to a single application (namely voice). In an open environment such as the Internet, mounting an attack on a telephony server is, however, much simpler. This is due to the fact that voice over IP (VoIP) services are based on standardized and open technologies (i.e., SIP, H.323, MEGACO) using servers reachable through the Internet, implemented in software and provided often over general-purpose computing hardware. Therefore, such services can suffer from similar security threats as HTTP-based services. Instead of generating thousands of costly voice calls, the attacker can easily send thousands of VoIP invitations in a similar manner to attacks on Web servers. These attacks are simple to mount and, with flat rate Internet access, are also cheap. Denial of service (DoS) attacks aim at denying or degrading a legitimate user's access to a service or network resource, or at bringing down the servers offering such services. According to a 2004 CSI/FBI survey report, 17 percent of respondents detected DoS attacks directed against them, with the respondents indicating that DoS was the most costly cyberattack for them, even before theft of proprietary information [1]. To make things worse, attackers have developed tools to coordinate distributed attacks from many separate sites, also known as distributed denial of service (DDoS) attacks. Besides launching brute force attacks by generating a large number of useless VoIP calls, attackers can use certain features of the used VoIP protocol to incur higher loads at the servers. This might involve issuing requests that must be authenticated, require database lookups by the VoIP servers, or cause an overhead at the servers in terms of saved state information or incurred calculations. Furthermore, the VoIP infrastructure can be corrupted by launching DoS attacks on components used by the VoIP infrastructure, or the protocols and layers on top of which the VoIP infrastructure is based, such as routing protocols or TCP. For an extensive overview of DoS attacks in the Internet refer to [2]. The Session Initiation Protocol (SIP) [3] is establishing itself as the de facto standard for VoIP services in the Internet and next generation networks.

Therefore, this article is dedicated to investigating possibilities of launching denial of service attacks on SIP servers and ways of preventing and reducing the effects of such attacks. SIP is a text-based protocol designed to establish or terminate a session between two partners. The message format is similar to HTTP [4], with message headers and corresponding values, such as "From: user@sip.org" to denote the sender of a message. Several entities form a SIP network, including user agents that generate or terminate SIP requests, registrars, where users log in and announce their availability in the SIP network, and proxies that forward requests in the SIP network. For a detailed overview of SIP refer to [5].

This article is organized as follows. First, we describe the resources and functionalities of a SIP server that can be targeted by an attacker in order to incur an overload situation at the server and reduce its availability. We then review attacks on memory, CPU, and bandwidth as well as countermeasures, followed by a detailed description of parser and DNS attacks. Finally, a list of operational guidelines for deploying secure SIP services is provided.

Exploitable SIP Resources

The majority of DoS attacks are based on exhausting some of a server's resources and causing the server not to operate properly due to lack of resources. With SIP servers, there are three resources needed for operation: memory, CPU and bandwidth.
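The article describes SIP as an HTTP-like text protocol whose parser and per-request state are among the resources an attacker can exhaust. The following is an added illustration, not code from the paper or its authors: a minimal SIP request parser that applies explicit bounds on message size, line length and header count before allocating any per-request state, plus a per-source sliding-window counter of the kind a server could use to notice a flood of INVITEs. The limit values, the header set, the sample INVITE and the class and function names are all assumptions chosen for the example; header folding and SIP compact header names are deliberately not handled.

```python
"""Defensive SIP request parsing with explicit resource limits.

Hypothetical example (not from the paper): bounds the memory and CPU a
single text-based SIP message may consume while being parsed, and keeps
a per-source sliding-window counter so that request floods are detected
before they exhaust server state.
"""
from collections import defaultdict, deque
from typing import Optional
import time

# Limits are assumptions chosen for illustration; tune per deployment.
MAX_MESSAGE_BYTES = 8 * 1024   # bound memory held per message
MAX_LINE_BYTES = 1024          # bound work spent per header line
MAX_HEADERS = 64               # bound growth of the header table
REQUIRED_HEADERS = ("via", "from", "to", "call-id", "cseq")
SIP_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS"}

# Constructed sample request (addresses from documentation ranges).
SAMPLE_INVITE = (
    b"INVITE sip:bob@example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.1;branch=z9hG4bK1\r\n"
    b"From: <sip:alice@example.com>;tag=1\r\n"
    b"To: <sip:bob@example.com>\r\n"
    b"Call-ID: c1@192.0.2.1\r\n"
    b"CSeq: 1 INVITE\r\n"
    b"\r\n"
)


class SipParseError(ValueError):
    """Raised when a message violates syntax or a resource limit."""


def parse_sip_request(raw: bytes) -> dict:
    """Parse a SIP request, rejecting oversized or malformed input early.

    Returns {"method", "uri", "headers"}; header names are lower-cased
    and repeated headers are collected into lists.
    """
    if len(raw) > MAX_MESSAGE_BYTES:
        raise SipParseError("message exceeds size limit")
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines or not lines[0]:
        raise SipParseError("empty request line")
    request_line = lines[0]
    if len(request_line) > MAX_LINE_BYTES:
        raise SipParseError("request line too long")
    parts = request_line.split(b" ")
    if len(parts) != 3 or parts[2] != b"SIP/2.0":
        raise SipParseError("malformed request line")
    method = parts[0].decode("ascii", "replace")
    if method not in SIP_METHODS:
        raise SipParseError("unknown method")
    headers = defaultdict(list)
    count = 0
    for line in lines[1:]:
        # Check limits before doing any work on the line.
        if len(line) > MAX_LINE_BYTES:
            raise SipParseError("header line too long")
        count += 1
        if count > MAX_HEADERS:
            raise SipParseError("too many headers")
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise SipParseError("malformed header")
        key = name.strip().lower().decode("ascii", "replace")
        headers[key].append(value.strip().decode("utf-8", "replace"))
    missing = [h for h in REQUIRED_HEADERS if h not in headers]
    if missing:
        raise SipParseError("missing headers: " + ", ".join(missing))
    return {"method": method,
            "uri": parts[1].decode("utf-8", "replace"),
            "headers": dict(headers)}


class SourceRateLimiter:
    """Sliding-window count of requests per source address."""

    def __init__(self, max_requests: int, window_seconds: float):
        self.max_requests = max_requests
        self.window = window_seconds
        self._events = defaultdict(deque)

    def allow(self, source: str, now: Optional[float] = None) -> bool:
        """Return True if the request fits the window, else False."""
        now = time.monotonic() if now is None else now
        q = self._events[source]
        while q and now - q[0] > self.window:
            q.popleft()          # drop events that left the window
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    print(parse_sip_request(SAMPLE_INVITE)["headers"]["call-id"])
```

The order of checks is the point: size, line length and header count are tested before any decoding or table insertion, so a malformed or oversized message costs the server a bounded amount of work regardless of its content, and the rate limiter decides per source before the parser is invoked at all.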
doi:10.1109/mnet.2006.1705880