Web Site: www.ijettcs.org Email: editor@ijettcs.org, editorijettcs@gmail.com Volume 2, Issue 2, March April 2013 ISSN 2278-6856
Abstract:
Session Initiation Protocol (SIP) today is considered the standard protocol for multimedia signaling, and the result is a very generic protocol. SIP is specified by the IETF in RFC 3261. From a structural and functional perspective, SIP is an application-layer, text-based signaling protocol used for creating, modifying, and terminating multimedia communication sessions among Internet endpoints. Unfortunately, SIP-based application services can suffer from various security threats such as denial of service (DoS) attacks. The existing security solutions for IP networks (such as IPsec and TLS) cannot detect new SIP-specific network attacks because they do not reflect the characteristics of SIP. In this paper we present a new misuse detection algorithm, which detects a large number of SIP faked response attacks. The proposed algorithm is tested using a multimedia network and compared with three well-known misuse detection algorithms. The test results show that the new algorithm has high detection accuracy and excellent completeness.
Keywords: Session Initiation Protocol (SIP), Denial of Service (DoS), Intrusion Detection System (IDS), SIP faked response attacks.
1. INTRODUCTION
SIP-based systems are gaining in popularity as the technology for transmitting voice and video traffic over IP networks. SIP is used for many session-oriented applications, such as calls, multimedia distribution, video conferencing, and instant messaging. The deployment of various SIP-based services raises many security challenges: these systems are subjected to different kinds of intrusions, some of which are specific to such systems, and some of which follow a general pattern of attacks against an IP infrastructure. SIP can be used to attack systems; denial of service (DoS) attacks are the main concern, causing loss of availability of SIP-based systems. DoS attacks can consume memory, CPU, and network resources and damage or shut down the operation of the resource under attack (the victim). The aim of a DoS attack is to steal network resources, or to degrade the service perceived by users; the attack focuses on rendering a network or service unavailable.

The cross protocol detection technique was presented in [10][11] to detect some types of SIP signaling attacks. This technique is based on observing the SIP messages to extract the session information; it then investigates media traffic after observing a BYE message. If RTP traffic is observed after the BYE message, it is highly likely that this is a BYE attack. The retransmission detection scheme was used in [12] to detect deregistration, BYE, and CANCEL attacks. When the SIP server receives one of the mentioned attack messages, the detection algorithm asks the user to retransmit the last message that it sent to the server. If the retransmitted message is identical to the message that the server had received, it is recognized as a normal message. Otherwise, the server knows that the message was sent by an unauthorized user. The Conflict Based Attack Detection Algorithm (CBADA) is proposed in [13]; it relies on state conflict and message conflict to detect some SIP signaling attacks (deregistration, BYE, call hijacking, and CANCEL attacks).

This paper introduces a new misuse detection algorithm for SIP faked response attacks. Section 2 presents a SIP overview. Section 3 addresses the possible DoS attacks against SIP-based systems. Section 4 focuses on SIP faked response attacks. Section 5 presents the proposed algorithm to detect SIP faked response attacks, while section 6 concludes the paper and gives some pointers about future work.
2. SIP OVERVIEW
SIP is an application-layer protocol designed to support the setup of bidirectional communication sessions. It is text-based, has a request-response structure, and uses a user authentication mechanism based on HTTP Digest Authentication. It can operate over UDP, TCP, and SCTP [1], although it most commonly operates over UDP. SIP is a client-server protocol. The main SIP entities are endpoints (soft phones or physical devices), a proxy server, a registrar, a redirect server, and a location server. Endpoints communicate with a registrar to indicate their presence. This information is stored in the location server. All SIP messages are either requests from a client or responses to the request from the server [1]. For each request, the SIP server generates a SIP response to indicate the status of the request. IETF in RFC 3261 defines the essential six SIP methods
- Flooding message attacks: The server is overloaded with a high amount of processing and computation of requests generated by the attacker, which results in making the system unavailable for requests from other users. If the targeted system is able to continue to process requests, it can become so slow that applications cease to function correctly [3].
- Malformed message attacks: These attacks rely on sending large numbers of malformed messages to a SIP application server. At best, the server's resources are tied up in processing these bogus messages; at worst, the message triggers a failure in the server or leaves it in an unstable state [4].
- Distributed denial of service (DDoS) attacks: These attacks utilize multiple compromised network hosts to conduct a coordinated DoS attack in order to amplify its effect [5].
- Spoofed message attacks: These attacks happen during call establishment, where SIP agents exchange a series of messages. An attacker can impersonate a legal SIP client to modify, deny, or hijack SIP multimedia calls. In this category, we can see six types of attacks, as shown in figure (2):
Figure 2 Important SIP spoofed message attacks

In this paper we focus on the detection of the SIP faked response attacks for three reasons:
- These attacks are highly effective against SIP session establishment. They instantly terminate the call progress without the legal user noticing.
- An attacker can easily launch such attacks, because the legal user considers any incoming response from the server to be authenticated.
- Little research has been done on this type of attack; most researchers are interested in known SIP spoofed attacks (for example: BYE attack, CANCEL attack, and Deregistration attack).

The following sections handle this kind of attack in more detail, along with the proposed misuse detection algorithm.
Figure 3 SIP faked response attacks

4.1 SIP 1xx faked response attacks

Zero, one or multiple provisional responses may arrive before one or more final responses are received. Provisional responses for an INVITE request can create "early dialogs". The early dialog will only be needed if the UAC (User Agent Client) needs to send a request to its peer within the dialog before the initial INVITE transaction completes [1]. An attacker can monitor an INVITE request sent to the server and impersonate the server by sending a faked 1xx SIP response. For example, the attacker can easily send a 180 RINGING attack to the legal user after capturing the INVITE request to prevent him from completing his call, as shown in figure (4).

Figure 4 SIP 180 RINGING attack

In figure (4), user1 wants to call user2. The client (user1) sends an INVITE1 request to the SIP server, and the SIP server asks the client for authentication information with a 407 PROXY AUTHENTICATION REQUIRED response. User1 acknowledges this response with the ACK1 signal, calculates the authentication information, and sends an INVITE2 request with the authentication information to the SIP server. The SIP server handles this request and sends it to user2 if the request is valid. At this moment, the attacker captures the INVITE2 request and extracts all important session parameters from it. The attacker's response to the INVITE2 request is a faked 180 RINGING; this response includes all session parameters except the tag in the To header field, which the attacker sets to a random value to complete the opened dialog. The client will discard all responses (180 RINGING, 200 OK) that do not match the current dialog. The client will complete the current transaction at the client side by sending the final ACK2 to the server. The server will discard the final ACK, and the current transaction does not complete at the server side. As a result, the legal user cannot hold the conversation with its peer.

Figure 5 SIP 200 OK attack

4.3 SIP 3xx faked response attacks

3xx responses give information about the user's new location, or about alternative services that might be able to satisfy the call [1]. 3xx responses include many types; we will examine two of them as attack examples.

A- SIP 305 Use Proxy attack: The requested resource is accessed through the proxy given by the Contact field. The Contact field gives the URI (Uniform Resource Identifier) of the proxy. The recipient is expected to repeat this single request via the proxy. 305 Use Proxy responses must only be generated by UASs (User Agent Servers) [1]. An attacker can use this response as a faked response attack. Figure (6) illustrates the SIP 305 USE PROXY attack.
Figure 6 SIP 305 USE PROXY attack

B- SIP 300 Multiple Choices attack: The address in the request resolved to several choices, each with its own specific location, and the user (or UA) can select a preferred communication end point and redirect its request to that location. The response may include a message body containing a list of resource

Figure 7 SIP 300 MULTIPLE CHOICES attack

4.4 SIP 4xx faked response attacks

4xx responses are failure responses from a particular server. The client should not retry the same request without modification [1] (for example, adding appropriate authorization). However, the same request to a different server might be successful. 4xx responses include many responses; we will present six of them as attacks.

A- SIP 400 Bad Request attack: The request could not be understood due to malformed syntax. The Reason-Phrase should identify the syntax problem in more detail [1], for example, "Missing CallID header field". An attacker can use this response as a faked response attack. Figure (8) illustrates the SIP 400 BAD REQUEST attack, where the attacker responds to the INVITE2 request with a faked 400 BAD REQUEST. This response includes all session parameters except the tag in the To header field, which the attacker sets to a random value to complete the opened dialog. The client will discard all responses that do not match the current dialog. The client will complete the current transaction at the client side by sending the final ACK2 to the server. The server will discard the final ACK, and the current transaction does not complete at the server side. As a result, the legal user is prevented from conversing with its peer.

Figure 8 SIP 400 BAD REQUEST attack

B- SIP 401 Unauthorized attack: The request requires user authentication. This response is issued by UASs (User Agent Servers) and registrars [1]. An attacker can use this response as a faked response attack. Figure (9) illustrates the SIP 401 UNAUTHORIZED attack.

Figure 9 SIP 401 UNAUTHORIZED attack

C- SIP 404 Not Found attack: The server has confirmed information that the user does not exist at the domain specified in the Request-URI. This status is also returned if the domain in the Request-URI does not match any of the domains handled by the recipient of the request [1]. Figure (10) illustrates the SIP 404 NOT FOUND attack. As a result, the client is prevented from service.

Figure 10 SIP 404 NOT FOUND attack

D- SIP 408 Request Timeout attack: The server could not produce a response within a suitable amount of time [1]. An attacker can use this response as a faked response attack. Figure (11) illustrates the SIP 408 REQUEST TIMEOUT attack. As a result, the client is prevented from service, and will believe that the other party does not answer.

Figure 11 SIP 408 REQUEST TIMEOUT attack

E- SIP 480 Temporarily Unavailable attack: The callee's end system was contacted successfully but the callee is currently unavailable (for example, is not logged in, logged in but in a state that precludes communication with the callee, or has activated the "do not disturb"
Figure 12 SIP 480 TEMPORARILY UNAVAILABLE attack

F- SIP 486 Busy Here attack: The callee's end system was contacted successfully, but the callee is currently not willing or able to take additional calls at this end system. The response may indicate a better time to call in the Retry-After header field [1]. An attacker can use this response as a faked response attack. Figure (13) illustrates the SIP 486 BUSY HERE attack. As a result, the client is prevented from service, and will believe that the destination is busy.

Figure 13 SIP 486 BUSY HERE attack

4.5 SIP 5xx faked response attacks

5xx responses are failure responses given when a server itself has erred [1] (the error is in the server). 5xx responses include many types; we will present three of them as faked response attacks.

A- SIP 500 Server Internal Error attack: The server encountered an unexpected condition that prevented it from fulfilling the request. The client may display the specific error condition and may retry the request after several seconds. If the condition is temporary, the server may indicate when the client may retry the request using the Retry-After header field. An attacker can use this response as a faked response attack.

Figure 14 SIP 500 SERVER INTERNAL ERROR attack

B- SIP 501 Not Implemented attack: The server does not support the functionality required to fulfill the request. This is the appropriate response when a UAS (User Agent Server) does not recognize the request method and is not capable of supporting it for any user (proxies forward all requests regardless of method) [1]. An attacker can use this response as a faked response attack. Figure (15) illustrates the SIP 501 NOT IMPLEMENTED attack. As a result, the client is prevented from service, and will believe that the server cannot answer his request.

Figure 15 SIP 501 NOT IMPLEMENTED attack

C- SIP 504 Server Time-out attack: The server did not receive a timely response from an external server used in attempting to process the request [1]. An attacker can use this response as a faked response attack. Figure (16) illustrates the SIP 504 SERVER TIME OUT attack. As a result, the client is prevented from service, and will believe that the server cannot answer his request.
MISUSE DETECTION
An Intrusion Detection System (IDS) is an important security tool that is used as a countermeasure to preserve data integrity and system availability against attacks [6]-[7]. The goal of an IDS is to detect malicious traffic. In order to accomplish this, the IDS monitors all incoming and outgoing traffic. There are several approaches to implementing an IDS. Among those, two are the most popular (anomaly and misuse detection):

- The anomaly detection technique is based on the detection of traffic anomalies. The deviation of the monitored traffic from the normal profile is measured.
- The misuse or signature detection technique looks for patterns and signatures of already known attacks in the network traffic. A constantly updated database is usually used to store the signatures of known attacks [8].

In this section we present a new misuse detection algorithm to detect SIP faked response attacks. In the next subsections we extract the main session parameters, create a signature for these attacks, and evaluate the proposed algorithm.
Figure 19 Main session parameters during SIP faked response attacks

In figure (19), the attacker captures the INVITE2 request and extracts all important session parameters from it (method, Call-ID field, branch, tag of the To field, tag of the From field). The attacker then creates a faked response to the INVITE2 request. This faked response includes all session parameters except the tag in the To header field, which the attacker sets to a random (false) value to complete the
Figure 20 Signature of SIP faked response attacks

5.3 The Detection Procedure

Based on the signature of SIP faked response attacks obtained in the previous subsection, we can formulate the detection procedure of the proposed algorithm, as shown in figure (21). It is based on monitoring an INVITE request followed by a faked response; this response includes some parameters that differ from the parameters of the response sent from the server after the final ACK.
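One way to express the detection procedure above as a passive monitor, as an added example that is not the paper's C# program: it raises an alert when a response to an INVITE, seen after the client's ACK, carries a To tag different from the one in the response the client already acknowledged. The transaction key, the `msg` builder, the alert fields and the non-forking assumption are choices of this example, and the trace is constructed.

```python
import re

def parse(raw):
    """Pull out the session parameters the page lists for an INVITE transaction."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    hdr = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        hdr.setdefault(name.strip().lower(), value.strip())  # first Via = top Via
    def param(header, key):
        m = re.search(rf";\s*{key}=([^;>\s]+)", hdr.get(header, ""), re.I)
        return m.group(1) if m else None
    first = lines[0].split()
    is_response = first[0].startswith("SIP/")
    cseq = (hdr.get("cseq", "").split() + [None, None])[:2]
    return {"status": int(first[1]) if is_response else None,
            "method": None if is_response else first[0],
            "call_id": hdr.get("call-id"), "branch": param("via", "branch"),
            "from_tag": param("from", "tag"), "to_tag": param("to", "tag"),
            "cseq_num": cseq[0], "cseq_method": cseq[1]}

def detect(trace):
    """Alert when a response seen after the client's ACK carries a To tag that
    differs from the To tag of the response the client already acknowledged."""
    # Assumption: no forking on the path (forking can yield several To tags).
    calls, alerts = {}, []
    for raw in trace:
        m = parse(raw)
        key = (m["call_id"], m["from_tag"], m["cseq_num"])
        if m["method"] == "INVITE":
            calls.setdefault(key, {"branch": m["branch"], "tag": None,
                                   "status": None, "acked": False})
        st = calls.get(key)
        if st is None or m["method"] == "INVITE":
            continue
        if m["method"] == "ACK":
            st["acked"] = True
        elif (m["status"] and m["cseq_method"] == "INVITE"
              and m["branch"] == st["branch"] and m["to_tag"]):
            if st["tag"] is None:  # first tagged response reaching the client
                st["tag"], st["status"] = m["to_tag"], m["status"]
            elif st["acked"] and m["to_tag"] != st["tag"]:
                alerts.append({"call_id": m["call_id"], "suspect_status": st["status"],
                               "suspect_tag": st["tag"], "later_tag": m["to_tag"]})
    return alerts

# Constructed trace (made-up hosts, tags and branches), not captured traffic.
def msg(start, branch, to_tag, cseq):
    to = "<sip:user2@example.test>" + (f";tag={to_tag}" if to_tag else "")
    return (f"{start}\r\nVia: SIP/2.0/UDP 192.0.2.10:5060;branch={branch}\r\n"
            f"From: <sip:user1@example.test>;tag=f1\r\nTo: {to}\r\n"
            f"Call-ID: c1@192.0.2.10\r\nCSeq: {cseq}\r\n\r\n")

INVITE2 = msg("INVITE sip:user2@example.test SIP/2.0", "z9hG4bKa1", None, "2 INVITE")
ATTACK = [INVITE2,
          msg("SIP/2.0 180 Ringing", "z9hG4bKa1", "rand77", "2 INVITE"),  # faked
          msg("ACK sip:user2@example.test SIP/2.0", "z9hG4bKa1", "rand77", "2 ACK"),
          msg("SIP/2.0 180 Ringing", "z9hG4bKa1", "srv42", "2 INVITE")]   # server
NORMAL = [INVITE2,
          msg("SIP/2.0 100 Trying", "z9hG4bKa1", None, "2 INVITE"),
          msg("SIP/2.0 200 OK", "z9hG4bKa1", "srv42", "2 INVITE"),
          msg("ACK sip:user2@example.test SIP/2.0", "z9hG4bKa2", "srv42", "2 ACK")]
if __name__ == "__main__":
    print(detect(ATTACK), detect(NORMAL))
```

The monitor cannot tell from the tags alone which response is forged; following the page's scenario, it reports the acknowledged response as the suspect and the later one as the server's.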
Figure 22 Block diagram for detection method

5.4 Comparative study

In this subsection we compare our proposed algorithm with three misuse detection algorithms used to detect SIP spoofed message attacks. These algorithms are the Cross protocol algorithm [10], the Retransmission algorithm [12], and the Conflict Based Attack Detection algorithm [13]. Note that:
- The cross protocol detection technique monitors two kinds of network traffic (RTP and SIP) to detect the BYE attack, while our proposed algorithm monitors SIP traffic only.
- The retransmission detection scheme asks the user to retransmit the last message that it sent to the server. To do this, the user must store the last SIP message and retransmit it when the server requests it. Our proposed algorithm does not require any retransmission; it monitors SIP traffic only.
- The Conflict Based Attack Detection Algorithm (CBADA) requires sending some legal SIP messages to a particular party to check state conflict or message conflict, while our proposed algorithm does not require sending any message; it depends on monitoring SIP traffic only.

5.5 Proposed detection algorithm evaluation

To evaluate the effect of SIP faked response attacks on a SIP-based system, we used a test bed which consists of a SIP faked response generator, the Wireshark program, a 3CX SIP server, and two 3CX clients [9], as shown in figure (23).
Figure 23 SIP test bed

Using the SIP faked response generator, we generated eighteen SIP faked response attacks, and we saw that these attacks have a similar effect on the SIP-based system: call denial, the transaction remaining in the progress phase at the server side, and the transaction being terminated at the client side. To detect SIP faked response attacks that are generated by the attacker, we wrote a C# program whose core is the proposed

To calculate the accuracy and completeness of the proposed algorithm, we generated all the previous attacks four times as a dataset, and we applied the proposed algorithm to these attacks, as in table (3).

Where CA, FA, and FR are the number of correct alarms, false alarms, and false rejections, respectively.

Table 3: Accuracy and Completeness of proposed algorithm

Number of faked response attacks    CA    FA    FR    Accuracy    Completeness
72                                  72    0     0     1           1

Our proposed algorithm has the following features:
1. It belongs to the misuse detection algorithm family.
2. It is a simple algorithm.
3. It depends on SIP traffic monitoring only, without any additional operation (as in some other algorithms).
4. The attacker has no awareness of the detection process, because the proposed algorithm only monitors the SIP messages.
5. The detection process does not require any modification in the standard, or any additional resources.

6. CONCLUSION

The proposed detection algorithm is able to detect SIP faked response attacks with high accuracy and completeness. It belongs to the misuse detection algorithm family, and it has the ability to detect different types of SIP faked response attacks with high detection accuracy and excellent completeness. It is a misuse detection algorithm which uses several message parameters as a signature to detect SIP faked response attacks. This signature addresses the behavior of the transaction between the legal client and the server when the client is targeted by faked response attacks. The proposed algorithm is simple and depends on traffic monitoring only, without any additional operation. This work will be completed by implementing mechanisms to prevent intrusion.

References

[1] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., Schooler, E.: SIP: Session Initiation Protocol. RFC 3261 (Proposed Standard) (June 2002) Updated by RFCs 3265, 3853, 4320.
[2] Al-Allouni H., Rohiem A., Abd El-Aziz M. H., and El-moghazy A., VoIP Denial of Service Attacks Classification and Implementation, Proceedings of 26th national radio science conference, Future University, Egypt, March, 2009.
[3] Xianglin D., Chien-wei L., Security of VoIP SIP flooding and its Mitigation, Proceeding of The New Zealand Computer Science Research Student Conference, 2008.
[4] D. Geneiatakis, G. Kambourakis, C. Lambrinoudakis, A. Dagiouklas, and S. Gritzalis, "A framework for protecting SIP-based infrastructure against Malformed Message Attacks", Science Direct - Computer Networks, Volume 3, No. 10, pp. 2100-2113, Elsevier, 2007.
[5] E. Chen, Detecting DoS attacks on SIP systems, in 1st IEEE Workshop on VoIP Management and Security, P 5358, 2006.
[6] Premkumar T. Devanbu, Philip, Stuart G. Stubblebine, "Technique for Trusted Software Engineering", Proceedings of the 20th international conference on Software engineering (ICSE), Pages: 126 135, 1998.
[7] Chang-Tien Lu, Arnold P. Boedihardjo, Prajwal manalwar, "Exploiting Efficient Data Mining Techniques to Enhance Intrusion Detection Systems", Information Reuse and Integration Conference, Volume , Issue , 15-17, 2005.