
Practical Discussion of VoIP Security Mechanisms (VoIP 安全機制實務討論)



Presentation Transcript


  1. Practical Discussion of VoIP Security Mechanisms. 顯赫資訊 (Gentrice), 鄭鈞文 (Kaiser), http://www.gentrice.net, Kaiser@gentrice.net

  2. VoIP security pyramid (layers from top to bottom)
  • VoIP protocol/application security: INVITE/BYE attacks, call interception
  • OS security: buffer underruns, worms…
  • Supporting services security: SQL, DHCP…
  • Network security: SYN flood, DDoS
  • Physical security: hardware faults, unexpected reboots
  • Policies and procedures: passwords too short, outbound-dialing permission problems

  3. VoIP attack landscape
  • Direct attacks from outside
  • Compromise one internal host first
  • From there the attacker has far more room and more methods to attack
  • 2005 CSI/FBI computer crime survey: attackers usually already have some level of network access
  • Employee, contractor, customer, partner

  4. Protocols in a VoIP Solution. Protocol types:
  • Signaling – protocols that establish, locate, set up, modify and tear down sessions.
  • Media transport – protocols that transmit the voice samples.
  • Supporting (services) – DNS, location servers, QoS, routing protocols, AAA…

  5. Protocols Combining a VoIP Solution (call-flow diagram: SIP IP Phone, SIP Proxy, DNS Server, Location Service, SIP Proxy, SIP IP Phone)
  1) A request (SIP INVITE) is sent to ESTABLISH a session (SIP IP Phone to its SIP Proxy).
  2) DNS query for the IP address of the SIP Proxy of the destination domain (DNS Server).
  3) The Location Service is queried to check that the destination address represents a valid registered device, and for its IP address.
  4) The INVITE is forwarded (SIP Proxy to SIP Proxy).
  5) The request is forwarded to the end device (SIP IP Phone).
  6) The destination device returns its IP address to the originating device and a media connection is opened (Media Transport).

  6. Examples for Protocols
  • Signaling: SIP (IETF), H.323 (ITU-T), MGCP (IETF), MEGACO
  • Media transport: RTP and RTCP (IETF), SCTP (IETF)
  • Supporting services: DNS; routing – TRIP (Telephony Routing over IP); Quality of Service – RSVP, 802.1q

  7. SIP Design & Methods
  • A client-server based protocol modeled after HTTP
  • Building blocks are requests and responses
  • The methods are:
    • INVITE – session setup; initiates sessions; re-INVITEs are used to change session state
    • ACK – confirms INVITE sessions
    • BYE – terminates sessions
    • CANCEL – cancels a pending session
    • OPTIONS – capability and options query
    • REGISTER – binds an address to a location

  8. SIP Components
  • SIP UAC – SIP User Agent Client
  • SIP UAS – SIP User Agent Server
  • UA – UAC + UAS
  • SIP Proxy – relays the call signaling without maintaining state (although able to). Receives a request from a UA or another proxy server, and forwards or proxies the request to another location (the ACK and BYE are not required to go through the SIP proxy server).
  • SIP Redirect – receives a request from a UA or a proxy. The redirect server returns a 3xy response stating the IP address the request should be sent to.
  • SIP Registrar – receives registration requests, and keeps the user's whereabouts using a Location Server.

  9. SIP Response Codes. Characteristics similar to HTTP:
  • 1xy Information or Provisional (request in progress but not yet completed): 100 Trying, 180 Ringing, 181 Call Forwarded
  • 2xy Success (the request has completed successfully): 200 OK
  • 3xy Redirection (another location should be tried for the request): 300 Multiple Options, 301 Moved Permanently, 302 Moved Temporarily

  10. SIP Response Codes (continued)
  • 4xy Client Error (due to an error in the request, the request was not completed; can be retried at another location): 400 Bad Request, 401 Unauthorized, 482 Loop Detected, 486 Busy Here
  • 5xy Server Failure (the request was not completed due to an error in the recipient; can be retried at another location): 500 Server Internal Error
  • 6xy Global Failure (the request failed and should not be retried): 600 Busy Everywhere

  11. External attacks

  12. Reconnaissance via the web
  • Difficulty: low
  • Prevalence: high
  • Impact: high
  • The website is usually the organization's public information window, so it is an easy starting point for attackers

  13. Public information
  • Organization chart or geographic location
  • FAQ / tech support
  • IP-phone type, default voicemail password…
  • Job postings
  • Auto-attendant voice greeting

  14. Google
  • inurl:"ccmuser/logon.asp"
  • intitle:"Sipura SPA configuration"
  • intitle:"Grandstream Device"
  • Countermeasure: self-check (run the same searches against your own site)
  • site:
  • http://www.cyveilance.com/

  15. SIP Architecture (call-flow diagram: SIP IP Phone A, SIP Proxy 1, DNS Server, Location Service, SIP Proxy 2, SIP IP Phone B)
  • Phone A -> Proxy 1: SIP INVITE; Proxy 1 -> Phone A: 100 Trying
  • Proxy 1 -> DNS Server: DNS query for the IP address of the SIP Proxy of the destination domain
  • Proxy 1 -> Proxy 2: FW: SIP INVITE; Proxy 2 -> Proxy 1: 100 Trying
  • Proxy 2 -> Location Service: query whether the destination address represents a valid registered device, and for its IP address
  • Proxy 2 -> Phone B: FW: SIP INVITE
  • Phone B -> Proxy 2 -> Proxy 1 -> Phone A: 180 Ringing, then 200 OK
  • Phone A -> Phone B: ACK
  • Both-way RTP media between the phones
  • BYE / 200 OK tears the call down

  16. SIP Security–INVITE Example
    INVITE sip:UserB@there.com SIP/2.0
    Via: SIP/2.0/UDP here.com:5060
    From: BigGuy <sip:UserA@here.com>
    To: LittleGuy <sip:UserB@there.com>
    Call-ID: 12345601@here.com
    CSeq: 1 INVITE
    Contact: <sip:UserA@100.101.102.103>
    Content-Type: application/sdp
    Content-Length: 147

    v=0
    o=UserA 2890844526 2890844526 IN IP4 here.com
    s=Session SDP
    c=IN IP4 100.101.102.103
    t=0 0
    m=audio 49172 RTP/AVP 0
    a=rtpmap:0 PCMU/8000
  Slide annotations on the message: "Predicted Values" and "Another hard to guess value".

  17. SIP Security–Denial-of-Service
  • Simple denial-of-service against SIP when using UDP: since UDP is a connectionless, asynchronous protocol, if one can guess the network a caller is sending its SIP signaling over UDP to, sending an ICMP error message such as Port Unreachable, Protocol Unreachable, Network Unreachable or even Host Unreachable will terminate the signaling and the call in any state.
  • Using "CANCEL"s (see the next two examples)
  • Using "BYE" (at any time)

  18. SIP Security–Denial-of-Service: A cannot make calls
  • A (SIP IP Phone) sends INVITE to B (SIP IP Phone); C (attacker) sends a matching CANCEL
  • "The CANCEL request cancels a pending request with the same Call-ID, To, From, and CSeq…"

  19. SIP Security–Denial-of-Service: A is not receiving calls
  • B (SIP IP Phone) sends INVITE to A (SIP IP Phone); C (attacker) sends a matching CANCEL

  20. SIP Security–Call Tracking (Example)
    INVITE sip:UserB@there.com SIP/2.0
    Via: SIP/2.0/UDP here.com:5060
    From: BigGuy <sip:UserA@here.com>
    To: LittleGuy <sip:UserB@there.com>
    Call-ID: 12345601@here.com
    CSeq: 1 INVITE
    Contact: <sip:UserA@100.101.102.103>
    Content-Type: application/sdp
    Content-Length: 147

    v=0
    o=UserA 2890844526 2890844526 IN IP4 here.com
    s=Session SDP
    c=IN IP4 100.101.102.103
    t=0 0
    m=audio 49172 RTP/AVP 0
    a=rtpmap:0 PCMU/8000

  21. SIP Security –Call Hijacking
  • When an INVITE is sent, the attacker answers with a 3xy response indicating that the called party has moved and supplies his own address as the forwarding address.
  • A (SIP IP Phone) -> B: INVITE; C (attacker) -> A: 301 Moved Permanently; A -> C: INVITE'

  22. SIP Security –Call Hijacking (registration)
  • Registering one's own address in place of another user's. (If registration requires authentication, another type of attack may be needed.)
  • C (attacker) -> SIP Registrar: "I am user A and here is my IP address" (while A's SIP IP Phone is the legitimate holder of that address)
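As an added example (not from the slides), the check a proxy-side sensor could apply against the spoofed CANCEL/BYE of slides 17–19 and the registration hijack of slide 22: a CANCEL must come from the host that sent the INVITE, a BYE from a party that has taken part in the dialog, and a REGISTER that moves a binding must carry an Authorization header. The SipGuard class, its alert strings and the sample source addresses are assumptions made for this example; the message headers follow slide 16.

```python
def parse_sip(raw):
    """Split a SIP message into (method, headers); responses get method 'RESPONSE'. Body is ignored."""
    lines = raw.strip().splitlines()
    first = lines[0].split()
    method = 'RESPONSE' if first[0].startswith('SIP/') else first[0]
    headers = {}
    for line in lines[1:]:
        if not line.strip(): break          # blank line ends the headers (SDP follows)
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return method, headers

def party(v): return (v or '').split(';')[0].strip()   # To/From address without ;tag= etc.

class SipGuard:
    """Watch (source IP, message) pairs as a proxy sees them; flag CANCEL/BYE that copy a dialog's
    Call-ID/To/From/CSeq from an outside host, and REGISTER moves without Authorization."""
    def __init__(self):
        self.dialogs = {}    # Call-ID -> {'parties': (to, from), 'origin': ip, 'cseq': n, 'peers': {ips}}
        self.bindings = {}   # AOR (To header) -> (Contact, source IP)

    def observe(self, src, raw):
        method, h = parse_sip(raw)
        cid, cseq = h.get('call-id'), h.get('cseq', '0 NONE').split()[0]
        parties = (party(h.get('to')), party(h.get('from')))
        d = self.dialogs.get(cid)
        if d and d['parties'] != parties: d = None   # same Call-ID, different To/From: not this dialog
        if method == 'INVITE':
            self.dialogs[cid] = {'parties': parties, 'origin': src, 'cseq': cseq, 'peers': {src}}
        elif method == 'RESPONSE' and d:
            d['peers'].add(src)                      # the answering side becomes a legitimate party
        elif method == 'CANCEL':
            if not d or d['cseq'] != cseq:
                return [f'CANCEL {cid} from {src} matches no pending INVITE']
            if src != d['origin']:
                return [f'CANCEL {cid} from {src}, but the INVITE came from {d["origin"]}']
        elif method == 'BYE':
            if not d:
                return [f'BYE {cid} from {src} for an unknown dialog']
            if src not in d['peers']:
                return [f'BYE {cid} from {src}, which is not a party to the dialog']
        elif method == 'REGISTER':
            aor, contact = parties[0], h.get('contact')
            prev = self.bindings.get(aor)
            self.bindings[aor] = (contact, src)
            if prev and prev != (contact, src) and 'authorization' not in h:
                return [f'REGISTER moves {aor} to {contact} from {src} without Authorization (was {prev})']
        return []
```

A sensor placed at the proxy sees the source address of each datagram, which is the one fact a header-copying attacker cannot choose freely without also spoofing at the IP layer.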

  23. SIP Security: route hiding (diagram: IP Phone A, SIP Proxy, SIP Proxy, SIP Proxy, SIP Proxy, IP Phone B)
  • Target – hide the routing information (Via headers).
  • Problem – IP Phone B needs to route back to IP Phone A, so it can see all routing information before it sends its responses to its local proxy.

  24. Scanning the VoIP network

  25. Scan
  • Combines UDP, TCP, SNMP and ICMP probes
  • Targets: firewalls, routers, VoIP phones, VoIP softphones, IP-PBX, DHCP server, TFTP server, …

  26. Tools
  • nmap -sP 192.168.0.1-254

  27. TFTP/auto provisioning

  28. SNMP walk
  • SNMP v1/v2
  • snmpwalk
  • Reveals the IP addresses of many of the service hosts the phones connect to
  • SNMP v3

  29. DoS/DDoS

  30. Flooding attacks
  • UDP and TCP flooding attacks
  • VoIP mostly uses UDP
  • SIP: port 5060, plus random even-numbered ports for media
  • Risk: high; difficulty: low
  • H.323 uses TCP: SYN, SYN-ACK, ACK

  31. Impact: insufficient bandwidth
  • Bandwidth exhausted by malware traffic
  • Malware scanning for hosts to compromise consumes bandwidth
  • P2P downloads

  32. Countermeasures
  • Use QoS: DiffServ, QoS tags
  • Anti-DoS/DDoS solutions, which usually detect attacks through rate control and similar means
  • Harden network device configuration. Ex: http://fanqiang.chinaunix.net/a5/b7/20010625/070000655_b.html
  • Harden VoIP device configuration: default passwords, guest accounts, unnecessary services, OS patches
  • VLAN

  33. Network sniffing

  34. Network-based sniffing
  • TFTP configuration file
  • File sniffing
  • Number harvesting
  • Call pattern tracking
  • Conversation capture

  35. Switch
  • Hub
  • Switch attacks: MAC address flooding; VLAN; Spanning Tree Protocol (Bridge Protocol Data Unit, BPDU, packets); VLAN Trunking Protocol
  • Hacking Exposed Cisco Networks, 2006, McGraw-Hill, ch. 12
  • ARP poisoning (man-in-the-middle)

  36. Voice recording / number analysis
  • Voipong, vomit
  • Ethereal, Wireshark

  37. DTMF detection from a recorded call: http://www.polar-electric.com/DTMF/

  38. Traditional techniques
  • Eavesdropping
  • DoS
  • Injecting fake media
  • Altering relayed media
  • Adding media
  • Redirecting to a different IP

  39. ARP poisoning
  • Demo…

  40. Countermeasures
  • Static ARP mappings (for the VoIP server, gateway, DHCP server, …)
  • Switch port security (makes moving IP phones inconvenient)
  • VLAN
  • Session encryption
  • ARP poisoning detection: http://arpon.sourceforge.net/, arpwatch
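An arpwatch-style check for the ARP poisoning countermeasures in slide 40, added here as an example rather than taken from the talk: static IP-to-MAC entries for the VoIP server, gateway and DHCP server are enforced, bindings that change (flip-flops) are reported, and one MAC answering for several addresses including a critical host is flagged. The addresses, MACs and tcpdump-style ARP reply lines are constructed for this example.

```python
import re

# Constructed static IP-to-MAC mapping for the critical hosts slide 40 names
# (VoIP server, gateway, DHCP server); the addresses are made up for this example.
STATIC_ARP = {
    '10.1.1.5': 'aa:bb:cc:00:00:05',   # IP-PBX / VoIP server
    '10.1.1.1': 'aa:bb:cc:00:00:01',   # default gateway
    '10.1.1.2': 'aa:bb:cc:00:00:02',   # DHCP server
}
# tcpdump prints ARP replies as "ARP, Reply <ip> is-at <mac>, length N"
REPLY_RE = re.compile(r'Reply (\S+) is-at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})', re.I)

class ArpWatch:
    def __init__(self, static):
        self.static = {ip: mac.lower() for ip, mac in static.items()}
        self.ip_to_mac = {}    # bindings learned from traffic, arpwatch style
        self.mac_to_ips = {}   # reverse view: one MAC answering for many addresses

    def observe(self, line):
        """Feed one tcpdump-style ARP reply line; return an alert string or None."""
        m = REPLY_RE.search(line)
        if not m:
            return None
        ip, mac = m.group(1), m.group(2).lower()
        self.mac_to_ips.setdefault(mac, set()).add(ip)
        if ip in self.static and mac != self.static[ip]:
            return f'{ip} claimed by {mac}, static mapping says {self.static[ip]}'
        prev = self.ip_to_mac.get(ip)
        self.ip_to_mac[ip] = mac
        if prev and prev != mac:
            return f'{ip} changed from {prev} to {mac} (flip-flop)'
        claimed = self.mac_to_ips[mac]
        if len(claimed) > 1 and claimed.intersection(self.static):
            return f'{mac} answers for several addresses {sorted(claimed)}, including a critical host'
        return None

def scan(lines, static=STATIC_ARP):
    """Run every line through one ArpWatch and return the alerts in order."""
    watch = ArpWatch(static)
    return [a for a in (watch.observe(l) for l in lines) if a]

# Constructed capture: the gateway and a phone answer normally, then one unknown MAC
# starts answering for the PBX, the phone and a third address.
SAMPLE = [
    '10:00:01 ARP, Reply 10.1.1.1 is-at aa:bb:cc:00:00:01, length 28',
    '10:00:02 ARP, Reply 10.1.1.50 is-at ee:ee:ee:00:00:50, length 28',
    '10:00:05 ARP, Reply 10.1.1.5 is-at dd:dd:dd:00:00:99, length 28',
    '10:00:06 ARP, Reply 10.1.1.50 is-at dd:dd:dd:00:00:99, length 28',
    '10:00:07 ARP, Reply 10.1.1.60 is-at dd:dd:dd:00:00:99, length 28',
]
```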

  41. Encryption: VoIP security by layer
  • Layers: transport layer, application layer, network layer
  • Mechanisms: HTTP digest authentication, TLS, SRTP, ZRTP, IPsec

  42. Thank you; comments and questions welcome
