VoIP Security Mechanisms in Practice (VoIP 安全機制實務討論)
Presentation Transcript

  • VoIP Security Mechanisms in Practice – 顯赫資訊 (Gentrice), speaker 鄭鈞文, http://www.gentrice.net [email_address]
  • VoIP security pyramid (each layer with the example threats the slide pairs with it)
    • Policies and procedures: passwords too short, outbound-dialling permission problems
    • Physical security: hardware faults, unexpected reboots
    • Network security: SYN flood, DDoS
    • Supporting services security: SQL, DHCP...
    • OS security: buffer overruns, worms...
    • VoIP protocol/application security: INVITE/BYE attacks, call interception
  • VoIP attack posture
    • Direct attacks from outside
    • Compromise one internal host first
      • Gives the attacker far more room and more methods for further attacks
      • 2005 CSI/FBI computer crime survey
        • Attackers usually already hold some level of network access
          • Employee, contractor, customer, partner
  • Protocols in VoIP Solution
      • Protocol Types:
      • Signaling – protocols that establish, locate, set up, modify and tear down sessions.
      • Media Transport – Protocols which transmit the voice samples .
      • Supporting (Services) – DNS , Location Servers , QoS , Routing Protocols, AAA …
  • Protocols combining a VoIP solution (slide diagram: two SIP IP phones, two SIP proxies, a DNS server and a location service, with media transport between the phones)
    1. A request (SIP INVITE) is sent to ESTABLISH a session
    2. DNS query for the IP address of the SIP proxy of the destination domain
    3. The INVITE is forwarded
    4. The location service is queried to check that the destination address represents a valid registered device, and for its IP address
    5. The request is forwarded to the end device
    6. The destination device returns its IP address to the originating device and a media connection is opened
  • Examples for protocols
    • Signaling
          • SIP (IETF)
          • H.323 (ITU-T)
          • MGCP (IETF)
          • MEGACO
    • Media transport
          • RTP and RTCP (IETF)
          • SCTP (IETF)
    • Supporting services
          • DNS
          • Routing – TRIP (Telephony Routing over IP)
          • Quality of service – RSVP, 802.1q
  • SIP Design & Methods
    • A client-server based protocol modeled after HTTP
    • Building Blocks are Requests and Responses
    • The Methods are:
      • INVITE – Session Setup
        • Initiate Sessions
        • Re-INVITEs used to change session state
      • ACK – Confirms INVITE sessions
      • BYE – Terminate Sessions
      • CANCEL – Cancels a pending request
      • OPTIONS – Capability and options Query
      • REGISTER – Binds Address to Location
  • SIP components
    • SIP UAC – SIP user agent client
    • SIP UAS – SIP user agent server
    • UA – UAC + UAS
    • SIP proxy – relays the call signaling without maintaining state (although it is able to). Receives a request from a UA or another proxy server and forwards (proxies) it to another location. The ACK and BYE are not required to go through the SIP proxy server.
    • SIP redirect server – receives a request from a UA or a proxy and returns a 3xy response stating the address the request should be sent to.
    • SIP registrar – receives REGISTER requests and keeps the user's whereabouts using a location server.
  • SIP Response Codes
    • Characteristics similar to HTTP:
    • 1xy Information or Provisional (Request in progress but not yet completed):
      • 100 Trying
      • 180 Ringing
      • 181 Call Is Being Forwarded
    • 2xy Success (the request has completed successfully):
      • 200 OK
    • 3xy Redirection (another location should be tried for the request):
      • 300 Multiple Choices
      • 301 Moved Permanently
      • 302 Moved Temporarily
  • SIP Response Codes
    • 4xy Client Error (due to an error in the request, the request was not completed . Can be retried at another location):
      • 400 Bad Request
      • 401 Unauthorized
      • 482 Loop Detected
      • 486 Busy Here
    • 5xy Server Failure (the request was not completed due to error in recipient. Can be retried at another location):
      • 500 Server Internal Error
    • 6xy Global Failure (request was failed and should not be retried again):
      • 600 Busy Everywhere
  • External attacks
  • Finding targets via the web
    • Difficulty: low
    • Prevalence: high
    • Impact: high
    • The website is usually the organization's public information window, so it is an easy point of attack
  • Public information
    • Organization structure or geographic location
    • FAQ / tech support
      • IP phone type, default voicemail password...
    • Job postings
    • Auto-attendant voice greeting
  • Google
    • inurl:"ccmuser/logon.asp"
    • intitle:"Sipura SPA configuration"
    • intitle:"Grandstream Device"
    • Countermeasure: check your own exposure
      • site:
    • http://www.cyveilance.com/
  • SIP architecture (slide call flow between SIP IP phone A, its SIP proxy, a DNS server, the destination SIP proxy, a location service and SIP IP phone B)
    1. A sends SIP INVITE to its proxy, which answers 100 Trying
    2. A's proxy makes a DNS query for the IP address of the SIP proxy of the destination domain and forwards the INVITE (FW: SIP INVITE); the destination proxy answers 100 Trying
    3. The destination proxy queries the location service to check that the destination represents a valid registered device, and for its IP address, then forwards the INVITE to B
    4. 180 Ringing travels back B → proxy → proxy → A
    5. 200 OK travels back along the same path
    6. ACK travels forward A → proxy → proxy → B
    7. Both-way RTP media flows between A and B
    8. BYE, answered with 200 OK, tears the call down
  • SIP Security – INVITE example (slide callouts mark the "predicted values" and "another hard to guess value" in the message)
        INVITE sip:[email_address] SIP/2.0
        Via: SIP/2.0/UDP here.com:5060
        From: BigGuy <sip:UserA@here.com>
        To: LittleGuy <sip:UserB@there.com>
        Call-ID: 12345601@here.com
        CSeq: 1 INVITE
        Contact: <sip:UserA@100.101.102.103>
        Content-Type: application/sdp
        Content-Length: 147

        v=0
        o=UserA 2890844526 2890844526 IN IP4 here.com
        s=Session SDP
        c=IN IP4 100.101.102.103
        t=0 0
        m=audio 49172 RTP/AVP 0
        a=rtpmap:0 PCMU/8000
  • SIP Security – Denial-of-Service
      • Simple Denial-of-Service against SIP when Using UDP
      • Since UDP is connectionless, if an attacker can guess which network a caller is sending its SIP signaling to over UDP, sending an ICMP error message such as Port Unreachable, Protocol Unreachable, Network Unreachable or even Host Unreachable can terminate the signaling and the call in any state.
      • Using “CANCEL”s (see next 2 examples)
      • Using “BYE” (anytime)
  • SIP Security – Denial-of-Service: A cannot make calls (A: SIP IP phone, B: SIP IP phone, C: attacker). A sends INVITE to B; C sends a matching CANCEL, so A's outgoing call is cancelled.
      • "The CANCEL request cancels a pending request with the same Call-ID, To, From, and CSeq..."
  • SIP Security – Denial-of-Service: A is not receiving calls (A: SIP IP phone, B: SIP IP phone, C: attacker). B sends INVITE to A; C sends a matching CANCEL, so the call to A is cancelled.
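The two CANCEL attacks above work because every field the callee uses to match a CANCEL to the pending INVITE travels in the clear. The following Python is an added example, not code from the slides: it parses a constructed INVITE (modelled on the deck's example, with a hypothetical Via branch and From tag added so the message is RFC 3261-shaped and the SDP body omitted), forges the CANCEL an attacker on the same segment would send, and shows the transaction-matching check a UAS applies, which the forged request passes. A forged BYE works the same way once the dialog is established, using the To tag from the 200 OK, which is equally visible on the wire.

```python
# Added example (not from the original slides): a sniffed INVITE carries every
# value needed to forge a CANCEL the callee will accept.  The INVITE is a
# constructed sample based on the deck's example; the Via branch and From tag
# are hypothetical additions so the message is RFC 3261-shaped, and the SDP
# body is omitted.
SNIFFED_INVITE = (
    "INVITE sip:UserB@there.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP here.com:5060;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 70\r\n"
    "From: BigGuy <sip:UserA@here.com>;tag=1928301774\r\n"
    "To: LittleGuy <sip:UserB@there.com>\r\n"
    "Call-ID: 12345601@here.com\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:UserA@100.101.102.103>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_sip(raw):
    """Split a SIP message into (start line, [(header, value), ...], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def header(headers, name):
    """First value of a header (case-insensitive name), or None."""
    for hname, value in headers:
        if hname == name.lower():
            return value
    return None


def forge_cancel(invite_raw):
    """What attacker C sends after seeing A's INVITE on the wire.

    RFC 3261 section 9.1: the CANCEL must copy the Request-URI, Call-ID, To,
    From and the CSeq number (with method CANCEL) and carry the same single
    Via as the INVITE.  All of these are visible in the sniffed request.
    """
    start, headers, _ = parse_sip(invite_raw)
    method, request_uri, version = start.split(" ", 2)
    if method != "INVITE":
        raise ValueError("only INVITE transactions are cancelled")
    cseq_num = header(headers, "CSeq").split()[0]
    lines = [
        "CANCEL %s %s" % (request_uri, version),
        "Via: " + header(headers, "Via"),
        "Max-Forwards: 70",
        "From: " + header(headers, "From"),
        "To: " + header(headers, "To"),
        "Call-ID: " + header(headers, "Call-ID"),
        "CSeq: %s CANCEL" % cseq_num,
        "Content-Length: 0",
    ]
    return "\r\n".join(lines) + "\r\n\r\n"


def cancel_matches_invite(cancel_raw, invite_raw):
    """The matching rule a UAS or proxy applies before honouring a CANCEL
    (same Request-URI, top Via, From, To, Call-ID and CSeq number)."""
    c_start, c_hdr, _ = parse_sip(cancel_raw)
    i_start, i_hdr, _ = parse_sip(invite_raw)
    if not c_start.startswith("CANCEL ") or not i_start.startswith("INVITE "):
        return False
    if c_start.split()[1] != i_start.split()[1]:
        return False
    for name in ("Via", "From", "To", "Call-ID"):
        if header(c_hdr, name) != header(i_hdr, name):
            return False
    return header(c_hdr, "CSeq").split()[0] == header(i_hdr, "CSeq").split()[0]
```

Because matching is purely by header values, the practical defence is to keep the signalling off the attacker's wire (TLS or IPsec, as the deck's closing slide lists) rather than to filter on source addresses, which UDP lets the attacker forge.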
  • SIP Security – Call Tracking (example): the same INVITE as on the previous slide. Anyone who can read it learns who is calling whom (From, To), the call identifier (Call-ID), the caller's address (Contact) and where the media will go (the SDP c= and m= lines: 100.101.102.103, UDP port 49172).
  • SIP Security – Call Hijacking
      • When an INVITE is sent, the attacker answers with a 3xy response indicating that the called party has moved, giving his own address as the forwarding address.
    Slide diagram (A: SIP IP phone, B: SIP IP phone, C: attacker): A sends INVITE; C replies 301 Moved Permanently; A sends a new INVITE' to C's address.
  • SIP Security – Call Hijacking (registration)
      • Registering the attacker's address in place of another user's.
      • [If registration requires authentication, another type of attack may be needed.]
    Slide diagram (A: SIP IP phone, C: attacker, SIP registrar): C tells the registrar "I am user A and here is my IP address".
  • SIP Security – Route hiding (slide diagram: IP Phone A and IP Phone B connected through a chain of SIP proxies)
      • Target: hide the routing information (Via headers)
      • Problem: IP Phone B needs to route back to IP Phone A, so it will be able to see all the routing information before it sends responses to its local proxy
  • Scanning the VoIP network
  • Scan
    • Combine UDP, TCP, SNMP and ICMP probes
    • Targets:
      • Firewalls, routers, VoIP phones, VoIP softphones, IP-PBX, DHCP server, TFTP server
  • Tools
    • nmap -sP 192.168.0.1-254 (ping sweep of the subnet)
  • TFTP / auto-provisioning
  • SNMP walk
    • SNMP v1/v2
    • snmpwalk
      • Can reveal the IP addresses of the many servers the phones talk to
    • SNMP v3
  • DoS/DDoS
  • Flooding attacks
    • UDP and TCP flooding attacks
    • VoIP mostly uses UDP
      • SIP on port 5060, plus random even-numbered ports for RTP media
    • Risk: high; difficulty: low
    • H.323 uses TCP, so the three-way handshake is exposed
      • SYN
      • SYN-ACK
      • ACK
  • Impact: insufficient bandwidth
    • Bandwidth exhausted by viruses
      • Viruses scanning for hosts to infect saturate the bandwidth
    • P2P downloads
  • Countermeasures
    • Use QoS
      • DiffServ, QoS tags
    • Anti-DoS/DDoS solutions
      • Usually detect attacks through rate control and similar methods
    • Harden network device configuration
      • Ex: http://fanqiang.chinaunix.net/a5/b7/20010625/070000655_b.html
    • Harden VoIP device configuration
      • Default passwords, guest accounts, unnecessary services, OS patches
    • VLAN
  • Network eavesdropping
  • Network-based eavesdropping
    • TFTP configuration files
    • File sniffing
    • Number harvesting
    • Call pattern tracking
    • Conversations
  • Switches
    • Hubs
    • Switch attacks
      • MAC address flooding
      • VLAN
      • Spanning Tree Protocol
        • BPDU (bridge protocol data unit) packets
      • VLAN Trunking Protocol
        • Hacking Exposed Cisco Networks, 2006, McGraw-Hill, ch. 12
    • ARP poisoning (man-in-the-middle)
  • Voice recording / number analysis
    • VoIPong, vomit
    • Ethereal, Wireshark
  • DTMF detection from a recorded call: http://www.polar-electric.com/DTMF/
  • Conventional techniques
    • Eavesdropping
    • DoS
    • Sending fake media
    • Altering relayed media
    • Injecting media
    • Forwarding to a different IP
  • ARP poisoning
    • Demo…
  • Countermeasures
    • Static ARP mappings
      • For VoIP servers, gateways, DHCP servers...
    • Switch port security
      • Makes moving IP phones inconvenient
    • VLAN
    • Session encryption
    • ARP poisoning detection
      • http://arpon.sourceforge.net/
      • arpwatch
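Added example, not from the slides: a small arpwatch-style detector that applies the static-mapping and detection items above to a constructed list of ARP replies. Addresses, the static table and the host roles are hypothetical. It flags a reply that contradicts a configured static entry, a learned IP that changes MAC, and one MAC that starts claiming several IPs, which is the signature of a host poisoning both the gateway and the PBX entries as in the demo.

```python
# Added example (not from the original slides): an arpwatch-style check over
# ARP replies, run against a constructed capture.  Hosts, addresses and the
# static table are hypothetical.
from collections import defaultdict

# Expected IP-to-MAC bindings for the gateway, the SIP proxy/IP-PBX and the
# DHCP/TFTP server (the "static ARP mapping" countermeasure on the slide).
STATIC_ARP = {
    "192.168.0.1": "00:11:22:33:44:01",   # default gateway
    "192.168.0.10": "00:11:22:33:44:10",  # SIP proxy / IP-PBX
    "192.168.0.20": "00:11:22:33:44:20",  # DHCP/TFTP server
}

# Constructed ARP replies as (time, sender IP, sender MAC).  The last three
# simulate an attacker at 00:de:ad:be:ef:01 poisoning the gateway and PBX
# entries on the phones, then repeating the gratuitous reply.
ARP_REPLIES = [
    ("10:00:01", "192.168.0.1", "00:11:22:33:44:01"),
    ("10:00:02", "192.168.0.10", "00:11:22:33:44:10"),
    ("10:00:03", "192.168.0.101", "00:aa:bb:cc:dd:01"),  # an IP phone
    ("10:00:04", "192.168.0.102", "00:aa:bb:cc:dd:02"),  # another IP phone
    ("10:05:00", "192.168.0.1", "00:de:ad:be:ef:01"),    # gateway "moved"
    ("10:05:01", "192.168.0.10", "00:de:ad:be:ef:01"),   # PBX "moved"
    ("10:05:02", "192.168.0.1", "00:de:ad:be:ef:01"),    # repeated reply
]


def detect_arp_anomalies(replies, static_arp):
    """Return a list of (time, kind, ip, mac) alerts.

    kinds: 'static-mismatch' - reply contradicts a configured static binding
           'changed-mac'     - a previously learned IP moved to another MAC
           'multi-ip-mac'    - one MAC newly claims an additional IP, typical
                               of a MITM host spoofing gateway and server
    """
    learned = {}                   # ip -> mac as first seen on the wire
    ips_per_mac = defaultdict(set)  # mac -> every ip it has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in static_arp and static_arp[ip].lower() != mac:
            alerts.append((ts, "static-mismatch", ip, mac))
        prev = learned.get(ip)
        if prev is None:
            learned[ip] = mac
        elif prev != mac:
            alerts.append((ts, "changed-mac", ip, mac))
            learned[ip] = mac
        before = len(ips_per_mac[mac])
        ips_per_mac[mac].add(ip)
        if before >= 1 and len(ips_per_mac[mac]) > before:
            alerts.append((ts, "multi-ip-mac", ip, mac))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(ARP_REPLIES, STATIC_ARP):
        print("%s %-16s %-14s %s" % alert)
```

A legitimate multi-homed host (a router answering for two addresses) also trips the multi-IP rule, so in practice such hosts go into the static table or an allow-list; the static-mismatch rule is the one that needs no tuning, which is why the slide puts static mappings first for the servers and gateway.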
  • Encryption – VoIP security mechanisms by layer
    • Application layer: HTTP digest authentication (SIP), SRTP and ZRTP (media)
    • Transport layer: TLS
    • Network layer: IPsec
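HTTP digest authentication is the mechanism that stops the registration hijack shown earlier (an attacker telling the registrar "I am user A"). The Python below is an added example, not from the slides: it implements the RFC 2617 digest as SIP uses it (RFC 3261 section 22) from both sides of a REGISTER, with a hypothetical realm, user, password and nonce. The registrar's verify function recomputes the response from the stored password and rejects a wrong password, a nonce it did not issue, and a response computed for a different method or Request-URI.

```python
# Added example (not from the original slides): SIP's HTTP Digest
# authentication (RFC 2617 as profiled by RFC 3261 section 22), from both ends
# of a REGISTER.  Realm, user, password and nonce are hypothetical.
import hashlib
import re
import secrets

# key="quoted value" or key=token, comma separated
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def parse_digest_params(header_value):
    """Parse a WWW-Authenticate or Authorization value: 'Digest k="v", k2=v2'."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(params)}


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc="00000001", cnonce=""):
    """RFC 2617 'response' value, with (qop=auth) or without quality of protection."""
    ha1 = md5_hex("%s:%s:%s" % (username, realm, password))
    ha2 = md5_hex("%s:%s" % (method, uri))
    if qop == "auth":
        return md5_hex(":".join((ha1, nonce, nc, cnonce, qop, ha2)))
    return md5_hex(":".join((ha1, nonce, ha2)))


def build_authorization(username, password, method, uri, challenge):
    """UA side: turn the registrar's 401 challenge into an Authorization value."""
    qop = "auth" if "auth" in challenge.get("qop", "").split(",") else None
    cnonce = secrets.token_hex(8) if qop else ""
    resp = digest_response(username, challenge["realm"], password, method, uri,
                           challenge["nonce"], qop, "00000001", cnonce)
    parts = ['username="%s"' % username,
             'realm="%s"' % challenge["realm"],
             'nonce="%s"' % challenge["nonce"],
             'uri="%s"' % uri,
             'response="%s"' % resp,
             "algorithm=MD5"]
    if qop:
        parts += ["qop=auth", "nc=00000001", 'cnonce="%s"' % cnonce]
    return "Digest " + ", ".join(parts)


def verify_authorization(authorization, method, request_uri, realm,
                         password_lookup, issued_nonce):
    """Registrar side: recompute the response from the stored password.

    Rejects a wrong password, a foreign realm, a nonce the registrar did not
    issue (replay), a digest-uri that differs from the Request-URI, and a
    response computed for another method.
    """
    p = parse_digest_params(authorization)
    if p.get("realm") != realm or p.get("nonce") != issued_nonce:
        return False
    if p.get("uri") != request_uri:
        return False
    password = password_lookup(p.get("username"))
    if password is None:
        return False
    expected = digest_response(p["username"], realm, password, method,
                               request_uri, issued_nonce, p.get("qop"),
                               p.get("nc", "00000001"), p.get("cnonce", ""))
    return secrets.compare_digest(expected.encode(), p.get("response", "").encode())
```

The response binds the credential to the nonce, method and Request-URI only; the Contact header that a registration hijack actually rewrites is not covered, and MD5 of username:realm:password is offline-guessable by anyone who captures the exchange, which is why the same slide lists TLS and IPsec for the signalling path.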
  • Thank you; your comments are welcome