A framework for protecting a SIP-based infrastructure against malformed message attacks

Dimitris Geneiatakis, Georgios Kambourakis *, Costas Lambrinoudakis, Tasos Dagiuklas, Stefanos Gritzalis

Laboratory of Information and Communication Systems Security, Department of Information and Communication Systems Engineering, University of the Aegean, Karlovassi, GR-83200 Samos, Greece

Received 26 January 2006; received in revised form 7 November 2006; accepted 13 November 2006
Available online 19 December 2006
Responsible Editor: Refik Molva

Abstract

This paper presents a framework that can be utilized for the protection of session initiation protocol (SIP)-based infrastructures from malformed message attacks. Its main characteristic is that it is lightweight and that it can be easily adapted to heterogeneous SIP implementations. The paper analyzes several real-life attacks on VoIP services and proposes a novel detection and protection mechanism that is validated through an experimental test-bed under different test scenarios. Furthermore, it is demonstrated that the employment of such a mechanism for the detection of malformed messages imposes negligible overheads in terms of the overall SIP system performance.

© 2006 Elsevier B.V. All rights reserved.

Keywords: Session initiation protocol; Malformed message attacks; Voice over IP security; Intrusion detection system

1. Introduction

Internet is susceptible to a plethora of attacks and undoubtedly it must be considered as a hostile environment by every critical real-time application such as Voice over IP (VoIP) telephony. Thus, the deployment of various VoIP services raises security challenges that have not been previously encountered in the Public Switched Telephone Network (PSTN), where it is true that the frequency of attacks is extremely low mainly due to its closed architecture.
On the contrary, the open architecture of VoIP makes these services vulnerable not only to well known Internet attacks but also to more sophisticated attacks aiming to exploit vulnerabilities that may exist in the signaling or the voice transport of VoIP infrastructures. Researchers have made significant efforts in identifying security vulnerabilities that directly affect VoIP based infrastructures [1,2]. For instance, various flooding techniques could be utilized for attacking voice services or, alternatively, an attacker could employ specially malformed signaling or media packets.

1389-1286/$ - see front matter © 2006 Elsevier B.V. All rights reserved. doi:10.1016/j.comnet.2006.11.014
* Corresponding author. Tel.: +30 22730 82247; fax: +30 22730 82009.
E-mail addresses: dgen@aegean.gr (D. Geneiatakis), gkamb@aegean.gr (G. Kambourakis), clam@aegean.gr (C. Lambrinoudakis), ntan@aegean.gr (T. Dagiuklas), sgritz@aegean.gr (S. Gritzalis).
Computer Networks 51 (2007) 2580–2593, www.elsevier.com/locate/comnet

For the latter attack, it is well known that both protocol implementations and network applications are often not fully compliant with the underlying standards (e.g. RFCs). As a result there are implementation errors that may pollute a network with incorrectly formed packets and lead to unstable conditions. Furthermore, standard protocol implementations usually focus on well-formed messages without considering any defense tactic against malformed messages. For this reason, once an attacker floods a VoIP target (e.g. a SIP proxy) with a number of malformed messages, the victim is unable to process them, resulting in various undesired situations like crashing the VoIP server and creating Denial of Service (DoS) phenomena.

The term "malformed message" represents any type of invalid or non-standard message, skillfully formed by an attacker in order to exploit and eventually take advantage of any implementation gap or dysfunction that might exist in the target system.
As an example, numerous transport control protocol (TCP) common implementation problems are already documented in [8]. Specifically for Internet applications and services, various distinct types of malformed message attacks have been already launched [6,7]. It is therefore clear that malformed message attacks cannot be avoided in VoIP implementations and the corresponding signaling servers. Attackers will try to compromise the system by capitalizing on properly adapted malformed messages.

The security threats introduced by malformed message attacks are often poorly understood and require more research effort in order to effectively protect VoIP infrastructures against them. Security flaws caused by malformed messages in VoIP signaling protocols such as H.323 and session initiation protocol (SIP) implementations have been already published in [3–5]. More specifically, the PROTOS project [9] focuses on the identification of certain malformed input subclasses that can cause instability in the corresponding VoIP Signaling servers (e.g. a SIP proxy). Processing such messages in VoIP networks can, surprisingly, give access to an unauthorized user or drive the provided service to various unstable states and consequently cause DoS. However, such studies test and evaluate the robustness of the implementations without providing any solution for the prevention and protection of VoIP subsystems against this kind of attacks. More specifically, we are not aware of any research work addressing the detection or/and prevention, through some kind of practical mechanisms, of malformed message attacks in SIP realms.

This paper proposes a novel framework to protect SIP-based subsystems (e.g. SIP proxy) against malformed message attacks. The rest of the paper is organized as follows: Section 2 introduces various forms of SIP malformed message attacks, presenting practical examples by deploying them in two different SIP network subsystems namely SIP proxies and registration databases.
Section 3 describes the proposed identification and prevention framework, while Section 4 evaluates the performance of the proposed solution in terms of the overheads introduced in the corresponding VoIP subsystems (SIP servers). Finally, Section 5 concludes the paper providing some pointers to future work.

2. Malformed messages and the SIP protocol

SIP is an application-layer signaling protocol for creating, modifying, and terminating multimedia sessions between one or more participants [10]. SIP messages can be either a request or an acknowledgment to a corresponding request, consisting of the header fields and optionally a message body. The overall structure of a typical well-formed SIP message, according to RFC 3261 [10], is as shown in Fig. 1.

    INVITE sip:dgen@aegean.gr SIP/2.0
    To: Geneiataki Dimitri <dgen@aegean.gr>
    From: Karopoulos Georgios <sip:gkar@aegean.gr>;tag=76341
    CSeq: 2 INVITE
    Authorization: Digest username="gkar",
      realm="195.251.164.23", algorithm="md5",
      uri="SIP:195.251.164.23",
      nonce="41352a56632c7b3d382b39e0179ca5f98b9fa03b",
      response="a6466dce70e7b098d127880584cd57"
    Contact: <SIP:195.251.166.73:9384>;>
    Content-Type: application/sdp

    v=0
    o=Tesla 2890844526 IN IP4 lab.high-voltage.org
    c=IN IP4 100.101.102.103
    t=0 0
    m=audio 49170 RTP/AVP 0
    a=rtpmap:0 PCMU/8000

Fig. 1. A typical well formed INVITE message. (Figure labels: First Line; SIP headers; Session Description (body).)

A SIP-based multimedia connection between two users is established whenever the caller (e.g. User A) sends an INVITE message to the corresponding proxy, which in turn forwards it to User B (callee). The signaling flow procedure is depicted in Fig. 2.

[Fig. 2. SIP multimedia connection establishment. Participants: User A, SIP Proxy, User B. Messages: invite, trying, invite, ringing, ringing, OK, OK, ACK, ACK, followed by the multimedia session.]

Consequently, whenever a SIP request is received by a SIP proxy the first step is to parse the message. The parsing procedure is essential in order to represent the incoming request in a form that is appropriate for constructing the reply to the request.

Fig. 3 depicts the (initial) processing by SIP proxies (e.g. SER [11]) whenever they receive either a SIP request or a response. Although some SIP proxies' implementations, depending on the vendor, may slightly vary, the sequence described by steps 1 to 3 forms the general concept of the processing mechanism in a SIP-based server.

[Fig. 3. Processing steps of SIP message in a SIP proxy server. Labels: receive udp/tcp, receive incoming packet (1), parser (2), (3).]

Generally, SIP parsers are being developed to receive and process well-formed messages; i.e. SIP messages conforming to the RFC 3261 syntax [10]. However, an attacker, or even a poorly-implemented SIP client, may well generate and transmit various types of distorted messages [12], resulting in one of the following undesired situations:

• Denial of Service (DoS);
• Unstable operation;
• Unauthorized access.

These problems occur mainly because the SIP proxy parser is unable to successfully handle (e.g. drop) malformed messages. For instance, during the establishment of a multimedia SIP session (see Fig. 2), an attacker instead of sending a well-formed message could try various malformed message combinations to discover a security problem or flaw of the parser. Consider, for example, an attacker who, instead of sending the expected well-formed INVITE message (see Fig. 1), sends the malformed SIP INVITE message shown in Fig. 4. This message is invalid and cannot be generated under the standard SIP protocol syntax, due to the lack of a REQUEST-URI, which must always follow the SIP INVITE method [10]. The target of such a message is either a SIP proxy (if the parser of the proxy cannot handle null messages it may crash or it will generate null DNS requests forcing the underlying DNS service to perform time-consuming and unsuccessful host lookups) or the user's terminal (callee). More details for this kind of attack can be found in [12].

    INVITE (null)
    To: Geneiataki Dimitri <dgen@aegean.gr>
    From: Karopoulos Georgios <sip:gkar@aegean.gr>;tag=76341
    CSeq: 2 INVITE
    Authorization: Digest username="gkar",
      realm="195.251.164.23", algorithm="md5",
      uri="SIP:195.251.164.23",
      nonce="41352a56632c7b3d382b39e0179ca5f98b9fa03b",
      response="a6466dce70e7b098d127880584cd57"
    Contact: <SIP:195.251.166.73:9384>;>
    Content-Type: application/sdp

    v=0
    o=Tesla 2890844526 IN IP4 lab.high-voltage.org
    c=IN IP4 100.101.102.103
    t=0 0
    m=audio 49170 RTP/AVP 0
    a=rtpmap:0 PCMU/8000

Fig. 4. Example of malformed SIP INVITE message. (Figure labels: SIP header; Session Description.)

Another case that can be seen as a malformed message attack is that of SIP messages embedding SQL code in their authorization header as illustrated in Fig. 5.

The difference between the messages presented in Figs. 4 and 5 is that in the latter case the objective of the malicious user is the unauthorized modification of the SIP proxy's database (e.g. the registration database); a detailed analysis of SQL injection attacks in SIP can be found in [13].

Even though the above attack categories have different targets, they are classified in the same type as they both violate the SIP protocol specification, trying to exploit a different vulnerability in the corresponding SIP infrastructure.

3. Proposed framework for protecting SIP infrastructures against malformed messages

In order to have more agile and secure VoIP SIP-based services, capable of defending against malformed message attacks, one has to deploy a defence suite with different types of prevention and detection mechanisms. This section introduces a complete security framework that deals with malformed messages in SIP implementations and aims at improving the availability, reliability and security level of the provided services.

3.1. General countermeasures and remedies

As already explained, the availability of VoIP subsystems can be reduced due to the fact that parsers in signaling servers, like SIP proxies, do not examine messages for illegal characters and text. Therefore, input validation procedures are necessary. The lack of any validation mechanism in the receiving process, as illustrated in Fig. 3, is responsible for several security flaws caused by processing such malformed messages. The employment of mechanisms for filtering malicious input, at the Internet application level, has thus been investigated by researchers [14]. Even state-of-the-art firewall technologies incorporate deep packet inspection methods [15] in order to check incoming data for malicious content. The same techniques can be applied to SIP architectures using the Middlebox Communication approach [16].

Moreover, according to RFC 3261 [10] the utilization of underlying security protocols like SSL, IPsec, S/MIME and HTTP Digest can substantially restrict or prevent the use of malformed messages, even though they introduce additional traffic and processing overhead to the corresponding SIP subsystems. Nevertheless, such security schemes, when utilized in SIP, require the installation of an end-to-end or layered Public Key Infrastructure (PKI) beforehand. A detailed analysis of SIP common security mechanisms can be found in [17].

All the aforementioned security protocols have, in some cases, proved to be ineffective. For example, as stated in [12], an attacker may utilize a SIP proxy from another realm to amplify the hazardous effects of his malformed messages. Consequently, although the SIP proxy may not crash it will forward the malformed message towards other proxies in the path and finally towards the end-user trying to cause a DoS. In addition, these mechanisms do not provide any real security against (malevolent) insiders, as it is well known that many security incidents originate from them.
For example, consider the case where an insider creates a malformed message, signs it with his private key and then sends the message to the corresponding SIP server. As the SIP server will successfully validate the signed message, the process will continue to the next stage, that is, the parsing of the incoming malformed message. It must be stressed that such a scenario may crash the SIP server. Someone could claim that malformed message attacks can be repelled by simply blocking the sources that originate malformed packets. However, such a solution may cause a DoS to legitimate users if the attacker (a malevolent legitimate user who holds a legal certificate) has hijacked their connections (e.g. by spoofing their IP or MAC addresses). It is therefore clear that such attacks can hardly be defeated by conventional detection or prevention mechanisms like SSL, IPsec, S/MIME, etc. It is essential to emphasize that such threats cannot be ignored since many security incidents are caused by internal users.

    Authorization:Digest username="gkar';
      Update subscriber set first_name='malicious' where username='gkar'--",
      realm="195.251.164.23", algorithm="md5", uri="sip:195.251.164.23",
      nonce="41352a56632c7b3d382b5f98b9fa03b",
      response="a6466dce70e7b098d127880584cd57

Fig. 5. Example of a malformed message that contains SQL code.

3.2. Detection scheme for malformed messages

The introduction of an appropriate detection mechanism for malformed messages in the existing VoIP infrastructure is considered vital for ensuring reliability and preventing DoS.

The main idea for the development of such a mechanism stems from the SIP syntax as described in the RFC 3261 [10]. More specifically, any message that does not comply with the RFC can be characterized as malicious.
Therefore, the detection mechanism for malformed message attacks can be effectively described through specific structures, known as "attack signatures", which consist of two parts based on the SIP syntax. The first part contributes to the identification of the malformed message; it is a general signature that can be applied to any SIP method. The second (optional) part specifies additional rules that can be applied to specific SIP methods as determined by the administrator of each SIP domain, according to the security policy of each VoIP provider. One important parameter that has been taken into account is that, unlike non-real time services, the detection mechanism should not introduce significant processing overhead. Otherwise, the interactivity between the involved parties will be jeopardized. An example of the general signature is depicted in Fig. 6.

    SIP_METHOD SIP-URI | SIPS-URI MESSAGE HEADER+
    [MESSAGE_BODY]
    additional rules
    SIP_METHOD!=NULL
    MESSAGE_HEADER!=NULL
    size_of(SIP_METHOD)>%constant% e.g 50 bytes
    size_of(MESSAGE_BODY)>%constant%

Fig. 6. General detection signature for SIP.

The first two lines imply that any SIP message:

• Must include a SIP_METHOD (e.g. INVITE, BYE), with a SIP or SIPS URI followed by the corresponding HEADERS.
• Optionally include a MESSAGE_BODY; its presence depends on the utilized SIP_METHOD.

In the section of additional rules it is noticed that:

• Any SIP message should not have the SIP_METHOD and the MESSAGE_HEADER equal to NULL.
• The length of the SIP method and message body cannot be greater than a specific threshold.

The anticipated identification method has two major advantages:

• Since all SIP messages are based on the aforementioned RFC, it will be easier to embody a light SIP IDS mechanism in a slightly modified SIP protocol stack.
• Alternatively, it is also feasible to include this signature-based identification scheme in an existing open source IDS system (e.g. SNORT, PRELUDE) without making any modifications to the SIP stack. In this case, the only real requirement is to supply the appropriate signatures, even though, as presented in Section 3.3, there are specific limitations when the proposed identification system is applied to those systems.

There are certain circumstances of "well-structured" malicious messages that cannot be identified through the aforementioned rule. For these cases, special signatures for each distinct SIP-method are required. For instance, according to the SIP standard syntax, SIP INVITE messages must include at least one of some specific headers such as Call-ID or Content-Type. Consider the case where an incoming SIP INVITE does not include any of these headers. Such a message must be characterized as malicious and must be discarded before it is handled by the parser. Otherwise, the parser will try (possibly indefinitely) to find and parse headers that do not exist. Fig. 7 describes the detection signature for a SIP INVITE message. It is stressed that the detection signature contains additional fields (MESSAGE HEADER) that are specific to the SIP INVITE message. Note that headers marked with a '*' character are both mandatory and unique fields. Consequently, if any of these headers is missing or appears more than once in the incoming SIP message, then this message must be considered as malicious. Further, the line starting with the string INVITE_METHOD covers the case where the header (INVITE) is represented in HEX form.

In the same way it is possible to specify appropriate signatures for each distinct SIP method. For example, in contrast to SIP INVITE, the SIP REGISTER message does not require a message body. Furthermore, in special cases such as in the SIP-SQL injection attack [13], it is not sufficient to check

    INVITE_METHOD SIP-URI | SIPS-URI MESSAGE HEADER+
    MESSAGE HEADER = Via | Max-Forwards | From* | To* | Call-Id* | CSeq* |
                     Contact* | User-agent | Authorization | Event |
                     Content-Length* | Content-type* | Record-Route
    INVITE_METHOD = "INVITE" | %x49.4E.56.49.54.45
    MESSAGE_BODY
    additional rules
    %Content-Length% > 0
    %Content-Length% == size_of(MESSAGE_BODY)
    (*) mandatory fields

Fig. 7. Detection signature for SIP INVITE messages.
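
The signatures of Figs. 6 and 7 can be applied as a check that runs before the parser. The Python code below is an added example, not code from the paper: the function names, the body-size threshold and the constructed sample messages are assumptions, and the handling of folded header lines and RFC 3261 compact header names goes beyond what Fig. 7 lists.

```python
import re

MAX_METHOD_LEN, MAX_BODY_LEN = 50, 8192   # Fig. 6: "e.g. 50 bytes"; body limit assumed
UNIQUE = ("from", "to", "call-id", "cseq", "contact",
          "content-length", "content-type")   # headers marked '*' in Fig. 7
COMPACT = {"f": "from", "t": "to", "i": "call-id", "m": "contact",
           "l": "content-length", "c": "content-type"}  # RFC 3261 short names
URI_RE = re.compile(r"sips?:\S+", re.IGNORECASE)

def split_message(raw: bytes):
    """Cheap pre-parse split: first line, [(header name, value)], body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:   # folded continuation line
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        name = name.strip().lower() if sep else ""   # "" marks a non-header line
        headers.append((COMPACT.get(name, name), value.strip()))
    return lines[0], headers, body

def check_general(raw: bytes):
    """General signature (Fig. 6): violations that apply to any SIP request."""
    first, headers, body = split_message(raw)
    parts = first.split(" ")
    bad_uri = len(parts) != 3 or not URI_RE.fullmatch(parts[1])
    bad_headers = not headers or any(name == "" for name, _ in headers)
    checks = [(not parts[0], "SIP_METHOD is NULL"),
              (len(parts[0]) > MAX_METHOD_LEN, "SIP_METHOD too long"),
              (bad_uri, "no SIP or SIPS Request-URI"),
              (bad_headers, "MESSAGE_HEADER is NULL or malformed"),
              (len(body) > MAX_BODY_LEN, "MESSAGE_BODY too long")]
    return [message for failed, message in checks if failed]

def check_invite(raw: bytes):
    """INVITE signature (Fig. 7), applied on top of the general signature."""
    first, headers, body = split_message(raw)
    found = check_general(raw)
    if first.split(" ")[0] != "INVITE":
        found.append("method is not INVITE")
    names = [name for name, _ in headers]
    found += [f"{h} appears {names.count(h)} times"
              for h in UNIQUE if names.count(h) != 1]
    length = dict(headers).get("content-length", "")
    if not length.isdigit() or int(length) == 0:
        found.append("Content-Length is not > 0")
    elif int(length) != len(body):
        found.append("Content-Length != size_of(MESSAGE_BODY)")
    return found

# Constructed sample; the example.com names and 192.0.2.x addresses are made up.
BODY = b"v=0\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n"
GOOD = ("INVITE sip:bob@example.com SIP/2.0\r\nFrom: <sip:alice@example.com>;tag=1\r\n"
        "To: <sip:bob@example.com>\r\nCall-ID: a84b4c76@192.0.2.10\r\nCSeq: 2 INVITE\r\n"
        "Contact: <sip:alice@192.0.2.10>\r\nContent-Type: application/sdp\r\n"
        "Content-Length: %d\r\n\r\n" % len(BODY)).encode() + BODY
NO_URI = GOOD.replace(b" sip:bob@example.com SIP", b" SIP", 1)  # Fig. 4 condition
```

`check_invite(GOOD)` returns an empty list, while `check_invite(NO_URI)` returns the Request-URI violation, so the message can be dropped before it reaches the parser.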