
© Verizon Copyright 2008. 1

April 20, 2023

Verizon Columbia Research on VoIP Security

A Model Academia/Industry Collaboration

Gaston Ormazabal

Verizon Laboratories


Agenda

• A successful collaboration

– Verizon and CATT Professor Schulzrinne - three year program

• Project Overview

– Background, Research Focus, and Goals

– DoS

• DoS Detection and Mitigation Strategy

• DoS Validation Methodology - DoS Automated Attack Tool

• Value to Verizon

– Intellectual Property/Technology Licensing

• Next Steps

• Conclusions


Verizon – CATT Program

• Collaboration between Verizon and Center of Advanced Technology Telecommunications

• Verizon

• PI: Gaston Ormazabal

• CATT

– Columbia University

• PI: Prof. Henning Schulzrinne

• Graduate Students

– Milind Nimesh

– New York University

• Polytechnic Institute


Background & Research Focus

• SIP is the VoIP protocol of choice for both wireline and wireless telephony

– Control protocol for the Internet Multimedia Systems (IMS) architecture

• VoIP services migrating to IP are fast becoming attractive DoS and ToS targets

– DoS attack traffic traversing network perimeter reduces availability of signaling and media for VoIP

– Theft of Service must be prevented to maintain service integrity

– Reduces ability to collect revenue; revenue and provider’s reputation are both at stake

• Attack targets

– SIP infrastructure elements (proxy, softswitch, SBC, CSCF-P/I/S)

– End-points (SIP phones)

– Supporting services (e.g., DNS, Directory, DHCP, HSS, DIAMETER, Authorization Servers)

• Verizon needs to solve security problem for VoIP services

– Protocol-aware application layer gateway for RTP

– SIP DoS/DDoS detection and prevention for SIP channel

– Theft of Service Architectural Integrity Verification Tool

• Need to verify performance & scalability at carrier class rates

– Security and Performance are a zero sum game

• Columbia likes to work on real-life problems & analyze large data sets

– Goal of improving generic architectures and testing methodologies

– Columbia has world-renowned expertise in SIP


Goals

• Study VoIP DoS and ToS for SIP

– Definition – define SIP specific threats

– Detection – how do we detect an attack?

– Mitigation – defense strategy and implementation

– Validation – verification of defense strategy

• Generate requirements for future security network elements and prototypes

– Share requirements with vendors

• Generate the test tools and strategies for their validation

– Share tools with vendors


Definition: VoIP Threat Taxonomy

[Figure: VoIP threat taxonomy*, with regions marked “Scope of our research - 2006” and “Scope of our research - 2007”]

*- VoIP Security and Privacy Threat Taxonomy, VoIP Security Alliance Report, October, 2005 (http://www.voipsa.org)


Denial of Service & Theft of Service

• Denial of Service – preventing users from effectively using the target services

– Service degradation to a “not usable” point

– Complete loss of service

• Distributed Denial of Service attacks represent the main threat facing network operators*

– Most attacks involve compromised hosts (bots)

• botnets sized from a few thousand to over a million

• 25% of all computers on the Internet may be part of botnets

• Theft of Service – any unlawful taking of an economic benefit of a service provider

– With intention to deprive of lawful revenue or property

*- Worldwide ISP Security Report, September 2005, Arbor Networks

*- Criminals 'may overwhelm the web', 25 January, 2007. BBC


SIP DoS Attack Taxonomy

• Denial of Service

– Implementation flaws

– Application level

– Flooding


Strategy Focus

• VULNERABILITY: Most security problems are due to:

– Flexible grammar --> syntax-based attacks

– Plain text --> interception and modification

– SIP over UDP --> ability to spoof SIP requests

• Registration/Call Hijacking

• Modification of Media sessions

• SIP ‘Method’ vulnerabilities

– Session teardown

– Request flooding

– Error Message flooding

• RTP flooding

• STRATEGY: Two DoS detection and mitigation filters and ToS tools

– SIP: Two types of rule-based detection and mitigation filters

– Media: SIP-aware dynamic pinhole filtering

[Slide labels: Application Level; Flooding]


DoS Mitigation Strategy

• SIP infrastructure element defense

– Implementation flaws are easier to deal with

• Systems can be tested before used in production

– Application level and flooding attacks are harder to defend against

• Require layer 7 deep packet inspection

• Require deep understanding and handling of SIP protocol

• Commercially available solutions for general UDP/SYN flooding but none for SIP

Address application level and flooding attacks specifically for SIP

Identify and address architectural weaknesses before they are exploited to commit ToS


DoS Mitigation Solution Overview

[Figure: DoS mitigation solution overview. Labels: Untrusted, Trusted, DPPM, sipd, SIP, RTP, Filter I, Filter II, VoIP Traffic, Attack Traffic]


Hardware Platform

[Figure: System Level Port Distribution. Labels: Application Server Module (ASM), Pentium 1GHz; two DPPMs, each Intel IXP 2800; Backplane; Gigabit Ethernet Interconnects; 10/100/1000 and 10/100 ports; port names E1, E2, F0, C3, C4, D0, D1, P0 and 0 to 4]


Integrated DDOS and Dynamic Pinhole Filters

[Figure: Integrated DDOS and dynamic pinhole filters. Labels: DPPM (Inbound, Outbound), Switch, Lookup, Drop, CAM, Dynamic Table, Static Table, SIP DDOS, DDOS Table, FCP/UDP, Linux server, SIP, ASM, sipd]


Integrated Testing and Analysis Environment

[Figure: Integrated testing and analysis environment. Labels: Controller (secureSIP), Attack Loaders (SIPStone/SIPp), Legitimate Loaders (SIPUA/SIPp), Call Handlers (SIPUA/SIPp), SIP Proxy, Firewall, two GigE Switches]


secureSIP Test Results for DoS

SIP DoS Measurements (showing max supported call rates)

Traffic Composition                         Firewall Filters OFF              Firewall Filters ON
                                            Good CPS  Attack CPS  CPU Load    Good CPS  Attack CPS  CPU Load
Non-Auth Traffic                            690       0           87.81       690       0           88.04
Auth Good Traffic                           240       0           19.83       240       0           39.64
                                            480       0           81.20       480       0           81.75
Auth Good Traffic + Spoof Traffic           240       2950        83.64       240       16800       41.39
                                            480       195         85.40       480       14400       82.72
Auth Good Traffic + Flood of Requests       240       3230        84.42       240       8400        40.83
                                            480       570         86.12       480       7200        82.58
Auth Good Traffic + Flood of Responses      240       2970        87.2        240       8400        41.33
                                            480       330         86.97       480       7200        82.58
Auth Good Traffic + Flood of Out-of-State   240       2805        86.24       240       8400        40.29
                                            480       290         84.81       480       7200        82.19

Dynamic Pinhole

Concurrent Calls  Call rate (CPS)  Delay due to Firewall
                                   Pinhole opening  Pinhole closing
20000             300              0.73             0
25000             300              0.75             0
30000             300              0.83             15.51
30000             200              0.80             0.02


The Bigger Picture - Columbia VoIP Testbed

• Columbia VoIP test bed is a collection of various open-source, commercial and home-grown SIP components

– provides a unique platform for validating research

• Columbia-Verizon Research partnership has addressed major security problems

– signalling, media and social threats

• Researched DoS solutions verified against powerful test setup at very high traffic rates

• ToS successfully validated integrity of different setups of test bed


Value to Verizon

• Enhanced VoIP security through standards and vendor involvement

– Worked with Verizon vendors to mitigate exposures

• Evangelize vendor community

• Rolled the requirements and lessons learned into the Verizon security architecture and new element requirements database for procurement

– Columbia requirements valid for VoIP, Presence and Multimedia architectures (IMS)

– Wireline and wireless

• Set up a laboratory in Verizon facilities for VoIP security evaluations

– Incorporate Columbia/Verizon collaborative test tools

• Intellectual Property with Six Patent Applications

• Licensing Agreement

– Taken research quickly to marketplace

– Four vendors interested

• One agreement almost finalized

• A major vendor interested


Next Steps

• New vulnerabilities require a new mitigation technology for VoIP products

– VoIP should not be deployed without protection

• SIP proxies are vulnerable to crash

• Attack tool is easy to build and use

• Carriers (e.g., Verizon) will need new network elements

– RFP will include these requirements

– Vendors must have a ready solution

• Conversion of research into a product that carriers can use

– Need to determine optimal architecture for DoS prevention functionality for VoIP

• Security vs. Performance

• Hardware vs. Software Implementation

– Proxy/Softswitch (SW)

– SBC or New network element (HW/SW), Router?

– Use internally (protect VZ Network)

– Use externally (sell new security services to large customers)

– Get other companies interested to synergize resources and share results


Next Steps

• Cisco has just joined the project, funding research at NYU Polytechnic Institute to develop hardware prototype

– Objective is to research the optimal hardware platform to implement Columbia-Verizon SIP algorithms

– Use Cisco experimental cards that will eventually become router blades

• Continue relationship with Columbia

– Cisco is funding maintenance of the Verizon testbeds

• For further research in distributed computing and traffic generation enhancements

• To assist NYU Poly in testing and validation of new prototype against previous benchmarks

• To assist in eventual product development during product testing cycle

– Feedback loop of research and product cycle

– Other research in related areas

• Proposal to study SRTP/RTSP

• What can we do to make the working relationship even more productive?

– Have the synergistic combination of both CATT components (NYU Polytech and Columbia) and two major industry players (Cisco and Verizon)

– A model worth emulating!


Conclusions

• Research Results

– Demonstrated SIP vulnerabilities for VoIP resulting in new DoS susceptibility for both wireline and wireless

• Work is fully reusable to secure a “Presence” and IMS infrastructure

– Implemented some “carrier-class” mitigation strategies

• Prototype is first of its kind in the world

• Removed SIP DoS traffic at carrier class rates

• Developed new generic requirements

– Built a validation testbed to measure performance

• Developed customized test tools

• Built a high powered SIP-specific DoS Attack tool using parallel computing

– Crashed a SIP Proxy in seconds

• Built a Theft of Service Architectural Integrity Validation Tool using parallel computing

• Intellectual Property

– Research activity resulted in six patent applications

• Commercialization

– Licensing agreements currently under negotiation

– Have socialized new requirements and test tools with vendor community to address rapid field deployment

• Major Vendors interested in new opportunities

• Rapid implementation is now expected

• Have created a partnership among both CATT university components and two major industry players


Thank You

Questions?

[email protected]

Paper published by Springer Verlag - “Principles, Systems and Applications of IP Telecommunications” in October 2008:

http://www.springerlink.com/content/r5t1652v3572/

Book available at:

http://www.amazon.com/Principles-Applications-Telecommunications-Services-Generation/dp/354089053X/ref=sr_1_1?ie=UTF8&s=books&qid=1226098298&sr=1-1


Backup Slides…


Intellectual Property – Six Patent Applications

• “Fine Granularity Scalability and Performance of SIP Aware Border Gateways: Methodology and Architecture for Measurements”

– Inventors: Henning Schulzrinne, Kundan Singh, Eilon Yardeni (Columbia), Gaston Ormazabal (Verizon)

• “Architectural Design of a High Performance SIP-aware Application Layer Gateway”

– Inventors: Henning Schulzrinne, Jonathan Lennox, Eilon Yardeni (Columbia), Gaston Ormazabal (Verizon)

• “Architectural Design of a High Performance SIP-aware DOS Detection and Mitigation System”

– Inventors: Henning Schulzrinne, Eilon Yardeni, Somdutt Patnaik (Columbia), Gaston Ormazabal (Verizon)

• “Architectural Design of a High Performance SIP-aware DOS Detection and Mitigation System - Rate Limiting Thresholds”

– Inventors: Henning Schulzrinne, Somdutt Patnaik (Columbia), Gaston Ormazabal (Verizon)

• “System and Method for Testing Network Firewall for Denial of Service (DoS) Detection and Prevention in Signaling Channel”

– Inventors: Henning Schulzrinne, Eilon Yardeni, Sarvesh Nagpal (Columbia), Gaston Ormazabal (Verizon)

• “Theft of Service Architectural Integrity Validation Tools for Session Initiation Protocol (SIP) Based Systems”

– Inventors: Henning Schulzrinne, Sarvesh Nagpal (Columbia), Gaston Ormazabal (Verizon)


External – Publications, Presentations, Recognition

• Importance of rapid dissemination of results in industry and academia

– For knowledge diffusion and ubiquity among research practitioners

– For PR reasons (licensing agreements and potential sales)

• Presentation at NANOG 38 – Oct. 10 2006 (HS/GO)

– Paper published in NANOG 38 2006 Proceedings - “Scalable Mechanisms for Protecting SIP-Based VoIP Systems”

– Made a headline in VON Magazine on October 11, 2006: http://www.vonmag.com/webexclusives/2006/10/10_NANOG_Talks_Securing_SIP.asp

• Presentation at Global 3G Evolution Forum – Tokyo, Japan, Jan. 2007 (GO)

• Presentation/demo at IPTComm 2007 – New York City, July, 2007 (GO)

• Presentation at OSS/BSS Summit – Tucson, AZ, September, 2007 (GO)

• Presentation at Columbia Science and Technology Ventures Symposium: “From Signal to Information Displayed in a Wireless World”, April 2008 (HS/GO)

• Presentation at IPTComm 2008 – Heidelberg, July, 2008 “Secure SIP: A scalable prevention mechanism for DoS attacks on SIP based VoIP systems” (GO)

• Presentation at IIT VoIP Conference and Expo IV – Chicago, October, 2008 (GO)

• Paper published by Springer Verlag - “Principles, Systems and Applications of IP Telecommunications” in October 2008: http://www.springerlink.com/content/r5t1652v3572/

• Work incorporated in a new Masters level course on VoIP Security taught at Columbia since Fall 2006, every year

– COMS 4995-1: Special Topics in Computer Science : VoIP Security (HS)

• CATT Technological Impact Award - 2007


SIP Security Overview

• Application Layer Security

– SIP RFC 2543 – little security

– SIP RFC 3261 – security enhancements

• Digest Authentication

• TLS

• IPSec

– SRTP/ZRTP (RFC 3711)

• Perimeter Protection

– SIP aware Filtering Mechanisms

– SIP aware DOS Protection

• Detection and Mitigation


SIP Security Overview - ????

• Application layer security

• Digest Authentication, TLS, S/MIME, IPSec, certificates

• SRTP/ZRTP for media

• Convergence leads to converged attacks

– Data network attacks

• DDoS, spoofing, content alteration, platform attacks

– Voice over IP network attacks

• Toll fraud, session hijacking, theft of service, spam/spit

• Most security problems are due to

– User Datagram Protocol (UDP) instead of TCP/TLS

– Plain text instead of S/MIME

– Message/Method vulnerability

– Flexible grammar --> syntax-based attacks


SIP Detection and Mitigation Filters

• Authentication Based - Return Routability Check

– Require SIP built-in digest authentication mechanism

• Null-authentication (no shared secret)

– Filter out spoofed sources

• Method Specific Based – Rate Limiting

– Transaction based

• Thresholding of message rates

– INVITE

– Errors

• State Machine sequencing

– Filter “out-of-state” messages

– Allow “in-state” messages

– Dialog based

• Only useful in BYE and CANCEL messages

• Dynamic Pinhole Filtering for RTP

• Only signaled RTP media channels can traverse perimeter

– Obtain from SDP interception

• End systems are protected against flooding of random RTP
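
The method-specific and pinhole filters listed above, sketched as an added example (not code from the talk or from the Verizon/Columbia prototype): per-source INVITE thresholding, dropping of responses and ACK/BYE/CANCEL that match no known transaction or call, and RTP admitted only to addresses learned from intercepted SDP. PerimeterFilter, INVITE_LIMIT, the verdict strings and the sample messages are assumptions made here; the return-routability check, error-rate thresholds, traffic direction and retransmissions are not modelled.

```python
import re
from collections import defaultdict

INVITE_LIMIT = 2  # assumed threshold: INVITEs per source per second
SDP = re.compile(r"^c=IN IP4 (\S+).*?^m=audio (\d+)", re.M | re.S)

def media(body):  # {(ip, port)} announced in an SDP body, else empty set
    m = SDP.search(body)
    return {(m.group(1), int(m.group(2)))} if m else set()

class PerimeterFilter:
    def __init__(self):
        self.invites = defaultdict(list)  # source -> recent INVITE times
        self.pending = set()              # (Call-ID, CSeq) awaiting a reply
        self.calls = {}                   # Call-ID -> open RTP pinholes

    def on_sip(self, src, msg, now):
        head, _, body = msg.partition("\r\n\r\n")
        start, *rest = head.split("\r\n")
        hdr = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in rest)}
        call, cseq = hdr.get("call-id"), hdr.get("cseq")
        if not (call and cseq):
            return "drop:malformed"
        if start.startswith("SIP/2.0 "):           # a response
            if (call, cseq) not in self.pending:
                return "drop:out-of-state"         # answers no request we saw
            if start[8:9] != "1":                  # final response ends it
                self.pending.discard((call, cseq))
            if start[8:9] == "2" and cseq.endswith("INVITE") and call in self.calls:
                self.calls[call] |= media(body)    # callee's media address
            return "pass"
        method = start.split(" ", 1)[0]
        if method == "INVITE":
            seen = self.invites[src] = [t for t in self.invites[src] if now - t < 1.0]
            if len(seen) >= INVITE_LIMIT:
                return "drop:rate"                 # over the threshold
            seen.append(now)
            self.calls[call] = self.calls.get(call, set()) | media(body)
        elif method in ("ACK", "BYE", "CANCEL") and call not in self.calls:
            return "drop:out-of-state"             # refers to no known call
        elif method == "BYE":
            del self.calls[call]                   # closes the call's pinholes
        if method != "ACK":                        # ACK gets no response
            self.pending.add((call, cseq))
        return "pass"

    def on_rtp(self, dst_ip, dst_port):
        return any((dst_ip, dst_port) in pins for pins in self.calls.values())

def sip(start, call, cseq, sdp=""):  # builds constructed sample messages
    return f"{start}\r\nCall-ID: {call}\r\nCSeq: {cseq}\r\n\r\n{sdp}"

def demo():
    f, inv = PerimeterFilter(), "INVITE sip:bob@example.com SIP/2.0"
    sdp = "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 49170 RTP/AVP 0\r\n"
    return [
        f.on_sip("a", sip("SIP/2.0 200 OK", "x9", "1 INVITE"), 0.0),  # unsolicited
        f.on_sip("a", sip(inv, "c1", "1 INVITE", sdp), 0.1),
        f.on_rtp("192.0.2.10", 49170),                   # pinhole now open
        f.on_sip("a", sip(inv, "c2", "1 INVITE"), 0.2),
        f.on_sip("a", sip(inv, "c3", "1 INVITE"), 0.3),  # third INVITE in 1 s
        f.on_sip("a", sip("BYE sip:bob@example.com SIP/2.0", "c1", "2 BYE"), 0.4),
        f.on_rtp("192.0.2.10", 49170),                   # closed with the call
    ]
```
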


Test Tools

• SIPp, SIPStone, and SIPUA are benchmarking tools for SIP proxy and redirect servers

– Establish calls using SIP in Loader/Handler mode

– A controller software module (secureSIP) wrapped over SIPp/SIPUA/SIPStone launches legitimate and illegitimate calls at a pre-configured workload

• SIPp

– Robust open-source test tool / traffic generator for SIP

– Customizable XML scenarios for traffic generation

– 5 inbuilt timers to provide accurate statistics

– Customized to launch attack (SIP DoS) traffic designed to cause proxy to fail

• SIPStone continuously launches spoofed calls which the proxy is expected to filter

– For this project enhanced with:

• Null Digest Authentication

• Optional spoofed source IP address SIP requests

• SIPUA Test Suite

– Has built-in Digest Authentication functionality

– Sends 160 byte RTP packets every 20ms

• Settable to shorter interval (10ms) if needed for granularity

– Starts RTP sequence numbers from zero

– Dumps call number, sequence number, current timestamp and port numbers to a file


Theft of Service Overview

• VoIP is different

– Not a static but a real-time application

– Direct comparisons with PSTN

• According to Subex Azure 3% of total revenue is subject to “fraud”*

• VoIP can be expected to be at least twice as large a proportion of revenue

– Theft of Service is a more daunting problem in VoIP

• Implications of ToS

– Lost revenue and bad reputation

– Abused resources cause monetary losses to network providers

– Unauthorized usage degrades whole system’s performance

• Scenarios

– Using services without paying

– Illegal Resource Sharing (unlimited-plans)

– Compromised Systems

– Call Spoofing and Vishing

*Billing World and OSS Magazine: “Top Telco Frauds and How to Stop Them”, January 2007, by Geoff Ibett


Theft of Service Goals

• Verification of security implementation

– Automate validation process

• Creating new tools and scripts

• Modify existing tools to create a package

• Architectural Integrity Verification Tool

– Identity Assurance

– Multiple End Points

– Intrusion Detection

• Black-box type abstraction


Theft of Service Challenges

• Client-side threats

– Illegal resource sharing

– Compromised hardware

– Weak password

• Server-side threats

– Identity assurance

• Unauthorized registration, unauthenticated INVITE

• Digest authentication (nonce usage, password guessing)

• Transport protocol choice (TCP/UDP)

• TLS crypto strength

– Spoofing to gain privileged access

– DoS/DDoS attacks

• Implementation flaws

• Flooding billing system

– DoS amplification prevention on Billing systems

• Application level flaws

– Counter Method-based vulnerabilities

– BYE attack validation


Theft of Service Challenges

• Service threats

– Distinguish between audio call, single media stream or multiple destination signaling

• Multimedia services, messages, etc.

– Launching multiple simultaneous accounts

• Multiple end-points

– Authorization Safeguards

• 800 numbers, emergency number

• Voicemail messages checking portability ensured

• Intrusion detection

• Existing call logs help find patterns and detect anomaly


Discussion… A “successful” collaboration


A Successful Collaboration

• Want a realistic perspective on what makes projects succeed and what is unlikely to work

– Project is not in critical path of current deployments but is very relevant

– Industry must see value or need to pursue IP

• Rapid commercialization/productization for in-house use

• Agreement on fair distribution of rights/obligations

• Typical arrangement: GRA + professor

– Frequently needs to supervise multiple projects at the same time

– Companies often seem to have the illusion that they get the faculty's full attention...

• Require full attention of industry SME

– Student mentoring/coaching

• Industry perspective

• Writing/Presentation skills

• Clear understanding of deliverables

– Standards

– Reports

– Systems/Prototypes

• Timelines

– Start time and academic calendar - MS GRA vs. PhD