Verteiltes Monitoring von SIP-basierten Angriffen (Distributed Monitoring of SIP-based Attacks)


Transcript of Verteiltes Monitoring von SIP-basierten Angriffen

  • 22.10.2013

    1© Technik der Rechnernetze

    Verteiltes Monitoring von SIP-basierten Angriffen

    59. DFN-Betriebstagung, Berlin, 15.10.2013

    Prof. Dr.-Ing. Erwin P. Rathgeb, Dirk Hoffstadt, M.Sc., Adnan Aziz, M.Sc.
    Networking Technology Group
    Institute for Experimental Mathematics & Institute for Computer Science & Business Information Systems
    University of Duisburg-Essen

    Overview

    • Introduction
      – SIP fraud and misuse scenarios
      – Multi-stage Toll Fraud scheme
    • SIP misuse detection for forensic analysis
      – Tools: SIP Trace Recorder and SIP Honeypots
      – Clustering: from packets to attacks
      – Typical multi-stage attack example
    • Distributed real-time SIP misuse detection
      – Distributed Sensor System overview
      – Deployment options
        • Hardware
        • Software
        • Virtual sensors

    Page 2 Verteiltes Monitoring von SIP-basierten Angriffen (59. DFN-Betriebstagung, 15.10.2013)


    Voice over IP – Threats and misuse scenarios

    Threat                              | Description                                                      | Goal
    ------------------------------------|------------------------------------------------------------------|-------------------------------------------------------------------------------
    Flooding                            | Flood the device with VoIP protocol packets like INVITE, OPTIONS | Denial of Service (brute force)
    Fuzzing                             | Send malformed messages to the system (e.g. PROTOS)              | Denial of Service (exploit software vulnerabilities)
    SPIT                                | Unwanted calls, often initiated automatically                    | Trick users into spending money or revealing secret information (Phishing)
    Registration Hijacking / Toll Fraud | Compromise user account, make (toll) calls                       | Save money on toll calls; earn money from toll calls; make calls anonymously

    • Denial of Service: generic threat, mitigation approaches known in principle (overload control, rigorous programming)
    • SPIT: adaptation of generic threat, mitigation based on signalling (SPIT Filter) or media (voice recognition and analysis)
    • Registration Hijacking/Toll Fraud: novel, specific threat, high damage potential (financial, legal)

    State of SIP misuse – Attacks monitored by PBX vendor

    (Figure: attack statistics monitored by a PBX vendor, data from 01/2011)


    Benefit/cost for VoIP attacks – Attacker module for lab tests

    • Registration Hijacking: SIPvicious ToolBox
      – svmap: scan for SIP registrars
      – svwar: scan for active extensions
      – svcrack: password scan
    • Denial of Service: SIP-INVITE Flooder
      – Perform DoS attack with SIP INVITEs
    • SPIT Generator: Asterisk SW-PBX with call files
      – Generate SPIT calls with freely configurable announcement
      – Call file extension for Phishing: record answers

    Common SIP misuse scenario – Multi-stage scheme for Toll Fraud

    • Toll Fraud is particularly attractive
      – Immediate financial benefit
      – Caller anonymization
      – Predominant misuse scheme at the moment
    • Basic scheme
      – Stage 1: Find SIP server (Server Scan)
      – Stage 2: Find active extensions (Extension Scan)
      – Stage 3: Crack password (Registration Hijacking)
      – Stage 4: Make calls using victim's account (Toll Fraud)


    Common SIP misuse scenario – Stage 1: Server Scan

    (Figure: attacker anywhere on the Internet sends OPTIONS to a company SIP server, which answers 200 OK)

    • Attacker sends SIP OPTIONS messages to detect active SIP servers in a network
    • SIP packets from one source IP address directed to multiple targets
    • Scan behaviour: 1 to 96 OPTIONS messages per server
    • Variations by using other SIP messages (e.g. INVITE)
    • Result: List of active SIP servers

    Common SIP misuse scenario – Stage 2: Extension Scan

    (Figure: attacker sends REGISTER messages for extensions 100, 250, 251, 252 to the company SIP server; responses: Unauthorized, Not found)

    • Attacker sends multiple SIP REGISTER messages to detect active user accounts / extensions
    • SIP packets from one source IP address directed to one target host (SIP server)
    • Different extensions / account names
    • Scan behaviour: 1 to 40,000 REGISTER messages per server
    • Result: List of active extensions/user accounts


    Common SIP misuse scenario – Stage 3: Registration Hijacking

    (Figure: attacker sends REGISTER for extension 250 with password 1234 (Forbidden), then with password 2244 (200 OK))

    • Attacker sends multiple SIP REGISTER messages to guess the password
    • Successful attack: Server sends a "200 OK" message
    • SIP packets from one source IP address directed to one target host and one extension
    • Scan behaviour: up to 13 million messages per extension
    • Result: Valid credentials for active extension

    Common SIP misuse scenario – Stage 4: Toll Fraud

    (Figure: attacker registers at 250@company.de with password 2244 and places chargeable calls: abroad, 0900, mobile)

    • Attacker registers at a previously cracked extension
    • Attacker sends INVITE messages to establish Toll Fraud calls
    • Chargeable calls to abroad or premium numbers
    • Toll Fraud can cause the account owner substantial financial damage
    • Result: Calls via victim's account


    SIP misuse detection tools – SIP Trace Recorder

    (Figure: Internet → target network; the STR is attached to a monitoring port, observes the target subnet and writes to a DB)

    • SIP Trace Recorder (STR)
      – Passive SIP monitoring and logging
      – Stateful correlation, e.g.
        • CDR generation
        • Detection of successful attacks
      – Optional privacy preservation
      – Deployment in production networks
      – Focus: Statistical attack analysis

    SIP misuse detection tools – SIP Trace Recorder and SIP Honeypots

    (Figure: target network with no active VoIP components; STR on a monitoring port, a VoIP server, several Full Interaction Honeypots and Low Interaction Honeypots; all attack data flows into Evaluation and Presentation)

    • SIP Trace Recorder (STR)
      – Passive SIP monitoring and logging
      – Stateful correlation, e.g. CDR generation, detection of successful attacks
      – Optional privacy preservation
      – Deployment in production networks
      – Focus: Statistical attack analysis
    • Full Interaction SIP Honeypot
      – Extended SIP Server with logging function
      – Full SIP functionality
        • Call handling
        • Media handling
      – Focus: Detailed forensic analysis
    • NEW: Low Interaction SIP Honeypot
      – Script based
        • Low resource utilization
        • High flexibility
      – Limited SIP functionality
      – Focus: Dynamic experiments
    • Evaluation and Presentation
      – Consolidation of all attack data
        • Automated data collection
      – Flexible analysis capabilities
        • Various views on data
        • Attack clustering
      – Web-based GUI


    SIP misuse detection results – Honeypot vs SIP Trace Recorder

    (Figure: number of SIP messages per month from Dec 2009 to Jan 2012, log scale 1 to 10,000,000; curves for Honeypot monitoring and STR monitoring; the "New Honeypot" peak is marked)

    • From 2009 until November 2010
      – Operated and monitored only the SIP Honeypots without global monitoring
    • From December 2010 until now
      – STR was installed to monitor complete subnets
        • Substantial increase in the number of captured SIP messages
        • Detection accuracy for multi-stage attacks significantly improved
    • On May 17th, a new Honeypot was set up, resulting in a massive peak

    SIP Trace Recorder Results – Network without active SIP components

    (Figure: amount of SIP messages, log scale 1 to 10,000,000, Network A vs Network B)

    • All traffic in the network is generated by Server Scans used to detect SIP-capable devices
      – Attackers continuously search for SIP devices throughout the Internet


    SIP Trace Recorder Results – Network with active SIP components

    (Figure: amount of SIP messages, log scale 1 to 10,000,000, Network A vs Network B)

    • The fraction of Server Scan packets in a network with SIP server is rather low and can be traced back to occasional scans
    • Majority of messages in network A belongs to Registration Hijacking attacks
      – Attackers directly attack the SIP devices in network A and do not scan the network repeatedly to get the addresses

    SIP Trace Recorder – Evaluation & Presentation web interface

    (Screenshot: filter options, geolocation analysis, SIP messages per day, user agent analysis)


    SIP misuse detection – Clustering: From packets to attacks

    • From counting packets to analysing attacks
      – Alternative view on the collected data
      – Identify and analyse attack variants
    • Clustering criteria
      – Server Scans: different IP addresses, extension 100, SIP method: OPTIONS
      – Extension Scans: same IP address, different extensions, SIP method: REGISTER
      – Registration Hijacking: same IP address, same extension, different credentials, SIP method: REGISTER
      – Toll Fraud: same IP address, known Honeypot extension, SIP method: INVITE

    Month     Server Scan (OPTIONS)   Extension Scan (REGISTER)   Reg. Hijacking (REGISTER)   Toll Fraud (INVITE)
              attacks   messages      attacks   messages          attacks   messages           attacks   messages
    2011-01   187       98,483        0         0                 1         136,081            1         221
    2011-02   274       96,648        9         16,379            6         45,954             1         116
    2011-03   241       103,666       127       92,740            25        125,151            3         64
    2011-04   344       167,604       6         89                5         158                1         176
    2011-05   238       79,243        10        35,280            7         9,603,316          1         1,032
    2011-06   171       50,623        9         14,541            8         13,963,419         1         10
    2011-07   70        71,078        6         27,482            40        10,483,106         8         684
    2011-08   56        72,889        1         12,890            20        772,207            1         542
    2011-09   35        93,441        10        108,247           148       3,243,164          13        10,506
    2011-10   56        70,773        2         16,487            7         228,572            12        19,571
    2011-11   55        85,012        42        196,356           146       2,259,409          31        9,195
    2011-12   45        118,823       9         70,223            43        588,468            21        6,613
    2012-01   32        102,204       36        301,491           33        3,037,620          15        358
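    The clustering criteria of this slide, and the four attack stages of the multi-stage scheme described earlier, applied in code. This is an added example written for this transcript, not the STR's or the honeypot system's own implementation: the message field layout, the honeypot extension 250 and the capture are constructed sample data. The criteria are applied as the slide lists them (Server Scan: one source, several targets, OPTIONS; Extension Scan: one source, one server, several extensions, REGISTER; Registration Hijacking: one source, one server, one extension, several credentials, REGISTER; Toll Fraud: INVITE from a known honeypot extension), and the two summaries that later slides derive from such clusters are reproduced: attacks and messages per stage, and the User-Agent share per stage.

```python
"""Cluster captured SIP messages into attack instances and stages.

Added example for this transcript (not STR / honeypot code). Message layout,
honeypot extension and the capture below are constructed sample data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Extensions that exist only on the honeypot: INVITEs from them are Toll Fraud.
HONEYPOT_EXTENSIONS = {"250"}   # assumption: constructed sample value


@dataclass(frozen=True)
class SipMsg:
    ts: float        # capture time in seconds
    src: str         # source IP address
    dst: str         # destination IP address
    method: str      # OPTIONS / REGISTER / INVITE
    ext: str         # user part of the To URI (extension)
    cred: str = ""   # digest response in REGISTER, "" if none
    ua: str = ""     # User-Agent header


def cluster(msgs):
    """Group messages by (source IP, SIP method) and label each group by stage."""
    groups = defaultdict(list)
    for m in msgs:
        groups[(m.src, m.method)].append(m)
    attacks = []
    for (src, method), group in groups.items():
        if method == "OPTIONS":
            # Server Scan: one source probing several targets
            if len({m.dst for m in group}) > 1:
                attacks.append({"stage": "Server Scan", "src": src, "msgs": group})
        elif method == "REGISTER":
            # Extension Scan and Registration Hijacking both go to one server,
            # so split per target host, then per extension.
            by_dst = defaultdict(list)
            for m in group:
                by_dst[m.dst].append(m)
            for sub in by_dst.values():
                per_ext = defaultdict(list)
                for m in sub:
                    per_ext[m.ext].append(m)
                scanned, cracked = [], []
                for ms in per_ext.values():
                    # several credentials for one extension = password guessing
                    (cracked if len({m.cred for m in ms}) > 1 else scanned).extend(ms)
                if len({m.ext for m in scanned}) > 1:
                    attacks.append({"stage": "Extension Scan", "src": src, "msgs": scanned})
                if cracked:
                    attacks.append({"stage": "Registration Hijacking", "src": src, "msgs": cracked})
        elif method == "INVITE":
            fraud = [m for m in group if m.ext in HONEYPOT_EXTENSIONS]
            if fraud:
                attacks.append({"stage": "Toll Fraud", "src": src, "msgs": fraud})
    return attacks


def summarize(attacks):
    """Per stage: (number of attack instances, number of messages), like the monthly table."""
    out = defaultdict(lambda: [0, 0])
    for a in attacks:
        out[a["stage"]][0] += 1
        out[a["stage"]][1] += len(a["msgs"])
    return {stage: tuple(v) for stage, v in out.items()}


def tools_per_stage(attacks):
    """User-Agent share per stage by message count, like the attack tools slide."""
    counts = defaultdict(Counter)
    for a in attacks:
        counts[a["stage"]].update(m.ua for m in a["msgs"])
    return {stage: {ua: n / sum(c.values()) for ua, n in c.items()}
            for stage, c in counts.items()}


def _build_sample():
    """Constructed capture: one SIPvicious-style multi-stage attack plus a benign keep-alive."""
    msgs = []
    for i in range(1, 5):                       # stage 1: OPTIONS to four hosts
        msgs.append(SipMsg(float(i), "198.51.100.7", f"192.0.2.{i}", "OPTIONS", "100", ua="friendly-scanner"))
    for ext in range(251, 255):                 # stage 2: REGISTER for extensions 251..254
        msgs.append(SipMsg(10.0 + ext, "198.51.100.7", "192.0.2.2", "REGISTER", str(ext), ua="friendly-scanner"))
    for i in range(6):                          # stage 3: six REGISTERs for 250, different credentials
        msgs.append(SipMsg(300.0 + i, "198.51.100.7", "192.0.2.2", "REGISTER", "250", cred=f"resp-{i}", ua="friendly-scanner"))
    for i in range(2):                          # stage 4: INVITEs via the cracked extension, other IP, days later
        msgs.append(SipMsg(200000.0 + 60 * i, "203.0.113.5", "192.0.2.2", "INVITE", "250", ua="X-Lite"))
    msgs.append(SipMsg(5.0, "192.0.2.50", "192.0.2.2", "OPTIONS", "100", ua="Asterisk PBX"))  # single OPTIONS: not a scan
    return msgs


SAMPLE = _build_sample()

if __name__ == "__main__":
    found = cluster(SAMPLE)
    for a in found:
        print(f"{a['stage']:<24} {a['src']:<15} {len(a['msgs'])} messages")
    print(summarize(found))
```

    Note that the per-extension split is what separates stage 2 from stage 3 when both come from the same source IP: an extension probed once per credential is scan traffic, an extension hit with many different credentials is password guessing. Real captures interleave the stages with timing gaps, which the slide on improved stage correlation uses as an additional signal.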

    SIP misuse detection results – Attack stage patterns

    (Figure: cumulative distribution function of attacks over the number of SIP messages per attack, log scale 1 to 10,000,000, 0% to 100%; one curve each for Server Scan, Extension Scan, Registration Hijacking and Toll Fraud)


    SIP misuse detection results – Attack tools used

    User Agent          Server Scan   Ext Scan   RegHij.    Toll Fraud
    friendly-scanner    40.9331%      99.9950%   99.9999%   -
    sundayddr           58.3421%      -          -          -
    Asterisk PBX        -             -          -          7.5429%
    SIPPER for Phoner   -             -          -          26.4444%
    Eyebeam/X-Lite      -             -          -          14.5568%
    Known Softphones    -             -          -          21.9452%
    Others              0.7248%       0.0050%    0.0001%    29.5107%

    • Analysis based on packet count only shows that 98% are generated by SIPvicious and related implementations
    • Cluster based analysis
      – sundayddr is strictly a server scanning tool
      – SIPvicious is the only tool currently used for multi-stage attacks
      – Toll Fraud attempts are performed using popular SIP softphones (e.g., Eyebeam, X-Lite, Sipper) or the open source PBX Asterisk
      – Automated calls by using scripts without human interaction

    SIP misuse detection results – Improved attack stage correlation

    (Figure: timeline of one attack observed at a Dynamic Low Interaction Honeypot: Server Scan 2012-09-18 03:15:59, Extension Scan 2012-09-18 03:17:04, Registration Hijacking 2012-09-18 03:20:56, Toll Fraud Attempt 1 2012-09-20 07:22:45, Toll Fraud Attempt 7 2012-09-23 10:21:46; intervals of 5 minutes, 28 hours and 3 days; 2,751, 1,420 and 504,069 messages; 130 and 162 calls; source IPs XXX.134.235.220, XXX.98.11.143 and XXX.157.28.97; attack successful)

    • Typical example attack
      – a total of 508,643 SIP messages
    • Toll Fraud calls
      – are launched after a significant period of time
      – originate from different IP addresses

    Paper: Improved Detection and Correlation of Multi-Stage VoIP Attack Patterns by using a Dynamic Honeynet System, IEEE ICC 2013, June 2013


    SIP misuse detection results – Identification of attack variations

    • Input data collected by the STR and the SIP Honeypot System
      – More than 90 million SIP messages
      – Collected between 12/2009 and 12/2012
    • Method
      – Message clustering
        • Map packets to attack instances and attack stages
      – Comparison of instances of the same attack stages
        • Based on IP and SIP header information
        • Based on number of messages and timing
    • Results
      – Classification of major attack variants
        • Server Scan: 7, Extension Scan: 2, Registration Hijacking: 2, Toll Fraud: 3
        • Significant number of minor variations identified
      – Attackers start to modify code of attack tools
        • Camouflage attacks, more softphone-like behaviour

    Generic Attack Replay Tool (GART) – Set of attack samples with broad coverage

    • Replaying real attack samples in arbitrary networks
      – Can be used to test and calibrate detection and mitigation algorithms and components
    • Comprehensive set of attack variants
      – Based on overall STR database
        • Currently total of 5684 attack samples
      – Extraction of one typical sample per attack variant for reduced database
        • Provides broad coverage
      – Set of sample attacks configurable
    • Built using
      – Java
        • Platform independent
      – SQLite database
        • Fast
        • Lightweight

    (Figure: STR Database (> 40 GB data) → SQLite Database holding the Stage 1 to Stage 4 variations)


    Generic Attack Replay Tool (GART) – Set of attack samples with broad coverage

    • Mapping of relevant header values according to local network
      – To send attack traffic to local SIP server
      – To receive responses at the sender
    • Attack data characteristics are preserved
      – Time stamps
      – Sequence of packets
    • Minimum configuration efforts
    • Functional test was successful

    Paper: Development and Analysis of Generic VoIP Attack Sequences Based on Analysis of Real Attack Traffic, IEEE TrustCom, July 2013

    BMBF Project SUNsHINE

    • Fraud and misuse detection and mitigation for VoIP networks
    • 4 partners
    • 4 associated partners
    • 2 year project, ends April 2013 (plus 3 months extension)
    • Homepage http://www.sunshineproject.net/


    SUNsHINE Architecture

    (Figure: SUNsHINE architecture)

    Real-time SIP misuse detection – Security Sensor System

    (Figure: attacker on the Internet; sensors in different environments (Firewall Sensor, standalone Sensor, Sensor with Low Interaction Honeypot plugin) report to the Sensor Central Service (SCS); 0900 callee as the target of fraudulent calls)

    • Misuse Detection Sensor
      – Passive behaviour
      – Different environments
        • PBX, Router, Home Gateways
      – Detection by using attack signatures
        • Dynamically loadable
      – Standalone
        • Low Interaction Honeypot plugin
    • Sensor Central Service (SCS)
      – Aggregation of sensor alerts
        • Based on SCS rules
      – Management
        • Sensors
        • Attack signature management
      – Interface to mitigation components


    Realtime Misuse Detection & Mitigation – Security Sensor System Mitigation Interface

    (Figure: same sensor deployment as on the previous slide; a sensor sends an Alert to the SCS while the attacker calls the 0900 callee)

    Realtime Misuse Detection & Mitigation – Security Sensor System Mitigation Interface (2)

    (Figure: as above; the SCS forwards the Alert to the eRBL)


    Monitoring Sensor – Overview

    • Rule-based attack detection and reporting of misuse in SIP-based networks
    • Light-weight software component for different hardware and software platforms
      – Implemented in C++ using libpcap [1], Java version also available
    • Input Data (Network interface, PCAP file, Socket)
    • SIP traffic analysis
      – The Sensor receives all traffic that is sent to any of the Honeypots
    • Process of misuse detection and reporting is separated into three phases
      – Capturing and filtering of SIP messages
      – Analysis of SIP messages
        • Recognize sequences of SIP messages that are characterized by pre-defined rules
      – Report information (e.g., source IP, signature ID) about detected attacks to the Sensor Central Service via a secure interface

    (Figure: Listener → Message Queue → Analyzer (with Rules) → Notification)

    Monitoring Sensor – Rules (XML)

    • Different attack types and variations are defined as XML sensor rules
      – E.g. Registration Hijacking
    • Each rule defines a specific pattern of SIP messages and timing conditions
    • Sensor analysis based on signatures
      – Timing conditions
      – IPv4 information
        • Source IP, Destination IP and Ports
      – SIP Request / SIP Response
      – SIP Header fields
        • E.g., From, To, Via, Contact, Call-ID, CSeq
      – Comparison of different header values (equal, not equal) within received SIP messages
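    A small rule engine in the spirit of these XML sensor rules. This is an added example, not the SUNsHINE sensor's code: the rule schema (the message, compare and timing elements) is an assumption made for the example, and the REGISTER messages are constructed and arrive already parsed (capturing and parsing are left out). The demo rule fires when at least five REGISTER requests from one source IP to one destination arrive within ten seconds with equal To headers and pairwise different Call-IDs; that separates password guessing on one extension from an extension scan (To differs every message) and from a phone's periodic re-registration (too few messages, same Call-ID).

```python
"""Sequence matching with an XML sensor rule, in the spirit of these slides.

Added example, not the SUNsHINE sensor's code. The rule schema (<message>,
<compare>, <timing>) is an assumption for this example; messages are
constructed. Messages arrive as parsed dicts; capturing/parsing is left out.
"""
import xml.etree.ElementTree as ET

RULE_XML = """<rule id="REG_HIJACK_DEMO" name="Registration Hijacking (demo)">
  <message type="request" method="REGISTER"/>
  <compare header="To" relation="equal"/>
  <compare header="Call-ID" relation="not_equal"/>
  <timing window="10" min_count="5"/>
</rule>"""


def parse_rule(xml_text):
    """Read one rule: message filter, header comparisons and timing condition."""
    root = ET.fromstring(xml_text)
    msg = root.find("message")
    timing = root.find("timing")
    return {
        "id": root.get("id"),
        "type": msg.get("type"),                 # "request" or "response"
        "method": msg.get("method"),             # for requests
        "code": msg.get("code"),                 # for responses
        "compare": [(c.get("header"), c.get("relation")) for c in root.findall("compare")],
        "window": float(timing.get("window")),   # seconds
        "min_count": int(timing.get("min_count")),
    }


def _message_matches(rule, m):
    if m["type"] != rule["type"]:
        return False
    if rule["type"] == "request":
        return m["method"] == rule["method"]
    return m["code"] == rule["code"]


def _headers_ok(rule, seq):
    """Apply the equal / not_equal comparisons across the whole sequence."""
    for header, relation in rule["compare"]:
        values = [m["headers"].get(header) for m in seq]
        if relation == "equal" and len(set(values)) != 1:
            return False
        if relation == "not_equal" and len(set(values)) != len(values):
            return False
    return True


def detect(rule, msgs):
    """Return one report (src, dst, signature ID, timestamp) per matching burst."""
    reports = []
    windows = {}   # (src IP, dst IP) -> matching messages inside the timing window
    for m in sorted(msgs, key=lambda x: x["ts"]):
        if not _message_matches(rule, m):
            continue
        win = windows.setdefault((m["src"], m["dst"]), [])
        win.append(m)
        while win and m["ts"] - win[0]["ts"] > rule["window"]:
            win.pop(0)                       # expire messages older than the window
        if len(win) >= rule["min_count"] and _headers_ok(rule, win):
            reports.append({"src": m["src"], "dst": m["dst"], "sig": rule["id"], "ts": m["ts"]})
            win.clear()                      # report once per burst, then start over
    return reports


def _register(ts, src, dst, to_user, call_id):
    """Constructed parsed REGISTER request."""
    return {"ts": ts, "type": "request", "method": "REGISTER", "code": None,
            "src": src, "dst": dst,
            "headers": {"To": f"<sip:{to_user}@{dst}>", "Call-ID": call_id}}


SAMPLE = (
    # password guessing on extension 250: same To, new Call-ID per attempt
    [_register(float(i), "198.51.100.7", "192.0.2.2", "250", f"crack-{i}") for i in range(6)]
    # extension scan: To changes every message, so the "equal" comparison fails
    + [_register(float(i), "198.51.100.9", "192.0.2.2", str(251 + i), f"scan-{i}") for i in range(5)]
    # legitimate phone refreshing its registration: too few messages, same Call-ID
    + [_register(3.0 * i, "192.0.2.60", "192.0.2.2", "300", "phone-1") for i in range(3)]
)

if __name__ == "__main__":
    for r in detect(parse_rule(RULE_XML), SAMPLE):
        print(r)
```

    The report dict carries the fields the Distributed Sensor System slide lists for sensor reports (source IP, destination IP, signature ID, timestamp); a response-based rule (type="response", code="403") would match the server's answers instead of the requests with the same engine.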


    Sensor Central Service – Architecture / Mode of Operation

    (Figure: Sensor → SCS Sensor Interface (SSI) → SCS. Worker Process (WP): incoming reports, stores reports in the Database. Sensor Controller Process (SCP): sensor management (configuration, rules, status, etc.). SCS Notification Process (NP): analyses results against the SCS rules, stores notifications, triggers actions → SCS Notification Interface (SNI) → mitigation components (eRBL-Service))

    Monitoring Sensor – Deployment options

    • Software installation in network devices
      – PBXs, FritzBox, router, …
    • VMware Virtual Machine
      – Guest OS: Ubuntu 12.04 LTS or Debian Linux 7.1
      – 2 network interfaces (Capturing & Management)
    • Standard PC or Server with Ubuntu 12.04 LTS
      – 2 network interfaces (Capturing & Management)
    • ALIX system boards or Raspberry Pi
      – OS: Debian Linux 7.1
      – Up to 3 network interfaces
        • E.g., Bridging, Sensor+Honeypot, Sensor standalone
    • Optional: Honeypot Plugin
    • Virtual Sensor
      – Central sensor / honeypot
      – Traffic captured on multiple remote interfaces and tunneled to sensor
      – Answer packets tunneled to originating interfaces


    Distributed Sensor System – Current NorNet setup

    (Figure: NorNet sites Simula, NTNU, Universitetet i Tromsø, Universitetet i Bergen and University Duisburg-Essen, each with interfaces I1/I2; a Virtual Machine hosting the SIP Honeypot and the Sensor, the SCS, and an attacker on the Internet; addresses shown: 129.242.157.228, 158.37.6.195, 132.252.152.105, 89.246.242.228)

    Distributed Sensor System – Overview

    • SCS Sensor Interface (SSI)
      – Each sensor is connected to SCS
        • Sensor ID, secret, MAC address, location info
        • TLS secured (HTTPS) with server certificate check
      – Status updates and keep-alive messages
    • Auto provisioning which is managed and controlled by SCS
      – Configuration
      – Signatures
    • SIP traffic analysis based on sensor signatures
    • Report generator
      – Sends reports to SCS according to sensor signature settings
        • Source IP, destination IP, signature ID, sensor ID, timestamp, source port, destination port, signature version
      – Optional: extended reports
        • Pre-defined SIP header values


    Distributed Sensor Systems – Sensor Central Service Overview

    • Sensor Management
      – Configuration
      – Signatures (Web-Editor or XML file)
        • Sensor signature mapping
      – Status, report and statistics presentation
      – Central logging
    • SCS Features
      – Receives sensor reports via SCS Sensor Interface (SSI)
      – Central MySQL database
        • Reports, signatures, SCS rules, sensor configurations, status, etc.
      – Analysis based on SCS rules
        • Depends on "Sensor ID" and "Sensor Signature ID"
        • PHP script logic with pre-defined variables and result values
      – Notification interface to mitigation components
        • Up to three different actions per SCS rule
        • Actions
          – eRBL
          – Firewall alert
          – PBX notification
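    How the rule side of the SCS could look, as an added example that is not the project's PHP code: each rule selects on sensor ID and sensor signature ID (with a wildcard), evaluates a condition over pre-defined variables derived from the reports stored for a source IP, and triggers up to three actions (eRBL, firewall alert, PBX notification). The in-memory report store stands in for the MySQL database; sensor names, signature IDs and the reports themselves are constructed.

```python
"""SCS-style aggregation of sensor reports into mitigation actions.

Added example, not the SUNsHINE SCS (whose rule logic is PHP). Sensor IDs,
signature IDs and reports are constructed; the dict store replaces MySQL.
"""
from collections import defaultdict

MAX_ACTIONS = 3          # the SCS allows up to three actions per rule
ACTIONS = {"eRBL", "firewall_alert", "pbx_notification"}


class ScsRule:
    """Selects on (sensor ID, signature ID), '*' matches any; condition sees the pre-defined variables."""

    def __init__(self, rule_id, sensor_id, signature_id, condition, actions):
        if len(actions) > MAX_ACTIONS or not set(actions) <= ACTIONS:
            raise ValueError("at most three known actions per SCS rule")
        self.rule_id, self.sensor_id, self.signature_id = rule_id, sensor_id, signature_id
        self.condition = condition   # callable(env) -> bool, stands in for the PHP script logic
        self.actions = actions

    def applies_to(self, report):
        return (self.sensor_id in ("*", report["sensor_id"])
                and self.signature_id in ("*", report["signature_id"]))


class SensorCentralService:
    def __init__(self, rules):
        self.rules = rules
        self.reports = defaultdict(list)   # src_ip -> stored reports (WP: store reports)
        self.fired = set()                 # (rule_id, src_ip) already notified
        self.notifications = []            # what the SNI would hand to mitigation components

    def receive(self, report):
        """Store one sensor report, then evaluate the SCS rules for its source IP (NP)."""
        history = self.reports[report["src_ip"]]
        history.append(report)
        env = {                            # pre-defined variables available to rule logic
            "src_ip": report["src_ip"],
            "report_count": len(history),
            "sensor_count": len({r["sensor_id"] for r in history}),
            "signatures": {r["signature_id"] for r in history},
            "last_ts": report["ts"],
        }
        fired = []
        for rule in self.rules:
            key = (rule.rule_id, report["src_ip"])
            if key in self.fired or not rule.applies_to(report) or not rule.condition(env):
                continue
            self.fired.add(key)
            for action in rule.actions:
                n = {"action": action, "rule": rule.rule_id, "src_ip": report["src_ip"]}
                self.notifications.append(n)
                fired.append(n)
        return fired


RULES = [
    # a source scanning for servers at two or more sensor sites is blocklisted everywhere
    ScsRule("R1-multi-site-scanner", "*", "SERVER_SCAN",
            lambda env: env["sensor_count"] >= 2, ["eRBL", "firewall_alert"]),
    # toll fraud seen by the PBX sensor: tell the PBX and the eRBL at once
    ScsRule("R2-toll-fraud-on-pbx", "SENSOR-PBX-1", "TOLL_FRAUD",
            lambda env: True, ["pbx_notification", "eRBL"]),
]

SAMPLE_REPORTS = [   # constructed reports in arrival order
    {"sensor_id": "SENSOR-ESSEN", "signature_id": "SERVER_SCAN", "src_ip": "198.51.100.7", "ts": 1},
    {"sensor_id": "SENSOR-BERGEN", "signature_id": "SERVER_SCAN", "src_ip": "198.51.100.7", "ts": 2},
    {"sensor_id": "SENSOR-PBX-1", "signature_id": "REG_HIJACK", "src_ip": "203.0.113.5", "ts": 3},
    {"sensor_id": "SENSOR-PBX-1", "signature_id": "TOLL_FRAUD", "src_ip": "203.0.113.5", "ts": 4},
    {"sensor_id": "SENSOR-TROMSO", "signature_id": "SERVER_SCAN", "src_ip": "198.51.100.7", "ts": 5},
]


def run_demo():
    """Feed the sample reports through the SCS and return all notifications."""
    scs = SensorCentralService(RULES)
    for report in SAMPLE_REPORTS:
        scs.receive(report)
    return scs.notifications


if __name__ == "__main__":
    for n in run_demo():
        print(n)
```

    The first report for 198.51.100.7 fires nothing (one sensor), the second one from a different site fires R1, and the third is suppressed because R1 has already been notified for that source; the REG_HIJACK report matches neither rule and only the TOLL_FRAUD report from the PBX sensor triggers R2.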

    Sensor Central Service – Management Website (Screenshot)

    (Screenshot: SCS management website)


    Distributed Sensor System – The NorNet approach

    • Physically distributed sensors at different sites in the Internet
      – Deployment of hardware or installation of software required
        • Local management necessary
      – Privileged access to network interfaces required
    • Virtually distributed sensors (NorNet approach)
      – One central Sensor only (in Essen, Germany)
      – Distributed NorNet nodes to capture input traffic
        • GRE Tunnel(s) between each node and the central Sensor
        • Filters TCP/UDP traffic on port 5060
        • Traffic redirection to the central Sensor by using DNAT via GRE tunnels
        • Reverse direction is realized by routing policies
      – Pros
        • No software component on productive systems (no influence)
        • Easy to manage single sensor
      – Cons
        • More bandwidth required in contrast to distributed approach
        • Possible delays

    Distributed Sensor System – First NorNet results

    Node IP       Node Name            Number of Reports
    172.31.1.1    Simula               57518
    172.31.1.2    Simula               344
    172.31.4.1    Uni Tromsø           3
    172.31.42.1   UDE                  73
    172.31.42.2   UDE                  144
    172.31.5.1    Uni Stavanger        67
    172.31.6.1    Uni Bergen           24839
    172.31.8.1    Høgskolen i Narvik   8
    172.31.9.1    NTNU                 1

    01.09.-12.09.2013


    VoIP fraud and misuse detection – Conclusions

    • SIP devices on the Internet are constantly scanned and attacked
      – Significant damage possible
    • Flexible and powerful attack tools readily available for download
      – SIPvicious
    • Local monitoring over several years
      – Development of sophisticated monitoring tools
      – Analysis of attack traffic
    • Distributed monitoring required to get a global view
      – Distributed Sensor System
      – Several sensors deployed around Germany
      – NorNet adds significant number of additional monitoring points
    • Technical details and live demos in the VoIP session
    • Cooperation with DFN would be highly appreciated
      – Deployment of hardware/software/virtual sensors