Security in VoIP Networks
1. (p. 3)
2. VoIP (p. 3)
3. (p. 4)
4. VoIP (p. 5)
4.1 (p. 6)
4.2 H.323 (p. 32)
4.3 Real Time Protocol (RTP) (p. 39)
5. (p. 41)
5.1 (p. 41)
5.2 TLS (p. 46)
5.3 DTLS (p. 49)
5.4 S/MIME (p. 50)
5.5 (p. 52)
5.6 IPSec (p. 52)
5.7 H.323 (p. 54)
5.8 MGCP (p. 60)
5.9 (p. 60)
6. VoIP (p. 67)
6.1 (p. 67)
6.2 (p. 68)
6.3 (p. 69)
6.4 QoS (shaping) (p. 69)
6.5 (p. 70)
6.6 NAT IP (p. 70)
6.7 (ACL) (p. 71)
7. VoIP (p. 71)
7.1 NIDS (p. 71)
7.2 HIDS (p. 75)
7.3 log (p. 75)
7.4 Syslog (p. 75)
8. (p. 76)
9. (p. 79)
VoIP
1.
,
, . PSTN (Public Switched
Telephone Network) IP (Internet Protocol) (NGN Next
Generation Network), IP
(IMS IP Multimedia Subsystem).
.
triple play, ,
. triple play, quad play , ,
.
IP IPv4 IPv6
, WWW . / ( pipe).
IP - PSTN, IP
,
. ,
, .
VoIP (QoS),
( Denial of Service, DoS).
, (burst),
, jitter. IP
, .
, .
, IP ; . IP
, , -
,
. IP , .
2. VoIP
VoIP
VPN , ,
. , ,
. ,
, , hosted .
VoIP ,
, . ,
,
. Microsoft Messenger,
Hotmail . Skype,
,
Skype. , ,
Vonage, Broadvoice, SunRocket,Hermes phone Packet8.
VoIP
, PSTN . ,
. ,
, VoIP .
,
. VoIP
VoIP. ,
, .
, ,
, ,
.
, VoIP
. ,
. - IP Sigtran ,
SS7 IP, PSTN IP .
VoIP
VoIP,
:
IP
,
3.
, VoIP.
, ,
. , ,
, ,
. . ,
PBX . ,
VoIP , - -.
, , VoIP /
Ethernet VoIP ( ) -
.
, - (untrusted) ,
, - ,
VoIP .
, , VoIP ,
.
3-1. VoIP
VoIP
4. VoIP
IETF :
-- (Interruption-of-service)
-- (abuse-of-service)
,
. VOIPSA (Voice Over IP Security Alliance; voipsa.org) ,
,
. IETF
,
, ,
.
, VoIP :
- VoIP ,
, , .
, VoIP , , DNS
, SIP , - , ..
,
VoIP , , .
(. VoIP ), ,
SIP , .
( ) SPIT (
).
,
. VoIP (,
), ,
, .
(.., , ,
/ ).
( )
, ,
- .
(masquerading)
, , , , ,
, . ,
, ,
. ,
.
, ,
VoIP (, , SIP
DNS ). , ID
,
(spoofing) CID ,
. VoIP
- ,
VoIP ( ARP, IP DNS).
, ,
.
, , ,
, .
,
, - ,
VoIP
, ,
. , SIP
VoIP ,
. ,
.
, .
VoIP .
- ,
.
VoIP ,
(billing). , VoIP
. , - VoIP
.
,
.
4.1
- - , VoIP.
(Denial of Service DoS)
VoIP, ,
.
DoS , VoIP
. ;
VoIP ( , ), ,
, VoIP .
4.1-1 , ,
.
4.1-1.
DoS
. ,
:
:
/
( )
VoIP
, (. )
:
(billing)
-
, " " VoIP, VoIP
/,
(, )
DoS. VoIP ,
.
DoS .
DoS ,
. DoS
, .
, ,
. VoIP (
), -
(,
). -
, -,
-.
VoIP , - DoS
, VoIP , VoIP , VoIP, SBC (-
). , (STB) . ,
DNS ,
ENUM, -
.
DoS , .
, . ,
.
, DoS . SIP
, SIP ,
.
SIP:
- IPv4, UDP TCP
TLS IPSec
SIP
SIP ,
RTP ,
, -
DoS , , SIP
(UA).
/ DoS DoS . ,
, ,
VoIP
.
. PSTN ,
PSTN VoIP . ,
, ,
(
). -,
, .
, -
. (reflection) (amplification),
,
. ,
.
, - , ,
, flood.
/
DoS .
- fuzzing.
-- (DoS) IP- . DoS
.
DoS . , -
-- (DDoS Distributed Denial of
Service) .
DS, ,
, - .
DDoS -,
- . , IP
, UDP - 65534 5060.
/, . DoS DDoS
, -;
, IP -,
.
DoS VoIP IP ,
DoS IP . , DoS
VoIP, -
. ,
DoS DDoS ,
, .
SIP (digest) ,
/ . HTTP
() , .
SIP REGISTER INVITE , ,
401 407,
. 401 407 (nonce
). , :
Username (. Ivan)
Realm (. iptelco.bg)
Password , UA (., HackniMe)
Method - SIP , (INVITE REGISTER)
URI (Uniform Resource Identifier) UA, SIP:192.168.2.102
Challenge (nonce) / , 401
407
Cnonce - nonce, ,
(QoS),
Nonce Count (nc) nonce,
VoIP
SIP UA SIP , :
1.
2.
3.
4.
, MD5 hash,
. MD5 hash 3, nonce 401/407
, nonce ( ), cnonce (
), MD5 hash 4, :
MD5 (MD5-step-3 : nonce : nc : cnonce : MD5-step-4)
nc cnonce , :
MD5 (MD5-step-3 : nonce : MD5-step-4)
5.
MD5 , 5 , .
6.
, , 3, 4 5
MD5 hash- ,
.
1 6,
:
1. MD5 (Ivan:iptelco.bg:HackniMe) = 49be40838a87b1cb0731e35c41c06e04
2. MD5 (REGISTER:sip:192.168.2.102) = 92102b6a8c0f764eeb1f97cbe6e67f21
3. MD5 (49be40838a87b1cb0731e35c41c06e04:350c0fec:92102b6a8c0f764eeb1f97cbe6e67f21) = 717c51dadcad97100d8e36201ff11147 ( )
/ (enumeration)
(),
VoIP SIP ,
(sniffing). ,
80% .
, - . ,
.
SIP, ,
. UA REGISTER INVITE , ,
401, 403.
- (brute-force, ), REGISTER
. , 401,
.
VoIP
10
SIP (sniffing)
UA SIP , URI .
, , TLS .
, URI SIP:User@hostname:port
. (cleartext)
,
brute-force. ,
,
, .
, Wireshark.
4.1-2. SIP Wireshark
SIP
SIP U,
. SIP ,
;
.
SIP MD5 ,
(
).
.
, :
MD5_1 = MD5 (Username:Realm:Password)
MD5_2 = MD5 (Method:URI)
Response MD5 Value = MD5 (MD5_1:Nonce:MD5_2)
,
(realm), URI, nonce ( ), MD5 -
( -- MITM ),
. ,
- , ,
. ,
. , SIP
, ,
.
SIP
, , ,
SIP , . , SIP
. , URI
.
,
, realm,
MD5 . URI, MD5
. -, MD5,
nonce MD5 MD5 ,
. ,
- ,
.
.
, .
:
Challenge (nonce): 350c0fec
Realm: iptelco.bg
-, :
Username: Ivan
Method: REGISTER
URI: SIP:192.168.2.102
MD5 Response Hash Value: 717c51dadcad97100d8e36201ff11147
, -,
( , ):
Setup Equation 1 MD5-1: MD5 (Ivan:iptelco.bg:Password)
Setup Equation 2 MD5-2: MD5 (REGISTER:sip:192.168.2.102)
Final Equation 3 717c51dadcad97100d8e36201ff11147: MD5 (MD5-1:350c0fec:MD5-2)
1 , . 2
, URI . MD5
92102b6a8c0f764eeb1f97cbe6e67f21.
3 MD5 - 1, nonce SIP MD5
- 2. nonce , MD5 - - 2 ,
MD5 - - 1 brute-force.
, ,
- 1 , :
MD5-1 : MD5 (Ivan:iptelco.bg:Password )
f3ef32953eb0a515ee00916978a04eac : MD5 (Ivan:iptelco.bg:Hello )
44032ae134b07cee2e519f6518532bea : MD5 (Ivan:iptelco.bg:My )
08e07c4feffe79e208a68315e9050fe4 : MD5 (Ivan:iptelco.bg:Voice )
b7e9d8301b12a8c30f8cab6ed32bd0b6 : MD5 (Ivan:iptelco.bg:Is )
44032ae134b07cee2e519f6518532bea : MD5 (Ivan:iptelco.bg:My )
56a88ae72cff2c503841006d63a5ee98 : MD5 (Ivan:iptelco.bg:Passport )
7b925e7f71e32e0e8301898da182c944 : MD5 (Ivan:iptelco.bg:Verify )
a5d8761336f52fc74922753989f579c4 : MD5 (Ivan:iptelco.bg:Me )
49be40838a87b1cb0731e35c41c06e04 : MD5 (Ivan:iptelco.bg:HackniMe )
MD5 1, MD5 - 2
(92102b6a8c0f764eeb1f97cbe6e67f21), (nonce) 3
(350c0fec), , brute-force - 3
-. MD5_1, ,
MD5_2 nonce:
MD5 = (MD5-1:72fbe97f:MD5-2)
bba91fc34976257bb5aa47aeca831e8e = (f3ef32953eb0a515ee00916978a04eac:350c0fec:92102b6a8c0f764eeb1f97cbe6e67f21)
01d0e5f7c084cbf9e028758280ffc587 = (44032ae134b07cee2e519f6518532bea:350c0fec:92102b6a8c0f764eeb1f97cbe6e67f21)
5619e7d8716de9c970e4f24301b2d88e = (08e07c4feffe79e208a68315e9050fe4:350c0fec:92102b6a8c0f764eeb1f97cbe6e67f21)
8672c6c38c335ef8c80e7ae45b5122f8 = (b7e9d8301b12a8c30f8cab6ed32bd0b6:350c0fec:92102b6a8c0f764eeb1f97cbe6e67f21)
01d0e5f7c084cbf9e028758280ffc587 = (44032ae134b07cee2e519f6518532bea:350c0fec:92102b6a8c0f764eeb1f97cbe6e67f21)
913408579b0beb3b6a70e7cc2b8688f9 = (56a88ae72cff2c503841006d63a5ee98:350c0fec:92102b6a8c0f764eeb1f97cbe6e67f21)
b8178e3e6643f9ff7fc8db2027524494 = (7b925e7f71e32e0e8301898da182c944:350c0fec:92102b6a8c0f764eeb1f97cbe6e67f21)
c4ee4ed95758d5e6f6603c26665f4632 = (a5d8761336f52fc74922753989f579c4:350c0fec:92102b6a8c0f764eeb1f97cbe6e67f21)
717c51dadcad97100d8e36201ff11147 = (49be40838a87b1cb0731e35c41c06e04:350c0fec:92102b6a8c0f764eeb1f97cbe6e67f21)
MD5 717c51dadcad97100d8e36201ff11147,
. , HackniMe
.
BYE
H.323 IAX , SIP
(DoS). DoS , spoofing BYE
. ,
.
, .
,
.
,
( INVITE ), - Caller-ID
(tag). ,
BYE, From
To . From, To, Caller-ID tag
() ,
(
).
SIP 200 OK , spoof
BYE . - -:
SIP/2.0 200 OK
Via: SIP/2.0/TCP 192.168.5.122; branch=;received=192.168.5.122
From: "iSEC" <sip:Ivan@192.168.2.102>;tag=ff761a48
To: "iSEC" <sip:Petar@192.168.2.102>;tag=as3a9bd758
Call-ID: 845b1f52dd197838MThmMDVhZWRkYZIxMmI1MjNiNDA4MThmYTJiODdiMzM
CSeq: 2 BYE
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Content-Length: 0
(DoS) SIP CANCEL,
-. , BYE
, CANCEL SIP DoS SIP
, . , BYE
, a CANCEL .
REGISTER
, DoS
IP . ,
IP , .
REGISTER,
Contact, IP . ,
DoS , Contact,
IP 192.168.5.122, . 118.118.8.118.
REGISTER , IP , , 4.13.
4.1-3. Contact SIP
Un-register
(DoS), - SIP
. - SIP
. - SIP RFC,
.
- ,
. , SIP
, .
- UA, REGISTER,
( 3600 7200),
. -,
UDP - .
UDP ,
.
, -.
SIP Fuzzing
, ,
. ,
, . SIP fuzzing,
SIP . ,
fuzzing , VoIP .
PROTOS (http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/index.html/) fuzzing
, VoIP SIP:
4.1-4, . SIP
, , . ,
, ,
.
4.1-4. Fuzzing
SIP (flooding)
- DoS VoIP /
. , .
. , SIP INVITE,
. SPI .
flooding .
, .
DoS (DDoS) . VoIP
, DDoS .
.
,
.
BOTNET, , -. VoIP
.
SIP (signaling loop)
DoS ,
VoIP . ,
VoIP --
(Max-Forwards), SIP .
/ ,
(loop). 4.1-5 .
http://tools.ietf.org/html/draft-lawrence-maxforward-problems-00
, , one.com two.com,
user1 user2. , , header
, , .
, SIP
/. 2, / INVITE (
one.com), INVITE two.com,
user1 user2. , INVITE SIP / two.com,
/ one.com.
one.com, Max-Forwards header- . RFC 3261 ,
Max-Forwards 70,
270 .
(.408, CANCEL). VoIP ,
, . o
Max-Forwards , , SIP ,
, .
(loop detection), .
SPIT (Spam Over Internet Telephony)
, ,
.
, .
PSTN . , . ,
, PSTN ,
. (SPIT)
VoIP , -
. ,
.
, IP
. ,
,
. ,
, SPIT
, .
( ) .
.
,
, . -
, , ?.
- ( ,
) .
, - ,
. ,
.
SPIT .
(INVITE) .
,
. SIP
INVITE , .
, , ,
(RTP) ,
, DoS . ,
, /, ,
VoIP .
, .
:
--
,
/ .
--, ,
, .
, .
, ,
.
VoIP , :
VoIP . ,
VoIP .
VoIP . VoIP
.
VoIP , , , ,
, SBC, DNS, NTP .
VoIP .
.
, .
.
.
/ .
( ),
, , ( )
.
.
, VoIP ,
.
, ,
VoIP :
(,
, , , )
(. TFTP, FTP, Telnet, RPC)
(, ,
)
, ,
( ).
VoIP .
, VoIP
, . VoIP 2006 .,
$1 . VoIP
, VoIP
.
,
, , SPIT, .
VoIP ,
.
- , , ,
VoIP
, MAC
802.1x
. VLAN, VoIP
VLAN ACL- ( ),
VoIP VLAN-
VoIP
SBC.
- ,
VoIP
,
- CDR
(CDR Customer Detail Records)
,
,
- , ,
VoIP
, . - -
, , ,
, , .
, (VoIP )
spoofing , ,
,
.
SIP
VoIP
brute-force . VoIP , SIP,
REGISTER . REGISTER,
.
,
. , -
/, - (brute-force)
. VoIP,
.
SIP . , , SIP
, , ,
, 16 .. , SMS
.
-- (MITM)
, SIP --,
4.1-6. ARP DNS spoofing ,
SIP SIP .
, - SIP , .
, , ,
SIP SIP .
, (
1), SIP ( ),
/, SIP nonce
( 3). ,
( 4). ,
MD5 , nonce ( 5),
. MD5 ,
SIP ( 6).
4.1-6. MITM SIP
,
VoIP .
; .
, VoIP,
.
, :
( , )
( , ) ,
. ,
, . ,
(master),
. VoIP ,
,
.
.
, VoIP ,
. IP , ( ) ,
PSTN IP- . , IP
(.. )
. -
IP- , . , - IP
IP , - .
, ARP (poisoning)
.
Wireshark
Wireshark (- Ethereal)
, SIP, H.323 RTP.
, VoIP
.
4.1-7. Wireshark
4.1-8. ARP
VLAN hopping :
.
(DTP Dynamic Trunking Protocol). - trunking-.
VLAN .
, VLAN Yesirnia.
,
, . DTP, STP (Spanning Tree Protocol), VTP (VLAN Trunking Protocol), ISL (Inter-switch Link
Protocol), 802.1x, 802.1q, HSRP (Hot Standby Router Protocol), DHCP (Dynamic Host Configuration Protocol) CDP
(Cisco Discovery Protocol).
MGCP
VoIP , MGCP
( call manager Cisco ) ,
-
(. ). 4.1-9
VoIP .
4.1-9. MGCP VoIP
2.
().
3.
, .
4.
5.
, ,
.
4.1-10. MGCP
PSTN
. MGCP , SIP.
MGCP :
AUEP 1500 *@mgcp.gateway MGCP 0.1
(idle). AUEP :
AUEP 1000 S0/SU1/DS1-0/1@mgcp.gateway MGCP 0.1
F: R,D,S,X,N,I,T,O,ES
S0/SU1/DS1-0/1, F:
, :
200 1000
I: 2EDA
N: ca@10.96.1.51:2427
X: 1
R: D/[0-9ABCD*#](N)
S:
O:
T:
ES:
ID I: 2EDA,
, MGCP RTP .
MGCP (S0/SU1/DS1-0/1)
RTP 10.6.158.178 17794. MGCP
, . ,
RTP
, . ,
, RTP ,
. , ,
, "".
, MGCP RTP ,
. RTP
, RAT (Robust Audio
Tool), RTP . RAT,
RTP (
). RTP ,
, MGCP
RTP . ,
RTP .
(masquerading)
,
. , ,
. ,
.
,
,
. ,
,
( ).
, . SIP ,
.
, , H.323 .
, , , DNS
, SIP , PSAP softswitch, ,
, .
, DNS , SIP URL-
, .. .
, (
MAC IP spoofing IP ), VoIP
. ,
VoIP ,
.
(caller id spoofing)
VoIP
(. SIP INVITE).
, VoIP (. Asterisk PBX)
INVITE , SIVuS. , Asterisk
PBX CID, - SetCallerID(2015551212)
extensions.conf , 2015551212 , .
, , Asterisk
.
ID VoIP
. , VoIP VoIP
-- ,
( SBC, SIP , H.323 gatekeeper). , VoIP
VoIP , ID . , ,
ID .
ID , ID
. ,
ID . ID-
, , ,
.
, ID (. SpoofTel, NuFone
VoicePulse, , ).
www.spooftel.com/; www.nufone.net/; www.voicepulse.com/features/basic/CallerID.aspx;
(presence hijacking)
,
. ,
VoIP
, .
, .
4.1-12 , IP ,
(INVITE). VoIP ,
.
4.1-12. SIP Register
REGISTER Contact , IP (
). (INVITE),
IP
. , 201-853-0102 IP 192.168.10.5.
INVITE IP, 5061,
SIPS, RFC 3261.
,
www.vopsecurity.org/Security_Issues_with_SOHO_VoIP_Gateways-052005.pdf
4.1-13 REGISTER, .
, ,
Contact. , IP (192.168.1.3),
IP . REGISTER SIP
192.168.1.2. SIVuS.
4.1-13. REGISTER
:
1.
.
:
DoS , .
- (spoof) ,
0 (Expires: 0). ,
.
REGISTER - (. 15 ),
. ,
60 .
2.
REGISTER IP ,
.
.
:
0. DoS .
1. .
2. : .
3. : .
4. : , IP .
5. : .
6. .
7. .
.
4.1-14.
:
,
( INVITE ).
, ,
.
SIP
.
, VoIP REGISTER
SIPS (SIP TLS). SIP nonce,
, ID, , URI,
MD5 .
nonce, SIP . , SIPS
, .
VoIP, , SIP
, SIP
, . , SIP , ,
REGISTER, ,
, (. nonce
).
. , ,
,
. ,
. ,
(, ,
).
SIPS SIP (
), - . ,
SIPS ,
.
ARP (arp spoofing)
ARP Ethernet . , ARP
VoIP . ,
,
. , ,
, ARP
. , ARP
, (Solaris )
ARP , .
, ARP , ARP spoofing, ARP ARP
ARP. .
ARP ARP spoofing- .
ettercap, Cain dsniff, IP
ARP -. ARP
IP . ARP
.
, - . ARP IP , -
(), , IP (10.1.1.2) MAC -
, BA:DB:AD:BA:DB:AD. , ,
- . , MAC - , IP
, IP MAC - . , - ARP
ARP , Windows , ARP
ARP ,
.
ARP :
10.1.1.1   AA:BB:CC:DD:EE:FF   int0
10.1.1.2   BA:DB:AD:BA:DB:AD   int0
,
.
ARP ,
IP . - , ARP.
, ,
( MITM) .
/dev/null (.. ), DoS.
ARP :
10.1.1.1   BA:DB:AD:BA:DB:AD   int0
10.1.1.2   AA:BB:CC:DD:EE:00   int0
,
, Wireshark
tcpdump. a ( , ,
), .
vomit rtpsniff, VoipCrack,
VoIP . ,
, PIN . ,
IP .
- . ,
. . ,
ARP . , ,
. /,
,
, ,
ARP . ( ) ,
, - (CAM, Content-Addressable Memory) IP MAC, .
unicast , , .
, .
ARP ,
MAC . Arpwatch. ,
MAC/IP . Cisco Catalyst 6500
ARP (DAI Dynamic ARP inspection). DAI
Cisco (CIS) spoofing
, ARP . DAI CIS
Catalyst, (Cisco IOS).
VoIP
. Avaya.
, VoIP AES .
,
IP .
. ,
- DoS,
DoS - .
, , .
Call Manager
VoIP , .
VoIP
. VoIP
( ) ,
.
MGCP.
4.1-15. PSTN
"" MGCP,
MGCP
. RFC 3991, "Media Gateway Control Protocol (MGCP) ,"
, ,
.
(CA) NotifiedEntity NotifiedEntityList
, "all of". ,
() .
, "" ,
.
:
EPCF 1200 *@gw1.dostav4ik.bg MGCP 1.0
RED/N: ca1@ca1234.dostav4ik.bg
EPCF (End Point Configuration )
2427. (*) ,
. RED/N
( ca1@ca1234.dostav4ik.bg).
:
EPCF 1200 *@gw1.dostav4ik.bg MGCP 1.0
RED/NL: ca1@myca.dostav4ik.bg, a2@mybackupca.dostav4ik.bg
MGCP ,
MGCP (2427) , .
, --,
, MGCP . IPSec
, .
IP
, (boot image)
, . VoIP , Cisco Avaya,
, TFTP , HTTP.
. TFTP HTTP
, . ,
, , .
, IP TFTP ,
boot image- , Cisco ,
. ,
TFTP Cisco .
Avaya, UDP 69 TFTP
( Avaya TFTP ,
). TFTP ,
, TFTP HTTP GET .
, 46xxsettings.txt Avaya.
TFTP GET ,
. ,
, -
. :
1.
VoIP
2.
TFTP ,
3.
TFTP , IP .
. 172.16.1.88.
4.
, (boot image)
. ,
. , boot image-
.
.
,
--. 2 OSI ,
TFTP/HTTP ,
. , boot image
.
. ,
.
a01d01b2_3.bin Avaya
46xxsettings.txt Avaya
,
. . ,
.
, . , , SIP
-,
, .
,
, . ,
, .
, :
5.
VoIP
1.
2.
3.
, IP TFTP
4.
IP
5.
SIP
spoofing SIP VoIP ,
SIP SIP . SIP INVITE , SIP SIP
INVITE. ,
, , IP ,
SIP , .
, SIP stargate-bg.org 91.196.124.78,
Stargate-BG 91.196.124.150, SIP
/ .
Stargate-BG, SIP ,
. , ,
,
. Spoof - (IP
Contact).
SIP/2.0 302 Moved Temporarily
To: <sip:Ivan@91.196.124.78>
From: <sip:Raina@91.196.124.78>;tag=1108
Call-Id: 11082006@91.196.124.78
CSeq: 1 INVITE
Contact: <sip:attacker@91.196.124.150>
4.2 H.323
H.323 H.225 (RAS - Registration Admission Status)
, . RAS
, gatekeeper- ,
, .
, , /- -
-gatekeeper, RAS.
, RAS H.323 . , H.323
, RAS ,
VoIP .
RAS, . RAS H.323.
, / gatekeeper-.
RAS H.323 VoIP ,
. RAS ,
.
H.225 ,
, . , H.225
. , :
(H.323 ID)
H.323 ( )
(replay) H.225
(spoofing) H.323 (E.164 )
E.164
E.164 (hopping)
NTP
UDP (H.225 )
H.225 nonStandardMessage
Host Unreachable
H.323 gatekeeper-
H.323 GK ( GateKeeper) , VoIP
. H.323 gatekeeper,
gatekeeper (GRQ Gatekeeper Request) 224.0.1.41 1718.
H.323 gatekeeper- .
H.323
gatekeeper- . gatekeeper- (GCF Gatekeeper Confirmation),
, H.323 ,
, , . ,
, gatekeeper gatekeeper
. H.323 GCF ,
GK , .
224.0.1.41 D GK
IP gatekeeper,
. 224.0.1.41,
GK, .
, ,
DoS .
, gatekeeper .
GCF ,
GK. , GCF H.323
gatekeeper . , ,
GCF . ,
GCF . , GCF
GCF GK,
, .
(H.323 ID)
gatekeeper H.323 ,
. H.323
, .
, --
H.225 .
,
-. Wireshark,
H.323 ID H.225.0 RAS /.
4.2-1. H.225
H.323
a H.323 H.225, ASN.1,
(H.323 ID) ( ,
1 , 1970), ASN.1- .
MD5 ( cryptoEPPwdHash). -, ,
;
- .
MD5 , /:
MD5(ASN.1 Encoded: H.323 ID + + timestamp) = Hash
. ,
,
--. -, H.323 ,
,
.
, ,
, MD5 ,
. 4.2-2 , H.323-ID (USER),
timestamp Nov 7, 2006 10:32:45.00000000 MD5 :
1C8451595D9AC7B983350D268DB7F36E.
4.2-2. H.323
,
, :
MD5(ASN.1-encoded: H.323-ID + password + timestamp) = hash
- , , (H.323 ID),
ASN.1 . ASN.1-
, MD5 hashing . MD5
MD5 -, , ,
. , 5 + X = 8.
X , .
- ,
,
. , H.323 ,
- .
H.225 .
, ,
MD5 .
MD5 ( ),
H.323 .
Sniffed (captured) entities over the network:
- Username: USER
- Timestamp: 1162895565
- MD5 Hash: 1c8451595d9ac7b983350d268db7f36e
MD5 (ASN.1 Encoded: Username + Password + Timestamp) = Hash
USER + test + 1162895565 != 1C8451595D9AC7B983350D268DB7F36E
USER + Ivan + 1162895565 != 1C8451595D9AC7B983350D268DB7F36E
USER + Raina + 1162895565 != 1C8451595D9AC7B983350D268DB7F36E
USER + 1108 + 1162895565 != 1C8451595D9AC7B983350D268DB7F36E
USER + 1117 + 1162895565 != 1C8451595D9AC7B983350D268DB7F36E
USER + isec + 1162895565 != 1C8451595D9AC7B983350D268DB7F36E
USER + PASS + 1162895565 = 1C8451595D9AC7B983350D268DB7F36E
H.323 (replay)
H.225 ,
, ,
, . , MD5
, , .
, .
, MD5 . H.323,
, .
MD5 , H.323
( ), (H.323-ID) .
, iSEC ,
, MD5 .
GK NTP , H.323
. , Oct 2, 2008 6:34.00 gatekeeper-
Oct 2, 2008 6:34:01, MD5 gatekeeper-
.
, NTP H.323
GK, , .01 . ,
H.323 GK- MD5 , - (
30 60 ), . (
H.323 ),
. ,
, MD5 , MD5 30
60 .
- MD5
gatekeeper-a GK,
.
16- , H.225 .
IP GK (c0 a8 74 79 192.168.116.28,
H.225 , 16-
GK.
H.323 (E.164 )
- , E.164 ,
H.323 , H.323
. E.164 ,
, MAC Ethernet , - (Initiator Node
Names) iSCSI WWN - HBA. MAC
, etherchange
MAC, http://ntsecurity.nu, .
E.164 GK
. gatekeeper-, DoS
, . GK (rewrite)
E.164 , ( ),
; DoS .
E.164 ,
, ,
DoS . ,
, ,
, E.164 . ,
, .
VoIP , E.164 ,
. , E.164 ,
, VoIP (
). E.164
( VoIP ,
). ,
VoIP .
E.164
E.164 ,
H.323 . - .
, , E.164 .
;
E.164 . Wireshark,
dialedDigits, . dialedDigits H.323
Wireshark -:
H.225.0 RAS
gatekeeperRequest
endpointAlias
Item 1
Item: dialedDigits
dialedDigits
--,
- E.164 . , -
, gatekeeper- . gatekeeper, E.164
, securityDenial. ,
E.164 , , GK duplicateAlias.
, E.164 ,
. GK, E.164
GK, 1 999999999
duplicateAlias.
- . (rejectReason) 4.2-3
, E.164 ,
(securityDenial). 4.2-4 (rejectReason),
, (duplicateAlias).
, E.164 .
4.2-3. , E.164
E.164 (hopping)
Hopping
, . , hopping
, .
Cisco ,
VLAN-, VLAN (), ,
.
E.164 , -. , GK
E.164 ( E.164
). , E.164
H.323 . ,
,
- ; ;
H.323 .
, , .
, , - (
),
.
: ,
, .
, H.225 nonStandardMessage,
-:
1.
2.
http://www.isecpartners.com/tools.html/ iSEC.nonStandardMessage.DOS;
Nemesis, .
3.
, b a
, :
a.
b.
a.
IP: 172.16.1.103
b.
MAC: 00:05:4E:4A:E0:E1
c.
IP (H.323 ): 172.16.1.140
d.
nemesis udp -x 1719 -y 1719 -S 172.16.1.103 -D 172.16.1.140 -H
00:05:4E:4A:E0:E1-M 02:34:4F:3B:A0:D3 -P iSEC.nonStandardMessage.DOS
4.
16- , HEX
.
5c 09 81 40 82 01 01 00 04 03 00 00 04 04 00 00
00 00
4.3 Real Time Protocol (RTP)
RTP UDP , 1024 65535. ,
UDP - 1024, VoIP
( Cisco Avaya) .
, RTP/RTCP
, .
RTP - . RTP
, , (payload), SRRC (
), CSRC ( ), -.
: , VoIP
. , RTP H.323 .
() : RTP . ,
,
160 .
: RTP .
: RTP .
B RTP RFC, " ", ,
. 9 RFC ,
- , IPSec .
, VoIP IPSec - ,
-
VoIP . , RFC, ,
RTP .
RTP
VoIP (),
RTP. /
, . , .
: , Secure RTP (SRTP), -,
, SRTP
/ .
RTP , . , , ,
, - .
- RTP, :
RTP
RTP ,
, . Telnet, FTP HTTP. , RTP
, ,
.
Cain&Abel Wireshark,
RTP , RTP
. , ,
VoIP .
--, ,
.
RTP VoIP, .wav ,
--,
Cain&Abel.
4.3-1. VoIP RTP
VoIP
. , , 118,
, .
VoIP , RTP
, SSRC . . RTP ,
0 (.. 160ms),
0 1 SSRC
. .
, ,
.
4.3-2. RTP
SSRC ,
( ).
VoIP RTP, RTPInject,
, .
, SSRC.
5.
VoIP.
5.1
VoIP ,
. ,
.
,
.
, . , ,
, .
.
, .
VoIP
. , SRTP TLS .
SIP
SIP
(RFC 3261) . IPSec, S/MIME, TLS DTLS,
.
,
. , TLS
S/MIME, .
, .
, SIP ,
IP DHCP, TFTP ( )
, SIP . IP
SIP . (.
TFTP), (. sip:user@sip-domain.com)
(. sip.mcat.net 224.0.1.75). SIP
, SIP ,
. , (INVITE)
,
DoS SPIT .
() SIP
SIP HTTP SIP
(realm) .
, , -
.
5-1. SIP
5-1 ,
. 180 Ringing .
1, SIP ( A). ( 1-5), , 401 Unauthorized (
nonce) ( 1.2 REGISTER 1.1).
REGISTER ( 1.4), MD5 . ,
.
SIP .
2, B.
SIP ( A) , 407 Proxy
Authentication Required ( 2.2) INVITE ( 2.1).
(UA) .
INVITE :
INVITE sip:petar@domain-b.com:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.3:5060;branch=z9hG4bK-5ef661a9
From: ivan<sip:ivan@domain-a.com:5060>;tag=aed516f97e1da529o0
To: <sip:petar@domain-b.com:5060>
Call-ID: ceab1739-db25a1e9@192.168.1.3
CSeq: 101 INVITE
Max-Forwards: 70
Contact: ivan<sip:ivan@192.168.1.3:5060>
Expires: 240
User-Agent: 001217E57E31 Linksys/RT31P2-3.1.6(LI)
Content-Length: 313
Allow: ACK, BYE, CANCEL, INFO, INVITE, NOTIFY, OPTIONS, REFER
Content-Type: application/sdp
SIP ( ) :
SIP/2.0 407 Proxy Authentication Required
Via: SIP/2.0/UDP 192.168.1.3:5060;branch=z9hG4bK-5ef661a9
From: ivan<sip:ivan@domain-a.com:5060>;tag=aed516f97e1da529o0;
To: <sip:petar@domain-b.com:5060>
Call-ID: ceab1739-db25a1e9@192.168.1.3
CSeq: 101 INVITE
Proxy-Authenticate: Digest realm="domain-a.com",
domain="sip:domain-a.com", nonce="969467834", algorithm=MD5
Max-Forwards: 15
Content-Length: 0
, OK:
SIP/2.0 200 OK
, ACK,
:
ACK sip:petar@domain-b.com:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.3:5060;branch=z9hG4bK-6ee04695
From: ivan<sip:ivan@domain-a.com:5060>;tag=aed516f97e1da529o0
To: <sip:petar@domain-b.com:5060>;tag=2027561073
Call-ID: ceab1739-db25a1e9@192.168.1.3
CSeq: 102 ACK
Max-Forwards: 70
Proxy-Authorization: Digest username="ivan",realm="domain-a.com",nonce="969467834",uri="sip:petar@domain-b.com:5060",algorithm=MD5,response="28909c2f5b3f682b2d8bc6a36aba572c"
Contact: ivan<sip:ivan@domain-a.com:5060>
User-Agent: 001217E57E31 Linksys/RT31P2-3.1.6(LI)
Content-Length: 0
: RFC ACK, .
, SIP ACK, 407 Proxy Authentication
Required.
, BYE .
, BYE ( ).
BYE sip:petar@domain-b.com:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.3:5060;branch=z9hG4bK-304dbcd
From: ivan<sip:ivan@domain-a.com:5060>;tag=aed516f97e1da529o0
To: <sip:petar@domain-b.com:5060>;tag=2027561073
Call-ID: ceab1739-db25a1e9@192.168.1.3
CSeq: 103 BYE
Max-Forwards: 70
Proxy-Authorization: Digest username="ivan",realm="domain-a.com",nonce="969467834",uri="sip:petar@domain-b.com:5060",algorithm=MD5,response="96645bfe26e2a5b64803041948bba38d"
User-Agent: 001217E57E31 Linksys/RT31P2-3.1.6(LI)
Content-Length: 0
, SIP
BYE, 407 Proxy Authentication Required:
SIP/2.0 407 Proxy Authentication Required
Via: SIP/2.0/UDP 192.168.1.3:5060;branch=z9hG4bK-304dbcd
From: ivan<sip:ivan@domain-a.com:5060>;tag=aed516f97e1da529o0
To: <sip:petar@domain-b.com:5060>;tag=2027561073
Call-ID: ceab1739-db25a1e9@192.168.1.3
CSeq: 103 BYE
Proxy-Authenticate: Digest realm="domain-a.com",
domain="sip:domain-a.com", nonce="35921938", algorithm=MD5
Max-Forwards: 15
Content-Length: 0
SIP BYE
:
BYE sip:petar@domain-b.com:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.3:5060;branch=z9hG4bK-1be1b199
From: ivan<sip:ivan@domain-a.com:5060>;tag=aed516f97e1da529o0
To: <sip:petar@domain-b.com:5060>;tag=2027561073
Call-ID: ceab1739-db25a1e9@192.168.1.3
CSeq: 104 BYE
Max-Forwards: 70
Proxy-Authorization: Digest username="petar",realm="domain-a.com",nonce="35921938",uri="sip:petar@domain-b.com:5060",algorithm=MD5,response="f17f737430b236c73121ecf6a1031518"
User-Agent: 001217E57E31 Linksys/RT31P2-3.1.6(LI)
Content-Length: 0
, OK :
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.1.3:5060;branch=z9hG4bK-1be1b199
From: ivan<sip:ivan@domain-a.com:5060>;tag=aed516f97e1da529o0
To: <sip:petar@domain-b.com:5060>;tag=2027561073
Call-ID: ceab1739-db25a1e9@192.168.1.3
CSeq: 104 BYE
Max-Forwards: 15
Content-Length: 0
SIP ,
. , REGISTER,
INVITE. REGISTER INVITE, BYE
CANCEL . ,
.
,
, .
INVITE, BYE, ACK REFER. SIP RFC 3261 , CANCEL
, . SIP
CANCEL , SIP .
, , IPSec TLS.
SIP , UDP
IPSec. SIP (.
callerID, Cseq, branchID tag),
CANCEL .
INVITE REGISTER , BYE CANCEL. IETF
(. 183, 180), UDP
, .
, SIP
(. REGISTER, INVITE ..) 5-2.
5-2. SIP
- :
nonce_value ,
nc_value (nonce count) 16- , nonce. .,
nonce , "nc=00000001".
nonce , qpop
cnonce_value ,
, ,
(. ) . TLS
. ,
TCP SCTP. , UDP
. RFC 4347 "Datagram Transport Layer Security" IETF ,
-.
SIP TLS
SIP RFC- TLS, ,
, ..
, SIPS URI ( SIP SIP
TLS), ,
.
5.2-1 SIPS
, TLS ( /),
,
SIP . TLS . 5.2-3
.
5.2-3. SIP TLS
, TLS SIP , .
SIP ,
TLS(SSL) (hop)
.
, - -. :
,
.
- ,
.
.
.
, -
. , ,
SIPS,
.
, SRTP, SIP, SIPS.
, , SIP,
. peer-to-peer
SRTP.
TLS
TLS SIP
RTP . ,
.
-
- ,
,
- SSL - -
-
- , (, , VPN)
- ,
IPSec
- PKI SSL
- .
hop (. SIP
)
- TCP SCTP UDP,
UDP. UDP
- DoS TCP RST ( ,
reset). TCP flood (. CPU ),
RSA . , RST
TLS ,
5.3 () - DTLS
RFC 4347, DTLS
TLS ,
, UDP , SIP . TLS ,
hop-.
TLS DTLS , DTLS UDP,
.
TLS Handshake, .
TLS , MAC ( , Message Authentication
Code) . MAC
, . ,
, .
DTLS TLS, :
DTLS ( )
, DTLS .
ClientHello, HelloVerifyResponse
. . ,
ClientHello HelloVerifyResponse ClientHello . 5.3-1
.
5.3-1. DTLS
, HelloVerifyResponse ,
ClientHello.
, DTLS
. , 32
, 32 . 32-
.
, - , RFC
4347 32 . ,
.
DTLS stateless cookies, DoS .
(. ClientHello HelloVerifyRequest), cookie
, ,
. cookie,
ClientHello , cookie.
MD5 secret, IP ,
ClientHello . DoS ,
IP , .
DTLS
DTLS , ,
. ,
. ,
:
- , S/MIME IPSec
TLS
TLS, handshake
DoS , stateless cookies
-, hop-, TLS
PKI
,
hop (. SIP SBC)
5.4 S/MIME
RFC 3851, / (Secure/Multipurpose Internet
Mail Extensions), ,
, SIP , SDP , .
,
UDP , (. SRTP),
(. , , URL-, ..).
SIP (. From, To, Contact, Via),
. From
, . , Contact
, ,
, .
S/MIME From ,
, ,
, .
. , SIP
S/MIME , , S/MIME.
, S/MIME,
. PKI ,
S/MIME, (. , ,
..).
SIP
SIP ,
5.6 IPSec
IPSec ,
TCP, UDP .
. ,
SIP. IPSec ,
, . 5.61 SIP .
, ,
, (.
PKI), TLS DTLS
PKI ,
, VoIP (. VPN
).
5.7 H.323
H.323 ITU, H.225.0, H.245 H.235.x -
. H.225 -, RAS (,
), . H.323
ITU Q.931 . RAS GK
, RAS
GK . RAS
, RAS UDP, UDP, TCP.
, . H.245
,
.
, RTP IP , , (. G.729, G.711) .. , H.225, RAS
H.245 , .
H.235 (
) H.323 , H.245 H.225.0,
. H.235 (v4) H.235.1
H.235.9 . - A A F.
.
5.7-1 H.235
H.235.0
H (H.323 H.245 )
H.235.1
H.235.2
H.235.3
H.235.4
H.235.5
RAS, ,
H.235.6
H.235/H.245
H.235.7
MIKEY + SRTP
H.235.8
Secure RTP,
H.235.9
H.323
H.245
H.245
-,
, H.323 ,
. ,
:
, ,
( ).
, .
, H.225.0
. ,
Diffie-Hellman, .
, TLS IKE.
, H.245, ,
.
H.245, OpenLogicalChannel
OpenLogicalChannelAck. -,
H.245 :
EncryptionUpdateCommand (master)
EncryptionUpdateRequest (slave)
EncryptionUpdate (master)
EncryptionUpdateAck
H.245 ,
.
H.235.1
H.245, H.225.0 RAS
. (hashing)
.
. , NAT (Network Address
Translation) , ( NAT
). HMAC-SHA1-96 20 ,
() . GK ,
,
. , H.225
:
GK (Gatekeeper routed)
, GK.
.
GK.
H.225 (RAS ) ,
- , cryptoTokens, H.235.1
H.225 .
H.235.2
, H.225.0
, SHA1 MD5 (hashing).
- - , H.235.1,
.
RTP ( ).
:
, /
H.225 (RAS
) H.245 .
H.235.3
H.235.1 H.235.2 ,
PKI . H.235.3 ,
VoIP .
GK- ,
gatekeeper, .
, ,
(fast-connect). -, H.245
H.225.0 , .
, H.235.3 :
Hop-by-hop ( H.235.1 7 II H.235.2 7)
(. ,
GK), ,
,
(GKSP Gate Keeper Security Processor).
H.235.4
GK- ,
, .
5.7-1 .
5.7-1. H.235
, .
GK RAS , GK
RAS.
,
. ,
, GK , ,
. :
(DRC1)
I (DRC2)
II (DRC3)
, :
PRF
FIPS 140
,
.
H.235.5 RAS, ,
H.235.5 GK, GK,
RAS , ,
RAS
. GK- , .
:
(SP1),
80 (. NIST SP 800-57)
(SP2), SP1,
SP2 ,
. ,
pointID :
K = Trunc(SHA1(user_password || endpointID), 16)
Trunc(SHA1,16) SHA1 16 .
H.235.6 H.235/H.245
H.235.0 ,
.
. ,
AES, RC2, DES 3DES, OFB (Output Feedback mode, ISO/IEC 10116).
H.245,
.
(. , ),
fast-connect. , DTMF (Dual Tone
Multi Frequency). H.323 DTMF
RTP, SIP MGCP RTP . H.323 , DTMF
RTP ( rtpPayloadIndication), RTP ,
DTMF .
H.323 , :
- - H.323 ( 1 2),
KeySyncMaterial
-
ENCRYPTED
(Diffie-Hellman) . Diffie-Hellman
(RTP) .
DoS (),
RTP , RTP
. ,
. , MAC RTP (.
), ( antiSpamAlgorithm).
RTP ,
. , RTP ,
.
H.235.7 MIKEY Secure RTP, H.235
:
- , gatekeeper-
- (PKI), gatekeeper-
5.7-3 MIKEY H.323 .
8.7.8-1. MIKEY H.323
MIKEY H.245 ,
GK. TerminalCapabilitySet, RequestMode,
OpenLogicalChannel MiscellaneousCommand.
MIKEY H.323 ( )
( ).
,
. , ,
MIKEY H.235.1 hop-.
H.235.8 Secure RTP,
ITU
. SrtpCryptoCapability SRTP
H.323 . ,
genericH235SecurityCapability, encryptionAuthenticationAndIntegrity H.245 .
SrtpCryptoCapability SrtpCryptoInfo,
.
SRTP SRTP SrtpKeyParameters,
SrtpKeys H.245 OpenLogicalChannel . H.235.8
SRTP , SRTP
.
.
H.235.8 AES 128 .
SHA1, 80 32 .
AES f8 128 , SHA1 80 UMTS (Universal Mobile
Telecommunications System).
H.323 SIP.
(early media) ,
, ()
(. ), -
. ,
,
,
H.460.11 .
H.235.9 H.323
ITU H.235.9,
, .
GK , ,
. ,
GK ,
GK , . ,
(. )
.
(. TLS, IPSec)
. ,
(. DES, AES . ) (
64, 128, 192, 256),
, RTP .
,
- .
, GK
.
, GK GW,
H.235.1, H.235.2, H.235.3, H.235.5.
H.235
, ,
VoIP VoIP :
,
(),
, H.235 ,
DoS , --, , ,
- SIP
H.235 , ,
5.8 MGCP
MGCP (Media Gateway Control Protocol, RFC 3435) PSTN
IP IP PSTN. , PSTN
. ,
PSTN . 5.8-1 PSTN .
5.8-1. PSTN
MGCP ,
IPSec . MGCP
.
MGCP
, MGCP:
ACL MGCP
. .
(
) PSTN MGCP .
PSTN IPSec,
PSTN .
MGCP
,
IPSec
,
UDP (. )
5.9
RTP (Real Time Protocol), RFC 3550.
, IPSec RTP, -
, NAT,
PKI. SRTP (Secure Real Time Protocol).
SRTP .
SRTP
SRTP (Secure Real Time Protocol) RTP (RTP, IETF RFC 3550) ,
IETF RFC 3711. ,
(. SIP, H.323, Skinny) (.
MIKEY, SDESCRIPTIONS, ZRTP), SRTP
( ) . RTP ,
RTCP (Real Time Transport Control Protocol) . RTCP
SRTP RTP, :
MKI Authentication. MKI (Master Key Identifier)
(. MIKEY), , SRTP (RFC 3711).
(. , SSRC)
,
SRTP, RTP (.
). ,
RTP , - (IP, UDP).
5.9-2 , SDescriptions
SRTP. SDP SIP . SDP crypto
, (AES_CM_128),
(SHA1_32).
inline key-info.
:
a=crypto:<tag> <crypto-suite> <key-params> [<session-params>]
<crypto-suite> ( , AES
128 SHA-1).
<key-params>,
key-params = <key-method> ":" <key-info>
<key-method>
<key-info> = UlrbLlfNTNw3blKHQVLGze6oHsyFdjGj3NheKoYx
MIKEY, 5.9-3
SIP INVITE , MIKEY SDP .
5.9-3. MIKEY SIP
, RTP SRTP
.
5.9-4. SRTP
RTP , ,
. SRTP AES , DoS ,
. , ,
( )
,
. AES ,
.
SRTP SHA-1 160 (
80 /tag/) ,
. (. )
(. 32 ) ( )
.
SRTP .
SRTP
. ,
SRTP , .
, salt SRTP
SRTCP . , SRTP
salt, .
.
key_derivation_rate, . ,
- ( /master/ ).
. ,
, , -
( ). -
,
, .
(early media)
,
. (early media),
(. VoIP/PSTN). , VoIP ,
(. VoIP/PSTN ), PSTN
,
. . , IETF
MIKEY EKT (Encrypted Key Transport),
.
SRTCP
SRTP, SRTCP /tag/ MKI ,
: SRTCP index encrypt-flag. ,
RTCP . ,
. authentication, SRTCP index encrypt-flag
SRTCP. - , SRTCP SRTP , .
.
SRTP
, (
)
RTP RTCP
AES ( )
-
SRTP
RTP
RTP
,
IP SS7 (PSTN)
.
SRTP (SRTP Security Descriptions)
SRTP Security Descriptions , MIKEY ,
- ,
SRTP (. RTP/SAVP RTP/SAVPF).
- .
crypto SDP.
crypto :
a=crypto:<tag> <crypto-suite> <key-params> [<session-params>]
tag /
, , .
crypto-suite , (.
AES_CM_128_HMAC_SHA1_80).
key-params
, inline, ( salt)
key-info. ,
MKI ( ). MKI
SRTP . IETF Security Descriptions
, :
"inline:" <key||salt> ["|" lifetime] ["|" MKI ":" length]
:
key||salt salt, base64
lifetime
MKI:length: MKI MKI SRTP
[<session-params>], /
( RFC ):
KDR SRTP , PRF
UNENCRYPTED_SRTP SRTP
UNENCRYPTED_SRTCP SRTCP
UNAUTHENTICATED_SRTP SRTP
FEC_ORDER (FEC Forward Error Correction),
SRTP
FEC_KEY FEC, FEC /
WSH ,
Extensions
SDP, SIP
MGCP. , (. TLS, IPSec)
,
.
ZRTP
ZRTP , SRTP.
ZRTP
(RTP) UDP , ,
MIKEY SDescriptions. ,
, SIP , .
, ZRTP
. DH (Diffie-Hellman)
, PKI,
, .
, ZRTP , RFC IETF,
.
ZRTP
ZRTP , (RTP)
: Diffie-Hellman - (shared secret).
Diffie-Hellman , ,
ZRTP , , -
.
, DH ,
, DHPart1 DHPart2
. DH (hvi pvr),
nonce .
ZRTP -- (MITM)
DH --, ZRTP SAS (
, Short Authentication String). SAS
. SAS ,
, V (SAS ).
SAS --.
ZRTP DoS
DoS
. ZRTP, Hello
,
.
ZRTP. -
, RTP
ZRTP.
ZRTP DTMF
, ZRTP RTP , Zfone
DTMF . RFC 2833 DTMF RTP.
- DTMF . ,
, ,
.
, , ,
.
ZRTP,
DTMF (. RTP ).
6. VoIP
, VoIP
. VoIP
.
, :
,
, VoIP
. , ,
.
,
, (. /Diameter/),
(. SBC).
6.1
VoIP .
, , , .
, ,
VoIP (, , ). -,
, ,
(, ).
, ,
QoS. - , VoIP
, .
6.2
,
. 6.2-1
VoIP .
6.2-1.
.
,
VoIP (SBC).
, , PSTN , ,
, , VoIP ,
VLAN ( LAN), VLAN
. ,
(ACL).
, SIP, H.323, MGCP Skinny,
,
VLAN . 6.2-1 ACL, SIP VoIP
VLAN .
6.2-1 ACL
VoIP VLAN
UDP
5060
VoIP VLAN
CA VLAN
UDP
5060
6.2-2 ACL
VLAN
UDP
2427
VLAN
CA VLAN
UDP
2727
, CA (.
), , (. ,
, ) (.
).
VLAN , PSTN VLAN, VoIP
.
, ACL RTP
UDP , . , 16,384 32,767
, 49,152 65,535 .
, ,
ACL.
6.2-2 ACL VoIP VLAN .
VLAN,
,
.
6.2-2. ACL VoIP
6.3
2 3,
, .
, (..
, DoS ) ,
.
; 2 VLAN , VoIP
VLAN 802.1p/q QoS
VLAN ;
.
6.4 QoS (shaping)
,
.
VoIP
QoS. , ,
.
, AES , , 50 ,
500ms,
. - IPSec 2 10 . TLS , 1.5 .
6.5
.
IP .
: ,
; IP (
); ; NAT ; ;
VPN ; ,
,
.
6.5-1 , VoIP.
6.5-1 VoIP
Skinny                         TCP 2000-2002
TFTP                           UDP 69
MGCP                           UDP 2427
Backhaul (MGCP)                TCP 2428
Tapi/Jtapi                     TCP 2748
HTTP                           TCP 8080/80
SSL                            TCP 443
SCCP                           TCP 3224
Transport traffic              16384-32767
SNMP                           UDP 161
SNMP trap                      UDP 162
DNS                            UDP 53
NTP                            UDP 123
LDAP                           TCP 389
H.323 RAS                      TCP 1719
H.323 H.225                    TCP 1720
H.323 H.245                    TCP 11000-11999
H.323 Gatekeeper Discovery     UDP 1718
SIP                            TCP 5060
SIP/TLS                        TCP 5061
, .
. SIP ,
IP ,
STUN , NAT.
, , VPN
VoIP .
6.6 NAT IP
(NAT) - / IP
, NAT . , IP
-, -, (checksum) IP .
TCP UDP , -,
IP , TCP . NAT
.
NAT VoIP, IPv6
. NAT , H.323 SIP
3 IP .
6.7 (ACL)
(ACL) ,
ACL, ( permit deny)
, / ,
, , . ACL VLAN, QoS
VoIP .
7. VoIP
IDS (Intrusion Detection Systems)
. - IDS
.
,
(.
). ,
.
VoIP ,
.
IDS . ,
VoIP ,
, .
, Snort IDS - ,
SIP , SIP
, , SYN .
IDS :
DoS; (.
)
,
(. ,
, )
, VoIP
, VoIP , . , SIP , SBC.
,
,
, .
, .
, -
.
7.1 - NIDS
NIDS ,
. , ,
, ,
. - IDS
.
,
-
. VoIP NIDS .
NIDS : -
. NIDS
. Code Red, NIMDA, DoS , , ASP
CGI . - NIDS ,
. , ,
, ,
. - NIDS
, . ,
(backdoor) .
NIDS ,
. - , ,
.
NIDS () - ( ) .
.
, ,
, VMWare Xen.
, ,
.
NIDS (
), Ethernet
, .
, ,
,
.
, ,
. 1000 2000 . ,
.
. -
,
. , IDS
.
7.1-1 , NIDS
, . Match IDS Rule
, (. , SIP
) , ,
.
7.1-1. - NIDS
NIDS
. NIDS
. :
IP ,
TCP/UDP ICMP /
IP
TCP
(hex ASCII)
(offset)
,
. ,
, - .
, .
NIDS , ,
. - , ,
, .
( ) .
, -
, - .
, .
,
.
, . ,
.
. - (.
SYN).
, , -
-
. , NIDS
.
, .
.
NIDS
NIDS , ,
.
, .
, , .
IDS ( )
, NIDS Ethernet ,
, - .
,
, SNMP, , SMS , syslog , IM .
,
, SCP
.
NIDS
Nmap Nessus IDS (. NIDS HIDS).
NIDS
, . TCP (resets)
(ACL), . NIDS IPS
(Intrusion Prevention Systems).
,
. ,
, spoof IDS,
.
NIDS ,
, ,
(-
). NIDS
, ,
.
Honeypots Honeynets
Honeypot , ,
. , ,
, . honeypot
,
. Honeynet , honeypot. , honeynet
, , .
NIDS HIDS, ,
honeypot honeynet . IP
, honey-
, IP .
.
7.2 - - HIDS
- (HIDS) ,
. HIDS
, , /
.
HIDS Tripwire, MD5 .
- ,
, .. . HIDS ,
Tripwire, ,
.
, MD5
, , .
HIDS , DoS ,
. HIDS
, , , - .
7.3 log
,
. , , , , ,
,
.
, ,
. MRTG (Multi Router Traffic Grapher
http://people.ee.ethz.ch/~oetiker/webtools/mrtg/) RRDTool (http://oss.oetiker.ch/rrdtool/)
SNMP .
7.4 Syslog
- , syslog
IP syslog . Syslog
, , IEEE
RFC3164, .
UDP/514 ,
,
. Syslog , ,
. ,
, , ,
syslog , .
syslogd (. syslog-ng) TCP -
, / .
Syslog UNIX , MS Windows. -
Windows Kiwi Syslog (www.kiwisyslog.com).
Syslog (ASCII ) , ,
syslog syslog relay. Syslog
/var/log,
/etc/syslog.conf. :
0 Emergency:
1 Alert:
2 Critical:
3 Error:
4 Warning:
5 Notice: ,
6 Informational:
7 Debug: debug / /
VoIP , IP syslog ,
,
.
.
8.
, IP,
VoIP . , -
, .
:
,
PSTN VoIP (. Mtel, BTC ..)
ISP (ISP-VSP) , VoIP
(Cores Networks, ..)
(I-VSP) VoIP ,
VoIP, PSTN
(Hermes phone, inphonex.com, Vonage ..)
- .
TDM , VoIP .
, TDM IP .
(IP ) IMS 3GPP ,
.
PSTN VoIP ,
(POP Points Of Presence), .
VoIP IP VPN ( MPLS).
VoIP
, (. MGCP SIP , IP-PBX, SIP
, H.323 GK). DSL (. T1-OC3,
E1, ), . ,
- ,
.
IP VPN (QoS) - ,
- , VPN .
, VoIP
, .
TDM IP,
VoIP , IP (. VoIP VoIP). IETF
( SPEERMINT) VoIP
.
,
, IP SS7/C7 (
). , VoIP
- (softswitch).
DoS ,
SBC ( ),
.
, ,
(, ).
, ,
VoIP . ,
. ,
VoIP ().
VoIP , VoIP
, ,
. -
, .
ISP
VoIP
. LAN
(//), ,
.
, IP TDM
. VoIP ,
, SBC ,
. ,
TDM , PSTN
. PoP
, IP ,
.
, .
.
ISP-VSP , PacketCable VoIP
(PacketCable DOCSIS [Data-Over-Cable Service Interface Specifications] PacketLabs
1.1.), IP- VoIP, ,
.., 6- IMS, 3GPP (3rd Generation Partnership
Project). IP PSTN
.
, .
VSP .
, VoIP
. Vonage.
,
VoIP . PSTN
- (LEC Local Exchange Carrier)
.
, ,
, .
VoIP ,
,
, , .
.
, .
,
, , ,
, (. , PBX).
DoS
,
, ,
. ( ),
, . ,
, .
, VoIP :
DoS
, .
. ,
. ,
.
MAC , ,
(. ). SIP , SIP .
REGISTER/INVITE
. IP
.
H.323, RRQ.
VoIP
. ,
, .
,
.
DoS - VoIP ,
.
VoIP .
SPIT. , SBC ,
, .
, ,
. 8-1
, .
8-1. NGN (Next Generation Network)
, . , BCE
3 (. , )
(IP) .
BCE 0 1, .
BCE :
BCE 3 ,
. 2 3
, , - .
, , ,
, .
BCE 2
, ,
, . , 2
. ,
(. DNS, TFTP, BOOTP, DHCP).
BCE 1 , NFS (
), (. Diameter), (. LDAP)
, 2 0. -
(HIDS NIDS) ,
NIDS 1 2
. BCE 1 SSL SRTP ,
.
BCE 0 , (. ,
..) ,
.
BCE, 0. 0 1
(AP-IDS , application intrusion detection),
BCE .
,
VoIP , . :
9.
, VoIP
,
. -
, VoIP
.
IEEE 802.1x ,
.
, ,
VoIP . , 802.1x
, . ,
, MAC .
, VoIP
VoIP ,
. VoIP
VoIP , . .
, .
.
,
, , ,
. ,
, VoIP ,
.
, VoIP .
,
. VoIP
, . / , , ,
.. , , , (.
, , ).
.
VoIP
, .
3DES
, , .
- DES.
3GPP
AES
ACL
ACK
"ACKnowledge", , ,
.
ARP
ASCII
ASP
ASN.1
Backdoor , .
BCE
BOOTP
BOTNET , .
CA
CAM
Content-Addressable Memory
CBC
CDR
CGI
Common Gateway Interface. . - Perl,
C++, Java, VBScript.
CID
Caller ID
CIS
IOS
CSRC
Checksum , .
DAI
DHCP
DDoS
DoS
Denial of Service
DH
Diffie-Hellman. .
, .
DTLS
DTMF
DNS
E.164
ITU-T , 16 .
ENUM
, IETF, IP , DNS.
FTP
Fuzzing
GCF
Gatekeeper Confirmation
GK
GateKeeper. H.323 ,
IP , ..
GKSP
GRQ
Gatekeeper Request
H.323
ITU-T, ,
-
HBA
HIDS
HTTP
IAX
ICMP
IDS
IETF
IP
Internet Protocol
IPSec
IP, .
IKE
IMS
iSCSI
ITU
Jitter
LEC
MAC
MD5
MGCP
MITM
MIKEY
NAT
NGN
NIDS
Network Intrusion Detection Systems. , ,
.
NTP
Packet burst , ,
.
PBX
POP
Point Of Presence. .
PSTN
PIN
PSAP
QoS
Quality of Service
RAT
RC2
Rivest Cipher
RFC
RPC
RRQ
Receive Request
RTP
SBC
SDP
SHA-1
SIP
SPIT
SS7
STB
Set-Top Box. - ,
. STB IP ,
, .
SCCP
SIPS
SIP Secure
SUN/Oracle.
SNMP
SSL
STUN
SYN
Syslog
TCP
TLS
Triple play , , .
TDM
Telnet
, .
TFTP
UA
User Agent. , .
UDP
URI
URL
VLAN
.
VoIP
Voice over IP
VPN
VSP
WWN
ZRTP
VoIP