Session Initiation Protocol (SIP)

Features of SIP
• SIP is a lightweight, transport-independent, text-based protocol. SIP has the following features:
• Lightweight, in that SIP has only four methods, reducing complexity
• Transport-independent, because SIP can be used with UDP, TCP, ATM and so on
• Text-based, allowing for low overhead
• SIP is primarily used for VoIP calls

Functions of SIP
• Location of an end point
• Signal of a desire to communicate
• Negotiation of session parameters to establish the session
• And teardown of the session once established

How SIP works
• SIP user agents: devices such as cell phones and PCs. They initiate messages.
• SIP registrar servers: databases containing user agent locations; they send the agents' IP address information to SIP proxy servers.
• SIP proxy servers: accept session requests made by a UA and query the SIP registrar server to find the recipient UA's address.
• SIP redirect servers: they help with communicating outside the domain.

Continued..
• Our user A tries to call user B (1)
• The domain's SIP proxy server now queries the registrar server in the same domain to learn user B's address (2)
• The registrar responds with the address (3)
• The SIP proxy server calls B (4)
• User B responds to the SIP proxy (5)
• The SIP proxy answers user A (6)
• The multimedia session is now established over the RTP protocol (7)

More about SIP..
• SIP relies on the SDP and RTP protocols
• A SIP proxy is a server in a SIP-based IP telephony environment
• The SIP proxy takes over call control from the terminals and serves as a central repository for address translation (name to IP address)

SIP Advantages
• SIP is based on HTTP and MIME, which makes it suitable for integrated voice-data applications
• SIP is designed for real-time transmission

SIP Advantages
• Uses fewer resources
• Is less complex than the H.323 protocol
• SIP uses URLs and is human readable

SIP Disadvantages
• First one: SIP messages contain information that the client and/or server would like to keep private, but SIP headers and messages travel in the open, and the distributed architecture of VoIP systems makes it difficult to keep this information confidential.
• I will talk about a technique to address it later…

Registration hijacking
• When a SIP user is registering with the SIP registrar server, the attacker can hijack the registration:
  1. By disabling the legitimate user's registration using a DOS attack on the user's machine
  2. By sending a REGISTER request with the attacker's IP address instead of the legitimate user's
• The attacker changes the Contact header information, putting its own IP in place of the original user's

Registration hijacking
• This leads to the attacker getting the SIP messages intended for our original user, a clearly undesirable condition
• Two main reasons for this attack are: SIP messages being sent in the clear, and no SIP message authentication built into the protocol
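
A registrar-side check for the Contact replacement described above, as an added example that is not part of the original slides: it parses REGISTER messages and reports any address-of-record whose Contact host changes while the earlier binding is still valid. The capture, addresses and function names are constructed for illustration, and only the long header names are handled.

```python
import re

def _reg(aor, contact, extra=""):
    """Build one constructed REGISTER message for the sample capture."""
    return (f"REGISTER sip:example.com SIP/2.0\r\nTo: <sip:{aor}>\r\n"
            f"Contact: <sip:{contact}>\r\nExpires: 3600\r\n{extra}\r\n")

# Constructed sample capture: (seconds, packet source IP, raw SIP message).
SAMPLE = [
    (0,    "192.0.2.10",   _reg("bob@example.com", "bob@192.0.2.10:5060")),
    (10,   "192.0.2.20",   _reg("alice@example.com", "alice@192.0.2.20:5060")),
    (1800, "192.0.2.10",   _reg("bob@example.com", "bob@192.0.2.10:5060")),
    (1900, "203.0.113.66", _reg("bob@example.com", "bob@203.0.113.66:5060")),
    (4000, "192.0.2.30",   _reg("alice@example.com", "alice@192.0.2.30:5060")),
]

def parse_register(raw):
    """Return (aor, contact_host, expires, has_auth), or None if not a REGISTER."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    if not head[0].startswith("REGISTER "):
        return None
    hdrs = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    aor = re.search(r"sip:([^>;\s]+)", hdrs.get("to", ""))
    contact = re.search(r"sip:(?:[^@>]+@)?([^:;>\s]+)", hdrs.get("contact", ""))
    if not (aor and contact):
        return None
    return (aor.group(1), contact.group(1),
            int(hdrs.get("expires", "3600")), "authorization" in hdrs)

def find_contact_changes(events):
    """Flag a new Contact host for an AOR whose earlier binding has not expired."""
    bindings, alerts = {}, []          # bindings: aor -> (contact_host, expiry)
    for ts, src, raw in events:
        reg = parse_register(raw)
        if reg is None:
            continue
        aor, host, expires, has_auth = reg
        old = bindings.get(aor)
        if old and old[1] > ts and old[0] != host:
            alerts.append({"time": ts, "aor": aor, "old": old[0], "new": host,
                           "source": src, "authenticated": has_auth})
        bindings[aor] = (host, ts + expires)
    return alerts
```

A legitimate client that moves networks also triggers this check, so the `authenticated` field is what separates a roaming user from an unauthenticated replacement.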

Eavesdropping
• Eavesdropping is a big problem for SIP-based VoIP traffic. Many internet tools, like Ethereal, can do it

Eavesdropping: how Ethereal works
• Eavesdropping in VoIP requires intercepting the signaling and associated media streams of a conversation
• Media streams typically are carried over UDP using RTP

How Ethereal works
• Capture and decode RTP packets
• Analyzing the session: here we reassemble the packets
• We store this data in audio files (like .wav, .au)

Some remedies….
• IPSEC security for IP packets can be one solution
• A more common solution is to use Ethernet switches to restrict broadcasting data to all and sundry on the network.

Spoofing
• Spoofing is another issue, where someone can pose as a user and get unauthorized access
• Address authentication between callers, built into the underlying transport protocols, can resolve this

DOS
• Denial of service can be caused if the proxy/registrar servers are somehow flooded
• The solution lies in configuring servers to tackle this problem in their configuration settings

SIP Security Mechanisms
• IPSEC is another way to protect IP packets: the secure encryption makes them safe from unauthorized access/modification
• So, with shared keys between parties, IPSEC can provide the secure path for communication between SIP partners

TLS
• TLS is another answer for security here: networked parties can share their certificates during the handshake, and these can be used for the secure transfer later.
• It is widely in use in the wired internet market
• TLS lies below FTP (ALP) but above TCP, thus obviating the need for TCP header encryption.

Session Border Controller for SIP
• A firewall typically helps a simple browser request by ensuring that only the requested content gets transferred back to the browser and no other information. This is not so in a typical VoIP transfer using SIP, where there are two holes in the firewall for public access: one for signaling and the other for media packets.
• Also, a firewall between, say, two LANs connected via the internet will otherwise reject the other LAN's traffic, thinking it malicious.

SBC
• With these addresses on the public side of the firewall, IP-address-based attacks become a real possibility
• The SBC works by making all communication, even the incoming, work outwards for media and signaling

SBC
• When our client starts, it registers with the registration server. The SBC now takes over the function of a PO Box: an incoming party knows your PO Box address, but only your PO Box (your SBC) knows your real IP address.
• So, primarily, for both signaling and media exchange the SBC acts as the bridge between the outside client and us.

SBC
• The SBC allows signaling and media connections to be dynamically opened and outbound connected.
• The SBC hides your real IP and polices the signaling and media connections.

SIP Denial of Service
• DOS attacks are based on exhausting some server response and thus rendering it incapable of some or all functionality
• A SIP server copies each incoming request into its internal buffers

Types of SIP servers (proxy server)
• Stateless servers: they just keep a copy of a message while it is being sent out, then delete it.
• Stateful servers: in general, we can distinguish between two types of state in SIP:
  • Transaction state: a transaction-stateful server stores a copy of the received request as well as the forwarded request
  • Session state: in certain cases servers need to maintain some information about the session throughout the lifetime of the session.

Continued…
• Regardless, the server will need to maintain the buffered data while contacting another entity, like an authentication, authorization, and accounting (AAA) server or a Domain Name Service (DNS) server

CPU based DOS
• When a SIP message is received, the SIP server needs to parse the message, do some processing (e.g., authentication) and forward the message
• Though the server CPU is high speed, a lot of parallel load and the resource depletion that follows can still cause server blocking and other malfunctions, causing a DOS

Bandwidth based DOS
• Sometimes the access links connecting a SIP server are so overloaded as to cause congestion losses
• So SIP messages get lost, causing further delay, and at least a transient DOS occurs
• DOS attacks can occur both with and without malicious intent. SIP and its supporting transport protocols both need protection and safeguarding from attack.

DOS based on Memory exhaustion
• A stateful server is an easy target for flooding with many requests for different transactions.
• Memory-based exploitation has two basic types: initiating a number of SIP sessions with different SIP identities, and broken session attacks, where a receiver gets an INVITE but then no response from the initiator. Many such pending INVITEs can cause memory exhaustion

Some Countermeasures
• Just as for a web or email server, make a list of suspected users and blacklist them
• Using authentication strategies is also preferable, but more CPU resources are needed to tighten these security problems
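
One way to combine the blacklist above with a bound on the pending-INVITE state that the memory-exhaustion slide describes, as an added example that is not from the original slides: the table drops transaction state after a timeout, caps the number of pending INVITEs per source, and blacklists a source that keeps hitting the cap. The class name, the limits and the choice to key on source IP are assumptions.

```python
class InviteTable:
    """Bounded table of INVITE transactions that are still waiting to complete."""

    def __init__(self, per_source=3, timeout=32.0, strikes_to_block=2):
        self.per_source = per_source          # assumed cap on pending INVITEs per source
        self.timeout = timeout                # assumed seconds before state is dropped
        self.strikes_to_block = strikes_to_block
        self.pending = {}                     # call_id -> (source, deadline)
        self.strikes = {}                     # source -> times the cap was hit
        self.blacklist = set()

    def _expire(self, now):
        """Drop the state of transactions whose deadline has passed."""
        for call_id in [c for c, (_, dl) in self.pending.items() if dl <= now]:
            del self.pending[call_id]

    def on_invite(self, now, source, call_id):
        """Return 'accepted', 'rejected' or 'blacklisted' for a new INVITE."""
        if source in self.blacklist:
            return "blacklisted"
        self._expire(now)
        held = sum(1 for s, _ in self.pending.values() if s == source)
        if held >= self.per_source:
            self.strikes[source] = self.strikes.get(source, 0) + 1
            if self.strikes[source] >= self.strikes_to_block:
                self.blacklist.add(source)
                # Release everything the blocked source was holding.
                self.pending = {c: v for c, v in self.pending.items()
                                if v[0] != source}
                return "blacklisted"
            return "rejected"
        self.pending[call_id] = (source, now + self.timeout)
        return "accepted"

    def on_complete(self, call_id):
        """The session was set up or cancelled: release its state."""
        self.pending.pop(call_id, None)

def replay(events, table):
    """Feed constructed (time, source, call_id) INVITE events through the table."""
    return [table.on_invite(t, src, cid) for t, src, cid in events]
```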

Continued..
• Also, having the SIP proxy server and application servers on the same hardware can really slow down the response time. The SIP proxy may need some other server's service, and this can sometimes cause other requests to be suspended
• Having dedicated hardware for servers is important

Continued..
• The first line of defense against DOS is having a high-speed CPU, big efficient memory and many access links
• Clean memory allocation and parsing schemes are equally important
• Parallel processing can lead to many requests being served simultaneously, with parallel execution of message parsing and forwarding of messages.

Challenges…
• The text-based nature of SIP renders it vulnerable to spoofing, hijacking and message tampering
• SIP utilizes transport layer protocols like TCP and UDP, so it is vulnerable to their set of attacks too; for TCP, for example, SYN flood and TCP session hijacking
• For SIP software, viruses/bugs are also an issue, which can be dealt with by using antivirus software

SIP Security Mechanism
• The SIP specification does not include any specific security mechanism but relies on other internet security mechanisms like HTTPS Digest, TLS, and IPSEC.

How this authentication works
SIP authentication works this way:
• The SIP client sends a SIP INVITE, which gets answered by a 407 reply, which is the authenticator from the SIP proxy server.
• The client now uses this authenticator to create the information for its new header
• With this new header attached, it sends a REINVITE back to the proxy server
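
The challenge and response steps above, worked through with the digest computation from RFC 2617 (without qop) as an added example that is not from the original slides: the proxy issues a nonce with the 407, the client derives the response value for its new header, and the proxy recomputes and compares it. The realm, the credential store and all names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

REALM = "example.com"                     # assumed realm
USERS = {"alice": "correct horse"}        # constructed credential store

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, password, realm, nonce, method, uri):
    """RFC 2617 digest without qop: MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def client_answer(user, password, challenge, method, uri):
    """Fields the client puts in Proxy-Authorization on the repeated request."""
    return {"username": user, "realm": challenge["realm"],
            "nonce": challenge["nonce"], "uri": uri,
            "response": digest_response(user, password, challenge["realm"],
                                        challenge["nonce"], method, uri)}

class Proxy:
    def __init__(self):
        self.issued = set()               # nonces sent in a 407 and not yet used

    def challenge(self):
        """Fields of the Proxy-Authenticate header carried by the 407 reply."""
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return {"realm": REALM, "nonce": nonce}

    def verify(self, method, creds):
        """Recompute the digest for the repeated request and compare."""
        user, nonce = creds["username"], creds["nonce"]
        if user not in USERS or creds["realm"] != REALM or nonce not in self.issued:
            return False
        self.issued.discard(nonce)        # single use: a captured header cannot be replayed
        expected = digest_response(user, USERS[user], REALM, nonce,
                                   method, creds["uri"])
        return hmac.compare_digest(expected, creds["response"])
```

The digest proves knowledge of the password and binds the method and request URI, but it does not cover the Contact header or the message body and it encrypts nothing, which is why it is paired with TLS or IPSEC.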

Continued..
• IPSEC is another way to protect IP packets: the secure encryption makes them safe from unauthorized access/modification
• So, in one traditional way, with shared keys between communicating parties, IPSEC can provide the secure path for communication between SIP partners