1 Introduction
The Session Initiation Protocol (IETF RFC 3261) is designed to provide session management functions such as establishing, terminating and modifying multimedia sessions [1]. SIP is a simple text-based protocol similar to HTTP and follows the request/response model, which has made it a very popular protocol in VoIP system implementations. The H.323 protocol provides functions very similar to those of SIP, but SIP has the advantages of simplicity, extensibility and scalability [6].
SIP is widely used in building VoIP networks. Unlike traditional telephone networks, VoIP networks do not have a closed communication medium, which leaves that medium vulnerable to all kinds of attacks from intruders. Attacks on SIP systems can have severe consequences such as making the system unavailable for service, hijacking of information or user credentials, inappropriate billing and more. This paper introduces some of the common attacks that can happen on SIP systems and the ways to defend against them. Section 2 briefly describes the SIP architecture and the SIP security framework. Section 3 covers the various kinds of threats and attacks on SIP-based systems, such as flooding attacks, message flow attacks and parser attacks, and the ways to defend against them. Section 4 concludes the paper with some areas of focus for research and future work to reduce SIP vulnerabilities.
Defending against common attacks in SIP
2 SIP Overview
SIP was designed by the Internet Engineering Task Force (IETF) and is documented in RFC 3261, which obsoletes the earlier RFC 2543. SIP is a simple text-based application protocol used for creating, modifying and terminating multimedia sessions. SIP is not itself a complete multimedia system; it is combined with several other protocols to build one.
SIP is a signaling protocol and it defines the signaling interaction between the
following entities,
A typical SIP call setup is shown in figure 1. The setup has two participating UAs, intermediate proxies and a location server, and is also referred to as the "SIP trapezoid". A call can happen only after a UA registers with the SIP server. SIP registration is the process by which a UA registers its SIP address with the SIP registrar for its domain. A SIP address is a SIP URI written in the form name@domain.
Call setup starts by sending a SIP INVITE message; this message is sent by UA1, which is initiating a call to UA2. The INVITE message passes through a series of proxies to reach its final destination, UA2. The proxies make use of redirect and location servers to determine the next-hop information. When the INVITE message reaches UA2, UA1 receives a ringing indication. If UA2 accepts the call, an ACK message is sent to UA1 and the multimedia session is established according to the information in the SIP messages. The call is terminated by sending a BYE request; termination can be initiated by either UA1 or UA2.
Other important SIP methods are UPDATE and REFER. The UPDATE method is used by a client to update session-related parameters without affecting the ongoing dialog. In the REFER method the referrer provides the URI to be referenced; this method is used to enable services such as call transfer.
Depending on the services offered, the SIP architecture can also have several other components; they are
3.1.1 The "BYE" Attack (Teardown attack) This attack can be made by an intruder when SIP is used without authentication. The BYE message is used to terminate an established session. First the intruder obtains the session information by sniffing the communication medium, then deliberately inserts a BYE message to terminate the call, as shown in figure 2. This results in irregular behavior of the calls made by the user. The intruder can also make use of the BYE message to attack the SIP system and cause improper billing, by delaying the sending of the BYE message: after obtaining the session information the intruder acts as a man-in-the-middle, and when the legitimate user sends a BYE it drops or delays that message.
3.1.3 The "Re-INVITE" Attack Re-INVITE is used for modifying an existing session; the modification may involve changing or removing a media stream. This is done by sending an INVITE message within the same dialog. This kind of attack results in DoS or deteriorates the quality of the established session.
3.1.4 The "UPDATE" Attack The SIP UPDATE method [4] is similar to the Re-INVITE procedure; the only difference is that UPDATE happens before the dialog is established. The UPDATE method is used to negotiate QoS parameters or other session-related parameters. This attack results in DoS or deteriorates the quality of the session being established.
3.1.5 Registration Hijacking and Replay Attack This attack targets the legitimate user's registration with the registrar. The intruder spoofs the registration message and replaces the legitimate user's registration with his own address; as a result, calls coming for the UA are received by the intruder. The intruder can also capture the REGISTER message sent by the legitimate user to the registrar and replay it some time later to unregister the legitimate user. This is achieved by sending the expiry (Expires) field with the value 0 [7]. This kind of attack is called an unregister attack and results in DoS.
3.1.6 Measures to defend against Message Flow attacks The main cause of message flow attacks is the use of an inefficient authentication procedure, or none at all. Keeping the session-related information away from intruders is the main consideration. These kinds of attacks can be addressed by applying IPsec or TLS to SIP. All messages should use HTTP digest or TLS to preserve integrity and confidentiality. They can also be suppressed by implementing SIPS (SIP over TLS). There are many other proposals and ongoing research on how to prevent message flow attacks; one such proposal introduces a new Integrity Auth Header and claims to provide integrity and authenticity security services for SIP signaling [11].
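As an added illustration of the authentication these measures rely on (example code written for this edition, not from the paper or any SIP implementation), the Python sketch below shows the HTTP digest check a registrar or proxy applies to a BYE or REGISTER: a request carrying no credentials is dropped, and because each challenge nonce is accepted only once, the captured unregister message of section 3.1.5 (REGISTER with Expires: 0) fails when replayed. The user name, realm, password, nonce and message contents are constructed values.

```python
import hashlib
import re
def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    # RFC 2617 digest without qop: MD5(HA1:nonce:MD5(method:uri)), HA1 = MD5(user:realm:password)
    return md5hex(f"{ha1}:{nonce}:{md5hex(f'{method}:{uri}')}")

def parse_request(raw: str):
    # Returns (method, request-URI, headers) of a SIP request; header names are lower-cased
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, uri = lines[0].split(" ")[:2]
    headers = {n.strip().lower(): v.strip() for n, _, v in (ln.partition(":") for ln in lines[1:])}
    return method, uri, headers

class DigestVerifier:
    # Registrar/proxy side: HA1 per user plus the challenge nonces it issued and has not yet consumed
    def __init__(self, ha1_by_user: dict, issued_nonces: set):
        self.ha1, self.fresh = ha1_by_user, set(issued_nonces)

    def verify(self, raw: str) -> tuple:
        method, uri, h = parse_request(raw)
        auth = dict(re.findall(r'(\w+)="([^"]*)"', h.get("authorization", "")))
        if not auth:
            return False, "no credentials"           # an unauthenticated BYE/REGISTER is dropped
        if auth.get("nonce") not in self.fresh:
            return False, "stale or replayed nonce"  # a captured message cannot be replayed
        ha1 = self.ha1.get(auth.get("username"))
        expected = ha1 and digest_response(ha1, auth["nonce"], method, uri)
        if not expected or auth.get("uri") != uri or auth.get("response") != expected:
            return False, "bad credentials"
        self.fresh.discard(auth["nonce"])            # each nonce is single-use
        return True, "authenticated"

HA1, NONCE = md5hex("alice:example.com:s3cret"), "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # constructed
def unregister(auth: str = "") -> str:
    # Constructed REGISTER with Expires: 0, i.e. the unregister message of section 3.1.5
    return ("REGISTER sip:example.com SIP/2.0\r\nFrom: <sip:alice@example.com>;tag=1\r\n"
            "To: <sip:alice@example.com>\r\nCall-ID: c1@10.0.0.5\r\nCSeq: 2 REGISTER\r\n"
            "Expires: 0\r\n" + (f"Authorization: {auth}\r\n" if auth else "") + "\r\n")

def demo():
    v = DigestVerifier({"alice": HA1}, {NONCE})
    resp = digest_response(HA1, NONCE, "REGISTER", "sip:example.com")  # computed by alice's UA
    auth = f'Digest username="alice", realm="example.com", nonce="{NONCE}", uri="sip:example.com", response="{resp}"'
    genuine = v.verify(unregister(auth))   # alice's own unregister: accepted
    replayed = v.verify(unregister(auth))  # the same message captured and replayed later: rejected
    bare = v.verify(unregister())          # a forged unregister with no credentials: rejected
    return genuine[0], replayed[0], bare[0]
```

Digest authenticates the sender but does not encrypt the signaling, so the TLS/SIPS recommendation above still applies for confidentiality.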
eventually to crash the system. Flooding attacks mainly target the resources of the SIP system, such as memory, CPU and bandwidth, in order to crash the system. Flooding attacks result in DoS since they make the SIP system unavailable for service. Flooding attacks can be carried out against any component of the SIP system, and can also come from multiple sources at once; some of the flooding attacks are as follows:
3.3.2 SIP Proxy and UA flooding This attack targets the SIP proxy and the end-user terminal. As discussed earlier in this paper, SIP call setup begins by sending a SIP INVITE request to the end user via the proxy. In this attack the INVITE message is used to flood the SIP proxy and the end user. When an INVITE message is sent by a UA to establish a call, the proxy forwards it and maintains the state of the connection; the proxy has to maintain this connection state until the connection is terminated. The proxy forwards the INVITE message and waits for the connection to be established; after its timer expires it considers that the call cannot take place. The end user waits for the ACK message from the caller and retransmits its response message on timer expiry. Since the end user has accepted the connection, it maintains state for that connection. The attacker generates numerous INVITE messages without waiting for the response messages. This increases the processing load at the proxy and the end user, which eventually leads to their crash. The situation can be even worse when the attacker uses long INVITE messages padded with additional headers.
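The detector below is an added example (not from the paper or any SIP implementation) of how a proxy-side monitor could spot the pattern just described over constructed log lines: a source keeping many INVITE transactions open with no ACK, CANCEL or BYE inside the transaction timer window, and INVITEs padded with extra headers. The log format, the thresholds and the window length are assumptions.

```python
import re
from collections import defaultdict

# Constructed proxy log (not from the paper): seconds, source, method, Call-ID, message length in bytes
LOG = """\
0 10.0.0.5 INVITE c1@10.0.0.5 560
1 10.0.0.5 ACK c1@10.0.0.5 310
2 10.0.0.9 INVITE f1@10.0.0.9 560
2 10.0.0.9 INVITE f2@10.0.0.9 560
3 10.0.0.9 INVITE f3@10.0.0.9 3900
3 10.0.0.9 INVITE f4@10.0.0.9 560
4 10.0.0.9 INVITE f5@10.0.0.9 560
4 10.0.0.9 INVITE f6@10.0.0.9 560
40 10.0.0.5 INVITE c2@10.0.0.5 560
"""
LINE = re.compile(r"^(\d+) (\S+) (\w+) (\S+) (\d+)$")

class InviteFloodDetector:
    # Flags a source that keeps too many INVITE transactions open (no ACK, CANCEL or BYE) inside the
    # proxy's transaction timer window, and INVITEs padded with extra headers (oversized)
    def __init__(self, window: int = 32, max_pending: int = 4, max_len: int = 2048):
        # window defaults to 32 s, the 64*T1 INVITE transaction timeout of RFC 3261 (assumed thresholds)
        self.window, self.max_pending, self.max_len = window, max_pending, max_len
        self.pending = defaultdict(dict)   # source -> {Call-ID: time the INVITE arrived}

    def feed(self, line: str) -> list:
        m = LINE.match(line)
        if not m:
            return []
        t, src, method, call_id, size = m.groups()
        t, size, alerts = int(t), int(size), []
        if method == "INVITE":
            self.pending[src][call_id] = t
            if size > self.max_len:
                alerts.append(f"{src}: oversized INVITE ({size} bytes) for {call_id}")
        elif method in ("ACK", "CANCEL", "BYE"):
            self.pending[src].pop(call_id, None)   # transaction completed, proxy releases its state
        # forget transactions whose timer has expired: the proxy has already freed that state
        live = {c: t0 for c, t0 in self.pending[src].items() if t - t0 <= self.window}
        self.pending[src] = live
        if len(live) > self.max_pending:
            alerts.append(f"{src}: {len(live)} INVITEs pending without ACK within {self.window}s")
        return alerts

def scan(log: str = LOG) -> list:
    det = InviteFloodDetector()
    return [alert for line in log.splitlines() for alert in det.feed(line)]
```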
As discussed earlier, all the components of a SIP system are vulnerable to threats. In this section we discuss some of the threats to the DNS server and how they affect SIP operation.
3.4.1 DNS Packet spoofing DNS does not provide any encryption for the requests and responses exchanged between the DNS server and the client, so attacks are much simpler in this medium. An intruder who can observe the DNS packets has a fair chance of eavesdropping on them and spoofing a packet with erroneous data; as a result the intruder successfully delivers a wrong resolved IP address for the SIP address. The intruder can also spoof the source address of the DNS query reply, which makes the client drop the packet when it arrives. These kinds of attacks result in DoS and DNS cache poisoning. The attacker can also flood the DNS server with queries: the attacker first gains credentials and starts communicating with the DNS server, then floods it with numerous malformed requests, so that the DNS server is no longer able to service the requests of legitimate clients.
3.4.2 Defending against DNS attacks Some of the ways to defend against DNS attacks are:
◦ The DNS lookup should be made non-blocking, so that the SIP proxy is not blocked until it receives the DNS response; the proxy stores the information and starts processing the next message in the queue.
◦ A non-blocking cache design with cache replacement policies.
◦ A threshold in the SIP proxy for issuing DNS queries.
Spam is defined as unsolicited messages sent for commercial marketing purposes [5]. Spam in SIP takes three forms:
◦ Call Spam - unsolicited calls made by the spammer. This is the usual method used by telemarketers.
◦ IM Spam - unsolicited instant messages sent by the spammer, containing the information the spammer wants to convey.
◦ Presence Spam - unsolicited presence (SUBSCRIBE) requests sent by the spammer to initiate other forms of communication.
Spam in SIP has not yet become as big a problem as e-mail spam, but there is a pressing need to control spam in SIP before it wreaks havoc.
3.5.1 Defending against Spam RFC 5039 [5] specifies several ways to control spamming attacks. They are as follows:
◦ Content filtering - Content filtering analyses the content of the message and filters it according to rules. This method can be used against IM spam.
◦ Identity-based filtering - This method uses the identity of the sender as the deciding factor for filtering, and decides according to rules whether to block or accept the communication. Some of the mechanisms are blacklists, whitelists and reputation-based lists.
◦ Interactive methods - Interactive methods for defending against spam make human presence mandatory; they use simple puzzle solving and other techniques.
◦ Preventive methods - These take preventive measures against spam. Generally spammers harvest addresses from websites and other sources. To protect a SIP address it can be embedded in an image, or provided only after an interactive method; another way is to use temporary addresses and aliases for your address.
4 Conclusion
In this paper we discussed some of the common attacks that are possible on SIP systems. There are more types of attacks possible on SIP systems, such as various kinds of DoS and distributed DoS attacks, which are very destructive as well. A number of research papers are available on these kinds of attacks and how to defend against them, but there is no common or end-to-end framework for securing communication in SIP systems. This makes defending against threats a difficult job. Deployed SIP systems make use of various test tools, such as VoIP vulnerability scanners, the SIP Forum test framework, the PROTOS suite, the SIP Swiss Army Knife and others, to test the existing system for vulnerabilities, and also make use of many intrusion detection systems and commercial enterprise solutions to secure communication. SIP has gained much popularity and is used by both 3GPP and NGNs (Next Generation Networks); as a result, a good mechanism is required to provide confidentiality, integrity, AAA services and privacy.
References
1. J. Rosenberg, H. Schulzrinne, G. Camarillo, A. Johnston, J. Peterson, R. Sparks, M. Handley and E. Schooler, Session Initiation Protocol, RFC 3261, June 2002.
2. J. Arkko, V. Torvinen, G. Camarillo, A. Niemi and T. Haukka, Security Mechanism Agreement for the Session Initiation Protocol, RFC 3329, January 2003.
3. R. Sparks, The Session Initiation Protocol (SIP) Refer Method, RFC 3515, April 2003.
4. J. Rosenberg, The Session Initiation Protocol (SIP) UPDATE Method, RFC 3311, September 2002.
5. J. Rosenberg and C. Jennings, The Session Initiation Protocol (SIP) and Spam, RFC 5039, January 2008.
6. H. Schulzrinne and J. Rosenberg, A Comparison of SIP and H.323 for Internet Telephony, Proc. International Workshop on Network and Operating System Support for Digital Audio and Video (NOSSDAV), pp. 83-86.
7. A. Bremler-Barr and R. Halachmi-Bekel, Unregister attacks in SIP, IEEE 2nd Workshop on Secure Network Protocols 2006, Santa Barbara, CA, November 2006.
8. Xianglin Deng and M. Shore, Advanced Flooding Attack on a SIP Server, IEEE ARES '09 International Conference, 2009.
9. El Sawda and P. Urien, SIP Security Attacks and Solutions: A state-of-the-art review, IEEE Information and Communication Technologies (ICTTA '06), 2006.