Revision History
Version: 520-0052-00
Author: Patrick Manor
Description of Changes: Initial Release
Date Revision Completed: 01-24-2011
Abstract
The use of the RFC 2119 keywords is an attempt to assign the correct requirement levels ("MUST",
"SHOULD", "MAY", etc.).
Distributed Denial of Service (DDoS) attacks are a legitimate threat to Voice over IP (VoIP) networks and
may severely impact the stability and performance of unprotected VoIP networks. These attacks may or may
not be malicious; however, they should not adversely affect the operation of current trusted users. SIPVicious
is a free suite of tools which can be used to audit SIP networks. The suite consists of tools to find SIP
devices, identify extensions of SIP PBXs, and crack passwords used in authentication. Although it is meant
as a tool to help network administrators verify the security of their networks, it can also be used maliciously
to either steal VoIP services or to render VoIP devices useless by consuming processing resources. Ideally,
the SD should drop all SIP messages from the offending IP address and not use CPU resources processing
these messages.
This document outlines configuration recommendations to be employed on the Acme Packet Session
Director (SD) to reduce the negative effects of these tools when targeting the SD. These configuration
techniques will reduce the impact of these attacks and help maintain a high level of service for legitimate,
trusted users.
Best Current Practices should be used when either (a) deploying a new SD, or (b) updating existing
configuration implemented before this document was available. When in conflict with Customer
requirements or desires, the Customer's preference SHOULD take precedence.
Applicability
This document is applicable to NN3000 and NN4000 Session Directors.
SIPVicious Protection
January 2011
Contents
1 Introduction ... 3
1.1 Overview ... 3
1.2 Intended Audience ... 3
2 SIPVicious Protection ... 4
2.1 Goals ... 4
2.2 SIPVicious Friendly-Scanner Attacks ... 4
3 Recommendations ... 5
3.1 Access Environments ... 5
3.1.1 SIP Manipulation Rule ... 6
3.1.2 Deny Offending User using DDoS Configuration ... 9
3.2 Peering Environments ... 11
4 Normative References ... 12
5 Author's Address ... 13
6 Disclaimer ... 14
7 Full Copyright Statement ... 15
SD: Session Director
VoIP: Voice over IP
HA: High Availability
BCP: Best Current Practice
HMR: Header Manipulation Rule
ACL: Access Control List
520-0052-00
Page 2 of 15
1 Introduction
1.1 Overview
This document is designed to provide configuration recommendations to combat possible malicious attacks
by the test suite SIPVicious or similar SIP tools. Several methods will be discussed as not all solutions may
be acceptable in all customer environments. The goal is to drop all packets from these devices without
responding. This is not possible in all cases, but configurations will be recommended to reduce the impact of
a SIPVicious attack on CPU resources and allow uninterrupted service to known trusted endpoints.
1.2 Intended Audience
This document is intended for use by Acme Packet Systems Engineers, third party Systems Integrators, and
end users of the Session Director. It assumes that the reader is familiar with basic operations of the Session
Director, and has attended the following training course(s) (or has equivalent experience):
EDU-CAB-C-CLI: Net-Net 3000/4000 Configuration Basics
EDU-ADV-OE: Net-Net Advanced Configuration
2 SIPVicious Protection
2.1 Goals
Provide configuration recommendations which will drop all SIPVicious friendly-scanner
messages without responding to the sender.
Provide configuration recommendations that will limit similar SIP Registration attacks that
cannot be identified as a SIPVicious scan.
It is not a goal to provide actual parameter values for DDoS configuration in this document,
only to illustrate which parameters should be modified.
2.2 SIPVicious Friendly-Scanner Attacks
SIPVicious is a free suite that provides tools to scan IP addresses looking for SIP devices, help identify
active PBX extensions, as well as provide a mechanism to crack passwords for SIP PBX users.
For this document, we will focus on the svcrack tool which floods a high rate of SIP registrations to the SD.
This is sometimes referred to as the friendly-scanner attack as the tool populates its User-Agent header
field with friendly-scanner. svcrack sends many SIP registrations with various credentials to try to
determine the password for a particular user. This tool creates a large amount of untrusted traffic which is
sent to the SD and can consume all CPU resources if DDoS settings are not correctly configured. The SD
will also process and forward these SIP registrations at a high rate to SIP registrars. Ideally, the SD would
drop these packets and not respond to the endpoints running these scans.
While the SIPVicious scans use friendly-scanner as the default User-Agent header, more and more
instances of similar attacks using different non-identifying User-Agent names are being seen. To handle
these attacks, DDoS configuration on the SD to limit the level of untrusted traffic allowed and to deny service to
endpoints making these attacks must be implemented.
The recommendations in the next section will include a method to drop any message with the User-Agent
friendly-scanner, as well as a configuration method that will help reduce untrusted traffic and deny offending
endpoints.
3 Recommendations
3.1 Access Environments
In this document, we will focus mostly on SIP Access environments, as this issue should not be as prevalent
in SIP Peering environments.
The first method involves using configuration, including SIP manipulation rules, to drop all messages
received from a friendly-scanner without responding to the sender. This method will be successful in the
scenario where the content of the User-Agent SIP header field is the string friendly-scanner.
However, as noted, it is becoming more prevalent that the User-Agent header is being modified from
friendly-scanner to a more generic name such as User-Agent: Asterisk PBX. This means an attack
cannot be identified by only looking at this header. For these cases, a more intensive DDoS configuration is
required to limit the amount of untrusted bandwidth that can be consumed by these attacks, as well as deny
messages from offending endpoints after a certain threshold has been exceeded. A solution for this scenario
will be discussed below.
A general recommendation is to configure DDoS protection on the SD. Basic DDoS configuration settings
are outlined in the Denial of Service Configuration Guidelines BCP [1] and the Basic DDoS Configuration for
SIP Access Environments BCP [2]. However, for the best DDoS protection, the configuration should be
customized based on the customer environment.
Below is the Access test network used to test the recommendations suggested in the next section.
[Figure: Access test network. Elements shown: a SIPVicious host, a Registrar, the SD HA pair (M00 and M10, each with NI .100, SIP .100, GW .1), the networks 172.16.101.0/24, 197.168.11.0/24, 192.168.12.0/24, 172.16.124.0/24 and 172.16.125.0/24, and the access endpoints polycom-video-2 (555-0909), tandberg-video-1 (555-0505), polycom-video-3 (555-1010) and polycom-sip-6 (555-3131).]
3.1.1 SIP Manipulation Rule
[Figure: Message flow for the SIP manipulation rule. A REGISTER with User-Agent: friendly-scanner arrives on the Access Realm SIP Interface. The inbound SIP Manipulation Rule (if User-Agent: friendly-scanner) adds a Route header to the dummy address; the message is routed via the Core Realm to the dummy Session Agent (hostname 10.12.13.14, state disabled, local-response-map 503Rogue). Because the Session Agent is disabled, it creates a 503 response, which the response map turns into 677; the SIP Interface option dropResponse=677 drops all 677 responses.]
Elements of Configuration:
Inbound SIP Manipulation Rule:
An inbound SIP Manipulation Rule needs to be created to modify any messages that contain a User-Agent
header of friendly-scanner. The manipulation rule will add a Route header to a dummy Session Agent to
all messages with a User-Agent header that starts with friend. This manipulation will allow the resulting
message to be routed to a dummy Session Agent which will respond with a 503.
sip-manipulation
        name                           addRouteHdr
        description
        split-headers
        join-headers
        header-rule
                name                   isScanner
                header-name            User-Agent
                action                 store
                comparison-type        pattern-rule
                msg-type               any
                methods
                match-value            ^friend.*
                new-value
        header-rule
                name                   addNullRoute
                header-name            Route
                action                 add
                comparison-type        boolean
                msg-type               request
                methods
                match-value            $isScanner.$0
                new-value              "<sip:10.12.13.14;lr>"
        last-modified-by               admin@172.41.1.64
        last-modified-date             2010-12-09 06:41:03
The access realm-config must also be modified to assign the SIP manipulation rule defined above to be
an inbound manipulation.
realm-config
        identifier                     access
        description                    Serving all access endpoints
        ...
        in-translationid
        out-translationid
        in-manipulationid              addRouteHdr
        ...
Session Agent:
A dummy Session Agent needs to be created with the state disabled. This is important so that a 503
response will be sent to any request sent to this Session Agent. The 503 response will then be mapped to a
new response code that can be easily dropped. To accomplish this, a SIP Response Mapping is created to
map any 503 from this Session Agent to a bogus 677 code. Any 677 responses can then be dropped at the
SIP Interface level without dropping any actual 503 responses. The SIP Response Mapping must be
assigned in the Session Agent as seen below.
session-agent
        hostname                       10.12.13.14
        ip-address
        port                           5060
        state                          disabled
        app-protocol                   SIP
        app-type
        transport-method               UDP
        realm-id                       *
        ...
        local-response-map             503Rogue
        ...
        last-modified-by               admin@console
        last-modified-date             2010-12-03 00:57:50

SIP Response Mapping 503Rogue: 503 -> 677 (Rogue)
SIP Interface:
All SIP interfaces that receive messages from a SIPVicious friendly-scanner require the option
dropResponse=677 to drop all 677 responses received from the dummy Session Agent.
sip-interface
        state                          enabled
        realm-id                       access
        ...
        options                        dropResponse=677
        ...
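The following Python model of the complete 3.1.1 flow (inbound HMR, disabled Session Agent, 503Rogue mapping, dropResponse=677) is an added example and not Acme Packet code or SD behaviour; the SIP messages are constructed, and the match and routing logic is a simplification of what the ACLI configuration above does.

```python
import re

DUMMY_AGENT = "10.12.13.14"   # disabled dummy Session Agent from the BCP
ROGUE_CODE = 677              # bogus code the 503Rogue response map produces

# Constructed sample messages (not captured from the BCP's test network).
SCANNER_REGISTER = (
    "REGISTER sip:172.16.124.1 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 172.16.101.61:5060;branch=z9hG4bK-1\r\n"
    "From: <sip:100@172.16.124.1>;tag=1\r\n"
    "To: <sip:100@172.16.124.1>\r\n"
    "User-Agent: friendly-scanner\r\n"
    "Content-Length: 0\r\n\r\n"
)
PHONE_REGISTER = SCANNER_REGISTER.replace("friendly-scanner", "Polycom VVX")
REAL_503 = "SIP/2.0 503 Service Unavailable\r\nUser-Agent: friendly-scanner\r\n\r\n"

def parse(msg):
    """Split a SIP message into its start line and a list of (name, value)."""
    start, _, rest = msg.partition("\r\n")
    headers = []
    for line in rest.split("\r\n"):
        if not line:
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return start, headers

def add_route_hdr(start, headers):
    """Model of the inbound HMR addRouteHdr: rule isScanner stores a
    User-Agent match on ^friend.*; rule addNullRoute adds a Route header
    to requests only ($isScanner.$0 is true when the store matched)."""
    is_scanner = any(name.lower() == "user-agent" and re.match(r"^friend.*", value)
                     for name, value in headers)
    if is_scanner and not start.startswith("SIP/2.0"):
        headers = [("Route", f"<sip:{DUMMY_AGENT};lr>")] + headers
    return headers

def process(msg):
    """Return 'forwarded', or 'dropped' when the request was routed to the
    disabled Session Agent, whose 503 was mapped to 677 and then discarded
    by the SIP interface option dropResponse=677."""
    start, headers = parse(msg)
    headers = add_route_hdr(start, headers)
    route = next((v for n, v in headers if n == "Route"), "")
    if DUMMY_AGENT in route:
        status = 503                                       # disabled agent answers 503
        status = ROGUE_CODE if status == 503 else status   # local-response-map 503Rogue
        return "dropped" if status == ROGUE_CODE else "forwarded"
    return "forwarded"                                     # genuine 503s are untouched
```

Note that a real 503 response carrying the scanner User-Agent is not dropped, because the addNullRoute rule applies to requests only and dropResponse acts on 677, not 503.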
3.1.2 Deny Offending User using DDoS Configuration
realm-config
        identifier                     access
        description                    Serving all access endpoints
        ...
        access-control-trust-level     low
        invalid-signal-threshold       1
        maximum-signal-threshold       4000
        untrusted-signal-threshold     5
        nat-trust-threshold            0
        deny-period                    120
        ...
The following are media-manager configurations taken from the Basic DDoS Configuration for SIP Access
Environments BCP [2]. These values are for a NN4500 with CPU-1. The max-untrusted-signaling
parameter will limit the amount of untrusted traffic the SD will process.
media-manager
        state                          enabled
        ...
        max-signaling-bandwidth        1152580
        max-untrusted-signaling        14
        min-untrusted-signaling        13
        app-signaling-bandwidth        0
        tolerance-window               30
        ...
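To show how the realm-config thresholds above interact with the media-manager tolerance-window, here is an added simplified Python model of per-endpoint signaling limits; it is not SD code, the exact SD accounting differs, and the event timelines are constructed.

```python
from collections import defaultdict, deque

# Values copied from the BCP's access realm-config and media-manager.
REALM = {"untrusted-signal-threshold": 5, "maximum-signal-threshold": 4000,
         "deny-period": 120}
TOLERANCE_WINDOW = 30   # seconds

class RealmGuard:
    """Simplified model (assumption, not SD code): an untrusted source that
    exceeds untrusted-signal-threshold messages inside one tolerance-window
    is denied for deny-period seconds; trusted sources (static ACL or
    promoted) are measured against maximum-signal-threshold instead."""
    def __init__(self, realm=REALM, window=TOLERANCE_WINDOW):
        self.realm, self.window = realm, window
        self.seen = defaultdict(deque)   # ip -> message timestamps in window
        self.deny_until = {}             # ip -> time the deny-period expires
        self.trusted = set()

    def admit(self, ip, now):
        """Return 'permit' or 'deny' for one message from ip at time now."""
        if self.deny_until.get(ip, -1.0) > now:
            return "deny"                # still inside deny-period
        recent = self.seen[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()             # forget messages outside the window
        limit = (self.realm["maximum-signal-threshold"] if ip in self.trusted
                 else self.realm["untrusted-signal-threshold"])
        if len(recent) > limit:
            self.deny_until[ip] = now + self.realm["deny-period"]
            recent.clear()
            return "deny"
        return "permit"

def simulate(events, guard=None):
    """events: constructed (time, ip) tuples; returns the list of decisions."""
    if guard is None:
        guard = RealmGuard()
    return [guard.admit(ip, t) for t, ip in events]

# Constructed svcrack-like burst from one untrusted host (8 REGISTERs in
# under a second) next to a legitimate phone registering once per window.
FLOOD = [(t * 0.1, "172.16.101.61") for t in range(8)]
PHONE = [(0.5, "172.16.124.31"), (35.0, "172.16.124.31")]
```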
3.2 Peering Environments
As noted earlier, this document will not focus much on SIPVicious attacks in SIP Peering Environments. In
these environments it is recommended to create static ACLs with a trust-level of high for all trusted peers.
The realm-config access-control-trust-level should also be set to high so that all traffic from
any endpoint that does not have an ACL will be denied.
realm-config
        identifier                     peer
        description
        ...
        access-control-trust-level     high
        ...

access-control
        realm-id                       peer
        description
        source-address                 172.16.101.6
        destination-address            197.168.11.100
        application-protocol
        transport-protocol             ALL
        access                         permit
        average-rate-limit             0
        trust-level                    high
4 Normative References
[1] Acme Packet, BCP Denial of Service Configuration Guidelines, 520-0015-00, Jul 2006.
[2] Acme Packet, BCP Basic DDoS Configuration for SIP Access Environments, 520-0051-00, Jan 2011.
5 Author's Address
Patrick Manor
Acme Packet, Inc.
100 Crosby Dr
Bedford, MA 01730
email: pmanor@acmepacket.com
6 Disclaimer
The content in this document is for informational purposes only and is subject to change by Acme Packet
without notice. While reasonable efforts have been made in the preparation of this publication to assure its
accuracy, Acme Packet assumes no liability resulting from technical or editorial errors or omissions, or for
any damages resulting from the use of this information. Unless specifically included in a written agreement
with Acme Packet, Acme Packet has no obligation to develop or deliver any future release or upgrade or any
feature, enhancement or function.
7 Full Copyright Statement
Copyright © Acme Packet (2010). All rights reserved. Acme Packet, Session-Aware Networking, Net-Net
and related marks are trademarks of Acme Packet. All other brand names are trademarks or registered
trademarks of their respective companies.
This document and translations of it may be copied and furnished to others, and derivative works that
comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice,
disclaimer, and this paragraph are included on all such copies and derivative works. However, this document
itself may not be modified in any way, such as by removing the copyright notice or references to Acme
Packet or other referenced organizations, except as needed for the purpose of developing open standards.
The limited permissions granted above are perpetual and will not be revoked by Acme Packet or its
successors or assigns.
This document and the information contained herein are provided on an AS IS basis and ACME PACKET
DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY
WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR
ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.