Denial of Service on SIP VoIP Infrastructures Using DNS Flooding: Attack Scenario and Countermeasures. Ge Zhang, Sven Ehlert, Thomas Magedanz and Dorgham Sisalem, Fraunhofer Institute FOKUS


Page 1: Denial of Service on SIP VoIP Infrastructures Using DNS Flooding Attack Scenario and Countermeasures Ge Zhang, Sven Ehlert, Thomas Magedanz and Dorgham

Denial of Service on SIP VoIP Infrastructures Using DNS Flooding
Attack Scenario and Countermeasures
Ge Zhang, Sven Ehlert, Thomas Magedanz and Dorgham Sisalem
Fraunhofer Institute FOKUS

Page 2: Outline

Background: DNS usage in SIP network
Vulnerability and Attack
Experiment Test bed
Previous Limited Solutions
Cache Solution
Conclusion and Future Work

Page 3: Background: DNS Usage in SIP Infrastructures

(1) Domain names contained in SIP message headers (e.g. INVITE, TO, FROM, VIA).
(2) Telephone number mapping (ENUM), e.g. translate +34 98 765 4321 to 1.2.3.4.5.6.7.8.9.4.3.e164.arpa.
(3) Server location (e.g. SRV, NAPTR requests).

Page 4: Background

Diagram: message processing flow inside the proxy, in steps numbered 1 to 5: parsing message, resolving domain name (query sent to the DNS server and answer returned), then continue with the remaining processing.

Page 5: Scope of the Attack

Diagram: the same flow under attack: parsing message, then resolving domain name via the DNS server; step 4 is marked "Blocked!!" and step 5 is marked "waiting…", so the continue step never gets to run.

Page 6: Scope of the Attack

Diagram: DNS name hierarchy used in the example: root; top-level domains com, de, net, edu; second-level domains fraunhofer, columbia; subdomains fokus, sit; users Alice, Bob, Tom.

Page 7: Scope of the Attack

INVITE: SIP:[email protected] SIP/2.0
Via: SIP/2.0/UDP 10.147.65.91; branch=z9hG4bk29FE738
CSeq: 16466 INVITE
To: sip:[email protected]
Content-Type: application/sdp
From: SIP: [email protected]; tag=24564
Call-ID: [email protected]
…: Message
Content-Length: 184
Contact: SIP: [email protected]
…
<SDP part not shown>
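To make items (1) and (2) of the background slide concrete, here is an added Python example (not the authors' code) that lists the DNS names a proxy would have to resolve for an INVITE like the one above: it pulls the host from the Request-URI and from the Via, To, From and Contact headers, skips IP literals (which need no lookup), and derives the ENUM name for a +E.164 user part exactly as on slide 3. The INVITE, its domains (fokus.example, sit.example, ua1.sit.example) and the header selection in HOST_HEADERS are constructed for this example.

```python
import ipaddress
import re

ENUM_SUFFIX = "e164.arpa"
# Headers whose host part the slide lists as DNS-dependent (constructed selection).
HOST_HEADERS = ("Via", "To", "From", "Contact")

# Constructed INVITE modelled on slide 7; the domains are example names, not real hosts.
SAMPLE_INVITE = (
    "INVITE sip:+34987654321@fokus.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.147.65.91;branch=z9hG4bK29FE738\r\n"
    "CSeq: 16466 INVITE\r\n"
    "To: sip:+34987654321@fokus.example\r\n"
    "From: sip:alice@sit.example;tag=24564\r\n"
    "Call-ID: 1234@10.147.65.91\r\n"
    "Contact: sip:alice@ua1.sit.example\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

URI_RE = re.compile(r"sips?:(?:(?P<user>[^@\s;>]+)@)?(?P<host>[^\s;:>]+)", re.I)
VIA_RE = re.compile(r"SIP/2\.0/\w+\s+(?P<host>[^\s;:]+)", re.I)


def e164_to_enum(number):
    """Reverse the digits of a +E.164 number, dot-separate them and append e164.arpa."""
    if not number.strip().startswith("+"):
        raise ValueError("ENUM needs an international number in + form")
    digits = re.sub(r"[^0-9]", "", number)
    if not digits:
        raise ValueError("no digits in number")
    return ".".join(reversed(digits)) + "." + ENUM_SUFFIX


def is_ip_literal(host):
    """True for IPv4/IPv6 literals, which the proxy can use without any DNS query."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def dns_dependencies(message):
    """Return {where: name} for every DNS name the message makes the proxy resolve."""
    header_lines = message.split("\r\n\r\n", 1)[0].split("\r\n")
    deps = {}
    request = URI_RE.search(header_lines[0])
    if request:
        if not is_ip_literal(request["host"]):
            deps["Request-URI"] = request["host"].lower()
        user = request["user"] or ""
        if user.startswith("+") and user[1:].isdigit():
            deps["ENUM"] = e164_to_enum(user)  # one more query before any routing
    for line in header_lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip()
        if name not in HOST_HEADERS:
            continue
        found = VIA_RE.search(value) if name == "Via" else URI_RE.search(value)
        if found and not is_ip_literal(found["host"]):
            deps[name] = found["host"].lower()
    return deps


if __name__ == "__main__":
    for where, name in dns_dependencies(SAMPLE_INVITE).items():
        print(f"{where:12s} -> {name}")
```

Every name the function returns is a query the proxy has to wait for; a single attack message can therefore tie a process up on several unresolvable names at once, which is the effect slides 5 and 14 describe.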

Page 8: Experiment test bed

A SIP proxy
A DNS server
An attacking tool
100 external SIP providers
User Agents (SIPp): a SIP traffic generator tool

Diagram: the attacking tool and the UA (SIPp) send requests to SER (outgoing proxy); SER queries the DNS server; the attacking tool's requests carry unresolvable domain names; the SIP providers are reached over the Internet.

Page 9: Limited Solutions: Increasing Parallel Processes

Diagram: a Message Scheduler dispatches to Process 1, Process 2, … Process n; each process performs DNS resolution and then Message Forward.

Page 10: Limited Solutions

Plot: messages replied (0 to 5000) against attacking interval (s) (0 to 1), one curve per number of parallel processes: n = 2, 4, 8, 16, 32, 64.

Page 11: Limited Solutions: Asynchronous Scaling through Message Processing Interruption

Page 12: Limited Solutions

Page 13: Cache Solution

Diagram: message processing flow with a DNS Cache placed in front of the DNS Server: parsing message, resolving domain name, continue.

Page 14: Cache Solution

How to detect the attack? (n is the number of parallel processes)

$$S_q(t) = \begin{cases} 1, & \text{a domain resolve call is in process } q \text{ but not returned at time } t \\ 0, & \text{otherwise} \end{cases}$$

$$H(t) = \sum_{q=1}^{n} S_q(t)$$

Hence the proxy will absolutely be blocked at time t when H = n.

How to prevent being blocked? One emergency process. Whenever H ≥ n − 1, alarm! The next DNS request will not be forwarded to the external DNS server; instead, it will only be looked up in the cache and replied immediately.

Page 15: Cache Solution

For example, n = 4. Occupied processes H ≥ n − 1 (3 ≥ 4 − 1).

Diagram: Process 1, Process 2 and Process 3 are waiting on the DNS Server; Process 4 is the emergency process and answers from the DNS Cache only.
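The rule of slides 14 and 15 as an added simulation in Python (not the authors' code): H(t) is the number of proxy processes still waiting on an unanswered DNS query, and once H ≥ n − 1 the last free process answers from the cache only. The proxy model, the resolver table, the request stream (attack names under the reserved .invalid TLD, which the simulated DNS server never answers) and the `dadp` switch that runs the same stream with and without the emergency process are all constructed for the example.

```python
# Constructed table of names the simulated external DNS server can answer.
RESOLVABLE = {"fokus.example": "192.0.2.10", "sit.example": "192.0.2.20"}


def external_dns(name):
    """Simulated upstream resolver: an address, or None when no answer ever comes back."""
    return RESOLVABLE.get(name)


class Proxy:
    """n parallel processes; a process that sent a query with no answer yet has S_q = 1."""

    def __init__(self, n, dadp=True):
        self.n = n
        self.dadp = dadp           # constructed switch: emergency process on/off
        self.cache = {}
        self.blocked = {}          # process index -> name it is still waiting on
        self.alarms = 0

    def H(self):
        """H(t) = sum of S_q(t) over the n processes."""
        return len(self.blocked)

    def handle(self, name):
        if self.H() >= self.n:
            return "stalled"                    # H = n: no process left to serve anything
        if name in self.cache:
            return "cache"
        if self.dadp and self.H() >= self.n - 1:
            self.alarms += 1                    # alarm: cache only, reply immediately
            return "emergency-miss"
        q = next(i for i in range(self.n) if i not in self.blocked)
        addr = external_dns(name)
        if addr is None:
            self.blocked[q] = name              # process q now sits in the DNS call
            return "blocked"
        self.cache[name] = addr
        return "dns"

    def dns_returned(self, q):
        """Late answer or timeout: process q becomes free again (S_q back to 0)."""
        self.blocked.pop(q, None)


# Constructed request stream: one legitimate name, four attack names, two legitimate names.
STREAM = [
    "fokus.example",
    "x1.attacker.invalid", "x2.attacker.invalid",
    "x3.attacker.invalid", "x4.attacker.invalid",
    "fokus.example",
    "sit.example",
]


def run(dadp, n=4):
    """Replay STREAM through a proxy with n processes; return (outcomes, final H, alarms)."""
    proxy = Proxy(n, dadp=dadp)
    outcomes = [proxy.handle(name) for name in STREAM]
    return outcomes, proxy.H(), proxy.alarms


if __name__ == "__main__":
    for flag in (True, False):
        print("DADP" if flag else "no DADP", run(flag))
```

Without the emergency process the fourth attack name pushes H to n and every later message, cache hit or not, is stalled. With it, H never exceeds n − 1, but the legitimate miss for sit.example is also answered from the cache only; that is why the number of cache entries and the replacement policy on the later slides decide how much legitimate traffic still gets through.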

Page 16: Cache Solution

First plot: messages replied (0 to 10000) against elapsed time (s) (0 to 140); curves: n=2 with DADP, n=256, n=128, n=64.

Second plot: messages replied (0 to 450) against elapsed time (s) (0 to 140); curves: n=32, n=16, n=4, n=2.

Page 17: Cache Solution: Cache replacement policies

Motivation: as the number of cache entries (e) cannot practically cope with the unlimited number of possible domain names, we have to find a way to optimally use the limited number of cache entries.

Policies compared: FIFO, LRU, LFU

Page 18: Cache Solution

Plot: messages replied (0 to 5000) against attacking interval (s) (0.1 to 1); curves: No cache, FIFO, LRU, LFU.

Page 19: Cache Solution

Investigate the relationship between the number of cache entries and the performance of the proxy.

e = number of cache entries. Less than 270: growth. Greater than 270: stop.

Plot: messages replied (0 to 5000) against cache entries (0 to 400); curves: DADP with LFU, without DADP.
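An added Python example (not the authors' code) of a bounded DNS cache with the three replacement policies of slide 17, replayed over a constructed query stream so that hit counts can be compared; the `entries` parameter is the slide's e, so the same function can be swept across cache sizes the way slide 19 does. The stream, the stand-in address and the sizes are constructed, and the hit counts hold only for that stream, not for the authors' measurements.

```python
from collections import OrderedDict


class BoundedDnsCache:
    """DNS cache holding at most `entries` names with FIFO, LRU or LFU eviction."""

    def __init__(self, entries, policy):
        if policy not in ("FIFO", "LRU", "LFU"):
            raise ValueError("policy must be FIFO, LRU or LFU")
        self.entries = entries
        self.policy = policy
        self.store = OrderedDict()   # name -> address; iteration order = insertion order
        self.freq = {}               # name -> uses since insertion (LFU bookkeeping)
        self.hits = 0
        self.misses = 0

    def lookup(self, name):
        """Return the cached address or None; a hit updates the policy bookkeeping."""
        if name not in self.store:
            self.misses += 1
            return None
        self.hits += 1
        self.freq[name] += 1
        if self.policy == "LRU":
            self.store.move_to_end(name)   # most recently used moves to the back
        return self.store[name]

    def insert(self, name, address):
        """Store a fresh resolver answer, evicting one entry first if the cache is full."""
        if name in self.store:
            return
        if len(self.store) >= self.entries:
            self._evict()
        self.store[name] = address
        self.freq[name] = 1

    def _evict(self):
        if self.policy == "LFU":
            # least used; ties go to the earliest inserted (min keeps the first minimum)
            victim = min(self.store, key=lambda k: self.freq[k])
        else:
            # FIFO: oldest insertion; LRU: least recently used; both sit at the front
            victim = next(iter(self.store))
        del self.store[victim]
        del self.freq[victim]


def replay(stream, entries, policy):
    """Run a query stream through the cache; each miss is filled with a constructed answer."""
    cache = BoundedDnsCache(entries, policy)
    for name in stream:
        if cache.lookup(name) is None:
            cache.insert(name, "192.0.2.1")   # stands in for the external DNS answer
    return cache.hits


def compare_policies(stream, entries):
    """Hit count per policy for one cache size e (the slide's `entries`)."""
    return {policy: replay(stream, entries, policy) for policy in ("FIFO", "LRU", "LFU")}


# Constructed stream: two hot names interleaved with one-off names that pollute the cache.
STREAM = ["a.example", "b.example", "a.example", "c.example", "a.example",
          "b.example", "d.example", "a.example", "b.example"]

if __name__ == "__main__":
    for e in (1, 2, 3, 4):
        print(e, compare_policies(STREAM, e))
```

Sweeping e shows the shape of slide 19: with e = 1 every policy misses everything, with e = 4 every distinct name fits and the policies tie, and only in between does the policy choice matter, which is where the cache entry count and the replacement policy become two of the four parameters the conclusion names.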

Page 20: Conclusion and future work

The attack is easy to launch. Compared with the previous solutions, the cache solution is better.

Four parameters affect the performance: cache replacement policy, number of cache entries, number of proxy processes and attacking interval.

Future work:
Make the research results more accurate (INVITE, ACK, BYE)
Consider the new threat (DNS cache poisoning)
Build a scalable defense system for it

Page 21: Questions