[VOIPSEC] VoIP vulnerabilities summarization
Simon Horne
s.horne at packetizer.com
Thu Dec 15 02:20:05 CST 2005
Sukery
To be honest, which protocol is going to win is purely academic.
Customers don't care what protocol they use, just that it works, so unless
either/both protocols can overcome authentication, encryption and NAT
traversal (especially symmetric NAT) issues and be deployable on a large scale,
both are going to lose out to the likes of proprietary peer-to-peer networks.
Simon
At 03:52 PM 15/12/2005, sukery wrote:
>Hi Simon,
>thank you very much for giving us such good material, I learned a lot,
>now I think I was a little biased against H.323, but I still hold the opinion that SIP
>is going to win over H.323.
>
> >I'm sorry Sukery, but this is largely opinion, not necessarily backed by fact.
> >
> >Here are a couple of comparisons
> >At a glance
> >http://microtronix.ca/sip_vs_h323.htm
> >
> >More in-depth
> >http://www.comsoc.org/livepubs/surveys/public/2003/oct/glasmann.html
> >
> >Simon
> >
> >
> >At 12:43 PM 15/12/2005, sukery wrote:
> >
> >> I think the introduction of VPN/IPsec will reduce system efficiency.
> >>As to the comparison of SIP and H.323:
> >>1. H.323, which is defined by ITU-T, tends to be a telecom application; it
> >>regards VoIP as an extension of the telecommunication field. However, SIP,
> >>which is defined by IETF, reuses many mechanisms from existing well-known
> >>internet protocols such as HTTP, SMTP, RTP, DNS..., and regards VoIP as a
> >>totally internet application. As we all know, IP meltage is now a trend,
> >>so SIP is going to gain more and more acceptance.
> >>2. H.323 is based on a binary codec (BER, PER) and is very complex in call
> >>control signalling, while SIP is text based and its control signalling is
> >>simple. Furthermore, many existing internet protocol implementations (such as HTTP)
> >>can be used as a reference for SIP system realization.
> >>3. SIP is much more flexible and extensible compared to H.323, since
> >>its methods, header fields and message body can be extended and added easily.
> >>H.323 is indeed not easy to extend.
> >>4. SIP is not only a VoIP protocol; in fact, it has many more important
> >>uses besides VoIP. It is the communication protocol between softswitches
> >>and between softswitch and AS in the NGN network, and it is the main protocol
> >>in IMS (3G core network).
> >>
> >>So, SIP is IP oriented, simple, extensible, flexible and broadly used. I
> >>think SIP is definitely the trend; I will choose SIP when realizing a VoIP
> >>system.
> >>
> >>But please note that SIP is immature compared to H.323.
> >>
> >> >Hi Sukery
> >> >
> >> >I think you made a good summarization of the vulnerabilities and I agree
> >> >with what you say.
> >> >
> >> >Sukery, I need your help.
> >> >I'm from Cuba and at this moment I'm working on a project with the title
> >> >"QoS in VoIP with security". As the title says, my problem
> >> >is related to having a high level of QoS on real VoIP networks.
> >> >
> >> >For example:
> >> >
> >> >What happens with the QoS if I use a Firewall or VPN or NAP or IPSec on
> >> >VoIP networks?
> >> >
> >> >Which is better to use on VoIP networks, SIP or H.323???
> >> >
> >> >I need information about these terms; if you have anything related to it,
> >> >please send it to me.
> >> >
> >> >Best regards,
> >> >Ing. Pavel González G.
> >> >Administrador RED CECAT. CUJAE
> >> >Telf: 2663843,2663827
> >> >pavel at cecat.cujae.edu.cu
> >> >
> >> >
> >> >----- Original Message -----
> >> >From: "sukery" <sukerry at 126.com>
> >> >To: <Voipsec at voipsa.org>
> >> >Sent: Wednesday, December 14, 2005 8:40 AM
> >> >Subject: Re: [VOIPSEC] VoIP vulnerabilities summarization
> >> >
> >> >
> >> >>
> >> >> Hi Janne:
> >> >> thank you for your comment, I totally agree with what you said.
> >> >> I am a graduate student; our project is focused on VoIP security. We
> >> >> first study the vulnerabilities of VoIP related protocols (especially
> >> >> SIP), then define some attack scenarios according to the vulnerabilities
> >> >> we discovered and realize all these attacks; finally we test our attack
> >> >> system on real VoIP networks (supplied by an internationally famous VoIP
> >> >> manufacturer). The attacks include:
> >> >> exception-packet attack against server
> >> >> DoS attack against server
> >> >> disturbance call attack against endpoints
> >> >> pseudo call attack against endpoints
> >> >> call leaflet attack against endpoints
> >> >> SIP password crack
> >> >> voice eavesdropping (and maybe voice replacement and voice disturbance)
> >> >> voice broadcast & call leaflet attack against PSTN terminals (via VoIP
> >> >> gateway)
> >> >> and maybe more
> >> >>
> >> >> I am very very sorry to say that due to the confidentiality of this
> >> >> project, I can not make our attack system public yet. That's the intention
> >> >> of the sponsor of this project.
> >> >> Anyway, I would like to discuss with you as much as possible :)
> >> >>
> >> >>
> >> >>>Hi Sukery,
> >> >>>
> >> >>>I think you made a good summarization of the vulnerabilities and I agree
> >> >>>with what you say.
> >> >>>
> >> >>>But I think several of the problems you mention can be solved by using
> >> >>>TLS to protect the signalling and SRTP to protect the media as described
> >> >>>in existing standards and drafts. These technologies may not be widely
> >> >>>spread among existing implementations but they exist and your list
> >> >>>provides some good reasons that may motivate others to follow.
> >> >>>
> >> >>>I'm also interested in what tool you used.
> >> >>>
> >> >>>Cheers
> >> >>>/Janne
> >> >>>
> >> >>>> 2. SIP reuses the authentication mechanism from the HTTP protocol; in fact
> >> >>>> HTTP authentication is totally imperfect when applied to the SIP protocol,
> >> >>>> for it is a single-direction authentication, which means that only the
> >> >>>> server authenticates the endpoints; the endpoints do not authenticate the
> >> >>>> server. This situation makes it easy to deceive endpoints because they
> >> >>>> do not authenticate any entity in the network. Pseudo call (calling someone
> >> >>>> with a false user id) and server impersonation are dangerous attacks due to
> >> >>>> this vulnerability.
> >> >>>>
> >> >>>> 3. SIP communication is based on message transactions; however, the SIP
> >> >>>> transaction mechanism is quite complicated. For example, when a stateful
> >> >>>> proxy server receives a SIP request message, it first computes the
> >> >>>> transaction ID for this message. If the transaction ID did not exist
> >> >>>> before, this request message is regarded as a new message, and the server
> >> >>>> will do a lot of things for this new message: save this message, create a
> >> >>>> finite state machine for this message, construct a provisional response
> >> >>>> message and send it back, save this response message, update the finite
> >> >>>> state machine, decide the next hop of this request message based on the
> >> >>>> complex routing rules, transfer the request message, create one or more
> >> >>>> client transactions for the request message... These steps surely consume
> >> >>>> lots of CPU and memory resources. As a result, the server is susceptible
> >> >>>> to DoS attacks when a hacker continually sends large quantities of SIP
> >> >>>> request messages with different Call-IDs.
> >> >>>>
> >> >>>> 4. Un-encrypted media streams such as RTP data are easy to wiretap.
> >> >>>>
> >> >>>> 5. Almost all VoIP software has some code flaws; in this case, even a single
> >> >>>> malicious packet may bring down the server. We call this packet an exception
> >> >>>> packet; in fact we have found exception packets against both SIP servers
> >> >>>> and H.323 servers.
> >> >>>>
> >> >>>> 6. VoIP endpoints are much more intelligent than traditional PSTN
> >> >>>> terminals; however, when this capability is abused, a lot of malicious
> >> >>>> network attacks appear:
> >> >>>> disturbance call
> >> >>>> call leaflet
> >> >>>> voice broadcast
> >> >>>> and more...
> >> >>>>
> >> >>>>
> >> >>>> >Chris
> >> >>>> >
> >> >>>> >I'm pretty heavily involved in SIP standards development, and have been
> >> >>>> >for some time. I talk regularly with the kind of folks that I think would
> >> >>>> >know if their stuff had been "hit". I know about plenty of attacks on the
> >> >>>> >underlying infrastructure, including the platform attacks. I have NEVER
> >> >>>> >heard even a whisper of an actual attack on VoIP equipment that used
> >> >>>> >exploits specifically related to SIP (which I don't think is substantially
> >> >>>> >better or worse than other VoIP protocols).
> >> >>>> >_______________________________________________
> >> >>>> >Voipsec mailing list
> >> >>>> >Voipsec at voipsa.org
> >> >>>> >http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> >Simon Horne
> >Director
> >Packetizer Labs
> >www.packetizer.com/labs
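Point 3 of sukery's quoted list describes the cost a stateful SIP proxy pays per new transaction and why a stream of requests with ever-changing Call-IDs exhausts it. The following is an added example for the defender's side, not code from this thread or from any project mentioned in it: a minimal RFC 3261 request parser, the server-transaction key a proxy computes (top Via branch, sent-by, method), and a per-source monitor that flags a sender opening too many distinct Call-IDs inside a sliding window. All hosts, Call-IDs, branch values and thresholds are constructed sample values.

```python
"""Added example (not code from this thread): a small SIP request parser plus a
per-source monitor that counts how many *new* Call-IDs a sender starts inside a
sliding window.  It models the cost point 3 of the quoted list makes: a stateful
proxy keys work on the transaction identifier, so a sender that keeps changing
Call-ID and Via branch forces a new transaction (and new state) every time.
All addresses, Call-IDs and thresholds below are constructed sample values."""
import re
from collections import defaultdict, deque


def parse_sip_request(raw):
    """Parse a SIP request's start line and headers (RFC 3261 syntax).
    Compact header names i/v are expanded; the first (topmost) Via wins."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = re.match(r"^([A-Z]+) (\S+) SIP/2\.0$", lines[0])
    if not m:
        raise ValueError("not a SIP request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        name = name.strip().lower()
        name = {"i": "call-id", "v": "via"}.get(name, name)
        headers.setdefault(name, value.strip())
    branch = re.search(r";branch=([^;\s]+)", headers.get("via", ""))
    return {"method": m.group(1), "uri": m.group(2), "headers": headers,
            "call_id": headers.get("call-id", ""),
            "branch": branch.group(1) if branch else ""}


def transaction_key(req):
    """Server-transaction matching for RFC 3261 senders (section 17.2.3):
    the top Via branch, its sent-by host:port, and the method, with ACK
    matched to the INVITE transaction it acknowledges."""
    via = req["headers"].get("via", "")
    sent_by = via.split(";")[0].split()[-1] if via else ""
    method = "INVITE" if req["method"] == "ACK" else req["method"]
    return (req["branch"], sent_by, method)


class NewCallMonitor:
    """Counts distinct new Call-IDs per source within a sliding window.
    observe() returns True for every request that keeps a source over the limit."""

    def __init__(self, window_secs=10.0, max_new_calls=20):
        self.window = window_secs
        self.limit = max_new_calls
        self.seen = defaultdict(set)       # src -> Call-IDs already counted
        self.times = defaultdict(deque)    # src -> timestamps of new Call-IDs
        self.transactions = {}             # key -> first-seen time (proxy state)

    def observe(self, src, ts, raw):
        req = parse_sip_request(raw)
        self.transactions.setdefault(transaction_key(req), ts)
        if req["call_id"] in self.seen[src]:
            return False   # retransmission or a later request in a known call
        self.seen[src].add(req["call_id"])
        q = self.times[src]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) > self.limit


def make_request(method, src, call_id, branch):
    """Build a minimal, constructed SIP request from host `src`."""
    return ("%s sip:bob@example.com SIP/2.0\r\n"
            "Via: SIP/2.0/UDP %s:5060;branch=%s\r\n"
            "From: <sip:alice@example.com>;tag=1928\r\n"
            "To: <sip:bob@example.com>\r\n"
            "Call-ID: %s\r\n"
            "CSeq: 1 %s\r\n"
            "Content-Length: 0\r\n\r\n") % (method, src, branch, call_id, method)


def run_demo():
    """One well-behaved phone (INVITE, a retransmission, ACK) and one source
    that opens 30 calls with fresh Call-IDs in under a second.  Returns the
    alerts raised and the number of server transactions the proxy would hold."""
    mon = NewCallMonitor()
    alerts = []
    phone = "10.0.0.5"
    for ts, method in ((0.0, "INVITE"), (0.5, "INVITE"), (1.0, "ACK")):
        msg = make_request(method, phone, "call-1@10.0.0.5", "z9hG4bK-a1")
        if mon.observe(phone, ts, msg):
            alerts.append((phone, ts))
    flood = "203.0.113.9"
    for n in range(30):
        ts = 5.0 + n * 0.03
        msg = make_request("INVITE", flood, "flood-%d@203.0.113.9" % n, "z9hG4bK-f%d" % n)
        if mon.observe(flood, ts, msg):
            alerts.append((flood, ts))
    return alerts, len(mon.transactions)


if __name__ == "__main__":
    found, ntx = run_demo()
    print("server transactions held: %d, alerts: %d" % (ntx, len(found)))
```

The phone's retransmitted INVITE and its ACK collapse onto one transaction key, so it costs the proxy a single state machine and never trips the monitor; the second source leaves 30 separate transactions behind and is flagged from the 21st new Call-ID onward. In a real deployment the per-source `seen` sets would need expiry (or a bounded structure) so the monitor itself does not become a memory sink, and the threshold should be tuned per trunk rather than per handset.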