[VOIPSEC] Blocking PING, and get REGISTER message

[Gilbert Lee]

On Sat, Dec 6, 2008 at 11:35 PM, Peter Thermos <pthermos at vopsecurity.org>wrote:

>  Gilbert, see comments inline:
>
> > -----Original Message-----
> > From: voipsec-bounces at voipsa.org
> > [mailto:voipsec-bounces at voipsa.org] On Behalf Of Gilbert Lee
> > Sent: Friday, December 05, 2008 6:14 PM
> > To: voipsec at voipsa.org
> > Subject: [VOIPSEC] Blocking PING, and get REGISTER message
> >
> > Hi, all. I have a just simple question. What do you think
> > about "Blocking PING packet of VoIP client"?Most of VoIP
> > clients adopt keep alive algorithm to keep connection with
> > SIP proxy(sending and receiving PING message periodically).
>
> I'm not sure if the VoIP UA's you have been working on have been
> consistently using PING as a keep alive mechanism.
> Typically UA's (hardware VoIP phones and softphones) maintain presence
> (availability) by sending REGISTER requests.
>

I attached capture file gilgil.cap(SIP account: gilgil at optel.org). As you
see, after registration is completed successfully, SIP client(X-Lite) sends
only 4 byte(0x0D0A0D0A) packets periodically to SIP proxy to keep
connection. As I know, Keep Alive methods are different according to SIP
service(not always accurate).


>
>
>
> >
> > For attacker to acquire victim's SIP authentication value,
> > suppose the following scenarios.
> >
> > 1. Attacker is in the middle of network between VoIP client
> > VoIP proxy.
>
> If an attacker can act as the intermediary they can pretty much do
> anything.
> I'm not sure if you are positioning the attacker "inline" (user phone <-->
> attacker <--> proxy) or passively monitoring/manipulating traffic. The
> difference is the level of control that can be exercised on the traffic.
>

inline.
I used ARP spoofing skill to be in the middle between SIP client and proxy.
before attacking : SIP client - Gateway - Internet - SIP Proxy
after attacking : ARP spoofing: SIP client - Attacker - Gateway - Internet -
SIP Proxy


>
> > 2. Attacker blocks only PING packet while other packets are
> > routed in a normal way.
> > 3. If PING packet is blocked, VoIP client should think that
> > network is disconnected, and it trys to recconnect.
>
> A variation to your scenario would be to launch a DoS attack against the
> phone or spoof a "reset" request (e.g., in SIP sometimes a NOTIFY is sent
> as
> means to reboot a phone in order to instruct it to download updates or new
> image.). This will to send a REGISTER (among other things).


 I didn't know. Thank you for your information.


>
>
> > 4. In reconnect procedures of VoIP client, it send REGISTER
> > message again.
> > 5. In this way, attacker can get REGISTER authentication
> > value without any touching VoIP client with his hand.
> >
> > I've figured out that most PING message syntax is very simple
> > that I've ever tested.
> > Of course, if authentication message is encrypted with MD5
> > and password is long enough, it is hard for attack to hack
> > it's original password.
> >
> > Any way, do you any idea, solution or mechanism that is
> > enable to detect such an attack like this?
>
> I'm not sure that there is a mechanism to detect ICMP suppression for this
> scenario since loss of ICMP packets may indicate that the phone has been
> disconnected for legitimate reasons (e.g., office move).
>

PING message which I am saying is not ICMP based packet but Keep Alive
packet used in SIP. Sorry for my confusing. :)

Attacker says, "I want to capture authentication message, but victim(SIP
client) never sends authentication message. How much time should I wait for
the packet? I would like to capture authentication packet as soon as
possible whenever attack(ARP spoofing) starts, so I will block(will not
relay) PING message to capture the packet what I need."

The only question, by contrast with this(for a security reason), is if there
is good idea how I can detect and protect this attacker's trial(suppose that
attacker can be in the middle between SIP client and SIP proxy).