[VOIPSEC] Blocking PING, and get REGISTER message

Gilbert Lee gilgil1973 at gmail.com
Tue Dec 9 13:37:09 CST 2008


See the following captured file, please.
http://gilgil.springnote.com/pages/2250034 - gilgil.cap
SIP client(X-Lite) seldom sends REGISTER authentication message for quite a
time.

Meanwhile, see the following video (the same SIP client and SIP proxy).
http://gilgil.springnote.com/pages/2250034 - 03._sniff_other_ping_1.wmv
If attacker blocks keep alive packet, SIP client pretends to send
REGISTER (with authentication) sooner or later.

My VoIP phone in my home sends not REGISTER message but PING message(never
including credentials) for keep alive.
(Is "PING" standard protocol? Well, I don't know very well).
http://gilgil.springnote.com/pages/2250034 - 05._sniff_other_ping_3.wmv
In my opinion, it depends on a certain SIP environment(client or server).

Not so important.... never mind. :)


On Wed, Dec 10, 2008 at 12:52 AM, Klaus Darilion <klaus.mailinglists at pernau.at> wrote:

> What for are you blocking PING?
>
> If
> > 1. Attacker is in the middle of network between VoIP client and VoIP proxy.
>
> just wait and after some time the reREGISTER will tell you the credentials,
> as the REGISTER will be sent periodically to the proxy (typically 1 - 60
> minutes).
>
>
>
> regards
> klaus
>
> Gilbert Lee wrote:
>
>> Hi, all. I have just a simple question. What do you think about "Blocking
>> PING packet of VoIP client"? Most VoIP clients adopt a keep alive algorithm
>> to keep connection with SIP proxy (sending and receiving PING message
>> periodically).
>>
>> Attacker would like to get VoIP client's SIP message including
>> authentication value(MD5 or plain),
>> but unless VoIP client reboots(REGISTER) or make a call(INVITE), it never
>> sends authentication value through network.
>>
>> For attacker to acquire victim's SIP authentication value, suppose the
>> following scenarios.
>>
>> 1. Attacker is in the middle of network between VoIP client and VoIP proxy.
>> 2. Attacker blocks only PING packet while other packets are routed in a
>> normal way.
>> 3. If PING packet is blocked, VoIP client should think that network is
>> disconnected, and it tries to reconnect.
>> 4. In reconnect procedures of VoIP client, it sends REGISTER message again.
>> 5. In this way, attacker can get REGISTER authentication value without any
>> touching VoIP client with his hand.
>>
>> I've figured out that most PING message syntax is very simple that I've
>> ever tested.
>> Of course, if authentication message is encrypted with MD5 and password is
>> long enough, it is hard for an attacker to hack its original password.
>>
>> Anyway, do you have any idea, solution or mechanism that is able to detect
>> such an attack like this?
>>
>
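
On the detection question raised in this thread, one registrar-side heuristic, given here as an added example that is not part of the original messages: flag a REGISTER that arrives well before the binding's refresh was due and right after the client's keep-alives stopped reaching the proxy. The event tuple format, the thresholds and the `example.test` addresses are assumptions constructed for illustration.

```python
# Added example: registrar-side heuristic. Event format and thresholds are assumptions.

# Constructed sample events: (unix_time, address_of_record, method, expires_seconds)
SAMPLE_EVENTS = (
    [(0, "alice@example.test", "REGISTER", 3600),
     (30, "alice@example.test", "PING", None),
     (60, "alice@example.test", "PING", None),
     # keep-alives stop reaching the proxy, then credentials are re-sent early
     (200, "alice@example.test", "REGISTER", 3600),
     (0, "bob@example.test", "REGISTER", 3600)]
    # bob's keep-alives arrive every 30 s until his normal refresh
    + [(t, "bob@example.test", "PING", None) for t in range(30, 1800, 30)]
    + [(1800, "bob@example.test", "REGISTER", 3600)]
)


def find_forced_reregistrations(events, keepalive_interval=30,
                                missed_keepalives=3, early_fraction=0.5):
    """Flag REGISTERs that follow keep-alive silence and arrive before the
    client's refresh was due. Returns (time, aor, silence_s, binding_age_s)."""
    state = {}   # aor -> last_reg, expires, last_seen
    alerts = []
    for ts, aor, method, expires in sorted(events, key=lambda e: e[0]):
        st = state.get(aor)
        if method == "REGISTER":
            if st is not None:
                silence = ts - st["last_seen"]
                age = ts - st["last_reg"]
                went_quiet = silence >= missed_keepalives * keepalive_interval
                too_early = age < early_fraction * st["expires"]
                if went_quiet and too_early:
                    alerts.append((ts, aor, silence, age))
            state[aor] = {"last_reg": ts, "expires": expires, "last_seen": ts}
        elif st is not None:
            st["last_seen"] = ts   # any keep-alive counts as "client still reachable"
    return alerts


if __name__ == "__main__":
    for alert in find_forced_reregistrations(SAMPLE_EVENTS):
        print("suspicious re-REGISTER: t=%d aor=%s silence=%ds binding_age=%ds" % alert)
```

A single hit also matches a phone reboot or a genuine outage, so this is better used to alert on repetition for one address-of-record or on several clients behind the same network path showing the pattern together.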


