461 research outputs found
Detecting and Mitigating Denial-of-Service Attacks on Voice over IP Networks
Voice over IP (VoIP) is more susceptible to Denial of Service attacks than traditional data traffic, due to the former's low tolerance to delay and jitter. We describe the design of our VoIP Vulnerability Assessment Tool (VVAT) with which we demonstrate vulnerabilities to DoS attacks inherent in many of the popular VoIP applications available today. In our threat model we assume an adversary who is not a network administrator, nor has direct control of the channel and key VoIP elements. His aim is to degrade his victim's QoS without giving away his presence by making his attack look like a normal network degradation. Even black-boxed, applications like Skype that use proprietary protocols show poor performance under specially crafted DoS attacks to its media stream. Finally we show how securing Skype relays not only preserves many of its useful features such as seamless traversal of firewalls but also protects its users from DoS attacks such as recording of conversations and disruption of voice quality. We also present our experiences using virtualization to protect VoIP applications from 'insider attacks'.
Our contribution is two fold we: 1) Outline a threat model for VoIP, incorporating our attack models in an open-source network simulator/emulator allowing VoIP vendors to check their software for vulnerabilities in a controlled environment before releasing it. 2) We present two promising approaches for protecting the confidentiality, availability and authentication of VoIP Services
Preventing Distributed Denial-of-Service Attacks on the IMS Emergency Services Support through Adaptive Firewall Pinholing
Emergency services are vital services that Next Generation Networks (NGNs)
have to provide. As the IP Multimedia Subsystem (IMS) is in the heart of NGNs,
3GPP has carried the burden of specifying a standardized IMS-based emergency
services framework. Unfortunately, like any other IP-based standards, the
IMS-based emergency service framework is prone to Distributed Denial of Service
(DDoS) attacks. We propose in this work, a simple but efficient solution that
can prevent certain types of such attacks by creating firewall pinholes that
regular clients will surely be able to pass in contrast to the attackers
clients. Our solution was implemented, tested in an appropriate testbed, and
its efficiency was proven.Comment: 17 Pages, IJNGN Journa
Telephony Denial of Service Defense at Data Plane (TDoSD@DP)
The Session Initiation Protocol (SIP) is an application-layer control protocol used to establish and terminate calls that are deployed globally. A flood of SIP INVITE packets sent by an attacker causes a Telephony Denial of Service (TDoS) incident, during which legitimate users are unable to use telephony services. Legacy TDoS defense is typically implemented as network appliances and not sufficiently deployed to enable early detection. To make TDoS defense more widely deployed and yet affordable, this paper presents TDoSD@DP where TDoS detection and mitigation is programmed at the data plane so that it can be enabled on every switch port and therefore serves as distributed SIP sensors. With this approach, the damage is isolated at a particular switch and bandwidth saved by not sending attack packets further upstream. Experiments have been performed to track the SIP state machine and to limit the number of active SIP session per port. The results show that TDoSD@DP was able to detect and mitigate ongoing INVITE flood attack, protecting the SIP server, and limiting the damage to a local switch. Bringing the TDoS defense function to the data plane provides a novel data plane application that operates at the SIP protocol and a novel approach for TDoS defense implementation.Final Accepted Versio
SecSip: A Stateful Firewall for SIP-based Networks
SIP-based networks are becoming the de-facto standard for voice, video and
instant messaging services. Being exposed to many threats while playing an
major role in the operation of essential services, the need for dedicated
security management approaches is rapidly increasing. In this paper we present
an original security management approach based on a specific vulnerability
aware SIP stateful firewall. Through known attack descriptions, we illustrate
the power of the configuration language of the firewall which uses the
capability to specify stateful objects that track data from multiple SIP
elements within their lifetime. We demonstrate through measurements on a real
implementation of the firewall its efficiency and performance
SIP threats detection system
The paper deals with detection of threats in IP telephony, the authors developed a penetration testing system
that is able to check up the level of protection from security threats in IP telephony. The SIP server is a key komponent
of VoIP infrastructure and often becomes the aim of attacks and providers have to ensure the appropriate level of
security. We have developed web-based penetration system which is able to check the SIP server if can face to the
most common attacks.The developed application is distributed as an open-source and is equipped with four modules.
The result is reported to the particular e-mail and information supplemeted to the report should help to improve the
overall protection of the SIP server. The developed application represents effective tool which is able to point out the
weaknesses of the tested system.Scopu
Intrusion detection mechanisms for VoIP applications
VoIP applications are emerging today as an important component in business
and communication industry. In this paper, we address the intrusion detection
and prevention in VoIP networks and describe how a conceptual solution based on
the Bayes inference approach can be used to reinforce the existent security
mechanisms. Our approach is based on network monitoring and analyzing of the
VoIP-specific traffic. We give a detailed example on attack detection using the
SIP signaling protocol
Recommended from our members
A Comprehensive Survey of Voice over IP Security Research
We present a comprehensive survey of Voice over IP security academic research, using a set of 245 publications forming a closed cross-citation set. We classify these papers according to an extended version of the VoIP Security Alliance (VoIPSA) Threat Taxonomy. Our goal is to provide a roadmap for researchers seeking to understand existing capabilities and to identify gaps in addressing the numerous threats and vulnerabilities present in VoIP systems. We discuss the implications of our findings with respect to vulnerabilities reported in a variety of VoIP products. We identify two specific problem areas (denial of service, and service abuse) as requiring significant more attention from the research community. We also find that the overwhelming majority of the surveyed work takes a black box view of VoIP systems that avoids examining their internal structure and implementation. Such an approach may miss the mark in terms of addressing the main sources of vulnerabilities, i.e., implementation bugs and misconfigurations. Finally, we argue for further work on understanding cross-protocol and cross-mechanism vulnerabilities (emergent properties), which are the byproduct of a highly complex system-of-systems and an indication of the issues in future large-scale systems
A Robust Mechanism for Defending Distributed Denial OF Service Attacks on Web Servers
Distributed Denial of Service (DDoS) attacks have emerged as a popular means
of causing mass targeted service disruptions, often for extended periods of
time. The relative ease and low costs of launching such attacks, supplemented
by the current inadequate sate of any viable defense mechanism, have made them
one of the top threats to the Internet community today. Since the increasing
popularity of web-based applications has led to several critical services being
provided over the Internet, it is imperative to monitor the network traffic so
as to prevent malicious attackers from depleting the resources of the network
and denying services to legitimate users. This paper first presents a brief
discussion on some of the important types of DDoS attacks that currently exist
and some existing mechanisms to combat these attacks. It then points out the
major drawbacks of the currently existing defense mechanisms and proposes a new
mechanism for protecting a web-server against a DDoS attack. In the proposed
mechanism, incoming traffic to the server is continuously monitored and any
abnormal rise in the inbound traffic is immediately detected. The detection
algorithm is based on a statistical analysis of the inbound traffic on the
server and a robust hypothesis testing framework. Simulations carried out on
the proposed mechanism have produced results that demonstrate effectiveness of
the proposed defense mechanism against DDoS attacks.Comment: 18 pages, 3 figures, 5 table
- …