Deployment of Snort IDS in SIP based VoIP environments

Download Report

Transcript Deployment of Snort IDS in SIP based VoIP environments 

Deployment of Snort IDS in
SIP based VoIP environments
Jiří Markl
Jaroslav Dočkal
Motivation and targets
Evident advantages of VoIP
 The same level of availability as in
PSTN
 DoS attacks on SIP infrastructure
 Attacks identification
 Applicability of Snort IDS for attacks
detection

Identified attacks

Attacks to SIP proxies

Common TCP/IP attacks






Direct attacks (Teardrop, Ping of Death, SYN Flood)
Indirect attacks (Smurf attack)
Other TCP floods (STREAM attack, Null flood)
Distributed denial of service
Attacks using specific SIP vulnerabilities
Attacks to contributing services


DNS, ENUM
Application servers
SIP specific attacks

Brute force attack using Invite messages
alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \
(msg:"INVITE message flooding"; content:"INVITE"; depth:6; \
threshold: type both, track by_src, count 200, seconds 60; \
sid:1000100; rev:1;)
#Suppresion of alerting for known proxy 147.32.121.12
suppress gen_id 1, sig_id 1000100, track by_src, ip 147.32.121.12

Denial of service utilizing Register
message
SIP specific attacks – continuation

Tearing down sessions


Denial of service utilizing responses


Bye, Cancel
3xx, 4xx, 5xx, 6xx
Using message amplification to cause
the DoS
loops
 forking

SIP specific attacks – continuation

Brute force authentication attack
401 Unauthorized
 407 Proxy Authentication Required

alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS \
(msg:"INVITE message flooding"; \
content:"SIP/2.0 401 Unauthorized"; depth:24; \
threshold: type both, track by_src, count 100, seconds 60; \
sid:1000600; rev:1;)
SIP specific attacks – continuation
Attacks using SQL injection
 Using unresolvable DNS names

alert udp $DNS_SERVERS 53 -> $SIP_PROXY_IP any \
msg:"DNS No such name treshold"; \
content:"|83|"; offset:3; depth:1; \
threshold: type both , track by_src, count 2000, seconds 60; \
sid:1000400; rev:1;)
Snort usage conclusions

Advantages





Based on existing OpenSource solution
SIP proxy independent
Can be used for detection of various attacks and
known exploits – lots of rules available
Can be used for detection of misconfigurations in
SIP network
Drawbacks


Problems with secured connections (TLS)
Usable only for simple detection
SIP rules published on Snort.org
Developed rules can be obtained from
Snort.org within current Community Rules
set.
http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/
Community-Rules-CURRENT.tar.gz
Thanks.