Main Modules
The tool consists of three important modules: (1) client configuration module, (2) attack generation module, and (3) report generation module. The client configuration module configures the SIP clients to generate normal call load on a SIP server. The clients call each other randomly through the SIP server. Once connected, they start variable length voice sessions consisting of RTP traffic.
Client Configuration Module: The reasons to generate a normal call flow on the server are twofold: (1) to create a real-world normal call scenario for a SIP server, and (2) to systematically analyze the degradation in performance experienced by legitimate users under attack scenarios. The simulated clients generate calls randomly with an average load of 3000 calls per min. The tool configures the SIP client instances on separate machines with parameters such as call rate, media port, timeout value, remote host parameters and IP address.
Attack Generation Module: The attack generation module in our tool can launch flooding or malformed packet attacks along with 14 new attacks. The tool is capable of generating 9600 malformed packets of various categories: null mutation, space mutation, UTF-8 invalid character mutation, escape character mutation, token string mutation and ASCII character mutation. Mutations are carried out at every possible position in the SIP header. Similarly, our module launches a DoS attack by flooding the SIP server with a large number of unwanted INVITE messages.
Report Generation Module: The job of the report generation module is to gather statistics from the SIP clients and the server. Each SIP client generates a report in CSV format during the experiment. Similarly, on the server machine the statistics of hardware resources are calculated and logged in real time. Once an experiment finishes, the report generation module communicates with the SIP clients, the SUT and the attacking node, and generates the report of the above-mentioned performance metrics.
Evaluation Strategy And TestBed Formation
The experimental testbed that should be used to evaluate the performance of different SIP servers under different types of attack scenarios is shown in the figure below. Note that the clients (the caller and the called parties) are instantiated on separate machines to make accurate measurements of performance metrics. The User Agent Clients (UACs) initiate the calls, while the User Agent Servers (UASs) are the SIP clients that receive the calls from the UACs and start the dialogue. All SIP-related traffic is proxied through the SIP servers, while the RTP traffic is routed directly between the UASs and UACs and has no impact on the System Under Test (SUT). The flooding and parsing attacks can be launched separately from an attacker node.
Perform Analysis on Standard Metrics
Our tool generates a report on relevant performance metrics because: (1) they help in examining how general SIP servers behave under DoS attacks, (2) they help academia to better understand the severity of DoS in a SIP environment and help a VoIP vendor to do risk analysis of his/her business operations, and (3) they provide information from the end user's perspective, i.e. the quality that they should expect from a SIP server in case of DoS attacks.
The analysis by our tool is performed on two types of metrics: (1) SIP based metrics, and (2) SIP independent system metrics. SIP based metrics define the quality of service from an end user's perspective. If these metrics are degraded in DoS attacks, it would mean service unavailability to the end users. In a real-world scenario it would result in VoIP customer dissatisfaction that would indirectly lead to loss of revenue and credibility of the vendor. On the other hand, if system metrics are degraded, it can lead to a complete denial of service, which of course poses a significant threat.
The SIP based metrics are as follows:
Call Completion Ratio (CCR): The ratio of the number of benign calls (calls requested by legitimate users) that are successfully completed during an attack scenario to the number of calls successfully completed in a no-attack scenario.
Call Establishment Latency (CEL): The average delay that a SIP client experiences between dialing a number and successfully establishing the call. Specifically, it is the average delay between a SIP client sending an INVITE request message and receiving the corresponding 200 OK response from the SIP server.
Call Rejection Ratio (CRR): The ratio of the number of benign calls rejected by a SIP server during an attack scenario to the number of calls rejected in a normal no-attack scenario. The metric determines the effective loss of potential resources of a SIP server under attack scenarios. It also represents the fraction of SIP clients unable to get services from the server.
Number of Retransmitted Requests (NRR): The number of request messages which are retransmitted due to server timeout or network congestion. The metric models the congestion level in a network caused by a large number of INVITE packets. If NRR increases significantly during an attack, CCR, CEL and CRR will also degrade.
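The four SIP based metrics can be computed from per-call client reports as in the following added example, which is not the tool's own code. The CSV column layout, the sample rows and the rule that a call counts as completed when its final status is 200 are assumptions made for illustration.

```python
import csv
import io
from statistics import mean

# Constructed sample reports; the column layout is an assumption, not the tool's format.
BASELINE_CSV = """call_id,invite_ts,ok_ts,final_status,retransmits
b1,0.000,0.120,200,0
b2,1.000,1.100,200,0
b3,2.000,2.140,200,1
b4,3.000,,486,0
"""
ATTACK_CSV = """call_id,invite_ts,ok_ts,final_status,retransmits
a1,0.000,0.900,200,2
a2,1.000,,503,3
a3,2.000,,503,4
a4,3.000,4.100,200,1
"""

def summarize(report_text):
    """Reduce one run's per-call rows to the counts the four metrics need."""
    rows = list(csv.DictReader(io.StringIO(report_text)))
    done = [r for r in rows if r["final_status"] == "200" and r["ok_ts"]]
    delays = [float(r["ok_ts"]) - float(r["invite_ts"]) for r in done]
    return {
        "completed": len(done),
        "rejected": sum(1 for r in rows if r["final_status"][:1] in ("4", "5", "6")),
        "cel": mean(delays) if delays else None,  # None: no call was established
        "nrr": sum(int(r["retransmits"]) for r in rows),
    }

def ratio(attack_count, baseline_count):
    """Attack/no-attack ratio; None when the baseline count is zero (undefined)."""
    return attack_count / baseline_count if baseline_count else None

def compare(baseline_text, attack_text):
    base, atk = summarize(baseline_text), summarize(attack_text)
    return {
        "CCR": ratio(atk["completed"], base["completed"]),
        "CRR": ratio(atk["rejected"], base["rejected"]),
        "CEL_baseline": base["cel"],
        "CEL_attack": atk["cel"],
        "NRR_baseline": base["nrr"],
        "NRR_attack": atk["nrr"],
    }

if __name__ == "__main__":
    for name, value in compare(BASELINE_CSV, ATTACK_CSV).items():
        print(f"{name}: {value}")
```

A baseline run with no rejected calls leaves CRR undefined, which `ratio` reports as `None` rather than dividing by zero.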
Analysis of Some Popular SIP Servers
INVITE of Death Vulnerability
It allows the attacker to crash the SIP server, causing a remote Denial of Service (DoS). With the SIP Security Evaluation Tool one can generate non-standard (malformed) SIP messages that are intelligently crafted to exploit vulnerabilities in the SIP parser or in a poor implementation of a SIP server. An imposter can, using a malformed packet, overflow specific string buffers, add a large number of token characters and modify fields in an illegal fashion. As a result, a server is tricked into reaching an undefined state, which can lead to call processing delays, unauthorized access and a complete denial of service.
The vulnerability advisory along with proof of concept code can be found here. To read the full research paper click here.
