The Attack of SIP protocol
We previously discussed in this blog the SIp protocol. We have also said that “Session Initiation Protocol” (SIP) is becoming popular quite fast and it has also achieved quick acceptance in “mixed-vendor VoIP networks”. One of the most striking properties of SIP is its use of “existing protocols”. And by default, SIP messages are sometimes sent in the form of plain (normal) text.
This is quite unfortunate as the very properties that make SIP striking can also be leveraged by attackers to make a compromise regarding the security of a particular SIP network. For example, an attacker could trigger a “man-in-the-middle attack”, in this the sending of “STP” packets to the PC of attacker takes place when the attacker convinces a phone or router, or even the server of SIP.
As a result the “registration hijacking” can be done by attacker, which permits the attacker to cut off calls that are about to come and conclude how those calls are routed.
Also due to the reason that SIP messages are than transmitted in normal plain text and this happens by default, an attacker could influence the messages of SIP. Even attacker can easily change the SIP addresses into the messages. This type of attack is known as “message tampering”
Because SIP networks often depend on SIP servers (examples include, SIP registrar, location, proxy, and/or redirect servers), an attacker could also trigger a DoS attack against one of those servers. For example, if a DoS attack made a SIP registrar server useless, it would be difficult for the new SIP phones to get registered with the network.
In order to overcome such problems like attacks to SIP network Cisco offers many solutions. For example, “secure tunnel” can be utilized such as IPSec, in order to decode SIP messages that are traveling to and fro the routers. In fact, a Cisco Unified Communications Manager server can serve as a “peer” in an IPSec tunnel. And, in order to detect and diminish the common attacks of DoS the firewall or IPS sensor could be utilized. One can prevent the man-in-the- middle attacks (such as using Dynamic ARP Inspection [DAI]) with the use of Cisco Catalyst switches.
There’s more
There are different types of attacks that can be directed to voice networks. In this series of articles we will discuss all four types of VoIP vulnerabilities and attacks. This will certainly be enough to explain how VoIP telephony communication can be disabled or reduced in quality. The main four VoIP Vulnerabilities are:
- SPIT – spam over IP telephone (SPIT) includes, for example, sending unwanted messages to an IP phone’s display or making the IP phone to ring time to time.
- Vishing – is just like phishing, the difference is that the victim provides her/his personal information over the telephone rather than on website.
- Toll fraud – it happens when users incorrectly use a telephone system to make toll calls (for example international and or long distance calls) that they do not have approval to make.
- SIP attacks – they try to develop SIP’s use of famous protocols to intercept or manipulate SIP messages. Also, an attacker may trigger a DoS attack against a SIP server.
Hi. i want to have some log files for dos attack in sip servers to detecting the attack.
thanks