VoIP Threat Taxonomy

This preview shows page 1-2-16-17-18-33-34 out of 34 pages.


Verizon Columbia Research on VoIP Security
A Model Academia/Industry Collaboration

Outline:
Verizon Columbia Research on VoIP Security: A Model Academia/Industry Collaboration
Agenda
Verizon – CATT Program
Background & Research Focus
Goals
Definition: VoIP Threat Taxonomy
Denial of Service & Theft of Service
SIP DoS Attack Taxonomy
Strategy Focus
DoS Mitigation Strategy
Slide 11
Hardware Platform
Slide 13
Integrated Testing and Analysis Environment
secureSIP Test Results for DoS
The Bigger Picture - Columbia VoIP Testbed
Value to Verizon
Next Steps
Slide 19
Conclusions
Thank You
Backup Slides…
Intellectual Property – Six Patent Applications
External – Publications, Presentations, Recognition
SIP Security Overview
SIP Security Overview - ??
SIP Detection and Mitigation Filters
Test Tools
Theft of Service Overview
Theft of Service Goals
Theft of Service Challenges
Slide 32
Discussion… A “successful” collaboration
A Successful Collaboration

Slide 1
January 18, 2019
Verizon Columbia Research on VoIP Security
A Model Academia/Industry Collaboration
Gaston Ormazabal
Verizon Laboratories
© Verizon Copyright 2008.

Slide 2: Agenda
• A successful collaboration
  – Verizon and CATT Professor Schulzrinne - three year program
• Project Overview
  – Background, Research Focus, and Goals
  – DoS
    • DoS Detection and Mitigation Strategy
    • DoS Validation Methodology - DoS Automated Attack Tool
• Value to Verizon
  – Intellectual Property/Technology Licensing
• Next Steps
• Conclusions

Slide 3: Verizon – CATT Program
• Collaboration between Verizon and Center of Advanced Technology Telecommunications
• Verizon
  • PI: Gaston Ormazabal
• CATT
  – Columbia University
    • PI: Prof. Henning Schulzrinne
    • Graduate Students
      – Milind Nimesh
  – New York University
    • Polytechnic Institute
Slide 4: Background & Research Focus
• SIP is the VoIP protocol of choice for both wireline and wireless telephony
  – Control protocol for the Internet Multimedia Systems (IMS) architecture
• VoIP services migrating to IP fast becoming attractive DoS and ToS targets
  – DoS attack traffic traversing network perimeter reduces availability of signaling and media for VoIP
  – Theft of Service must be prevented to maintain service integrity
  – Reduces ability to collect revenue; provider’s reputation is also at stake
• Attack targets
  – SIP infrastructure elements (proxy, softswitch, SBC, CSCF-P/I/S)
  – End-points (SIP phones)
  – Supporting services (e.g., DNS, Directory, DHCP, HSS, DIAMETER, Authorization Servers)
• Verizon needs to solve security problem for VoIP services
  – Protocol-aware application layer gateway for RTP
  – SIP DoS/DDoS detection and prevention for SIP channel
  – Theft of Service Architectural Integrity Verification Tool
• Need to verify performance & scalability at carrier class rates
  – Security and Performance are a zero sum game
• Columbia likes to work on real-life problems & analyze large data sets
  – Goal of improving generic architectures and testing methodologies
  – Columbia has world-renowned expertise in SIP

Slide 5: Goals
• Study VoIP DoS and ToS for SIP
  – Definition – define SIP specific threats
  – Detection – how do we detect an attack?
  – Mitigation – defense strategy and implementation
  – Validation – verification of defense strategy
• Generate requirements for future security network elements and prototypes
  – Share requirements with vendors
• Generate the test tools and strategies for their validation
  – Share tools with vendors

Slide 6: Definition: VoIP Threat Taxonomy
[Figure: VoIP threat taxonomy*, annotated "Scope of our research - 2006" and "Scope of our research - 2007"]
* VoIP Security and Privacy Threat Taxonomy, VoIP Security Alliance Report, October, 2005 (http://www.voipsa.org)
Slide 7: Denial of Service & Theft of Service
• Denial of Service – preventing users from effectively using the target services
  – Service degradation to a “not usable” point
  – Complete loss of service
• Distributed Denial of Service attacks represent the main threat facing network operators*
  – Most attacks involve compromised hosts (bots)
    • botnets sized from a few thousand to over a million
    • 25% of all computers on Internet may be botnets
• Theft of Service – any unlawful taking of an economic benefit of a service provider
  – With intention to deprive of lawful revenue or property
* Worldwide ISP Security Report, September 2005, Arbor Networks
* Criminals 'may overwhelm the web', 25 January, 2007. BBC

Slide 8: SIP DoS Attack Taxonomy
• Denial of Service
  – Implementation flaws
  – Application level
  – Flooding

Slide 9: Strategy Focus
• VULNERABILITY: Most security problems are due to:
  – flexible grammar → syntax-based attacks
  – Plain text → interception and modification
  – SIP over UDP → ability to spoof SIP requests
    • Registration/Call Hijacking
    • Modification of Media sessions
    • SIP ‘Method’ vulnerabilities
      – Session teardown
      – Request flooding
      – Error Message flooding
    • RTP flooding
• STRATEGY: Two DoS detection and mitigation filters and ToS tools
  – SIP: Two types of rule-based detection and mitigation filters
  – Media: SIP-aware dynamic pinhole filtering
[Diagram labels: Application Level, Flooding]
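Slide 9 names SIP-aware dynamic pinhole filtering for media without showing how it works. The sketch below is an added example of the general technique, not code from the Verizon/Columbia filters: RTP is admitted only to an address and port that SIP signaling negotiated in SDP, and the pinhole closes when the call ends. The class and function names and the sample messages are constructed for illustration, and only IPv4 audio streams and full-form headers are handled.

```python
import re

class PinholeTable:
    """RTP destinations negotiated in SDP, keyed by SIP Call-ID."""

    def __init__(self):
        self.by_call = {}  # Call-ID -> set of (ip, port) pinholes

    def on_sip(self, msg):
        head, _, body = msg.partition("\r\n\r\n")
        lines = head.split("\r\n")
        start, headers = lines[0], {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        call_id = headers.get("call-id")
        if not call_id:
            return  # no dialog to bind a pinhole to
        if start.startswith(("BYE ", "CANCEL ")):
            self.by_call.pop(call_id, None)  # call over: close its pinholes
            return
        if start.startswith(("INVITE ", "SIP/2.0 200")) and body:
            ip = re.search(r"^c=IN IP4 (\S+)", body, re.M)
            port = re.search(r"^m=audio (\d+) RTP/AVP", body, re.M)
            if ip and port:
                pinhole = (ip.group(1), int(port.group(1)))
                self.by_call.setdefault(call_id, set()).add(pinhole)

    def allow_rtp(self, dst_ip, dst_port):
        return any((dst_ip, dst_port) in p for p in self.by_call.values())

# Constructed sample messages (documentation addresses, not captured traffic).
SDP = "v=0\r\nc=IN IP4 {}\r\nm=audio {} RTP/AVP 0\r\n"
HDR = "Call-ID: a1@example.test\r\nCSeq: {}\r\n\r\n"
INVITE = ("INVITE sip:bob@example.test SIP/2.0\r\n" + HDR.format("1 INVITE")
          + SDP.format("192.0.2.10", 49170))
OK200 = "SIP/2.0 200 OK\r\n" + HDR.format("1 INVITE") + SDP.format("192.0.2.20", 50000)
BYE = "BYE sip:bob@example.test SIP/2.0\r\n" + HDR.format("2 BYE")

def demo():
    t = PinholeTable()
    seen = [t.allow_rtp("192.0.2.10", 49170)]      # before any signaling
    t.on_sip(INVITE)
    t.on_sip(OK200)
    seen.append(t.allow_rtp("192.0.2.10", 49170))  # offered in INVITE
    seen.append(t.allow_rtp("192.0.2.20", 50000))  # answered in 200 OK
    seen.append(t.allow_rtp("192.0.2.20", 50002))  # never negotiated
    t.on_sip(BYE)
    seen.append(t.allow_rtp("192.0.2.10", 49170))  # after teardown
    return seen
```

Because the slide lists session teardown among the SIP method vulnerabilities, a production filter would also check a BYE against dialog state and source before closing a pinhole; this sketch trusts the signaling it is given.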
Slide 10: DoS Mitigation Strategy
• SIP infrastructure element defense
  – Implementation flaws are easier to deal with
    • Systems can be tested before used in production
  – Application level and flooding attacks are harder to defend against
    • Require layer 7 deep packet inspection
    • Require deep understanding and handling of SIP protocol
• Commercially available solutions for general UDP/SYN flooding but none for SIP
Address application level and flooding attacks specifically for SIP
Identify and address architectural weaknesses before they are exploited to commit ToS

Slide 11: DoS Mitigation Solution Overview
[Diagram labels: Untrusted, DPPM, sipd, Trusted, SIP, RTP, Filter I, Filter II, VoIP Traffic, Attack Traffic]

Slide 12: Hardware Platform
[Diagram: System Level Port Distribution; labels: 10/100/1000, 10/100, Backplane, Gigabit Ethernet Interconnects, E1, E2, F0, C3, C4, D0, D1, P0, Application Server Module, Pentium]

