Design and Implementation of an Extensible Distributed VoIP Security Evaluation System
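Abstract
Voice over IP (VoIP) is increasingly widely deployed, but it also introduces many security problems. Taking the SIP protocol as an example: in a Bye/Cancel attack, the attacker intercepts the messages exchanged between the two parties, then forges and sends a BYE or CANCEL message, causing the server to wrongly terminate the service. In an RTP injection attack, the attacker captures the port number carried in the SDP of the SIP messages exchanged during call setup and sends forged RTP packets to that port, so that the victim hears forged voice content.
     This thesis studies VoIP security problems and designs and implements a VoIP security evaluation system. The specific work is as follows:
     1. Simulation experiments were carried out for a range of typical VoIP attacks. In addition to the attacks mentioned above, these include: registration hijacking, registration removal, registration addition, SIP phone reboot, call hijacking, flooding, eavesdropping, and redirection attacks.
     2. An extensible distributed VoIP security evaluation system was proposed and implemented. Its features are:
     a) It integrates all common SIP attacks with a certain depth and breadth, and can test a VoIP system for common security vulnerabilities;
     b) It uses a distributed architecture: an interactive master (control) component and client component are installed simultaneously on multiple client machines of the VoIP system, realistically simulating the network environment used in an attack;
     c) It is highly extensible: when a new attack method or security vulnerability is discovered, it can easily be added to the system.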
Voice over IP (VoIP) is being used more and more widely, but it also brings many security problems. Take SIP as an example: in the BYE/CANCEL attack, the attacker captures the packets exchanged by the two sides of a communication, dissects them, and uses that information to forge and send BYE or CANCEL packets, making the server wrongly terminate the service. Another example is the RTP insertion attack, which takes the port number carried by SDP in the SIP packets captured while the call is being initiated and sends forged RTP packets to the specified ports, making the victim hear forged voice information.
     This thesis focuses on the problems of VoIP security and designs and implements an extensible distributed evaluation system for VoIP security. The detailed content is as follows:
     1. Addressing the security problems of VoIP, simulation experiments were performed for a range of typical VoIP attacks, including: BYE/CANCEL attacks, RTP insertion, register hijacking, register removal, register addition, SIP phone rebooting, call hijacking, flooding, eavesdropping, and redirection attacks.
     2. Based on these experiments, an extensible distributed evaluation system for VoIP security was designed and implemented. The features of the system are:
     a) It integrates all popular SIP weaknesses with a certain depth and scope, so it can test a VoIP system for popular VoIP weaknesses.
     b) It uses a distributed architecture, i.e. it is installed on multiple PC clients, and is thus able to simulate the real network environment of an attack.
     c) It is extensible. When new attack methods are found, they can conveniently be added to the system.
