Verizon%20Columbia%20Research%20on%20VoIP%20Security%20A%20Model%20Academia/Industry%20Collaboration

1
Verizon Columbia Research on VoIP SecurityA
Model Academia/Industry Collaboration
Gaston Ormazabal Verizon Laboratories
August 21, 2018
2
Agenda

• A successful collaboration
• Verizon and CATT Professor Schulzrinne - three
  year program
• Project Overview
• Background, Research Focus, and Goals
• DoS
• DoS Detection and Mitigation Strategy
• DoS Validation Methodology - DoS Automated Attack
  Tool
• Value to Verizon
• Intellectual Property/Technology Licensing
• Next Steps
• Conclusions

3
Verizon CATT Program

• Collaboration between Verizon and Center of
  Advanced Technology Telecommunications
• Verizon
• PI Gaston Ormazabal
• CATT
• Columbia University
• PI Prof. Henning Schulzrinne
• Graduate Students
• Milind Nimesh
• New York University
• Polytechnic Institute

4
Background Research Focus

• SIP is the VoIP protocol of choice for both
  wireline and wireless telephony
• Control protocol for the Internet Multimedia
  Systems (IMS) architecture
• VoIP services migrating to IP fast becoming
  attractive DoS and ToS targets
• DoS attack traffic traversing network perimeter
  reduces availability of signaling and media for
  VoIP
• Theft of Service must be prevented to maintain
  service integrity
• Reduces ability to collect revenue and providers
  reputation both are at stake
• Attack targets
• SIP infrastructure elements (proxy, softswitch,
  SBC, CSCF-P/I/S)
• End-points (SIP phones)
• Supporting services (e.g., DNS, Directory, DHCP,
  HSS, DIAMETER, Authorization Servers)
• Verizon needs to solve security problem for VoIP
  services
• Protocol-aware application layer gateway for RTP
• SIP DoS/DDoS detection and prevention for SIP
  channel
• Theft of Service Architectural Integrity
  Verification Tool
• Need to verify performance scalability at
  carrier class rates
• Security and Performance are a zero sum game
• Columbia likes to work in real life problems
  analyze large data sets
• Goal of improving generic architectures and
  testing methodologies
• Columbia has world-renowned expertise in SIP

5
Goals

• Study VoIP DoS and ToS for SIP
• Definition define SIP specific threats
• Detection how do we detect an attack?
• Mitigation defense strategy and implementation
• Validation verification of defense strategy
• Generate requirements for future security network
  elements and prototypes
• Share requirements with vendors
• Generate the test tools and strategies for their
  validation
• Share tools with vendors

6
Definition VoIP Threat Taxonomy
Scope of our research - 2007
Scope of our research - 2006
- VoIP Security and Privacy Threat Taxonomy,
VoIP Security Alliance Report, October, 2005
(http//www.voipsa.org)
7
Denial of Service Theft of Service

• Denial of Service preventing users from
  effectively using the target services
• Service degradation to a not usable point
• Complete loss of service
• Distributed Denial of Service attacks represent
  the main threat facing network operators
• Most attacks involve compromised hosts (bots)
• botnets sized from a few thousands to over
  million
• 25 of all computers on Internet may be botnets
• Theft of Service any unlawful taking of an
  economic benefit of a service provider
• With intention to deprive of lawful revenue or
  property

- Worldwide ISP Security Report, September 2005,
Arbor Networks - Criminals 'may overwhelm the
web', 25 January, 2007. BBC
8
SIP DoS Attack Taxonomy

• Denial of Service
• Implementation flaws
• Application level
• Flooding

9
Strategy Focus

• VULNERABILITY Most security problems are due
  to
• flexible grammar ? syntax-based attacks
• Plain text ? interception and modification
• SIP over UDP ? ability to spoof SIP requests
• Registration/Call Hijacking
• Modification of Media sessions
• SIP Method vulnerabilities
• Session teardown
• Request flooding
• Error Message flooding
• RTP flooding
• STRATEGY Two DoS detection and mitigation
  filters and ToS tools
• SIP Two types of rule-based detection and
  mitigation filters
• Media SIP-aware dynamic pinhole filtering

10
DoS Mitigation Strategy

• SIP infrastructure element defense
• Implementation flaws are easier to deal with
• Systems can be tested before used in production
• Application level and flooding attacks are harder
  to defend against
• Require layer 7 deep packet inspection
• Require deep understanding and handling of SIP
  protocol
• Commercially available solutions for general
  UDP/SYN flooding but none for SIP
• ? Address application level and flooding attacks
  specifically for SIP
• ? Identify and address architectural weaknesses
  before they are exploited to commit ToS

11
DoS Mitigation Solution Overview
Untrusted
Trusted
Untrusted
Trusted
Filter II
sipd
Filter I
Filter II
sipd
Filter I
DPPM
DPPM
SIP
SIP
SIP
SIP
SIP
SIP
RTP
RTP
RTP
RTP
12
Hardware Platform
System Level Port Distribution
Application Server Module Pentium 1GHz
13
Integrated DDOS and Dynamic Pinhole Filters

Linux server
ASM
DPPM
FCP/UDP
Lookup
Switch
Drop
14
Integrated Testing and Analysis Environment
Call Handlers SIPUA/SIPp
Legitimate Loaders SIPUA/SIPp
Attack Loaders SIPStone/SIPp
GigE Switch
GigE Switch
Controller secureSIP
Firewall
SIP Proxy
15
secureSIP Test Results for DoS
SIP DoS Measurements(showing max supported call
rates)
Dynamic Pinhole
Firewall Filters OFF Firewall Filters OFF Firewall Filters OFF Firewall Filters ON Firewall Filters ON Firewall Filters ON
Traffic Composition Good CPS Attack CPS CPU Load Good CPS Attack CPS CPU Load
Non-Auth Traffic 690 0 87.81 690 0 88.04
Auth Good Traffic 240 0 19.83 240 0 39.64
Auth Good Traffic 480 0 81.20 480 0 81.75
Auth Good Traffic Spoof Traffic 240 2950 83.64 240 16800 41.39
Auth Good Traffic Spoof Traffic 480 195 85.40 480 14400 82.72
Auth Good Traffic Flood of Requests 240 3230 84.42 240 8400 40.83
Auth Good Traffic Flood of Requests 480 570 86.12 480 7200 82.58
Auth Good Traffic Flood of Responses 240 2970 87.2 240 8400 41.33
Auth Good Traffic Flood of Responses 480 330 86.97 480 7200 82.58
Auth Good Traffic Flood of Out-of-State 240 2805 86.24 240 8400 40.29
Auth Good Traffic Flood of Out-of-State 480 290 84.81 480 7200 82.19
Concurrent Calls Call rate (CPS) Delay due to Firewall Delay due to Firewall
Concurrent Calls Call rate (CPS) Pinhole opening Pinhole closing
20000 300 0.73 0
25000 300 0.75 0
30000 300 0.83 15.51
30000 200 0.80 0.02
16
The Bigger Picture - Columbia VoIP Testbed

• Columbia VoIP test bed is collection of various
  open-source, commercial and home-grown SIP
  components
• provides a unique platform for validating
  research
• Columbia-Verizon Research partnership has
  addressed major security problems
• signalling, media and social threats
• Researched DoS solutions verified against
  powerful test setup at very high traffic rates
• ToS successfully validated integrity of different
  setups of test bed

17
Value to Verizon

• Enhanced VoIP security through standards and
  vendor involvement
• Worked with Verizon vendors to mitigate exposures
• Evangelize vendor community
• Rolled the requirements and lessons learned into
  the Verizon security architecture and new element
  requirements database for procurement
• Columbia requirements valid for VoIP, Presence
  and Multimedia architectures (IMS)
• Wireline and wireless
• Setup a laboratory in Verizon facilities for VoIP
  security evaluations
• Incorporate Columbia/Verizon collaborative test
  tools
• Intellectual Property with Six Patent
  Applications
• Licensing Agreement
• Taken research quickly to marketplace
• Four vendors interested
• One agreement almost finalized
• A major vendor interested

18
Next Steps

• New vulnerability require a new mitigation
  technology for VoIP products
• VoIP should not be deployed without protection
• SIP proxies are vulnerable to crash
• Attack tool is easy to build and use
• Carriers (e.g., Verizon) will need new network
  elements
• RFP will include these requirements
• Vendors must have a ready solution
• Conversion of research into a product that
  carriers can use
• Need to determine optimal architecture for DoS
  prevention functionality for VoIP
• Security vs. Performance
• Hardware vs. Software Implementation
• Proxy/Softswitch (SW)
• SBC or New network element (HW/SW), Router?
• Use internally (protect VZ Network)
• Use externally (sell new security services to
  large customers)
• Get other companies interested to synergize
  resources and share results

19
Next Steps

• Cisco has just joined project funding research at
  NYU Polytechnic Institute to develop hardware
  prototype
• Objective is to research the optimal hardware
  platform to implement Columbia-Verizon SIP
  algorithms
• Use Cisco experimental cards that will eventually
  become router blades
• Continue relationship with Columbia
• Cisco is funding maintenance of the Verizon
  testbeds
• For further research in distributed computing and
  traffic generation enhancements
• To assist NYU Poly in testing and validation of
  new prototype against previous benchmarks
• To assist in eventual product development during
  product testing cycle
• Feedback loop of research and product cycle
• Other research in related areas
• Proposal to study SRTP/RTSP
• What can we do to make the working relationship
  even more productive?
• Have the synergistic combination of both CATT
  components (NYU Polytech and Columbia) and two
  major industry players (Cisco and Verizon)
• A model worth emulating!

20
Conclusions

• Research Results
• Demonstrated SIP vulnerabilities for VoIP
  resulting in new DoS susceptibility for both
  wireline and wireless
• Work is fully reusable to secure a Presence and
  IMS infrastructure
• Implemented some carrier-class mitigation
  strategies
• Prototype is first of its kind in the world
• Removed SIP DoS traffic at carrier class rates
• Developed new generic requirements
• Built a validation testbed to measure performance
• Developed customized test tools
• Built a high powered SIP-specific Dos Attack tool
  using parallel computing
• Crashed a SIP Proxy in seconds
• Built a Theft of Service Architectural Integrity
  Validation Tool using parallel computing
• Intellectual Property
• Research activity resulted in six patent
  applications
• Commercialization
• Licensing agreements currently under negotiation
• Have socialized new requirements and test tools
  with vendor community to address rapid field
  deployment
• Major Vendors interested in new opportunities
• Rapid implementation is now expected

20
21
Thank You

• Thank you
• Questions?
• gaston.s.ormazabal_at_verizon.com
• Paper published by Springer Verlag - Principles,
  Systems and Applications of IP Telecommunications
  in October 2008 http//www.springerlink.com/cont
  ent/r5t1652v3572/
• Book available athttp//www.amazon.com/Principle
  s-Applications-Telecommunications-Services-Generat
  ion/dp/354089053X/refsr_1_1?ieUTF8sbooksqid1
  226098298sr1-1

22
Backup Slides
23
Intellectual Property Six Patent Applications

• Fine Granularity Scalability and Performance of
  SIP Aware Border Gateways Methodology and
  Architecture for Measurements
• Inventors Henning Schulzrinne, Kundan Singh,
  Eilon Yardeni (Columbia), Gaston Ormazabal
  (Verizon)
• Architectural Design of a High Performance
  SIP-aware Application Layer Gateway
• Inventors Henning Schulzrinne, Jonathan Lennox,
  Eilon Yardeni (Columbia), Gaston Ormazabal
  (Verizon)
• Architectural Design of a High Performance
  SIP-aware DOS Detection and Mitigation System
• Inventors Henning Schulzrinne, Eilon Yardeni,
  Somdutt Patnaik (Columbia), Gaston Ormazabal
  (Verizon)
• Architectural Design of a High Performance
  SIP-aware DOS Detection and Mitigation System -
  Rate Limiting Thresholds
• Inventors Henning Schulzrinne, Somdutt Patnaik
  (Columbia), Gaston Ormazabal (Verizon)
• System and Method for Testing Network Firewall
  for Denial of Service (DoS) Detection and
  Prevention in Signaling Channel
• Inventors Henning Schulzrinne, Eilon Yardeni,
  Sarvesh Nagpal (Columbia), Gaston Ormazabal
  (Verizon)
• Theft of Service Architectural Integrity
  Validation Tools for Session Initiation Protocol
  (SIP) Based Systems
• Inventors Henning Schulzrinne, Sarvesh Nagpal
  (Columbia), Gaston Ormazabal (Verizon)

24
External Publications, Presentations,
Recognition

• Importance of rapid dissemination of results in
  industry and academia
• For knowledge diffusion and ubiquity among
  research practitioners
• For PR reasons (licensing agreements and
  potential sales)
• Presentation at NANOG 38 Oct. 10 2006 (HS/GO)
• Paper published in NANOG 38 2006 Proceedings -
  Scalable Mechanisms for Protecting SIP-Based
  VoIP Systems
• Made a headline in VON Magazine on October 11,
  2006 http//www.vonmag.com/webexclusives/2006/10/
  10_NANOG_Talks_Securing_SIP.asp
• Presentation to at Global 3G Evolution Forum
  Tokyo, Japan, Jan. 2007 (GO)
• Presentation/demo at IPTComm 2007 New York
  City, July, 2007 (GO)
• Presentation at OSS/BSS Summit Tucson, AZ,
  September, 2007 (GO)
• Presentation at Columbia Science and Technology
  Ventures Symposium From Signal to Information
  Displayed in a Wireless World, April 2008
  (HS/GO)
• Presentation at IPTComm 2008 Heidelberg, July,
  2008 Secure SIP A scalable prevention mechanism
  for DoS attacks on SIP based VoIP systems (GO)
• Presentation at IIT VoIP Conference and Expo IV
  Chicago, October, 2008 (GO)
• Paper published by Springer Verlag - Principles,
  Systems and Applications of IP Telecommunications
  in October 2008 http//www.springerlink.com/cont
  ent/r5t1652v3572/
• Work incorporated in a new Masters level course
  on VoIP Security taught at Columbia since Fall
  2006, every year
• COMS 4995-1 Special Topics in Computer Science
  VoIP Security (HS)
• CATT Technological Impact Award - 2007

25
SIP Security Overview

• Application Layer Security
• SIP RFC 2543 little security
• SIP RFC 3261 security enhancements
• Digest Authentication
• TLS
• IPSec
• SRTP/ZRTP (RFC 3711)
• Perimeter Protection
• SIP aware Filtering Mechanisms
• SIP aware DOS Protection
• Detection and Mitigation

26
SIP Security Overview - ??

• Application layer security
• Digest Authentication, TLS, S/MIME, IPSec,
  certificates
• SRTP/ZRTP for media
• Convergence leads to converged attacks
• Data network attacks
• DDoS, spoofing, content alteration, platform
  attacks
• Voice over IP network attacks
• Toll fraud, session hijacking, theft of service,
  spam/spit
• Most security problems are due to
• User Datagram Protocol (UDP) instead of TCP/TLS
• Plain text instead of S/MIME
• Message/Method vulnerability
• Flexible grammar --gt syntax-based attacks

26
27
SIP Detection and Mitigation Filters

• Authentication Based - Return Routability Check
• Require SIP built-in digest authentication
  mechanism
• Null-authentication (no shared secret)
• Filter out spoofed sources
• Method Specific Based Rate Limiting
• Transaction based
• Thresholding of message rates
• INVITE
• Errors
• State Machine sequencing
• Filter out-of-state messages
• Allow in-state messages
• Dialog based
• Only useful in BYE and CANCEL messages
• Dynamic Pinhole Filtering for RTP
• Only signaled RTP media channels can traverse
  perimeter
• Obtain from SDP interception
• End systems are protected against flooding of
  random RTP

28
Test Tools

• SIPp, SIPStone, and SIPUA are benchmarking tools
  for SIP proxy and redirect servers
• Establish calls using SIP in Loader/Handler mode
• A controller software module (secureSIP) wrapped
  over SIPp/SIPUA/SIPStone launches legitimate and
  illegitimate calls at a pre-configured workload
• SIPp
• Robust open-source test tool / traffic generator
  for SIP
• Customizable XML scenarios for traffic generation
• 5 inbuilt timers to provide accurate statistics
• Customized to launch attack (SIP DoS) traffic
  designed to cause proxy to fail
• SIPStone continuously launches spoofed calls
  which the proxy is expected to filter
• For this project enhanced with
• Null Digest Authentication
• Optional spoofed source IP address SIP requests
• SIPUA Test Suite
• Has built-in Digest Authentication functionality
• Sends 160 byte RTP packets every 20ms
• Settable to shorter interval (10ms) if needed for
  granularity
• Starts RTP sequence numbers from zero
• Dumps call number, sequence number, current
  timestamp and port numbers to a file

29
Theft of Service Overview

• VoIP is different
• Not a static but a real-time application
• Direct comparisons with PSTN
• According to Subex Azure 3 of total revenue is
  subject to fraud
• VoIP can be expected to be at least twice as
  large a proportion of revenue
• Theft of Service is more daunting problem in VoIP
• Implications of ToS
• Lost revenue and bad reputation
• Abused resources cause monetary losses to network
  providers
• Unauthorized usage degrades whole systems
  performance
• Scenarios
• Using services without paying
• Illegal Resource Sharing (unlimited-plans)
• Compromised Systems
• Call Spoofing and Vishing

Billing World and OSS Magazine Top Telco
Frauds and How to Stop Them, January 2007, by
Geoff Ibett
30
Theft of Service Goals

• Verification of security implementation
• Automate validation process
• Creating new tools and scripts
• Modify existing tools to create a package
• Architectural Integrity Verification Tool
• Identity Assurance
• Multiple End Points
• Intrusion Detection
• Black-box type abstraction

31
Theft of Service Challenges

• Client-side threats
• Illegal resource sharing
• Compromised hardware
• Weak password
• Server-side threats
• Identity assurance
• Unauthorized registration, unauthenticated INVITE
  
• Digest authentication (nonce usage, password
  guessing)
• Transport protocol choice (TCP/UDP)
• TLS crypto strength
• Spoofing to gain privileged access
• DoS/DDoS attacks
• Implementation flaws
• Flooding billing system
• DoS amplification prevention on Billing systems
• Application level flaws
• Counter Method-based vulnerabilities
• BYE attack validation

32
Theft of Service Challenges

• Service threats
• Distinguish between audio call, single media
  stream or multiple destination signaling
• Multimedia services, messages, etc.
• Launching multiple simultaneous accounts
• Multiple end-points
• Authorization Safeguards
• 800 numbers, emergency number
• Voicemail messages checking portability ensured
• Intrusion detection
• Existing call logs help find patterns and detect
  anomaly

33
Discussion A successful collaboration
33
34
A Successful Collaboration

• Want a realistic perspective on what makes
  projects succeed and what is unlikely to work
• Project is not in critical path of current
  deployments but is very relevant
• Industry must see value or need to pursue IP
• Rapid commercialization/productization for
  in-house use
• Agreement on fair distribution of
  rights/obligations
• Typical arrangement GRA professor
• Frequently needs to supervise multiple projects
  at the same time
• Companies often seem to have the illusion that
  they get the faculty's full attention...
• Require full attention of industry SME
• Student mentoring/coaching
• Industry perspective
• Writing/Presentation skills
• Clear understanding of deliverables
• Standards
• Reports
• Systems/Prototypes
• Timelines
• Start time and academic calendar - MS GRA vs. PhD