[VoiceOps] VoIP Abuse Project

James Hess mysidia at gmail.com
Mon Sep 20 20:47:51 EDT 2010


On Mon, Sep 20, 2010 at 2:19 PM, Jay Hennigan <jay at west.net> wrote:
[snip]
> In most cases SIP transactions are UDP, hence trivially spoofed.  An
> attacker can generate failed registration/authentication attempts
> spoofed from your customer or peer IPs.  Fail2ban will then lock out
> your legitimate traffic.
[snip]

It is probably trivial to recognize a brute-force attack from a single
IP, as these are most prevalent, and we at least have not heard of
other possible attacks such as spoofed SIP to trigger firewalls.
That may become more of an issue later, if fail2ban installations
become popular, or become a default included by some vendor.

It might be useful to think about possible deprecation of the use of
UDP for registration, or at least a requirement for a firm
bidirectional acknowledgement with a nonce (as in an authenticated
request/acknowledgement), before a registration "attempt" can be
regarded as having failed or succeeded.

An attacker may spoof the source IP of single-packet UDP registration
requests for an entirely different reason -- a blast/scatter attack.

In this scenario, an attacker may blast from 1000 source addresses,
900 of which could be spoofed third-party innocent IPs. It wouldn't be
trivial to determine which IP address belongs to the attacker.

It is still a brute-force attack, but you don't know which IP is the
real attacker's. All fake source IPs may appear to send a similar
number of requests as the real sources, in a similar pattern.

The distribution pattern can conceal which nodes are the "true source"
addresses, while the vast majority of the addresses are fake (truly
originating from a few malicious nodes).


How do you reliably build a blacklist, if the source of communication
can be arbitrarily forged by an adversary, and you cannot detect that?
Someone might spoof one of your source IPs for the sole purpose of
attempting to get you blacklisted.

It may be a bit paranoid to expect this will happen often, but it
should be anticipated.

There needs to be a way to determine whether the IP is spoofed or not,
within the protocol itself, before you can have a truly reliable
blacklist without, possibly, a lot of noise and false listings.

--
-J
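The "bidirectional acknowledgement with nonce" idea from the post, worked through as an added example (this is not code from the post, from fail2ban, or from any SIP server). SIP digest authentication already has the needed shape: the first REGISTER gets a 401 carrying a server-chosen nonce, and only a host that can actually receive packets at the source address can echo that nonce back. The toy registrar below keeps two counters: a naive one that charges a source IP for every REGISTER that does not end in 200 (roughly what a fail2ban rule matching every failed registration does), and a strict one that charges an IP only when a request echoes a nonce the server issued to that same IP and then fails the password check. The addresses, realm, user list and sample messages are all constructed for the example; there is no network I/O.

```python
"""Nonce-bound failure counting for SIP REGISTER (added illustration).

Hypothetical registrar: a 401 nonce is bound to the IP it was sent to, and
an authentication failure is only counted against an IP once that IP has
echoed its own nonce back. Spoofed single-packet REGISTERs never get that
far, so they cannot be used to get a third party's address banned."""
import hashlib
import os
import re
from collections import defaultdict

BAN_THRESHOLD = 3                   # failures before a fail2ban-style ban
REALM = "sip.example.com"           # hypothetical realm
USERS = {"1001": "s3cret"}          # hypothetical credential store


def md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, nonce, method, uri):
    """RFC 2617 digest without qop, as SIP uses it: MD5(HA1:nonce:HA2)."""
    ha1 = md5(f"{user}:{REALM}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")


def parse_headers(msg):
    """Minimal SIP header parser: drop the request line, split on ':'."""
    hdrs = {}
    for line in msg.split("\r\n")[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            hdrs[k.strip().lower()] = v.strip()
    return hdrs


class Registrar:
    def __init__(self):
        self.issued = {}                     # nonce -> IP the 401 was sent to (a real
                                             # server would also expire these)
        self.naive_fail = defaultdict(int)   # any REGISTER not answered with 200
        self.strict_fail = defaultdict(int)  # only nonce-bound password failures

    def handle(self, src_ip, msg):
        resp = self._process(src_ip, msg)
        if not resp.startswith("SIP/2.0 200"):
            self.naive_fail[src_ip] += 1     # naive rule: every non-200 is a "failure"
        return resp

    def _process(self, src_ip, msg):
        auth = parse_headers(msg).get("authorization")
        if auth is None:
            # Leg 1: challenge. The nonce only reaches whoever really owns src_ip.
            nonce = os.urandom(8).hex()
            self.issued[nonce] = src_ip
            return ("SIP/2.0 401 Unauthorized\r\n"
                    f'WWW-Authenticate: Digest realm="{REALM}", nonce="{nonce}"\r\n\r\n')
        p = dict(re.findall(r'(\w+)="([^"]*)"', auth))
        nonce = p.get("nonce", "")
        if self.issued.get(nonce) != src_ip:
            # Unknown nonce, or one issued to another address: the sender never
            # received our 401 at src_ip, so do not charge src_ip for this.
            return "SIP/2.0 401 Unauthorized\r\n\r\n"
        del self.issued[nonce]               # single use
        user = p.get("username", "")
        if user in USERS and p.get("response") == digest_response(
                user, USERS[user], nonce, "REGISTER", p.get("uri", "")):
            return "SIP/2.0 200 OK\r\n\r\n"
        self.strict_fail[src_ip] += 1        # proven return-routable AND wrong password
        return "SIP/2.0 403 Forbidden\r\n\r\n"


def register(reg, src_ip, user, password, uri="sip:sip.example.com"):
    """Genuine two-leg exchange: the client can read the 401, so it echoes the nonce."""
    challenge = reg.handle(src_ip, f"REGISTER {uri} SIP/2.0\r\nFrom: <sip:{user}@{REALM}>\r\n\r\n")
    nonce = re.search(r'nonce="([^"]*)"', challenge).group(1)
    resp = digest_response(user, password, nonce, "REGISTER", uri)
    return reg.handle(src_ip, (f"REGISTER {uri} SIP/2.0\r\nAuthorization: Digest "
                               f'username="{user}", realm="{REALM}", nonce="{nonce}", '
                               f'uri="{uri}", response="{resp}"\r\n\r\n'))


def spoofed_blast(reg, victim_ip, n, uri="sip:sip.example.com"):
    """Attacker forges victim_ip as source. The 401s go to the victim, so the
    attacker never sees a nonce; the best it can do is send a guessed one."""
    for _ in range(n):
        reg.handle(victim_ip, f"REGISTER {uri} SIP/2.0\r\nFrom: <sip:1001@{REALM}>\r\n\r\n")
        reg.handle(victim_ip, (f"REGISTER {uri} SIP/2.0\r\nAuthorization: Digest "
                               f'username="1001", realm="{REALM}", nonce="deadbeef", '
                               f'uri="{uri}", response="00"\r\n\r\n'))


def banned(counter):
    return sorted(ip for ip, n in counter.items() if n >= BAN_THRESHOLD)


def run_scenario():
    reg = Registrar()
    attacker, customer = "203.0.113.9", "198.51.100.7"   # documentation-range IPs
    spoofed_blast(reg, customer, 5)                      # tries to get the customer banned
    for guess in ("1234", "password", "1001"):           # real brute force from own IP
        register(reg, attacker, "1001", guess)
    customer_ok = register(reg, customer, "1001", "s3cret").startswith("SIP/2.0 200")
    return {"naive": banned(reg.naive_fail), "strict": banned(reg.strict_fail),
            "customer_ok": customer_ok}


if __name__ == "__main__":
    print(run_scenario())
```

Running it, the naive counter bans both the attacker and the spoofed customer address, while the strict counter bans only the attacker and the customer still registers. The caveats a deployment should keep in mind: the nonce binding only proves the sender could receive the 401 at that address at challenge time, so an on-path attacker or one sharing the victim's segment is not excluded; nonces must be expired and not reusable; and in a real server the analogous change is to feed the ban logic only the log line emitted after a failed digest response, not the line emitted for the initial unauthenticated request.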