[VoiceOps] Mitigating SIP threats with SBC policies, configuration settings

[Patrick McNeil]

Rob,

Re: First
Just make sure you follow the appendix on DDoS Prevention for Peering
Environments and you should be ok. If you are peering / trunking over the
Internet, and more than just the trunk provider can hit your IP, then
you've likely got one of the following issues:

1. sip-interface > sip-ports is not set to agents-only (Note: That
automatically sets up a default deny-all and a permit ACL for just the
remote session-agent you've defined - i.e. the telco at the other end)
2. You've got an ACL implemented with a trust level that does not match the
realm trust level. See the trust level table in that document. If they
don't match you will get results that are not intuitive.

It *can* be a good idea to connect a SIP interface to the Internet under
the right circumstances - like when supporting remote SIP clients. However
in your case it just sounds like you're misconfigured.

Re: Second
The varying response messages are because Acme Packet had to play nice by
the RFCs if the port is open. If you get your config right it won't be
reachable. Also note that there is extensive DoS and fuzzing testing
conducted during development so it's not likely you'd create an issue.

Again - just watch the agents-only setting and that will set up the ACLs to
work as you suggest - only allow traffic from a trusted endpoint.


You should also check out the Oracle | Acme Packet Community. Registration
is free, and these types of questions can be answered there if you can't
find an old thread.  http://community.acmepacket.com/


Cheers,
Patrick McNeil

---------- Forwarded message ----------
From: Robert Nystrom <ronystrom at gmail.com>
To: VoiceOps at voiceops.org
Cc:
Date: Wed, 3 Sep 2014 10:49:44 -0500
Subject: [VoiceOps] Mitigating SIP threats with SBC policies, configuration
settings
Hello Everyone,

New to the list, so please take it easy on me :-)  I'm reviewing the
security configuration for a customer that is using ACME SBC for SIP trunk
to their carrier, and have some questions.  I thought you guys on the list
would have a lot of experience with ACME security architecture and best
practices recommendations.

First:  Customer's ACME is visible from public Internet on udp/5060, and
SIP trunk is only being used to interconnect to SIP trunk carrier for
inbound and outbound dialing.  I've tested the SBC from the Internet and it
actually responds to INVITE and REGISTER messages (with 403 Forbidden).
 They are alsonot supposed to be allowing any REGISTER for remote user MD5
Digest Authentication - but it does respond.  Question:  Is there any
operational need or business usage case that you would see that would make
this setup a good idea?  Because this appears to be a very risky and poor
security.  I would think that the SBC needs to be silently discard/drop any
SIP message rather than respond, as this increases the visible footprint
and encourages malicious actors / scanning tools.  Would think that having
ACLs that only permit traffic to/from the carrier's SBC would be the best
configuration.  Is their an opposing view?

Second:  I have written some SIP software that sends malformed message
headers, and have noticed that the SBC responds with different errors other
than 403 Forbidden when headers have unexpected values.  For example, when
I send an INVITE with extra CRLFs, I get a 400 CSeq missing header.  When I
send a Contact header of "None", I get 400 Invalid Contact.  This leads me
to believe that the SBC sip parser is parsing all of the SIP message rather
than always sending a 403 Forbidden to an IP address sourced from the
untrusted public Internet...this also seems to be very risky.  Is there a
specific security configuration with the policies that you would recommend?
 It seems like this introduces the risk of DoS and fuzzing attacks if the
SBC is parsing more of the SIP message rather than just dropping the
message based on invalid source IP.  Could lead to cpu and memory issues if
the queues are filled from invalid and fuzzed traffic.

I have read the Oracle SCME Security Guide (July, 2014), and learned
rudimentary that there are IP ACLs, realm trust level settings, and traffic
queues.  But really looking for practical advice based on experience with
ACME.  This customer takes security very seriously, and it is informative
of them to see how the SBC responds, black box, to attacks from the
outside.  I'd like to recommend security settings.  It seems like the best
would be just to drop/discard any SIP message from the public
Internet...but wanted to get the expert's opinion on ACME.

TIA, Rob
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/voiceops/attachments/20140903/e193ccfb/attachment-0001.html>