Distributed Monitoring of SIP-based Attacks (Verteiltes Monitoring von SIP-basierten Angriffen)
TRANSCRIPT
22.10.2013
© Technik der Rechnernetze

Verteiltes Monitoring von SIP-basierten Angriffen (Distributed Monitoring of SIP-based Attacks)
59. DFN-Betriebstagung, Berlin, 15.10.2013
Prof. Dr.-Ing. Erwin P. Rathgeb, Dirk Hoffstadt, M.Sc., Adnan Aziz, M.Sc.
Networking Technology Group, Institute for Experimental Mathematics & Institute for Computer Science & Business Information Systems, University of Duisburg-Essen

Overview
• Introduction
  – SIP fraud and misuse scenarios
  – Multi-stage Toll Fraud scheme
• SIP misuse detection for forensic analysis
  – Tools: SIP Trace Recorder and SIP Honeypots
  – Clustering: from packets to attacks
  – Typical multi-stage attack example
• Distributed real-time SIP misuse detection
  – Distributed Sensor System overview
  – Deployment options
    • Hardware
    • Software
    • Virtual sensors
Distributed Monitoring of SIP-based Attacks (59. DFN-Betriebstagung, 15.10.2013)

Voice over IP – Threats and misuse scenarios

Threat | Description | Goal
Flooding | Flood the device with VoIP protocol packets like INVITE, OPTIONS | Denial of Service (brute force)
Fuzzing | Send malformed messages to the system (e.g. PROTOS) | Denial of Service (exploit software vulnerabilities)
SPIT | Unwanted calls, often initiated automatically | Trick users into spending money or revealing secret information (Phishing)
Registration Hijacking/Toll Fraud | Compromise user account, make (toll) calls | Save money on toll calls; earn money from toll calls; make calls anonymously

• Denial of Service: Generic threat, mitigation approaches known in principle (overload control, rigorous programming)
• SPIT: Adaptation of generic threat, mitigation based on signalling (SPIT Filter) or media (voice recognition and analysis)
• Registration Hijacking/Toll Fraud: Novel, specific threat, high damage potential (financial, legal)

State of SIP misuse – Attacks monitored by PBX vendor
[Chart: attack statistics monitored by a PBX vendor, data from 01/2011]

Benefit/cost for VoIP attacks – Attacker module for lab tests
• Registration Hijacking: SIPvicious ToolBox
  – svmap: scan for SIP registrars
  – svwar: scan for active extensions
  – svcrack: password scan
• Denial of Service: SIP-INVITE Flooder
  – Perform DoS attack with SIP INVITEs
• SPIT Generator: Asterisk SW-PBX with call files
  – Generate SPIT calls with freely configurable announcement
  – Call file extension for Phishing: record answers

Common SIP misuse scenario – Multi-stage scheme for Toll Fraud
• Toll Fraud is particularly attractive
  – Immediate financial benefit
  – Caller anonymization
  – Predominant misuse scheme at the moment
• Basic scheme
  – Stage 1: Find SIP server → Server Scan
  – Stage 2: Find active extensions → Extension Scan
  – Stage 3: Crack password → Registration Hijacking
  – Stage 4: Make calls using victim's account → Toll Fraud

Common SIP misuse scenario – Stage 1: Server Scan
[Figure: an attacker anywhere on the Internet sends OPTIONS to a company SIP server, which answers 200 OK]
• Attacker sends SIP OPTIONS messages to detect active SIP servers in a network
• SIP packets from one source IP address directed to multiple targets
• Scan behaviour: 1 to 96 OPTIONS messages per server
• Variations by using other SIP messages (e.g. INVITE)
• Result: List of active SIP servers

Common SIP misuse scenario – Stage 2: Extension Scan
[Figure: the attacker sends REGISTER for extensions 100, 250, 251, 252 to the SIP server; the server answers "Unauthorized" for existing extensions and "Not found" for unknown ones]
• Attacker sends multiple SIP REGISTER messages to detect active user accounts / extensions
• SIP packets from one source IP address directed to one target host (SIP server)
• Different extensions / account names
• Scan behaviour: 1 to 40,000 REGISTER messages per server
• Result: List of active extensions/user accounts

Common SIP misuse scenario – Stage 3: Registration Hijacking
[Figure: the attacker sends REGISTER for extension 250 with password guesses; password 1234 is answered with "Forbidden", password 2244 with "200 OK"]
• Attacker sends multiple SIP REGISTER messages to guess the password
• Successful attack: Server sends a "200 OK" message
• SIP packets from one source IP address directed to one target host and one extension
• Scan behaviour: up to 13 million messages per extension
• Result: Valid credentials for active extension

Common SIP misuse scenario – Stage 4: Toll Fraud
[Figure: the attacker registers at 250@company.de with password 2244 and places chargeable calls (abroad, 0900, mobile)]
• Attacker registers at a previously cracked extension
• Attacker sends INVITE messages to establish Toll Fraud calls
• Chargeable calls to abroad or premium numbers
• Toll Fraud can cause the account owner substantial financial damage
• Result: Calls via victim's account

SIP misuse detection tools – SIP Trace Recorder
[Figure: STR with database attached to a monitoring port between the Internet and the target network / target subnet]
• SIP Trace Recorder (STR)
  – Passive SIP monitoring and logging
  – Stateful correlation, e.g.
    • CDR generation
    • Detection of successful attacks
  – Optional privacy preservation
  – Deployment in production networks
  – Focus: Statistical attack analysis

SIP misuse detection tools – SIP Trace Recorder and SIP Honeypots
[Figure: target network containing a VoIP server, several Full Interaction and Low Interaction Honeypots (no active VoIP components in the honeypot part) and the STR on a monitoring port; an Evaluation and Presentation component on top]
• SIP Trace Recorder (STR) – see previous slide
• Full Interaction SIP Honeypot
  – Extended SIP Server with logging function
  – Full SIP functionality
    • Call handling
    • Media handling
  – Focus: Detailed forensic analysis
• NEW: Low Interaction SIP Honeypot
  – Script based
    • Low resource utilization
    • High flexibility
  – Limited SIP functionality
  – Focus: Dynamic experiments
• Evaluation and Presentation
  – Consolidation of all attack data
    • Automated data collection
  – Flexible analysis capabilities
    • Various views on data
    • Attack clustering
  – Web-based GUI

SIP misuse detection results – Honeypot vs SIP Trace Recorder
[Chart: number of captured SIP messages per month from Dec-09 to Jan-12 on a log scale (1 to 10,000,000); one curve for Honeypot Monitoring and one for STR Monitoring, with the "New Honeypot" peak marked]
• From 2009 until November 2010
  – Operated and monitored only the SIP Honeypots without global monitoring
• From December 2010 until now
  – STR was installed to monitor complete subnets
    • Substantial increase in the number of captured SIP messages
    • Detection accuracy for multi-stage attacks significantly improved
• On May 17th, a new Honeypot was set up, resulting in a massive peak

SIP Trace Recorder Results – Network without active SIP components
[Chart: amount of SIP messages per month on a log scale (1 to 10,000,000) for Network A and Network B]
• All traffic in the network is generated by Server Scans used to detect SIP-capable devices
  – Attackers continuously search for SIP devices throughout the Internet

SIP Trace Recorder Results – Network with active SIP components
[Chart: amount of SIP messages per month on a log scale (1 to 10,000,000) for Network A and Network B]
• The fraction of Server Scan packets in a network with a SIP server is rather low and can be traced back to occasional scans
• Majority of messages in network A belongs to Registration Hijacking attacks
  – Attackers directly attack the SIP devices in network A and do not scan the network repeatedly to get the addresses

SIP Trace Recorder – Evaluation & Presentation web interface
[Screenshots of the web interface: filter options, geolocation analysis, SIP messages per day, user agent analysis]

SIP misuse detection – Clustering: From packets to attacks
• From counting packets to analysing attacks
  – Alternative view on the collected data
  – Identify and analyse attack variants
• Clustering criteria per attack stage
  – Server Scans: different IP addresses, extension 100, SIP method: OPTIONS
  – Extension Scans: same IP address, different extensions, SIP method: REGISTER
  – Registration Hijacking: same IP address, same extension, SIP method: REGISTER, different credentials
  – Toll Fraud: same IP address, known Honeypot extension, SIP method: INVITE

Monthly results (two values per stage, as on the slide):

Month   | Server Scan (OPTIONS) | Extension Scan (REGISTER) | Reg. Hijacking (REGISTER) | Toll Fraud (INVITE)
2011-01 | 187 / 98,483  | 0 / 0          | 1 / 136,081      | 1 / 221
2011-02 | 274 / 96,648  | 9 / 16,379     | 6 / 45,954       | 1 / 116
2011-03 | 241 / 103,666 | 127 / 92,740   | 25 / 125,151     | 3 / 64
2011-04 | 344 / 167,604 | 6 / 89         | 5 / 158          | 1 / 176
2011-05 | 238 / 79,243  | 10 / 35,280    | 7 / 9,603,316    | 1 / 1,032
2011-06 | 171 / 50,623  | 9 / 14,541     | 8 / 13,963,419   | 1 / 10
2011-07 | 70 / 71,078   | 6 / 27,482     | 40 / 10,483,106  | 8 / 684
2011-08 | 56 / 72,889   | 1 / 12,890     | 20 / 772,207     | 1 / 542
2011-09 | 35 / 93,441   | 10 / 108,247   | 148 / 3,243,164  | 13 / 10,506
2011-10 | 56 / 70,773   | 2 / 16,487     | 7 / 228,572      | 12 / 19,571
2011-11 | 55 / 85,012   | 42 / 196,356   | 146 / 2,259,409  | 31 / 9,195
2011-12 | 45 / 118,823  | 9 / 70,223     | 43 / 588,468     | 21 / 6,613
2012-01 | 32 / 102,204  | 36 / 301,491   | 33 / 3,037,620   | 15 / 358
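The clustering criteria above (and the "map packets to attack instances and attack stages" step described later for the attack-variation analysis) can be implemented directly. The following is an added example written for this page, not the STR's own clustering code: it maps constructed SIP message records to attack instances per stage. The record layout, the set of honeypot extensions and the sample traffic are assumptions; a legitimate phone that registers with one credential and calls a non-honeypot extension is included to show that it is not flagged.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SipMsg:
    """One captured SIP request, reduced to the fields the clustering needs (assumed layout)."""
    ts: int                # capture time, seconds since epoch
    src_ip: str
    dst_ip: str
    method: str            # OPTIONS, REGISTER or INVITE
    extension: str         # user part of the Request-URI / To header
    credential: str = ""   # password guess / Digest response carried by a REGISTER, "" if none


# Extensions that exist only on the honeypot, so any INVITE to them is fraudulent (assumed set)
HONEYPOT_EXTENSIONS = {"250", "251"}


def cluster_messages(msgs):
    """Map messages to attack instances using the slide's criteria and return a
    list of clusters {stage, src_ip, target, messages, distinct}, ordered by the
    time of the first message in each cluster."""
    options = defaultdict(list)    # src_ip -> OPTIONS messages (different destinations)
    reg_scan = defaultdict(list)   # (src_ip, dst_ip) -> REGISTERs without credentials
    reg_auth = defaultdict(list)   # (src_ip, dst_ip, extension) -> REGISTERs with credentials
    invites = defaultdict(list)    # (src_ip, extension) -> INVITEs to honeypot extensions
    for m in msgs:
        if m.method == "OPTIONS":
            options[m.src_ip].append(m)
        elif m.method == "REGISTER" and not m.credential:
            reg_scan[(m.src_ip, m.dst_ip)].append(m)
        elif m.method == "REGISTER":
            reg_auth[(m.src_ip, m.dst_ip, m.extension)].append(m)
        elif m.method == "INVITE" and m.extension in HONEYPOT_EXTENSIONS:
            invites[(m.src_ip, m.extension)].append(m)

    clusters = []

    def add(stage, src, target, group, distinct):
        clusters.append({"stage": stage, "src_ip": src, "target": target,
                         "first_ts": min(m.ts for m in group),
                         "messages": len(group), "distinct": distinct})

    # Server Scan: one source, OPTIONS to many destination IPs
    for src, group in options.items():
        add("Server Scan", src, "*", group, len({m.dst_ip for m in group}))
    # Extension Scan: one source, one server, REGISTER for many extensions
    for (src, dst), group in reg_scan.items():
        add("Extension Scan", src, dst, group, len({m.extension for m in group}))
    # Registration Hijacking: one source, one server, one extension, many credentials
    for (src, dst, ext), group in reg_auth.items():
        creds = {m.credential for m in group}
        if len(creds) > 1:   # a single credential is an ordinary registration
            add("Registration Hijacking", src, f"{ext}@{dst}", group, len(creds))
    # Toll Fraud: one source, INVITEs to a known honeypot extension (distinct = calls)
    for (src, ext), group in invites.items():
        add("Toll Fraud", src, ext, group, len(group))
    return sorted(clusters, key=lambda c: c["first_ts"])


# Constructed sample: one multi-stage attack from 203.0.113.5, a fraud caller from
# 203.0.113.77, and a legitimate phone at 192.0.2.10 that must not be flagged.
SAMPLE = [
    SipMsg(1000, "203.0.113.5", "198.51.100.1", "OPTIONS", "100"),
    SipMsg(1001, "203.0.113.5", "198.51.100.2", "OPTIONS", "100"),
    SipMsg(1002, "203.0.113.5", "198.51.100.3", "OPTIONS", "100"),
    SipMsg(1060, "203.0.113.5", "198.51.100.2", "REGISTER", "100"),
    SipMsg(1061, "203.0.113.5", "198.51.100.2", "REGISTER", "250"),
    SipMsg(1062, "203.0.113.5", "198.51.100.2", "REGISTER", "251"),
    SipMsg(1300, "203.0.113.5", "198.51.100.2", "REGISTER", "250", "1234"),
    SipMsg(1301, "203.0.113.5", "198.51.100.2", "REGISTER", "250", "0000"),
    SipMsg(1302, "203.0.113.5", "198.51.100.2", "REGISTER", "250", "2244"),
    SipMsg(1500, "192.0.2.10", "198.51.100.2", "REGISTER", "300", "s3cret"),  # legitimate phone
    SipMsg(9000, "203.0.113.77", "198.51.100.2", "INVITE", "250"),
    SipMsg(9100, "203.0.113.77", "198.51.100.2", "INVITE", "250"),
    SipMsg(9200, "192.0.2.10", "198.51.100.2", "INVITE", "300"),             # legitimate call
]


def stage_summary(msgs):
    """{stage: total messages} over all clusters, the shape of the monthly table."""
    summary = defaultdict(int)
    for c in cluster_messages(msgs):
        summary[c["stage"]] += c["messages"]
    return dict(summary)


if __name__ == "__main__":
    for c in cluster_messages(SAMPLE):
        print(f'{c["stage"]:24} {c["src_ip"]:14} -> {c["target"]:20} '
              f'{c["messages"]} msgs, {c["distinct"]} distinct')
```

The "distinct" value is what distinguishes the stages once the method is known: distinct destinations for a Server Scan, distinct extensions for an Extension Scan, distinct credentials for Registration Hijacking, and the number of calls for Toll Fraud. A single credential per extension is deliberately not clustered, which keeps ordinary registrations out of the hijacking column.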

SIP misuse detection results – Attack stage patterns
[Chart: cumulative distribution function of attacks over the number of SIP messages per attack (log scale, 1 to 10,000,000), one curve each for Server Scan, Extension Scan, Registration Hijacking and Toll Fraud]

SIP misuse detection results – Attack tools used

User Agent        | Server Scan | Ext Scan | Reg. Hij. | Toll Fraud
friendly-scanner  | 40.9331%    | 99.9950% | 99.9999%  | -
sundayddr         | 58.3421%    | -        | -         | -
Asterisk PBX      | -           | -        | -         | 7.5429%
SIPPER for Phoner | -           | -        | -         | 26.4444%
Eyebeam/X-Lite    | -           | -        | -         | 14.5568%
Known Softphones  | -           | -        | -         | 21.9452%
Others            | 0.7248%     | 0.0050%  | 0.0001%   | 29.5107%

• Analysis based on packet count only shows that 98% are generated by Sipvicious and related implementations
• Cluster based analysis
  – Sundayddr is strictly a server scanning tool
  – Sipvicious is the only tool currently used for multi-stage attacks
  – Toll Fraud attempts are performed using popular SIP softphones (e.g., eyebeam, X-Lite, Sipper) or the open source PBX Asterisk
  – Automated calls by using scripts without human interaction

SIP misuse detection results – Improved attack stage correlation
[Figure: timeline of one attack observed by a dynamic Low Interaction Honeypot: Server Scan (2012-09-18 03:15:59), Extension Scan (2012-09-18 03:17:04), Registration Hijacking (2012-09-18 03:20:56, attack successful), Toll Fraud Attempt 1 (2012-09-20 07:22:45) and Toll Fraud Attempt 7 (2012-09-23 10:21:46); interval labels 5 minutes, 28 hours and 3 days; three source IPs (XXX.134.235.220, XXX.98.11.143, XXX.157.28.97); message counts 2,751, 1,420 and 504,069; call counts 130 and 162]
• Typical example attack
  – a total of 508,643 SIP messages
• Toll Fraud calls
  – are launched after a significant period of time
  – originate from different IP addresses
• Paper: Improved Detection and Correlation of Multi-Stage VoIP Attack Patterns by using a Dynamic Honeynet System, IEEE ICC 2013, June 2013

SIP misuse detection results – Identification of attack variations
• Input data collected by the STR and the SIP Honeypot System
  – More than 90 million SIP messages
  – Collected between 12/2009 and 12/2012
• Method
  – Message clustering
    • Map packets to attack instances and attack stages
  – Comparison of instances of the same attack stages
    • Based on IP and SIP header information
    • Based on number of messages and timing
• Results
  – Classification of major attack variants
    • Server Scan: 7, Extension Scan: 2, Registration Hijacking: 2, Toll Fraud: 3
    • Significant number of minor variations identified
  – Attackers start to modify code of attack tools
    • Camouflage attacks, more softphone-like behaviour

Generic Attack Replay Tool (GART) – Set of attack samples with broad coverage
• Replaying real attack samples in arbitrary networks
  – Can be used to test and calibrate detection and mitigation algorithms and components
• Comprehensive set of attack variants
  – Based on overall STR database (> 40 GB data)
    • Currently total of 5684 attack samples
  – Extraction of one typical sample per attack variant for reduced database
    • Provides broad coverage
  – Set of sample attacks configurable
• Built using
  – Java
    • Platform independent
  – SQLite database
    • Fast
    • Lightweight
[Figure: STR database (> 40 GB data) reduced to an SQLite database holding one variation per stage (Stage 1 Variation … Stage 4 Variation)]

Generic Attack Replay Tool (GART) – Set of attack samples with broad coverage (2)
• Mapping of relevant header values according to local network
  – To send attack traffic to local SIP server
  – To receive responses at the sender
• Attack data characteristics are preserved
  – Time stamps
  – Sequence of packets
• Minimum configuration efforts
• Functional test was successful
• Paper: Development and Analysis of Generic VoIP Attack Sequences Based on Analysis of Real Attack Traffic, IEEE TrustCom, July 2013

BMBF Project SUNsHINE
• Fraud and misuse detection and mitigation for VoIP networks
• 4 partners
• 4 associated partners
• 2 year project, ends April 2013 (plus 3 months extension)
• Homepage: http://www.sunshineproject.net/

SUNsHINE Architecture
[Figure: SUNsHINE architecture diagram]

Real-time SIP misuse detection – Security Sensor System
[Figure: an attacker on the Internet targets a 0900 callee; sensors sit at the firewall, in the PBX/router and standalone (with Low Interaction Honeypot plugin) and all report to the SCS]
• Misuse Detection Sensor
  – Passive behaviour
  – Different environments
    • PBX, Router, Home Gateways
  – Detection by using attack signatures
    • Dynamically loadable
  – Standalone
    • Low Interaction Honeypot plugin
• Sensor Central Service (SCS)
  – Aggregation of sensor alerts
    • Based on SCS rules
  – Management
    • Sensors
    • Attack signature management
  – Interface to mitigation components

Realtime Misuse Detection & Mitigation – Security Sensor System Mitigation Interface
[Figure: the sensor with Low Interaction Honeypot plugin detects the attack and sends an Alert to the SCS while the attacker targets the 0900 callee; sensors at the firewall and in the network as before]

Realtime Misuse Detection & Mitigation – Security Sensor System Mitigation Interface (2)
[Figure: same setup; the SCS forwards the Alert to the eRBL mitigation component]

Monitoring Sensor – Overview
• Rule-based attack detection and reporting of misuse in SIP-based networks
• Light-weight software component for different hardware and software platforms
  – Implemented in C++ using libpcap [1], Java version also available
• Input Data (Network interface, PCAP file, Socket)
• SIP traffic analysis
  – The Sensor receives all traffic that is sent to any of the Honeypots
• Process of misuse detection and reporting is separated into three phases
  – Capturing and filtering of SIP messages
  – Analysis of SIP messages
    • Recognize sequences of SIP messages that are characterized by pre-defined rules
  – Report information (e.g., source IP, signature ID) about detected attacks to the Sensor Central Service via a secure interface
[Figure: processing pipeline Listener → Message Queue → Analyzer (fed by Rules) → Notification]

Monitoring Sensor – Rules (XML)
• Different attack types and variations are defined as XML sensor rules
  – E.g. Registration Hijacking
• Each rule defines a specific pattern of SIP messages and timing conditions
• Sensor Analysis based on signatures
  – Timing conditions
  – IPv4 information
    • Source IP, Destination IP and Ports
  – SIP Request / SIP Response
  – SIP Header fields
    • E.g., From, To, Via, Contact, Call-ID, CSeq
  – Comparison of different header values (equal, not equal) within received SIP messages
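To make the rule concept concrete, here is an added example written for this page, not the sensor's real rule format or code: a small XML rule in a schema of my own that combines the ingredients listed above (request type, "equal"/"not equal" comparisons over IP fields and SIP headers, a count within a time window), a minimal SIP header parser, and a matcher that emits a report with the fields the report generator sends to the SCS. The element and attribute names, the `company.de` addresses, the IPs and all sample messages are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Sensor rule in a simplified XML schema of our own (element and attribute
# names are assumptions, not the project's rule format).
RULE_XML = """
<rule id="101" name="Registration Hijacking (example)">
  <message type="request" method="REGISTER"/>
  <equal field="src_ip"/>
  <equal header="To"/>
  <not_equal header="Authorization"/>
  <timing count="3" window="60"/>
</rule>
"""


def parse_sip(raw, src_ip, dst_ip, ts):
    """Minimal SIP parser: start line and headers (bodies are ignored)."""
    lines = raw.strip("\r\n").split("\n")
    first = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        line = line.strip()
        if not line:
            break                     # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    is_request = not first.startswith("SIP/2.0")
    return {"ts": ts, "src_ip": src_ip, "dst_ip": dst_ip, "is_request": is_request,
            "method": first.split()[0] if is_request else None, "headers": headers}


def load_rule(xml_text):
    root = ET.fromstring(xml_text)
    msg, timing = root.find("message"), root.find("timing")
    return {"id": int(root.get("id")), "name": root.get("name"),
            "type": msg.get("type"), "method": msg.get("method"),
            "equal": [(e.get("field"), e.get("header")) for e in root.findall("equal")],
            "not_equal": [e.get("header") for e in root.findall("not_equal")],
            "count": int(timing.get("count")), "window": float(timing.get("window"))}


def _value(msg, field, header):
    return msg[field] if field else msg["headers"].get(header.lower(), "")


def evaluate_rule(rule, msgs):
    """Return one report per group of messages that share the rule's 'equal'
    values and show 'count' different 'not_equal' values within 'window'
    seconds. Report fields follow the slide: source/destination IP,
    signature ID, timestamp."""
    groups = defaultdict(list)
    for m in sorted(msgs, key=lambda x: x["ts"]):
        if rule["type"] == "request" and not (m["is_request"] and m["method"] == rule["method"]):
            continue
        if rule["type"] == "response" and m["is_request"]:
            continue
        groups[tuple(_value(m, f, h) for f, h in rule["equal"])].append(m)
    reports = []
    for group in groups.values():
        window = []
        for m in group:
            window.append(m)
            window = [w for w in window if m["ts"] - w["ts"] <= rule["window"]]
            if rule["not_equal"]:   # count distinct header combinations, else plain messages
                hits = len({tuple(w["headers"].get(h.lower(), "") for h in rule["not_equal"]) for w in window})
            else:
                hits = len(window)
            if hits >= rule["count"]:
                reports.append({"signature_id": rule["id"], "src_ip": m["src_ip"],
                                "dst_ip": m["dst_ip"], "timestamp": m["ts"]})
                break                 # one report per source/extension pair is enough
    return reports


def _register(seq, ext, src, auth=None):
    """Build a constructed REGISTER request for the sample traffic."""
    hdrs = [f"Via: SIP/2.0/UDP {src}:5060;branch=z9hG4bK-{seq}",
            f"From: <sip:{ext}@company.de>;tag={seq}",
            f"To: <sip:{ext}@company.de>",
            f"Call-ID: {seq}@{src}", f"CSeq: {seq} REGISTER",
            f"Contact: <sip:{ext}@{src}>"]
    if auth:
        hdrs.append(f'Authorization: Digest username="{ext}", realm="company.de", response="{auth}"')
    return "REGISTER sip:company.de SIP/2.0\r\n" + "\r\n".join(hdrs) + "\r\n\r\n"


# Constructed sample: password guessing against 250, one legitimate registration
# with a single credential, and a credential-less extension scan.
SAMPLE = (
    [parse_sip(_register(i, "250", "203.0.113.5", auth), "203.0.113.5", "198.51.100.2", 100 + 5 * i)
     for i, auth in enumerate(["a1", "b2", "c3", "d4"], start=1)]
    + [parse_sip(_register(9, "300", "192.0.2.10", "e5"), "192.0.2.10", "198.51.100.2", 300)]
    + [parse_sip(_register(i, str(100 + i), "203.0.113.9"), "203.0.113.9", "198.51.100.2", 400 + i)
       for i in range(3)]
)

if __name__ == "__main__":
    print(evaluate_rule(load_rule(RULE_XML), SAMPLE))
```

The matcher treats a missing header as the empty string, so the credential-less extension scan collapses to one distinct Authorization value and does not trip the hijacking rule; that scan would need its own rule keyed on differing To headers from one source, which the same schema can express with `<equal field="src_ip"/>` and `<not_equal header="To"/>`.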

Sensor Central Service – Architecture / Mode of Operation
[Figure: sensors connect through the SCS Sensor Interface (SSI) to the Sensor Controller Process (SCP), which handles incoming reports and sensor management (configuration, rules, status, etc.) and stores the reports in the database; a Worker Process (WP) analyses the stored reports against the SCS rules and stores the results; the SCS Notification Process (NP) sends notifications and actions through the SCS Notification Interface (SNI) to the mitigation components (eRBL service)]

Monitoring Sensor – Deployment options
• Software installation in network devices
  – PBXs, FritzBox, router, …
• VMware Virtual Machine
  – Guest OS: Ubuntu 12.04 LTS or Debian Linux 7.1
  – 2 network interfaces (Capturing & Management)
• Standard PC or Server with Ubuntu 12.04 LTS
  – 2 network interfaces (Capturing & Management)
• ALIX system boards or Raspberry Pi
  – OS: Debian Linux 7.1
  – Up to 3 network interfaces
    • E.g., Bridging, Sensor+Honeypot, Sensor standalone
  – Optional: Honeypot Plugin
• Virtual Sensor
  – Central sensor / honeypot
  – Traffic captured on multiple remote interfaces and tunneled to sensor
  – Answer packets tunneled to originating interfaces

Distributed Sensor System – Current NorNet setup
[Figure: the SCS and a virtual machine with the Sensor / SIP Honeypot at the University Duisburg-Essen; NorNet nodes with interfaces I1/I2 at Simula, NTNU, Universitetet i Tromsø and Universitetet i Bergen; attackers on the Internet reach the honeypot through the nodes; addresses shown: 129.242.157.228, 158.37.6.195, 132.252.152.105, 89.246.242.228]

Distributed Sensor System – Overview
• SCS Sensor Interface (SSI)
  – Each sensor is connected to SCS
    • Sensor ID, secret, MAC address, location info
    • TLS secured (HTTPS) with server certificate check
  – Status updates and keep-alive messages
• Auto provisioning which is managed and controlled by SCS
  – Configuration
  – Signatures
• SIP traffic analysis based on sensor signatures
• Report generator
  – Sends reports to SCS according to sensor signature settings
    • Source IP, destination IP, signature ID, sensor ID, timestamp, source port, destination port, signature version
  – Optional: extended reports
    • Pre-defined SIP header values

Distributed Sensor System – Sensor Central Service Overview
• Sensor Management
  – Configuration
  – Signatures (Web-Editor or XML file)
    • Sensor signature mapping
  – Status, report and statistics presentation
  – Central logging
• SCS Features
  – Receives sensor reports via SCS Sensor Interface (SSI)
  – Central MySQL database
    • Reports, signatures, SCS rules, sensor configurations, status, etc.
  – Analysis based on SCS rules
    • Depends on "Sensor ID" and "Sensor Signature ID"
    • PHP script logic with pre-defined variables and result values
  – Notification interface to mitigation components
    • Up to three different actions per SCS rule
    • Actions
      – eRBL
      – Firewall alert
      – PBX notification
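An added example of the aggregation step, written in Python for this page rather than as the project's PHP script logic: reports carry the fields listed for the report generator; each SCS rule selects a signature ID (optionally restricted to certain sensor IDs), requires reports from a number of distinct sensors within a time window, and carries up to three of the listed actions. The rule IDs, signature IDs, sensor IDs and report values are constructed.

```python
from collections import defaultdict

MAX_ACTIONS = 3                                  # slide: up to three actions per SCS rule
ACTIONS = {"eRBL", "firewall_alert", "pbx_notification"}


def report(sensor_id, signature_id, src_ip, dst_ip, ts,
           src_port=5060, dst_port=5060, signature_version=1):
    """A sensor report with the fields listed on the slide (values constructed)."""
    return {"sensor_id": sensor_id, "signature_id": signature_id, "src_ip": src_ip,
            "dst_ip": dst_ip, "timestamp": ts, "src_port": src_port,
            "dst_port": dst_port, "signature_version": signature_version}


class ScsRule:
    """Fires when reports with `signature_id` for one source IP arrive from at
    least `min_sensors` different sensors within `window` seconds. Written as
    Python predicates instead of the SCS's PHP script logic."""

    def __init__(self, rule_id, signature_id, min_sensors, window, actions, sensor_ids=None):
        if not 1 <= len(actions) <= MAX_ACTIONS or not set(actions) <= ACTIONS:
            raise ValueError(f"rule {rule_id}: 1..{MAX_ACTIONS} actions out of {sorted(ACTIONS)}")
        self.rule_id, self.signature_id = rule_id, signature_id
        self.min_sensors, self.window = min_sensors, window
        self.actions, self.sensor_ids = list(actions), sensor_ids   # sensor_ids None = any sensor

    def matches(self, rep):
        return (rep["signature_id"] == self.signature_id
                and (self.sensor_ids is None or rep["sensor_id"] in self.sensor_ids))


class SensorCentralService:
    def __init__(self, rules):
        self.rules = rules
        self.log = []                        # central logging of every report
        self.history = defaultdict(list)     # (rule_id, src_ip) -> recent matching reports
        self.fired = set()                   # (rule_id, src_ip) already acted upon

    def ingest(self, rep):
        """Store the report and return the (action, src_ip) pairs it triggers."""
        self.log.append(rep)
        triggered = []
        for rule in self.rules:
            if not rule.matches(rep):
                continue
            key = (rule.rule_id, rep["src_ip"])
            hist = self.history[key]
            hist.append(rep)
            hist[:] = [r for r in hist if rep["timestamp"] - r["timestamp"] <= rule.window]
            if key not in self.fired and len({r["sensor_id"] for r in hist}) >= rule.min_sensors:
                self.fired.add(key)
                triggered.extend((action, rep["src_ip"]) for action in rule.actions)
        return triggered


# Constructed rules: signature 101 = Registration Hijacking, 103 = Toll Fraud (IDs assumed)
RULES = [
    ScsRule(1, signature_id=101, min_sensors=2, window=600, actions=["eRBL", "firewall_alert"]),
    ScsRule(2, signature_id=103, min_sensors=1, window=0, actions=["pbx_notification", "eRBL"]),
]

# Constructed reports from three sensors (IDs 7, 12 and 3)
SAMPLE_REPORTS = [
    report(7, 101, "203.0.113.5", "198.51.100.2", 1000),
    report(7, 101, "203.0.113.5", "198.51.100.2", 1010),    # same sensor again: no action yet
    report(12, 101, "203.0.113.5", "10.0.0.5", 1100),       # second sensor: rule 1 fires
    report(12, 101, "203.0.113.5", "10.0.0.5", 1200),       # already acted upon
    report(3, 103, "203.0.113.77", "198.51.100.2", 5000),   # toll fraud: act on first report
]


def run_sample():
    scs = SensorCentralService(RULES)
    return [scs.ingest(r) for r in SAMPLE_REPORTS]


if __name__ == "__main__":
    for rep, actions in zip(SAMPLE_REPORTS, run_sample()):
        print(rep["sensor_id"], rep["signature_id"], rep["src_ip"], "->", actions)
```

Requiring a second sensor before blocking a source is the point of central aggregation: one sensor's view of a scan is weak evidence, the same source hitting two independent sites is not. The `fired` set keeps a single attacker from generating the same eRBL entry or firewall alert on every further report.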

Sensor Central Service – Management Website (Screenshot)
[Screenshot: SCS management website]

Distributed Sensor System – The NorNet approach
• Physically distributed sensors at different sites in the Internet
  – Deployment of hardware or installation of software required
    • Local management necessary
  – Privileged access to network interfaces required
• Virtually distributed sensors (NorNet approach)
  – One central Sensor only (in Essen, Germany)
  – Distributed NorNet nodes to capture input traffic
    • GRE Tunnel(s) between each node and the central Sensor
    • Filters TCP/UDP traffic on port 5060
    • Traffic redirection to the central Sensor by using DNAT via GRE tunnels
    • Reverse direction is realized by routing policies
  – Pros
    • No software component on productive systems (no influence)
    • Easy to manage single sensor
  – Cons
    • More bandwidth required in contrast to distributed approach
    • Possible delays

Distributed Sensor System – First NorNet results
Reports per NorNet node, 01.09.-12.09.2013

Node IP     | Node Name          | Number of Reports
172.31.1.1  | Simula             | 57518
172.31.1.2  | Simula             | 344
172.31.4.1  | Uni Tromsø         | 3
172.31.42.1 | UDE                | 73
172.31.42.2 | UDE                | 144
172.31.5.1  | Uni Stavanger      | 67
172.31.6.1  | Uni Bergen         | 24839
172.31.8.1  | Høgskolen i Narvik | 8
172.31.9.1  | NTNU               | 1

VoIP fraud and misuse detection – Conclusions
• SIP devices on the Internet are constantly scanned and attacked
  – Significant damage possible
• Flexible and powerful attack tools readily available for download
  – SIPvicious
• Local monitoring over several years
  – Development of sophisticated monitoring tools
  – Analysis of attack traffic
• Distributed monitoring required to get a global view
  – Distributed Sensor System
  – Several sensors deployed around Germany
  – NorNet adds significant number of additional monitoring points
• Technical details and live demos in the VoIP session
• Cooperation with DFN would be highly appreciated
  – Deployment of hardware/software/virtual sensors