Hi all.
I have a "security" question regarding "trusted IPs". Is it possible for someone to SUCCESSFULLY spoof an IP and actually make working calls?
For example, '10.10.10.10' sends calls to SER (or any other proxy server) at 20.20.20.20, but actually spoofs the IP by sending an IP address of 30.30.30.30, which happens to be trusted by the SER at 20.20.20.20.
I ask because I'm having a discussion with a vendor who is trying to tell me that using trusted IPs for SIP validation is insecure and easily hacked. I don't think it is, because when SER gets an INVITE from 30.30.30.30, it is going to send its progress messages to 30.30.30.30, regardless of the contents of the SIP messages... so the spoofer at 10.10.10.10 won't get any of the progress messages, and more importantly won't be able to establish a talk path. I suspect he may still cause SER to initiate some brief outbound calls, but they should fail when the SIP protocol falls apart.
Does anyone have any thoughts on this?
Tom
Tom Lowe wrote:
It is possible to successfully spoof an IP using ARP poisoning by someone with access to the local network. This could not be detected from SER because responses would actually be routed to the attacker. ARP poisoning hijacks an IP address at the link layer. Here are two articles that describe it and how to detect it and to protect against it:
http://www.watchguard.com/infocenter/editorial/135324.asp
http://www.sans.org/rr/whitepapers/threats/474.php
Non-local attackers could get SER to deliver SIP messages for them by sending UDP/SIP packets with forged source IP addresses, but the attacker would not receive the responses and so should not be able to complete the INVITE/OK/ACK transaction unless they can predict the connection and header values that would be provided by the callee. If the trusted IP addresses are local, these SIP messages could be detected and dropped by an ingress filter that ensures packets entering the network do not have source IP addresses from within the network.
Hope this helps,
Jamey
Hi,
If the attacker can get his hands on a router between the proxy and the user agent, then he can make the proxy believe he *IS* the trusted endpoint. And let's not forget a DoS attack, which can be achieved by simply sending spoofed packets and using up the resources of the proxy ...
Regards
Kiss Karoly
On Tue, 1 Feb 2005, Tom Lowe wrote:
Date: Tue, 1 Feb 2005 15:18:10 -0500
From: Tom Lowe tom@comprotech.com
To: serusers@lists.iptel.org
Subject: [Serusers] Trusted IP and security.
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
I wouldn't do that with UDP - although the spoofer cannot receive your responses, it can send an INVITE which will set up a call (which might cost $$$$).
Using TCP is safer, as setting up the handshake also requires guessing sequence numbers.
regards klaus
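To make the two replies' points concrete, here is an added example (not code from the thread or from SER) of the trust decision a SIP front door could apply: Jamey's ingress filter drops packets that enter from outside with an inside source address, and Klaus's rule accepts address-only trust only over TCP, falling back to a digest challenge for UDP. The interface names, the 30.30.30.0/24 prefix and the `has_auth` flag are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed site layout for this example: the proxy has an internal-facing and
# an external-facing interface, and one peer it would like to trust by address.
INTERNAL_PREFIXES = [ipaddress.ip_network("30.30.30.0/24")]
TRUSTED_PEERS = {ipaddress.ip_address("30.30.30.30")}


@dataclass
class SipPacket:
    src_ip: str
    transport: str          # "udp" or "tcp" (tcp means the 3-way handshake completed)
    iface: str              # "internal" or "external": interface the packet arrived on
    has_auth: bool = False  # carries an Authorization header already verified elsewhere (assumed)


def ingress_spoofed(pkt: SipPacket) -> bool:
    """Ingress filter: a packet entering from outside must not claim an inside source."""
    src = ipaddress.ip_address(pkt.src_ip)
    return pkt.iface == "external" and any(src in net for net in INTERNAL_PREFIXES)


def authorize(pkt: SipPacket) -> str:
    """Return 'drop', 'allow' or 'challenge' for an incoming SIP request."""
    if ingress_spoofed(pkt):
        return "drop"  # forged source address; never reaches the trust logic
    src = ipaddress.ip_address(pkt.src_ip)
    if src in TRUSTED_PEERS and pkt.transport == "tcp":
        # A completed TCP handshake ties the source address to a party that saw
        # our sequence numbers; UDP gives no such proof, so a blind INVITE from a
        # forged trusted address could still set up a billable call.
        return "allow"
    # Anyone else, including a "trusted" peer speaking UDP, must prove identity.
    return "allow" if pkt.has_auth else "challenge"


if __name__ == "__main__":
    # The scenario from the thread: 10.10.10.10 forging 30.30.30.30 from outside.
    forged = SipPacket("30.30.30.30", "udp", "external")
    print("forged INVITE from outside:", authorize(forged))          # drop
    print("real peer over UDP:", authorize(SipPacket("30.30.30.30", "udp", "internal")))  # challenge
    print("real peer over TCP:", authorize(SipPacket("30.30.30.30", "tcp", "internal")))  # allow
```

Address-only trust on the internal interface is still exposed to the ARP-poisoning case Jamey describes, which is why the UDP path above asks for credentials even from the listed peer.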
But as Mitnick showed us, sequence numbers can also be guessed :-) ... or should I say calculated, especially on some OSes whose randomness is pretty poor.
As for using trusted IPs, well, not a good idea. Look at the IP packet: if you change the route path, you could get the return message routed via your untrusted IP address, hence in theory you could listen and get the RTP stream. Look up source routing in IP packets.
Iqbal