2 Jan
2014
2 Jan
'14
6 p.m.
Hi All,
Background:
We are a service provider offering VoIP/Data services to business
customers. All hosted VoIP systems and Customers are mostly on-net,
VoIP systems not exposed to the Internet, but all hosted PBX's do have
public IP address. I do have some Customers with off-net phones/users
so I basically white list their IP's so the phones can register back
to their hosted PBX. This works well and keeps SIP attack vectors to
a minimum. I've been working on a single point of registration
Kamailio server to backend PBX's so I can further control public
Internet access to hosted PBX's. I've got this working in the lab but
have some concerns about RTP streams.
I know I can use a RTP/Media Proxy to also have a single point of
entry for media streams to the the backend PBX's but don't believe
this to be the best method. Researching SBC's and what I know about
SIP and RTP Streams, it's best to have media controlled via the B2BUA
(Asterisk in this case) and since all my hosted PBX's have public IP's
there would be no compelling reason to proxy RTP adding another hop,
latency and point of failure other than for security. I'm not
transcoding media or doing anything outside of the capability of the
B2BUA as far as media goes.
Question:
Would it be prudent to open UDP media ports from Internet to PBX's on
a case-by-case basis, basically white listing media streams or is
there any attack vulnerability with UDP in the media port range or
should I open up media port range to all PBX's and not worry about
attacks. Are there any UDP Media exploits that I should be concerned
with, or UDP flood attacks that could DOS my hosted PBX's?
Thanks for any feedback.
JR
--
JR Richardson
Engineering for the Masses
2 Jan
2 Jan
6:27 p.m.
New subject: SIP Security Architectural Question to Use RTP/Media Proxy or Not?
Generally opening media ports range is fine. Media ports are usually
dynamically allocated and not easy to guess for an attacker.
Secondly using proxy like mediaproxy or mediraproxy-ng which use Kernel
based RTP packet forwarding, its not easy to create DOS attack, since
kernel will only accept RTP packets from IP addresses advertised by SIP UAs.
Thank you.
On Thu, Jan 2, 2014 at 5:00 PM, Jr Richardson <jmr.richardson(a)gmail.com>wrote;wrote:
Hi All,
Background:
We are a service provider offering VoIP/Data services to business
customers. All hosted VoIP systems and Customers are mostly on-net,
VoIP systems not exposed to the Internet, but all hosted PBX's do have
public IP address. I do have some Customers with off-net phones/users
so I basically white list their IP's so the phones can register back
to their hosted PBX. This works well and keeps SIP attack vectors to
a minimum. I've been working on a single point of registration
Kamailio server to backend PBX's so I can further control public
Internet access to hosted PBX's. I've got this working in the lab but
have some concerns about RTP streams.
I know I can use a RTP/Media Proxy to also have a single point of
entry for media streams to the the backend PBX's but don't believe
this to be the best method. Researching SBC's and what I know about
SIP and RTP Streams, it's best to have media controlled via the B2BUA
(Asterisk in this case) and since all my hosted PBX's have public IP's
there would be no compelling reason to proxy RTP adding another hop,
latency and point of failure other than for security. I'm not
transcoding media or doing anything outside of the capability of the
B2BUA as far as media goes.
Question:
Would it be prudent to open UDP media ports from Internet to PBX's on
a case-by-case basis, basically white listing media streams or is
there any attack vulnerability with UDP in the media port range or
should I open up media port range to all PBX's and not worry about
attacks. Are there any UDP Media exploits that I should be concerned
with, or UDP flood attacks that could DOS my hosted PBX's?
Thanks for any feedback.
JR
--
JR Richardson
Engineering for the Masses
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
Mit freundlichen Grüßen
Muhammad Shahzad
-----------------------------------
CISCO Rich Media Communication Specialist (CRMCS)
CISCO Certified Network Associate (CCNA)
Cell: +49 176 99 83 10 85
MSN: shari_786pk(a)hotmail.com
Email: shaheryarkh(a)googlemail.com
7:12 p.m.
New subject: SIP Security Architectural Question to Use RTP/Media Proxy or Not?
On 01/02/2014 11:00 AM, Jr Richardson wrote:
or should I open up media port range to all PBX's
and not worry
about attacks.
You should open up the media port range to all PBXs and not worry about
attacks.
As Muhammad said, RTP ports are dynamic enough to preclude most MITM
attacks. Any decently implemented SIP UA should not accept media
packets from anywhere other than the indicated stream source.
Additionally, almost all (D)DoS attack patterns reliant on simple packet
flooding exploit TCP stacks, since TCP allocates resources (memory) and
state for TCP connections for a period of time. UDP is largely immune
to that, since it's such a dumb fire-and-forget mechanism with no
reliability abstraction layer.
This really isn't worth worrying about.
-- Alex
--
Alex Balashov - Principal
Evariste Systems LLC
235 E Ponce de Leon Ave
Suite 106
Decatur, GA 30030
United States
Tel: +1-678-954-0670
Web: http://www.evaristesys.com/, http://www.alexbalashov.com/
7 Jan
7 Jan
11:56 a.m.
New subject: SIP Security Architectural Question to Use RTP/Media Proxy or Not?
On 02.01.2014 17:00, Jr Richardson wrote:
Would it be prudent to open UDP media ports from
Internet to PBX's on
a case-by-case basis, basically white listing media streams or is
there any attack vulnerability with UDP in the media port range or
should I open up media port range to all PBX's and not worry about
attacks. Are there any UDP Media exploits that I should be concerned
with, or UDP flood attacks that could DOS my hosted PBX's?
Media proxies are usually just simple "UDP" forwarder. Thus, they do not
check the payload of the UDP packet. Therefore, from point of view of
the application which processes the RTP packet, there is no additional
security by using a media proxy, as for example a malicious RTP packet
will just be forwarded the PBX. Nevertheless it can be useful to use
them, e.g. to have a single entry point for FW configuration, debugging
... When using a media relay, I always configure a very wide port range
to make it for attackers more difficult to guess the port. Of course you
should avoid other processes on this server listening in the same port
range, as you have to open the whole port range on the firewall.
If you want to protect the RTP layer of your PBX, you need a B2BUA which
fully checks the whole UDP payload to verify if it is a proper RTP
packet. But on the other hand, you never know which RTP stack is more
robust (the one from your PBX or the one from the B2BUA).
I personally add media relays, but not for additional RTP layer
security, but for operational issues (debugging, single entry point ...).
regards
Klaus
3972
days inactive
3977
days old
3 comments
4 participants
participants (4)
-
Alex Balashov -
Jr Richardson -
Klaus Darilion -
Muhammad Shahzad