I would like to understand the SIP DoS attacks below:

  1. Message Payload Tampering [implementation errors, SIP bugs]
  2. Flow Tampering [CPU, Bandwidth, Memory]
  3. Message Flooding [lack of authentication or encryption implementation / errors]

On the other hand, I came across five different attacks on Register, Invite, Update, Cancel, and Bye. My question is on those five attacks: which of the above three DoS attacks can they be classified as?

Mark
John

1 Answer

Read this article and get all of the answers thoroughly.

Survey of network security systems to counter SIP-based denial-of-service attacks

As described in the above paper:

SIP message payload tampering: The first class of attacks is based on tampering with the actual SIP message or more specifically, the SIP payload. SIP is a text-based protocol and messages are transported usually in clear text. Attackers can try to inject harmful content into a message, e.g. by entering meaningless or wrong information with the goal of exploiting a buffer overflow at the target. Also, such messages can be used to probe for vulnerabilities in the target. Harmful code that will be executed in an unforeseen context can be introduced into the payload. An example is SQL code injection, which allows the attacker to execute SQL code within a database.

SIP message flow tampering: A special case of DoS attacks in real time communication networks are attacks that disturb the ongoing communication between users. Common internet services like web browsing or email communication have an asynchronous time model i.e. a requested web page is directly delivered to a user. The user will read it without further communication to the web server. The same applies to email – a user downloads the email and studies it independently of a server connection. In contrast, in SIP real time communication networks two communicating users establish a constant connection with each other whereby content is transmitted continuously between both parties. An attacker can now target this connection by introducing fake signalling messages into the communication channel. Several different SIP signalling messages can be misused for this task. A BYE message with the right credentials can prematurely terminate a session.

SIP message flooding: When talking about a DoS attack, one generally means flooding attacks that overwhelm a victim’s resources. There are three main resources that can be targeted in a SIP flooding attack: bandwidth, CPU, or memory.

Source: Ehlert, Sven, Dimitris Geneiatakis, and Thomas Magedanz. "Survey of network security systems to counter SIP-based denial-of-service attacks." Computers & Security 29.2 (2010): 225-243.

S.L. Barth
Hanna
  • It's recommended to highlight the most important parts of the article you linked in case the link goes dead. – Luc Aug 01 '15 at 13:01
  • I don't think such things happen for this link but I will do as you said. Thanks – Hanna Aug 01 '15 at 21:12
  • Thanks! As for why, it's a [community guideline](http://security.stackexchange.com/help/how-to-answer) (see "Provide context for links"). I do see your point though! – Luc Aug 01 '15 at 23:05
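
Added example, not part of the original answer or the cited paper: Python heuristics that tag SIP requests seen by a monitor with the three categories quoted in the answer. The thresholds, the regex, the function names (`parse`, `classify`, `msg`) and the sample traffic are assumptions constructed for illustration.

```python
import re
from collections import Counter

MAX_HEADER_LEN = 256   # assumed limit, tune to your SIP stack
FLOOD_THRESHOLD = 3    # assumed max requests per source per window
SQL_META = re.compile(r"'|--|;|\b(union|select)\b", re.I)  # crude heuristic

def parse(raw):
    """Return (method, {lower-cased header: value}) for a SIP request."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split(" ", 1)[0], headers

def classify(events):
    """events: (src_ip, dst_ip, raw_request) tuples from one time window.
    Returns (event index, category) findings."""
    findings, parties, seen = [], {}, Counter()
    for i, (src, dst, raw) in enumerate(events):
        method, h = parse(raw)
        # Payload tampering: oversized header or SQL metacharacters in credentials
        if (any(len(v) > MAX_HEADER_LEN for v in h.values())
                or SQL_META.search(h.get("authorization", ""))):
            findings.append((i, "payload tampering"))
        # Flow tampering: BYE/CANCEL from a host that is not a party to the call
        call_id = h.get("call-id", "")
        if method == "INVITE":
            parties.setdefault(call_id, set()).update((src, dst))
        elif method in ("BYE", "CANCEL") and src not in parties.get(call_id, ()):
            findings.append((i, "flow tampering"))
        # Flooding: one source exceeds the per-window request budget
        seen[src] += 1
        if seen[src] == FLOOD_THRESHOLD + 1:
            findings.append((i, "flooding"))
    return findings

def msg(method, call_id, extra=""):
    """Build a constructed sample request."""
    return f"{method} sip:bob@example.com SIP/2.0\r\nCall-ID: {call_id}\r\n{extra}\r\n"

# Constructed sample traffic (documentation address ranges)
SAMPLE = [
    ("192.0.2.1", "192.0.2.2", msg("INVITE", "c1")),
    ("192.0.2.2", "192.0.2.1", msg("BYE", "c1")),        # legitimate hang-up
    ("198.51.100.9", "192.0.2.2", msg("BYE", "c1")),     # BYE from a non-party
    ("198.51.100.7", "192.0.2.2", msg("REGISTER", "c2",
        "Authorization: Digest username=\"x' OR '1'='1\"\r\n")),
    ("198.51.100.8", "192.0.2.2", msg("REGISTER", "c3", "Contact: " + "A" * 300 + "\r\n")),
] + [("198.51.100.5", "192.0.2.2", msg("INVITE", f"f{n}")) for n in range(4)]
```

Source addresses on UDP can be spoofed, so the party check is a signal for further inspection rather than proof of who sent the request.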