disabling a computer by exploiting softphone
play

Disabling a Computer by Exploiting Softphone Vulnerabilities Ryan - PowerPoint PPT Presentation

Aug 16, 2022 •223 likes •535 views

Disabling a Computer by Exploiting Softphone Vulnerabilities Ryan Farley and Xinyuan Wang George Mason University September 26, 2013 Where Innovation Is Tradition Threat and Mitigation Introduction Background Disabling the

  1. Disabling a Computer by Exploiting Softphone Vulnerabilities Ryan Farley and Xinyuan Wang George Mason University September 26, 2013 Where Innovation Is Tradition

  2. Threat and Mitigation • Introduction • Background • Disabling the Softphone Host • Defenses • Experiments • Conclusion Where Innovation Is Tradition

  3. Introduction • Many VoIP exploits stem from underlying SIP – De facto signaling protocol • Previous works demonstrate protocol attacks – Remote monitoring, billing fraud, voice pharming • Focus here is on the system hosting a softphone – Stability, security – Exploitable softphone in experiments is Vonage client • And how to mitigate such threats Where Innovation Is Tradition

  4. Specifically • Two attacks that remotely disable host until reboot – A faster noisy attack effective in minutes – A slower but stealthier attack • Two rapidly deployable defenses – Do not interfere with standard SIP operation – Threshold filtering inhibits arrival rate spikes – Limited Context Aware (LCA) filtering blocks only attack signals even at low arrival rates Where Innovation Is Tradition

  5. • Introduction • Background – Fundamental Problem – Invite Flooding • Disabling the Softphone Host • Defense • Experiments • Conclusion Where Innovation Is Tradition

  6. Background • Session Initiation Protocol (SIP) – Manages multimedia sessions – Between endpoints called User Agents (UAs) – Request-response paradigm • Making a call – A sends an Invite to B – B’s proxy sends a 100 Trying back to A – B sends a 180 Ringing back to A – If answered, B sends a 200 OK to A, who Acks back Where Innovation Is Tradition

  7. The SIP Behind a VoIP Call DNS Server Location Server Obtain Obtain Address of Address of Inbound UA-B Proxy Server SIP SIP SIP SIP Phone SIP Phone Outbound Proxy Server Inbound Proxy Server UA-A UA-B Atlanta.com Boston.com (1) INVITE (2) INVITE (3) 100 Trying (4) INVITE (5) 100 Trying (6) 180 Ringing (7) 180 Ringing (8) 180 Ringing (9) 200 OK (10) 200 OK (11) 200 OK (12) ACK Media Session (13) BYE (14) 200 OK Where Innovation Is Tradition

  8. Fundamental Problem • Invites are easy to spoof – Well known Invite flooding attacks • SIP RFC provides for HTTP digest authentication – Invite, Register, Bye – From UAC to UAS, not required the other way around – Previous work shows Vonage, AT&T vulnerable • Not nearly as widely implemented as it should be Where Innovation Is Tradition

  9. Flooded Behavior • Unattended softphone will ring until timeout – Will not ring for duplicate Call-IDs repeated within 60s • Once all RTP ports reserved responds with Busy – Two ports mean two simultaneous ringing lines – Roughly only two spoofed Invites every 3 minutes needed to disrupt incoming calls • Race condition inhibits outgoing calls Where Innovation Is Tradition

  10. • Introduction • Background • Disabling the Softphone Host – Noisy Attack – Stealthy Attack • Defense • Experiments • Conclusion Where Innovation Is Tradition

  11. Disabling the Softphone Host • Previous work targets infrastructure or devices – Not clear precisely how softphone weaknesses open host up for attack • Two attacks – Can disable Windows XP machines running official Vonage softphone – First consumes memory resources in minutes – Second is slower but much stealthier Where Innovation Is Tradition

  12. Noisy Attack • Memory allocated for every Call-ID seen – e.g., RFC requires 3 Busy signaling attempts over 10 seconds – Poor memory management impacts host • Invite flood Attack Invite – Hundreds per second – Only need unique Call-ID • Host begins to thrash within a few minutes – UI frozen at 16 minutes; unusable until reboot Where Innovation Is Tradition

  13. Stealthy Attack • Noisy, is well, noisy – Cancels can stop the ringing – Tells receiver to ignore Invites with same Call-ID Attack Invite – But memory consumption still happens Attack Cancel • Multiple Cancels – Secure chance of silence – Reduce arrival rate to 1/(n+1), with n cancels • Same result, longer period, stealthier – Two hours Where Innovation Is Tradition

  14. • Introduction • Background • Disabling the Softphone Host • Defense – Threshold – Limited Context Aware • Experiments • Conclusion Where Innovation Is Tradition

  15. Defenses • Must defend against single packet attacks – Group packets to be analyzed • External factors help define meaningful calls – More than 1-2 calls a second beyond human threshold • Our first defense limits the rate of invites • But the second attack defeats this with its low arrival rate – If canceled unreasonably fast, then why ring at all? • Our second defense builds a context to stop meaningless calls Where Innovation Is Tradition

  16. Threshold Filter • Noisy attack makes finding signature difficult – Both in network and application layer – Only an arrival rate threshold indicates possible attack • Some attack packets may pass, but very low rate – Phone would ring extended time, most likely alert user Threshold Filter Queue Without Filter With Filter s e c o n d s 0.0 0.25 0.5 0.75 1.0 Legitimate Invite Attack Invite Legitimate Invite Attack Invite Arrival/Departure Rejection Where Innovation Is Tradition

  17. Limited Context Aware Filter • Stealthy arrival rate is lower than noisy – Threshold filter not as effective – Signature: at least one Cancel per Invite • Queue forms a limited, by time, context – Time is the acceptable delay to begin ringing – Determine if in that time any Cancels appear LCA Filter Queue Without Filter With Filter Legitimate Invite Attack Invite Attack Cancel seconds 0.0 0.25 0.5 0.75 1.0 1.25 1.5 1.75 2.0 Legitimate Invite Attack Invite Attack Cancel Arrival/Departure Rejection Next Packet in Queue Where Innovation Is Tradition

  18. • Introduction • Background • Disabling the Softphone Host • Defense • Experiments – Attacks – Defense • Conclusion Where Innovation Is Tradition

  19. Experiments • Implementation – Attacks from Linux socket programs • Invite template from PCAP trace of legitimate call to target – Filters through FreeBSD divert sockets • Within a transparent network bridge – Targets were Windows XP virtual machines • 256 MB RAM • X-PRO Vonage 2.0 Softphone, release 1105x build 17305 – Any unnecessary outbound traffic blocked at network’s public edge to protect Vonage servers Where Innovation Is Tradition

  20. Before Attack Where Innovation Is Tradition

  21. After Attack Where Innovation Is Tradition

  22. Noisy Attack Softphone Memory Usage During Noisy Attack 900 800 Crash point 700 No filter Memory Usage (MB) Threshold filter 600 Baseline 500 400 300 200 100 0 0 2 4 6 8 10 12 14 16 Time (mins) Where Innovation Is Tradition

  23. Stealthy Attack Softphone Memory Usage During Stealthy Attack 900 800 Crash point 700 No filter Memory Usage (MB) LCA Filter 600 Baseline 500 400 300 200 100 0 0 2 4 6 8 10 12 14 16 Time (mins) Where Innovation Is Tradition

  24. Defense Effectiveness Effectiveness of Filters 100 Percentage of Attack Invites Blocked 98 96 94 92 90 Noisy v. TH Stealthy v. TH Stealthy v. LCA Stealthy v. Both Attack Type v. Filter to Measure • Stealthy invites accounted for only 15.2% of packets against TH • LCA tested with mixture of legitimate and illegitimate invites. • ‘Both’ involves LCA feeding its output into TH Where Innovation Is Tradition

  25. Defense Latency Latency of Filters Latency (msecs) with 95% Confidence 10 8 6 4 2 0 e h n A t e o H C o n H N T L B o T N v . v . v . v . . . v y y y y v y h h h h y s t t t t s o i a l a l a l a l o i N e e e e t t t t N S S S S Attack Type v. Filter to Measure • Per RFC 2544 • TH introduces less than 1 millisecond, LCA less than 5 milliseconds • No noticeable impact on VoIP signaling functionality observed Where Innovation Is Tradition

  26. • Introduction • Background • Disabling the Softphone Host • Defense • Experiments • Conclusion Where Innovation Is Tradition

  27. Conclusion • Features exploited are SIP, not Vonage – Enforcing SIP authentication could help mitigate • First to demonstrate disabling the VoIP application host; via two attacks – Noisy attack effective in minutes – Stealthy attack only 1/(n+1) the noisy rate • Presented packet filters to mitigate – Threshold: ultra-low overhead, highly effective – LCA: accurately drops stealthy attack from valid traffic Where Innovation Is Tradition

  28. Thank you for your time • Any questions? Post conference, please contact Dr. Xinyuan Wang • xwangc@gmu.edu Where Innovation Is Tradition

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data

Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data

Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data Gerome Miklau University of Massachusetts, Amherst DIMACS Workshop on Recent Work on Di ff erential Privacy across Computer Science October 2012

1.39k views • 136 slides
Exploiting the Power of MIP Solvers in MAXSAT Jessica Davies 1 and Fahiem Bacchus 2 1 MIAT, INRA,

Exploiting the Power of MIP Solvers in MAXSAT Jessica Davies 1 and Fahiem Bacchus 2 1 MIAT, INRA,

Exploiting the Power of MIP Solvers in MAXSAT Jessica Davies 1 and Fahiem Bacchus 2 1 MIAT, INRA, Toulouse, France 2 Department of Computer Science, University of Toronto Outline 1. Background 2. The MaxHS Approach 3. Exploiting CPLEX 4.

630 views • 43 slides
Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Jon Masters, Computer

Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Jon Masters, Computer

Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Jon Masters, Computer Architect, Red Hat, Inc. jcm@redhat.com | @jonmasters 2 Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Overview

2.11k views • 184 slides
Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Jon Masters, Computer

Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Jon Masters, Computer

Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Jon Masters, Computer Architect, Red Hat, Inc. jcm@redhat.com | @jonmasters 2 Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Overview

1.58k views • 140 slides
Symmetrically Exploiting XML Shuohao Zhang and Curtis Dyreson School of E.E. and Computer Science

Symmetrically Exploiting XML Shuohao Zhang and Curtis Dyreson School of E.E. and Computer Science

Symmetrically Exploiting XML Shuohao Zhang and Curtis Dyreson School of E.E. and Computer Science Washington State University Pullman, Washington, USA The 15 th International World Wide Web Conference May 2006 Edinburgh, Scotland 1970s

496 views • 22 slides
Exploiting Transport-Level Characteristics of Spam Robert Beverly 1 Karen Sollins MIT Computer

Exploiting Transport-Level Characteristics of Spam Robert Beverly 1 Karen Sollins MIT Computer

Exploiting Transport-Level Characteristics of Spam Robert Beverly 1 Karen Sollins MIT Computer Science and Artificial Intelligence Laboratory 1 now at BBN Technologies {rbeverly,sollins}@csail.mit.edu August 21, 2008 Conference on Email and

772 views • 49 slides
Exploiting Insecurity to Secure Software Update Systems Justin Cappos Department of Computer

Exploiting Insecurity to Secure Software Update Systems Justin Cappos Department of Computer

Exploiting Insecurity to Secure Software Update Systems Justin Cappos Department of Computer Science and Engineering University of Washington Introduction software update system -- a piece of software that installs, updates, removes, or

431 views • 10 slides
Making global water efforts disability inclusive 29 August 2018, World Water Week Disabling

Making global water efforts disability inclusive 29 August 2018, World Water Week Disabling

One Billion Left Behind: Making global water efforts disability inclusive 29 August 2018, World Water Week Disabling Menstrual Barriers Research Project Kavre district, Nepal Jane Wilbur (Principle Investigator) Chelsea Huggett (Technical

606 views • 11 slides
Reducing Dynamic Power in Streaming CNN Hardware Accelerators by Exploiting Computational

Reducing Dynamic Power in Streaming CNN Hardware Accelerators by Exploiting Computational

Reducing Dynamic Power in Streaming CNN Hardware Accelerators by Exploiting Computational Redundancies Duvindu Piyasena, Rukshan Wickramasinghe, Debdeep Paul, Siew-Kei Lam and Meiqing Wu School of Computer Science and Engineering (SCSE)

334 views • 10 slides
The Art of Exploiting Logical Flaws in Web Apps Sumit sid Siddharth Richard deanx

The Art of Exploiting Logical Flaws in Web Apps Sumit sid Siddharth Richard deanx

The Art of Exploiting Logical Flaws in Web Apps Sumit sid Siddharth Richard deanx Dean A GREAT COLLABORATION! 2 competitors working together! Thanks to: 7Safe, Part of PA Consulting Group Portcullis Computer Security Limited

1.17k views • 78 slides
Chapt hapter er 5 5 Large and Fast: Exploiting Memory Hierarchy 5.1 Introduction

Chapt hapter er 5 5 Large and Fast: Exploiting Memory Hierarchy 5.1 Introduction

COMPUTER ORGANIZATION AND DESIGN 5 th Edition The Hardware/Software Interface Chapt hapter er 5 5 Large and Fast: Exploiting Memory Hierarchy 5.1 Introduction Principle of Locality Programs access a small proportion

1.55k views • 105 slides
Exploiting the Client Vulnerabilities in Internet E-voting Systems: Hacking Helios 2.0 as an

Exploiting the Client Vulnerabilities in Internet E-voting Systems: Hacking Helios 2.0 as an

Exploiting the Client Vulnerabilities in Internet E-voting Systems: Hacking Helios 2.0 as an Example Saghar Estehghari 1 Yvo Desmedt 1 , 2 1 Department of Computer Science University College London, UK 2 Research Center for Information Security

572 views • 28 slides
Learning Accurate Cutset Networks by Exploiting Decomposability N. Di Mauro, A. Vergari, and F.

Learning Accurate Cutset Networks by Exploiting Decomposability N. Di Mauro, A. Vergari, and F.

Learning Accurate Cutset Networks by Exploiting Decomposability N. Di Mauro, A. Vergari, and F. Esposito Department of Computer Science, LACAM Laboratory University of Bari Aldo Moro, Italy 14th Conference of the Italian Association for

521 views • 10 slides
Exploiting Justifications for Lazy Grounding of Answer Set Programs Bart Bogaerts Antonius

Exploiting Justifications for Lazy Grounding of Answer Set Programs Bart Bogaerts Antonius

Exploiting Justifications for Lazy Grounding of Answer Set Programs Bart Bogaerts Antonius Weinzierl KU Leuven, Department of Computer Science Celestijnenlaan 200A, Leuven, Belgium Aalto University, Department of Computer Science

757 views • 31 slides
CSE 3320 Operating Systems Deadlock Jia Rao Department of Computer Science and Engineering

CSE 3320 Operating Systems Deadlock Jia Rao Department of Computer Science and Engineering

CSE 3320 Operating Systems Deadlock Jia Rao Department of Computer Science and Engineering http://ranger.uta.edu/~jrao Recap of the Last Class Race conditions Mutual exclusion and critical regions Two simple approaches Disabling

721 views • 35 slides
C3 B: Exploiting the Num erous C3 B: Exploiting the Num erous Possibilities W eb Technology

C3 B: Exploiting the Num erous C3 B: Exploiting the Num erous Possibilities W eb Technology

C3 B: Exploiting the Num erous C3 B: Exploiting the Num erous Possibilities W eb Technology Offers to Elevate Questions Offers to Elevate Questions Arnaud Wijnant wijnant@uvt.nl Maurice Martens m.g.j.martens@uvt.nl IBUC 2010 Baltimore 11/

403 views • 12 slides
OMNeT++ Community Summit, 2016 Visualization in the INET Framework Brno University of Technology

OMNeT++ Community Summit, 2016 Visualization in the INET Framework Brno University of Technology

OMNeT++ Community Summit, 2016 Visualization in the INET Framework Brno University of Technology Czech Republic September 15-16, 2016 Levente Mszros Motivation Example Implemented Visualizations for Communication Physical layer

469 views • 13 slides
XDP in Practice DDoS Mitigation @Cloudflare Gilberto Bertin About me Systems Engineer at

XDP in Practice DDoS Mitigation @Cloudflare Gilberto Bertin About me Systems Engineer at

XDP in Practice DDoS Mitigation @Cloudflare Gilberto Bertin About me Systems Engineer at Cloudflare London DDoS Mitigation Team Enjoy messing with networking and Linux kernel Agenda Cloudflare DDoS mitigation pipeline Iptables and

802 views • 65 slides
LOGIC II DAY 1 Oklahoma GEAR UP WHICH SHAPE ARE YOU? SETTING THE NORMS Whats said

LOGIC II DAY 1 Oklahoma GEAR UP WHICH SHAPE ARE YOU? SETTING THE NORMS Whats said

LOGIC II DAY 1 Oklahoma GEAR UP WHICH SHAPE ARE YOU? SETTING THE NORMS Whats said here stays here. Whats learned here leaves here. Everyone has a voice be respectful. 25 minute technology break . LOGIC Leadership

560 views • 35 slides
Oak Park and River Forest High School District 200 201 North Scoville Avenue Oak Park, IL

Oak Park and River Forest High School District 200 201 North Scoville Avenue Oak Park, IL

Oak Park and River Forest High School District 200 201 North Scoville Avenue Oak Park, IL 60302-2296 TO: Board of Education FROM: Cyndi Sidor, CFO/CSBO DATE: November 21, 2019 RE: Five-Year Financial Projections BACKGROUND: This

382 views • 9 slides
NAT & IPTables NAT & IPTables NAT & IPTables From ACCEPT to MASQUERADE From ACCEPT

NAT & IPTables NAT & IPTables NAT & IPTables From ACCEPT to MASQUERADE From ACCEPT

NAT & IPTables NAT & IPTables NAT & IPTables From ACCEPT to MASQUERADE From ACCEPT to MASQUERADE Tim(othy) Clark (eclipse) Tim(othy) Clark (eclipse) NAT IPv4 Hack One external IP for a whole network Used commonly

732 views • 13 slides
Hypothesis Testing for Network Security Philip Godfrey, Matthew Caesar, David Nicol, William H.

Hypothesis Testing for Network Security Philip Godfrey, Matthew Caesar, David Nicol, William H.

Hypothesis Testing for Network Security Philip Godfrey, Matthew Caesar, David Nicol, William H. Sanders, Dong Jin INFORMATION TRUST INSTITUTE University of Illinois at Urbana-Champaign We need a science of security Practice of doing

373 views • 24 slides
Problem Problem Problem A.R.S.S (Anonymity) AdBlock VPN DNS Crypt A.R.S.S (Reliability)

Problem Problem Problem A.R.S.S (Anonymity) AdBlock VPN DNS Crypt A.R.S.S (Reliability)

Problem Problem Problem A.R.S.S (Anonymity) AdBlock VPN DNS Crypt A.R.S.S (Reliability) OpenBSD Higher Availability IDS M:Tier A.R.S.S (Security) DNS Reshaping DNS Local Resolver NTP DMZ A.R.S.S (Stability) Packet

415 views • 16 slides
Flow Visualization Using MS-Excel Visualization for the Common Man Presented by Lee Rock and Jay

Flow Visualization Using MS-Excel Visualization for the Common Man Presented by Lee Rock and Jay

Flow Visualization Using MS-Excel Visualization for the Common Man Presented by Lee Rock and Jay Brown US-CERT Analysts Einstein Program Background US-CERT Mission Einstein Program > Large volumes of traffic > Architecture

529 views • 36 slides

More recommend