SLIDE 1
Via Cookies
draft-zourzouvillys-via-cookie-02
IETF 74 theo@voip.co.uk
SLIDE 2
SLIDE 3
The Problem
- Amplification of 1:11
- No traceability
- Victim does not need to be a SIP element
SLIDE 4
Bang bang bang
  192.0.2.200                                      Atlanta 192.0.2.1
       |  INVITE sip:invalid.domain                         |
       |  IP src: 192.0.2.200    IP dst: 192.0.2.1          |
       |--------------------------------------------------->|
       |  404 Not Found                                     |
       |  IP src: 192.0.2.1      IP dst: 192.0.2.200        |
       |<---------------------------------------------------|
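Where the 1:11 figure comes from, as an added example that is not part of the slides: an INVITE server transaction that answers with a final non-2xx over UDP enters the Completed state of RFC 3261 section 17.2.1 and retransmits that response on every Timer G expiry (starting at T1 and doubling up to T2) until Timer H (64*T1) fires or an ACK arrives. A spoofed source never ACKs, so the address in the forged IP header receives every copy. The timer values below are the RFC 3261 defaults; the function reproduces the schedule rather than quoting it.

```python
# Added example: reproduce the RFC 3261 retransmission schedule that turns one
# spoofed INVITE into eleven response datagrams at the victim.

T1 = 0.5   # RTT estimate in seconds (RFC 3261 default)
T2 = 4.0   # maximum retransmit interval in seconds (RFC 3261 default)


def final_response_send_times(t1: float = T1, t2: float = T2) -> list[float]:
    """Times (seconds after the first send) at which a stateful INVITE server
    transaction emits its final non-2xx response when no ACK ever arrives."""
    timer_h = 64 * t1       # Completed state ends when Timer H fires
    times = [0.0]           # the initial transmission of the response
    interval = t1           # Timer G starts at T1 ...
    t = interval
    while t < timer_h:
        times.append(t)
        interval = min(2 * interval, t2)   # ... and doubles, capped at T2
        t += interval
    return times


def packets_to_victim(stateful: bool, t1: float = T1, t2: float = T2) -> int:
    """Response datagrams the spoofed address receives per attacker datagram.
    A stateless responder sends the 4xx once and forgets about it."""
    return len(final_response_send_times(t1, t2)) if stateful else 1


if __name__ == "__main__":
    print(final_response_send_times())
    print("stateful:", packets_to_victim(True), "stateless:", packets_to_victim(False))
```

The last retransmission lands at 31.5 s, just before Timer H at 32 s, so the stateful path yields 11 datagrams per forged INVITE; the stateless path yields 1. The 96% of hosts on the next slide that answer statefully are each an 11x amplifier for anyone who can forge a source address.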
SLIDE 5
SLIDE 6
How bad is it in the real world?
SLIDE 7
bad
SLIDE 8
How bad is it?
- Last week there were 8.4 million publicly accessible SIP elements on port 5060 UDP.
- 96% of them sent a 4xx response to an INVITE statefully, almost all of them even for things that don't need it, like malformed SDP.
- Only 2% are sending non-2xx responses statelessly.
- Many hosting companies and DSL providers still don't do uRPF.
- Will give (real) cookies to anyone who adds it, but they need a slap first.
- Still leaves SIDR-style problems.
- Can walk e164.arpa to find URIs which may return 2xx.
- Voicemail and IVR servers are particularly attractive.
SLIDE 10
The (hop by hop) Solution
  Client                                   Server
    |  INVITE sip:xxx                         |
    |---------------------------------------->|
    |  4xx cookie required                    |
    |<----------------------------------------|
    |  INVITE sip:xxx (with cookie)           |
    |---------------------------------------->|  IST (INVITE server transaction) created
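A simulation of the exchange above, added here as an example and not taken from the draft or the slides. The cookie construction (an HMAC over the datagram's source address and a time slot), the Via parameter name "cookie" and the literal "4xx Cookie Required" status line are assumptions made for this example; the draft defines the real encoding and status code. The property being demonstrated is the one the slide relies on: the server builds no transaction state until the sender has shown it can receive datagrams at the source address it claims, so a forged source gets exactly one stateless datagram per INVITE and nothing more.

```python
# Added example: hop-by-hop cookie challenge before creating an INVITE server
# transaction. Cookie format, parameter name and status line are assumptions.
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)   # per-server secret; rotate it periodically
COOKIE_PARAM = "cookie"            # assumed Via parameter name (placeholder)
SLOT_SECONDS = 60                  # cookie lifetime window


def make_cookie(src_ip: str, src_port: int, slot: int, secret: bytes = SECRET) -> str:
    """Bind the cookie to the UDP source address so that only a host which
    actually receives datagrams at that address can present it later."""
    msg = f"{src_ip}:{src_port}:{slot}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def cookie_valid(cookie: str, src_ip: str, src_port: int, now: float,
                 secret: bytes = SECRET) -> bool:
    slot = int(now // SLOT_SECONDS)
    return any(hmac.compare_digest(cookie, make_cookie(src_ip, src_port, s, secret))
               for s in (slot, slot - 1))   # tolerate a slot boundary


def parse_via_params(via: str) -> dict:
    """'SIP/2.0/UDP host:port;branch=...;cookie=...' -> {'branch': ..., 'cookie': ...}"""
    params = via.split(";")[1:]
    return dict(p.split("=", 1) if "=" in p else (p, "") for p in params)


class CookieServer:
    """Stays stateless until the sender proves it can receive at its source address."""

    def __init__(self, secret: bytes = SECRET):
        self.secret = secret
        self.transactions_created = 0   # ISTs built, i.e. the state a flood tries to exhaust

    def handle_invite(self, src: tuple, via: str, now: float) -> tuple:
        """src is the (ip, port) of the UDP datagram itself, never a value read
        from inside the message. Returns (mode, response_line)."""
        cookie = parse_via_params(via).get(COOKIE_PARAM)
        if not cookie or not cookie_valid(cookie, src[0], src[1], now, self.secret):
            # No transaction, one datagram back, no retransmission timers.
            fresh = make_cookie(src[0], src[1], int(now // SLOT_SECONDS), self.secret)
            return ("stateless", f"4xx Cookie Required;{COOKIE_PARAM}={fresh}")
        self.transactions_created += 1       # only now create the IST
        return ("stateful", "100 Trying")


def legitimate_call(server: CookieServer, client: tuple, now: float = 1000.0) -> str:
    """A real UA: it is challenged, echoes the cookie it received, gets an IST."""
    via = f"SIP/2.0/UDP {client[0]}:{client[1]};branch=z9hG4bK1"
    mode, resp = server.handle_invite(client, via, now)
    assert mode == "stateless"
    cookie = resp.split(f"{COOKIE_PARAM}=", 1)[1]   # readable because it really arrived
    mode, _ = server.handle_invite(client, via + f";{COOKIE_PARAM}={cookie}", now)
    return mode


def spoofed_flood(server: CookieServer, victim: tuple, n: int, now: float = 1000.0) -> int:
    """n INVITEs arrive with the victim's address forged as the UDP source.
    Returns the number of datagrams the victim receives in response."""
    delivered = 0
    for i in range(n):
        via = f"SIP/2.0/UDP {victim[0]}:{victim[1]};branch=z9hG4bK{i};{COOKIE_PARAM}=guess"
        mode, _ = server.handle_invite(victim, via, now)
        assert mode == "stateless"
        delivered += 1      # the single 4xx; the sender cannot read it, so it stops here
    return delivered


if __name__ == "__main__":
    srv = CookieServer()
    print("legitimate client:", legitimate_call(srv, ("192.0.2.200", 5060)))
    print("victim datagrams per 100 forged INVITEs:", spoofed_flood(srv, ("203.0.113.7", 5060), 100))
    print("transactions created:", srv.transactions_created)
```

The server derives the cookie from the transport-layer source address and a slot counter rather than storing anything, so the challenge itself costs no memory. Verification uses a constant-time compare and accepts the previous slot to survive a rotation mid-exchange. The cost the deck lists under Downsides shows up here too: anything stateless in front of this server has to carry the extra round trip for its own clients.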
SLIDE 11
Other Solutions
- Deprecate UDP
- Anonymous authentication (or even better, null-auth with a nonce addition)
- Walled gardens only
- Pack up and go home (I've always wanted to run a farm)
SLIDE 12
Downsides
- Stateless proxies will need to round-trip them
- Only affects outbound stateless proxies with next-hop
SLIDE 13
Other Related Problems
- In-dialog targeting
- Voice Hammer attack, see draft-rosenberg-mmusic-rtp-denialofservice-00
SLIDE 14
Outstanding Issues
None?
SLIDE 15
Questions?