Re: [Sip] submission of a new I-D: "Dialog Event foR IdentityVErification"
From: Dean Willis <dean.willis at softarmor.com>
To: Iñaki Baz Castillo <ibc at aliax.net>
Cc: sip at ietf.org
Date: Sat, 1 Nov 2008 16:23:47 -0500
On Nov 1, 2008, at 7:57 AM, Iñaki Baz Castillo wrote:
> On Friday, 31 October 2008, Dean Willis wrote:
>> Now, from a security perspective: Who's done the analysis on whether
>> DERIVE introduces new attack opportunities?
>> For example, is there a DOS opportunity in using the home proxy as a
>> message-exploder for source-forged SUBSCRIBE requests? Seems like there
>> might be a problem there . . .
>
> Do you mean something as:
>
> attacker                   alice                      bob (victim)
> INVITE (From: bob) ----->
>                            SUBSCRIBE ------------->
> INVITE (From: bob) ----->
>                            SUBSCRIBE ------------->
> INVITE (From: bob) ----->
>                            SUBSCRIBE ------------->
> INVITE (From: bob) ----->
>                            SUBSCRIBE ------------->
Yeah.
And factoring in retransmission requests . . .
Alice is the target of the attack.
Evil Dave forges an INVITE with DERIVE-supported from Alice to Bob.
Bob then sends a SUBSCRIBE to Alice. Alice either 404s, or (if she
doesn't support 4235) does something like ignore the request. Bob
then retransmits through the NIT-retransmission cycle, thereby
generating a factor-N attack multiplication with indirection.
Now, if Dave really hates Alice, Dave sends the same sort of forged
INVITE to Carol and Eugene and Frank and everybody else.
Alice is the one being attacked, but she can't trace the source of the
attack back to Dave's IP address without cooperation from Bob and the
other relayers.
Is this any worse than the multiplier already built into SIP? It's
probably not any worse than the "voice hammer" attack, although it's
different in that it floods the signaling channel, not the media
channel. So really, it's Alice's proxy that is the target of such an
attack.
--
Dean
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sipping at ietf.org for new developments on the application of sip
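Added example, not part of the original message or of the DERIVE draft: the "factor-N" multiplication described above, put in numbers with the RFC 3261 default timers for a non-INVITE client transaction over UDP (T1 = 0.5 s, T2 = 4 s, Timer F = 64*T1). The function names and the model of one SUBSCRIBE transaction per forged INVITE are assumptions made for this illustration.

```python
# Added illustration. Timer values are the RFC 3261 defaults; the model
# (one SUBSCRIBE transaction per forged INVITE, UDP transport) is an assumption.
from collections import Counter

T1 = 0.5            # RTT estimate, seconds
T2 = 4.0            # cap on the non-INVITE retransmit interval, seconds
TIMER_F = 64 * T1   # non-INVITE transaction timeout, seconds


def subscribe_send_times(t1=T1, t2=T2, timer_f=TIMER_F):
    """Offsets (s) at which one unanswered SUBSCRIBE is sent over UDP."""
    times, now, interval = [0.0], 0.0, t1
    while now + interval < timer_f:       # Timer F ends the transaction
        now += interval
        times.append(now)
        interval = min(2 * interval, t2)  # Timer E doubles, capped at T2
    return times


def load_on_target(forged_invites, target_answers):
    """Model SUBSCRIBE arrivals at the target's proxy.

    forged_invites: list of (relayer, time_s) pairs, one per forged INVITE.
    target_answers: True if the target sends a final response such as 404
    (which stops retransmission), False if it ignores the request.
    Returns (total_messages, amplification_factor, per_second_histogram).
    """
    offsets = [0.0] if target_answers else subscribe_send_times()
    per_second = Counter()
    for _relayer, start in forged_invites:
        for off in offsets:
            per_second[int(start + off)] += 1
    total = sum(per_second.values())
    factor = total / len(forged_invites) if forged_invites else 0.0
    return total, factor, dict(sorted(per_second.items()))


if __name__ == "__main__":
    # Constructed input: one forged INVITE to each relayer named in the thread.
    invites = [("bob", 0.0), ("carol", 0.0), ("eugene", 0.0), ("frank", 0.0)]
    for answers in (True, False):
        total, factor, hist = load_on_target(invites, answers)
        print(f"answers={answers}: {total} SUBSCRIBEs, x{factor:.0f}, "
              f"peak/s={max(hist.values())}")
```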