
DEGREE PROJECT IN ELECTRICAL ENGINEERING, SECOND CYCLE, 30 CREDITS
STOCKHOLM, SWEDEN 2016

A reverse proxy for VoIP
Or how to improve security in a ToIP network

GUILLAUME DHAINAUT

KTH ROYAL INSTITUTE OF TECHNOLOGY
SCHOOL OF ELECTRICAL ENGINEERING

Master’s Programme in Network Services and Systems - ANSSI
Guillaume Dhainaut 921006-5950 [email protected]

Master’s Thesis
Stockholm, February 24, 2016

Supervisors: Pierre Lorinquer (ANSSI), Fabien Allard (ANSSI)
Examiner: Panagiotis Papadimitratos ([email protected]), KTH

Abstract

The need for security is crucial in Telephony over IP (ToIP). Secure protocols have been designed, as well as specific devices, to fulfill that need. This master thesis examines one such device, the Session Border Controller (SBC), which can be compared to a reverse proxy for ToIP. The idea is to apply message filters to increase security. This thesis presents the reasons for the SBC's existence, based on the security weaknesses a ToIP network can show. These reasons are then used to establish a list of features that can be expected from an SBC and to discuss its ideal placement in a ToIP network architecture. A test methodology for SBCs is established and applied to the free software Kamailio as an illustration. Following this test, improvements to this software, regarding threat prevention and attack detection, are presented and implemented.

Summary

The need for security is of crucial importance in telephony over IP (ToIP). Security protocols have been designed, as well as dedicated devices, to meet this need. This thesis examines one such device, called a Session Border Controller (SBC), which can be compared to reverse proxies for ToIP. The idea is to apply message filters to increase security. This thesis presents the reasons for the SBC's existence, based on the security weaknesses a ToIP network can exhibit. These reasons are then used to establish a list of features that can be expected of an SBC and to discuss its ideal placement in a ToIP network architecture. A test methodology for SBCs is established and applied to the free software Kamailio as an illustration. Following this test, improvements to this software, regarding threat prevention and attack detection, are presented and implemented.

Acknowledgements

This research was supported by ANSSI (French Network and Information Security Agency) in Paris. They offered me help and materials. I owe my gratitude to Pierre Loriquer and Fabien Allard, who were my ANSSI supervisors and helped me throughout this thesis by giving me advice and ideas. I would also like to thank Colin Chaigneau and Valentin Houchouas, my colleagues at ANSSI, for their help in areas in which they were experts. I am thankful to Panagiotis Papadimitratos, my supervisor at KTH, for his helpful advice about the report. Finally, I thank Alice Tourtier for her help and support.

Contents

1 Introduction
    1.1 Goal of the thesis
    1.2 Contribution
    1.3 Outline
2 VoIP Technologies
    2.1 SIP
        2.1.1 Messages
        2.1.2 Elements of a SIP call establishment
        2.1.3 Exchange examples
        2.1.4 Security Mechanisms
    2.2 Media session protocols
        2.2.1 Codecs
        2.2.2 RTP
        2.2.3 SRTP
        2.2.4 RTCP
        2.2.5 SDP
    2.3 Other protocols
        2.3.1 VoIP protocols
        2.3.2 Service protocols
    2.4 Unified Communications
3 Security on a ToIP infrastructure
    3.1 Security issues in ToIP
        3.1.1 Risks
        3.1.2 Common ToIP attacks
        3.1.3 How to make secure ToIP
        3.1.4 Limits
    3.2 Session Border Controller
        3.2.1 Principle
        3.2.2 Differences with existing devices
4 SBC features
    4.1 Internetworking
    4.2 Media
    4.3 QoS
    4.4 Security
        4.4.1 Upstream protection
        4.4.2 Common attack protection
        4.4.3 Downstream protection
5 SBC Architecture integration
    5.1 At the border of ToIP architecture
        5.1.1 Presentation
        5.1.2 Limits
    5.2 At the Center of ToIP architecture
        5.2.1 Presentation
        5.2.2 Limits
    5.3 Combination
6 SBC Security Test
    6.1 Methodology
        6.1.1 Test environment
        6.1.2 Features announced
        6.1.3 Fuzzing
        6.1.4 DoS/Flood
        6.1.5 TLS quality
        6.1.6 Common SIP attacks
    6.2 Test of Kamailio
        6.2.1 Test environment
        6.2.2 Results
        6.2.3 Conclusion
7 Improvements
    7.1 Permissions module
        7.1.1 Logic
        7.1.2 Implementation
    7.2 CDR analysis
        7.2.1 Logic
        7.2.2 Implementation
        7.2.3 Tests
8 Conclusion and future work
    8.1 Accomplished work
    8.2 SBC conception
    8.3 Future work
A Loop amplification Attack
B Kamailio configuration files
C Asterisk configuration files

List of Figures

1 ITU-T protocol set
2 VoIP IETF protocol set
3 Example of a SIP INVITE message
4 SIP Registration process
5 SIP Call process
6 SIP Digest authentication example
7 RTP header as defined in RFC 3550 [1]
8 Example of a SDP description
9 Example of DoS attack with INVITE messages
10 Security measures at the network level
11 Example of SBC placement
12 Use of a B2BUA to transcode audio flow
13 SBC action to allow high frequency registration
14 Internal architecture with a SBC at the border of the ToIP network
15 VoIP flows with a SBC at the center
16 Internal architecture with two SBCs at the border and at the center of the ToIP network
17 Test environment of Kamailio
18 CPU and RAM usages versus message intensity during DoS attacks
19 Learning period in time
20 Example of a user profile
21 Call hour distribution for a user
22 Receiver Operating Characteristic for the call classifier
23 REGISTER messages of a loop amplification attack
24 Example of the flow of a SIP amplification attack from RFC 5393 [2]

List of Tables

1 Main SIP request methods
2 Main SIP response codes
3 Main audio codecs
4 Codecs understood by some SIP systems
5 Overview of the security features
6 Security features implemented in Kamailio
7 Kamailio DoS results
8 FPR and TPR results

Abbreviations and Acronyms

ANSSI   French Network and Information Security Agency
B2BUA   Back-to-Back User Agent
CA      Certificate Authority
CAC     Call Admission Control
CDR     Call Detail Record
CoS     Class of Service
CPE     Customer Premises Equipment
CPU     Central Processing Unit
CVE     Common Vulnerabilities and Exposures
DHCP    Dynamic Host Configuration Protocol
DNS     Domain Name System
DoS     Denial of Service
DDoS    Distributed DoS
DTLS    Datagram Transport Layer Security
DTMF    Dual-Tone Multi-Frequency
ERP     Enterprise Resource Planning
FPR     False Positive Ratio
FTP     File Transfer Protocol
HTTP    Hypertext Transfer Protocol
HTTPS   HTTP Secure
IAX     Inter-Asterisk eXchange
ICE     Interactive Connectivity Establishment
IETF    Internet Engineering Task Force
IP      Internet Protocol
IPBX    Internet PBX
IPsec   Internet Protocol Security
ISDN    Integrated Services Digital Network
ISUP    Integrated Services Digital Network User Part
ITU     International Telecommunication Union
ITU-T   ITU Telecommunication Standardization