
VoIP Defender The Future of VoIP Protection


Presentation Transcript


  1. VoIP Defender: The Future of VoIP Protection
     Fraunhofer FOKUS Institute, Germany. Fraunhofer FOKUS 2007

  2. VoIP-Defender – Why?
     - A steadily increasing number of customers makes VoIP a first-class target for attackers.
     - Attacks are aimed at:
       - The service itself (e.g. DDoS, spoofing)
       - The customer (SPIT, fraud, call hijacking)
       - The service provider (e.g. SQL injection)
     - Already observed:
       - REGISTER / INVITE flooding
       - Multi-source flooding
       - Unresolvable DNS names
       - Unintentional misbehavior / misconfiguration (not an attack)
     - What will we see tomorrow?

  3. VoIP-Defender – What is it?
     - VoIP-Defender is a framework for detection algorithms.
     - Highly scalable
       - Cope with high-bandwidth attacks, especially DoS.
       - Multiple scalability levels plus parallel processing.
     - Invisible placing
       - Attackers cannot see the presence of the VoIP-Defender.
     - Autonomously working
       - No support from the proxy needed, thus proxy agnostic.
       - Traffic pass-through by default.
     - Intelligent monitoring and defence
       - Especially designed for SIP networks
       - Includes SIP/IMS parser, SIP state machine, SIP properties
       - See actual ongoing SIP network traffic
       - Monitoring and defence algorithms dynamically enabled / disabled
       - Already multiple monitoring and detection algorithms
     - User Control Interface – Terminal, GUI

  4. VoIP-Defender – Where Is It?
     - VoIP-Defender is placed between the service provisioning platform and the customers.
     - Classical firewall position.
     - Multi-link monitoring & protection possible.
     - [Diagram labels: Legal Users, Attacker, VoIP-Defender, Services]

  5. VoIP-Defender – Architecture Overview
     - Transport Level Load Balancers (TLLB)
     - Filter/Scanner Nodes (FSN)
     - Analyzers (algorithm's parallel part)
     - Deciders (algorithm's sequential part)
     - [Diagram labels: Internet, Traffic, TLLB, FSN, Service, Reconstructed Messages, Analyzer 1, Analyzer 2, Alg1, Alg2, Rules, Decider plane, Algorithmic knowledge]

  6. VoIP-Defender – Architecture: Transport Level Load Balancing (Internet Side TLLB)
     - MAC layer transparent.
     - Simple load balancing by information from up to the transport layer.
     - Incoming packets from the same source IP address are sent out via the same port (mapping).
     - Outgoing packets to unassociated IP addresses also create a mapping.
     - [Diagram labels: Clients, Incoming, Outgoing, TLLB, Mappings, Ports, FSN1, FSN2, FSN3]

  7. VoIP-Defender – Architecture: Transport Level Load Balancing (Service Side TLLB)
     - Outgoing packets to the same source IP address are sent out via the same port (mapping).
     - Incoming packets from unassociated IP addresses also create a mapping.
     - [Diagram labels: Service, Incoming, Outgoing, TLLB, Mappings, Ports, FSN1, FSN2, FSN3]

  8. VoIP-Defender – Architecture: Filter & Scanner Node
     - [Diagram labels, user space: Analyzer, Decider, SIP + Meta, User Space Message Inspection, Filter Rule Control]
     - [Diagram labels, kernel space: Analyzer selection, SIP extractor, Rule Processing, UDP, TCP, IP defrag, Verdict, Frames, Frame Cache, Bridge, Incoming, Outgoing]

  9. VoIP-Defender – Architecture: Filter & Scanner Node (same diagram)
     - A UDP packet arrives.

  10. VoIP-Defender – Architecture: Filter & Scanner Node (same diagram)
     - The frame is forked: one copy for the Frame Cache, another one for analysis.

  11. VoIP-Defender – Architecture: Filter & Scanner Node (same diagram)
     - The packet is inspected for completeness in terms of IP, UDP and SIP.

  12. VoIP-Defender – Architecture: Filter & Scanner Node (same diagram)
     - Potentially many packets may be necessary to assemble a complete SIP message. This one is incomplete.

  13. VoIP-Defender – Architecture: Filter & Scanner Node (same diagram)
     - The rest of the SIP message arrives.

  14. VoIP-Defender – Architecture: Filter & Scanner Node (same diagram)
     - It is also duplicated: one copy for the intelligence, one for the Frame Cache.

  15. VoIP-Defender – Architecture: Filter & Scanner Node (same diagram)
     - Again checked for completeness.

  16. VoIP-Defender – Architecture: Filter & Scanner Node (same diagram)
     - As soon as the SIP message is complete, an Analyzer is selected by determining a session ID, and the SIP message is sent to it along with meta information about the involved transport.
     - The SIP message is examined by the currently active rule set.

  17. VoIP-Defender – Architecture: Filter & Scanner Node (same diagram)
     - Here, the message has been found to be OK, so all its frames (2) are allowed to be sent out.
     - [Diagram label: Verdict: OK]

  18. VoIP-Defender – Architecture: Rules
     - Rules are based on any protocol information.
     - Regular expressions enable filtering by content.
     - Scripting rules allow even more complex operations (requires user-space filtering support on the FSNs).
     - Verdicts:
       - OK: The frames are sent out in the correct order.
       - DROP:
         - UDP: Frames are simply dropped.
         - TCP: The connection is interrupted by injecting RST frames.

  19. VoIP-Defender – Architecture: Analyzer & Decider
     - Example: INVITE flooding from a single source.
     - Detection algorithms are split into a scalable part and a non-scalable part.
     - The scalable part is realized in the Analyzers.
     - The non-scalable part is realized in the Decider.
     - [Diagram: each Analyzer runs Parsing, "INVITE?", Extract SRC, increase counter for this SRC; the Decider runs Trigger Alarm]

  20. VoIP-Defender – Architecture: Analyzer
     - Analyzers implement the scalable part of detection algorithms in VoIP-Defender.
     - It is guaranteed that every SIP message that belongs to the same session is processed by the same Analyzer.
     - APIs for algorithm programmers, offering:
       - Effective SIP parsing
       - Access to transport information
         - Protocol
         - Fragments
         - Transmission time and duration
         - SRC/DST IP address
         - Port numbers
       - Network communication with the Decider

  21. VoIP-Defender – Architecture: Analyzer (component diagram)
     - Report Server (listens for incoming messages & reports from FSNs), feeding the Incoming Msg Buffer
     - SIP Parser (pre-parses incoming SIP messages), producing Parsed SIP Msg and Meta Data
     - Algorithm Dispatcher (calls each analyzer in order with the current parsed SIP message)
     - Analyzer Components (Algorithm 1, Algorithm 2, Algorithm 3), each with its own State
     - Result Client (sends individual result information to the decider layer)
     - Control Interface (GUI interaction)
     - Connections: FSN connections, Decider connection, GUI connection
     - [Diagram edge labels: stores, access, provides, Results / Status]

  22. VoIP-Defender – Architecture: Decider
     - The Decider implements the non-scalable (common knowledge) part of detection algorithms in VoIP-Defender.
     - It receives algorithm-specific reports from the Analyzers and dispatches them to the specific Decider modules.
     - APIs for algorithm programmers, offering:
       - Rule management
       - Inter-algorithm communication
       - Network communication with Analyzers and FSNs

  23. VoIP-Defender – Architecture: Decider (component diagram)
     - Result Server (listens for incoming result reports from the analyzer layer)
     - Decider Components (Algorithm 1, Algorithm 2, Algorithm 3, Algorithm 4), each with its own State
     - Event Manager (dispatches events sent to and by algorithms)
     - Rule Cache (keeps current rules locally)
     - Rule Control (sends control commands to the FSNs)
     - Timers
     - Control Interface
     - Connections: Analyzer connections, FSN connections
     - [Diagram edge labels: Incoming result, Results, Create rules]

  24. VoIP-Defender – Next Steps
     - Develop and implement more detection algorithms.
     - Real-world deployment at a professional VoIP provider.
     - Architectural refinements.
     - Dedicated IMS support.

  25. VoIP-Defender – Thanks. Questions?
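
The Filter & Scanner Node walk-through in slides 9 to 18 (cache each frame, check IP and SIP completeness, apply the rule set, then release or drop the held frames) can be modelled as below. This is an added example, not code from the presentation or from VoIP-Defender; the class, the rule, the cache bound, byte-granular fragment offsets and the handling of a truncated SIP message are all assumptions.

```python
import re

# Constructed rule set (hypothetical): regex over the whole SIP message -> verdict.
RULES = [(re.compile(rb"^User-Agent:\s*floodtool", re.I | re.M), "DROP")]

def sip_complete(msg: bytes) -> bool:
    """Headers must be terminated and Content-Length bytes of body present."""
    head, sep, body = msg.partition(b"\r\n\r\n")
    if not sep:
        return False
    m = re.search(rb"^(?:Content-Length|l)[ \t]*:[ \t]*(\d+)", head, re.I | re.M)
    return len(body) >= (int(m.group(1)) if m else 0)

class FilterScannerNode:
    MAX_HELD = 16  # assumption: bound the cache so held fragments cannot exhaust memory

    def __init__(self, rules=RULES):
        self.rules = rules
        self.cache = {}  # datagram key -> {offset: (more_fragments, payload)}

    def on_frame(self, key, offset, more, payload):
        """Cache the frame and analyse a copy. Returns (verdict, frames_to_send);
        verdict is None while the datagram is still incomplete."""
        held = self.cache.setdefault(key, {})
        held[offset] = (more, payload)
        if len(held) > self.MAX_HELD:
            del self.cache[key]
            return "DROP", []
        pos, last_more, parts = 0, True, []
        for off in sorted(held):
            if off != pos:             # gap: an earlier fragment is still missing
                return None, []
            last_more, data = held[off]
            parts.append(data)
            pos += len(data)
        if last_more:                  # final fragment not seen yet
            return None, []
        del self.cache[key]
        message = b"".join(parts)
        if not sip_complete(message):  # assumption: truncated SIP in a full datagram is dropped
            return "DROP", []
        verdict = next((v for rx, v in self.rules if rx.search(message)), "OK")
        return verdict, (parts if verdict == "OK" else [])
```

On an OK verdict the frames come back sorted by offset, which corresponds to slide 18's "sent out in the correct order" even when they arrived out of order.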
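
The Analyzer/Decider split from slides 19 to 23, applied to the single-source INVITE flooding example, is sketched below as an added example (not code from the presentation or from VoIP-Defender). It assumes the session ID is the Call-ID, a CRC32-based analyzer selection, a fixed counting window and a hypothetical rule tuple format; the sample traffic is constructed. Because a flooding source uses many sessions, its INVITEs are spread across Analyzers, so only the Decider sees the total per source.

```python
import re
import zlib
from collections import Counter

CALL_ID = re.compile(r"^(?:Call-ID|i)[ \t]*:[ \t]*(\S+)", re.I | re.M)

class Analyzer:
    """Scalable part: keep INVITEs and count them per source IP."""
    def __init__(self):
        self.counts = Counter()
    def process(self, sip_text, src_ip):
        if sip_text.startswith("INVITE "):
            self.counts[src_ip] += 1
    def report(self):
        """Hand the per-source counts to the Decider and start a new window."""
        out, self.counts = self.counts, Counter()
        return out

class Decider:
    """Non-scalable part: the only place that sees every Analyzer's report."""
    def __init__(self, threshold):
        self.threshold = threshold
        self.rules = []  # rules the Decider would push to the FSNs (hypothetical format)
    def evaluate(self, reports):
        total = sum(reports, Counter())
        alarms = sorted(src for src, n in total.items() if n > self.threshold)
        self.rules += [("DROP", "INVITE", src) for src in alarms]
        return alarms

def select_analyzer(sip_text, n):
    """Same session ID always maps to the same Analyzer index."""
    m = CALL_ID.search(sip_text)
    return zlib.crc32(m.group(1).encode()) % n if m else 0

def run_window(messages, n_analyzers, threshold):
    analyzers = [Analyzer() for _ in range(n_analyzers)]
    for src_ip, sip_text in messages:
        analyzers[select_analyzer(sip_text, n_analyzers)].process(sip_text, src_ip)
    reports = [a.report() for a in analyzers]
    return Decider(threshold).evaluate(reports), reports

def sample_messages():
    """Constructed traffic: 12 INVITEs from one source, 2 from another, 1 REGISTER."""
    inv = "INVITE sip:bob@example.com SIP/2.0\r\nCall-ID: {}\r\n\r\n"
    msgs = [("198.51.100.7", inv.format(f"flood-{i}")) for i in range(12)]
    msgs += [("203.0.113.9", inv.format(f"call-{i}")) for i in range(2)]
    return msgs + [("203.0.113.9", "REGISTER sip:example.com SIP/2.0\r\nCall-ID: r1\r\n\r\n")]
```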
