This article is about Cheating VoIP Security by Flooding the SIP.
Introduction
VoIP rides on the same Internet infrastructure as everything else and uses TCP, UDP and other common protocols, so it inherits the common attacks against that infrastructure, such as DDoS and password cracking. An attacker first footprints the VoIP network to learn its servers, phones and ports, then attacks. VoIP flooding, a form of denial of service, is one of the most damaging of these attacks: its aim is to make the service unavailable to legitimate users.
The target of a flood attack varies: sometimes the attacker wants to crash a system, sometimes the goal is only to introduce jitter, lag and other quality problems. In both cases the VoIP environment is degraded, which shows a lack of security controls. The objectives of a flood attack are:
- Compromise network resources (network availability)
- Introduce latency and jitter (disrupt quality of service)
Quality of Service (QoS) is always a high priority: VoIP is chosen for its call quality, and if users do not get that quality there is no reason to have a VoIP network. Before attacking the environment, let's look at the factors that determine quality:
Latency is delay: the time it takes for speech to leave the speaker's mouth and reach the listener's ear. On the network, latency is the time a packet takes to traverse the path from sender to receiver. The commonly accepted maximum for VoIP is 150 ms one-way (the ITU-T G.114 guideline). Delay can come from incorrect network configuration, the number of intermediate devices, queuing inside those devices, and physical distance.
Jitter is variation in packet delay. It occurs when the sender transmits packets at a constant rate but the receiver sees them arrive at a variable rate. Causes include route changes, queuing, clock offsets and serialization delay; a common one is the lack of bandwidth management. The commonly cited tolerance is about 40 ms. VoIP endpoints counter jitter with a jitter buffer, which holds arriving packets briefly so they can be played out at a steady rate; the buffer itself adds latency.
Packet loss occurs when more traffic is offered than the network can carry and some packets are discarded. In a VoIP call a lost packet cannot be retransmitted, because the conversation is real time and the packet would arrive too late to be useful. The widely used G.729 codec needs well under 1 percent loss to avoid audible errors; ideally a VoIP network should have no packet loss at all.
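As an added example (not from the original article), the following Python computes the three quality factors above from a constructed RTP trace. The packet timestamps, sequence numbers and threshold constants are assumptions made for illustration; jitter is estimated with the interarrival-jitter formula from RFC 3550 section 6.4.1, the same estimator RTCP receiver reports carry.

```python
# Added example (not from the original article): compute the three VoIP quality
# factors discussed above from a constructed RTP packet trace. Sender timestamps,
# receiver arrival times and sequence numbers are made up for illustration.
# Jitter uses the interarrival-jitter estimator from RFC 3550 section 6.4.1.

MAX_ONE_WAY_DELAY_MS = 150.0   # ITU-T G.114 guideline for one-way delay
MAX_JITTER_MS = 40.0           # threshold the article uses
MAX_LOSS_PCT = 1.0             # G.729 needs under 1 % loss

# Constructed trace: (sequence number, sender timestamp ms, receiver arrival ms).
# 20 ms packetisation, about 60 ms base delay, a missing seq 4 and a late seq 7
# to exercise the loss and jitter calculations.
TRACE = [
    (1,   0,  60),
    (2,  20,  81),
    (3,  40, 100),
    # seq 4 never arrives
    (5,  80, 142),
    (6, 100, 160),
    (7, 120, 215),   # queued somewhere: 95 ms one-way
    (8, 140, 202),
    (9, 160, 221),
]

def one_way_delays(trace):
    return [recv - sent for _, sent, recv in trace]

def rfc3550_jitter(trace):
    """Final interarrival jitter estimate J in ms, applied to consecutive
    received packets: D(i-1,i) = (R_i - R_i-1) - (S_i - S_i-1), J += (|D| - J)/16."""
    j = 0.0
    for (_, s_prev, r_prev), (_, s_cur, r_cur) in zip(trace, trace[1:]):
        d = (r_cur - r_prev) - (s_cur - s_prev)
        j += (abs(d) - j) / 16.0
    return j

def packet_loss_pct(trace):
    """Loss from gaps in the sequence numbers (no retransmission in RTP)."""
    seqs = [seq for seq, _, _ in trace]
    expected = seqs[-1] - seqs[0] + 1
    return 100.0 * (expected - len(seqs)) / expected

def assess(trace):
    """Report the three metrics and whether all of them are within tolerance."""
    delays = one_way_delays(trace)
    report = {
        "max_delay_ms": max(delays),
        "jitter_ms": round(rfc3550_jitter(trace), 3),
        "loss_pct": round(packet_loss_pct(trace), 3),
    }
    report["ok"] = (report["max_delay_ms"] <= MAX_ONE_WAY_DELAY_MS
                    and report["jitter_ms"] <= MAX_JITTER_MS
                    and report["loss_pct"] < MAX_LOSS_PCT)
    return report

if __name__ == "__main__":
    print(assess(TRACE))
```

On the constructed trace the delay (95 ms) and jitter (about 4.2 ms) are within tolerance but the single lost packet out of nine (11 percent) fails the loss check, which is the point: a flood does not need to push latency past 150 ms to ruin a call, a little loss is enough.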
A flooding attack is a form of DoS attack whose aim is to load network resources so heavily that a legitimate user can no longer connect to and use the service. It succeeds when the attacker consumes all of a resource (bandwidth, TCP connection state, and so on). Flooding is the most common DoS technique because the tools to launch it are freely available on the Internet. Flooding can be divided into the following types:
- SYN flood attack
- UDP Flood Attack
- ICMP smurf flood attack
A SYN flood (TCP SYN flood) abuses the TCP three-way handshake. TCP is a connection-oriented protocol: two hosts must establish a connection before transferring data, and that connection is established with a three-way handshake.
The initiator (client) tells the server (listener) that it wants to establish a connection by sending a SYN packet. The server responds with a SYN+ACK and allocates state for the half-open connection; after receiving this green light the client sends the final ACK and the connection is established. That is the normal TCP connection setup. The attacker abuses it by never completing the handshake.
In a TCP SYN flood the attacker sends SYN packets with forged (spoofed) source IP addresses; the attacker uses neither its own IP nor the address of any live machine. The spoofed source must not be a live host: a live host that receives a SYN+ACK it never asked for replies with a RST, which tells the server to discard the half-open connection and frees exactly the resource the attacker wanted to tie up.
The server receives each SYN and sends its SYN+ACK to a source that does not exist, so the final ACK never arrives and the server is left waiting until the half-open entry times out. Enough such SYNs fill the server's connection table, and every resource is consumed by illegitimate requests. The server, routers and other devices cannot distinguish a forged SYN from a legitimate one, so legitimate clients are refused as well.
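The following toy model, added here and not part of the original article, simulates a listener's half-open connection table to show why the spoofed source must be silent: sources that answer with RST free the table, entries expire on their own after a timeout, and SYN cookies make the flood harmless because nothing is stored per SYN. Table size, timeout and addresses are made-up parameters, not real kernel values.

```python
# Added example (not from the original article): a toy model of a listener's
# half-open (SYN-RECEIVED) connection table, showing why a SYN flood must use
# source addresses that do not answer. Capacity, timeouts and addresses are
# made-up parameters, not real kernel values.

BACKLOG = 4            # assumed size of the half-open table
SYN_TIMEOUT = 30       # assumed seconds a half-open entry lives without an ACK

class Listener:
    def __init__(self, syn_cookies=False):
        self.syn_cookies = syn_cookies
        self.half_open = {}        # (src_ip, src_port) -> expiry time
        self.established = set()
        self.dropped = 0           # SYNs refused because the table was full

    def _expire(self, now):
        self.half_open = {k: t for k, t in self.half_open.items() if t > now}

    def on_syn(self, src, now):
        self._expire(now)
        if self.syn_cookies:
            return "SYN+ACK"      # state is encoded in the sequence number, nothing stored
        if len(self.half_open) >= BACKLOG:
            self.dropped += 1
            return "DROP"
        self.half_open[src] = now + SYN_TIMEOUT
        return "SYN+ACK"

    def on_ack(self, src, now):
        # third handshake packet; with cookies it is validated statelessly
        if self.syn_cookies or self.half_open.pop(src, None) is not None:
            self.established.add(src)
            return True
        return False

    def on_rst(self, src, now):
        # a live host that never sent the SYN answers our SYN+ACK with RST,
        # which clears the half-open entry: that source is useless for flooding
        self.half_open.pop(src, None)

def run_flood(spoofed_sources_are_live, syn_cookies=False):
    """Flood with BACKLOG spoofed SYNs at t=0, then a legitimate client at t=1.
    Returns (legit_client_connected, half_open_entries_left)."""
    srv = Listener(syn_cookies)
    spoofed = [("10.9.9.%d" % i, 40000 + i) for i in range(BACKLOG)]
    for src in spoofed:
        srv.on_syn(src, now=0)
        if spoofed_sources_are_live:
            srv.on_rst(src, now=0)   # real host rejects the unexpected SYN+ACK
    client = ("192.0.2.10", 51515)  # legitimate client completes the handshake
    if srv.on_syn(client, now=1) == "SYN+ACK":
        srv.on_ack(client, now=1)
    return client in srv.established, len(srv.half_open)

def flood_then_wait(seconds):
    """Same flood with silent sources; the client arrives `seconds` later."""
    srv = Listener()
    for i in range(BACKLOG):
        srv.on_syn(("10.9.9.%d" % i, 40000 + i), now=0)
    client = ("192.0.2.10", 51515)
    if srv.on_syn(client, now=seconds) == "SYN+ACK":
        srv.on_ack(client, now=seconds)
    return client in srv.established

if __name__ == "__main__":
    print("silent spoofed sources:", run_flood(False))          # (False, 4)
    print("live spoofed sources:  ", run_flood(True))           # (True, 0)
    print("with SYN cookies:      ", run_flood(False, True))    # (True, 0)
    print("client after timeout:  ", flood_then_wait(SYN_TIMEOUT + 1))  # True
```

The timeout case is why a real flood is continuous rather than a single burst: the attacker has to keep refilling the table faster than entries expire, which is what hping3's --flood mode does.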
Let's use a common tool, hping3, to launch a SYN flood:
hping3 -i u1 -S --flood -V target_IP
Here target_IP can be the IP of a VoIP client or of the server, depending on your goal. The command above runs a very basic flood and sends the packets from the attacker's own IP, so this is not the right way to do it: the attacker's host receives every SYN+ACK and is identified in the process.
Sniff the packets with Wireshark to analyze the attack: Wireshark → Capture → Interfaces (select eth0 for a wired connection or wlan0 for Wi-Fi) → Start.
Both the outgoing SYNs and the incoming SYN+ACK replies can be seen: thousands of packets pass between the two machines within a few seconds, which will eventually exhaust the target. In this scenario, however, the attacker's own machine is also affected, because it has to handle every reply. Spoof the source IP instead:
hping3 -p 80 -S -a spoofed_IP target_IP --flood
Here spoofed_IP should be an address that is not in use (an offline machine); -S sets the SYN flag, -a sets the source address and -p selects the destination port.
With the source IP not live, nothing ever answers the target's SYN+ACKs, so the target waits on every half-open connection: the flood consumes bandwidth and keeps the VoIP server busy.
hping3 -c 20000 -d 100 -S -w 64 -p 21 --flood --rand-source target_IP
--rand-source picks a random source address for every packet, -c sets the packet count, -d the payload size in bytes, -w the TCP window size and -p 21 the port to attack.
To disturb the SIP service, target the SIP ports (5060, 5061) instead of 21. Note that a SYN flood only affects SIP listeners that use TCP (SIP over TCP on 5060, SIP over TLS on 5061); most SIP traffic runs over UDP, which has no handshake to abuse, and that is why the next attack matters more for VoIP.
UDP Flood Attack
A UDP flood is the most common attack a VoIP network faces: most SIP devices use the User Datagram Protocol, and UDP has no handshake, so every spoofed datagram is accepted and has to be processed by the listener.
Download the UDP flooder from Packet Storm; it is written in Perl.
The small packets are sent to UDP port 5060, the SIP signaling port, so that legitimate users cannot set up calls while the server is busy discarding them.
The capture shows the source IP continuously sending packets to the server's SIP port.
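As an added example that is not from the original article, the following Python detects the flood described above from constructed datagrams on UDP/5060, flagging any source that exceeds a per-second rate whether its payload is junk (what the Perl flooder sends) or well-formed SIP such as an INVITE flood. The threshold, addresses and messages are assumptions; in practice the input would come from a capture or the SIP proxy's request log.

```python
# Added example (not from the original article): detecting the UDP flood on
# port 5060 described above from a set of constructed datagrams. Thresholds,
# addresses and messages are assumptions for illustration; in practice the
# input would come from a packet capture or the SIP proxy's request log.
from collections import defaultdict, deque

RATE_LIMIT = 20     # assumed: more than 20 datagrams/second from one IP is a flood
WINDOW_S = 1.0      # sliding window length in seconds

SIP_METHODS = {"INVITE", "REGISTER", "OPTIONS", "ACK", "BYE", "CANCEL"}

def classify(payload):
    """Return the method of a well-formed SIP request line, else 'MALFORMED'."""
    try:
        request_line = payload.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return "MALFORMED"
    parts = request_line.split(" ")
    if len(parts) == 3 and parts[2] == "SIP/2.0" and parts[0] in SIP_METHODS:
        return parts[0]
    return "MALFORMED"

def detect_flood(datagrams):
    """datagrams: iterable of (time_s, src_ip, payload_bytes) seen on UDP/5060.
    Returns {src_ip: {"peak_rate": n, "malformed": m}} for every source whose
    datagram count inside some WINDOW_S-long window exceeded RATE_LIMIT."""
    recent = defaultdict(deque)     # src_ip -> arrival times inside the window
    peak = defaultdict(int)
    malformed = defaultdict(int)
    for t, src, payload in sorted(datagrams, key=lambda d: d[0]):
        if classify(payload) == "MALFORMED":
            malformed[src] += 1
        q = recent[src]
        q.append(t)
        while t - q[0] > WINDOW_S:  # q is never empty here: t was just appended
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: {"peak_rate": peak[src], "malformed": malformed[src]}
            for src in peak if peak[src] > RATE_LIMIT}

# Constructed traffic. A phone re-REGISTERs every half second, one flooder
# sends junk datagrams (what the Perl UDP flooder does), and another sends
# well-formed INVITEs at 100/s, which the rate check still catches.
LEGIT = [(0.5 * i, "192.0.2.20",
          b"REGISTER sip:pbx.example SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.20\r\n\r\n")
         for i in range(6)]
JUNK_FLOOD = [(0.01 * i, "198.51.100.7", b"\x00\x01\x02XXXX" * 8) for i in range(60)]
INVITE_FLOOD = [(0.01 * i, "203.0.113.5",
                 b"INVITE sip:100@pbx.example SIP/2.0\r\nVia: SIP/2.0/UDP 203.0.113.5\r\n\r\n")
                for i in range(40)]

if __name__ == "__main__":
    for src, info in detect_flood(LEGIT + JUNK_FLOOD + INVITE_FLOOD).items():
        print(src, info)
```

The malformed count separates the two kinds of flood: a junk flood is cheap to drop at the firewall, while a well-formed INVITE flood gets all the way into the SIP stack and needs rate limiting per source on the SBC or proxy. With --rand-source style spoofing the per-source counters no longer trigger, so the complementary check is the total request rate on the port.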
Smurf flood attack
A Smurf flood is a reflected and amplified DDoS: the attacker sends ICMP echo requests (pings) to the broadcast address of a network, with the source address spoofed to be the victim's. Every host on that network that answers broadcast pings sends its echo reply to the victim, so one attacker packet becomes as many packets as there are responding hosts. The victim is swamped with replies it never requested; with enough reflectors it cannot keep up and eventually crashes or becomes unreachable.
smurf6, part of the THC-IPv6 toolkit preinstalled on Kali Linux, performs the IPv6 version of this attack: it sends ICMPv6 echo requests to the all-nodes multicast address with the victim as the source.
smurf6 interface target_ip
Make sure you give the right network interface (wlan0 for Wi-Fi, eth0 for wired). Wireshark shows a large number of echo requests leaving as multicast packets (IPv6 has no broadcast) and every node on the link answering the victim.
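The following Python, added here and not part of the original article, spots a smurf reply storm from ICMP flow records: echo replies to a host that never sent the matching echo request, arriving from many different hosts at once. The records and the threshold are constructed for illustration.

```python
# Added example (not from the original article): recognising a smurf reply
# storm from ICMP flow records. The records are constructed and the threshold
# is an assumption; in practice the records would come from a capture or from
# NetFlow/IPFIX data on the victim's edge router.
from collections import defaultdict

ECHO_REQUEST, ECHO_REPLY = 8, 0   # ICMP type values
MIN_REFLECTORS = 10                # assumed: this many hosts replying unasked => reflection

def unsolicited_replies(records):
    """records: (time_s, src_ip, dst_ip, icmp_type).
    Returns {victim_ip: set of hosts that sent echo replies the victim never requested}."""
    asked = set()                   # (requester, target) pairs seen as echo requests
    unsolicited = defaultdict(set)
    for _, src, dst, icmp_type in sorted(records, key=lambda r: r[0]):
        if icmp_type == ECHO_REQUEST:
            asked.add((src, dst))
        elif icmp_type == ECHO_REPLY and (dst, src) not in asked:
            unsolicited[dst].add(src)
    return unsolicited

def smurf_victims(records):
    """Victims receiving unrequested replies from at least MIN_REFLECTORS hosts,
    with the reflector count (the amplification factor the attacker obtained)."""
    return {victim: len(hosts)
            for victim, hosts in unsolicited_replies(records).items()
            if len(hosts) >= MIN_REFLECTORS}

# Constructed records as seen at the victim's (192.0.2.9) network edge. The
# victim pings one host normally. Meanwhile an attacker elsewhere sends echo
# requests to the broadcast address of 203.0.113.0/24 with the source spoofed
# to 192.0.2.9; those requests never cross the victim's edge, only the 50
# replies from the hosts on that network do.
NORMAL = [(0.00, "192.0.2.9", "198.51.100.1", ECHO_REQUEST),
          (0.02, "198.51.100.1", "192.0.2.9", ECHO_REPLY)]
STORM = [(1.0 + 0.001 * i, "203.0.113.%d" % (10 + i), "192.0.2.9", ECHO_REPLY)
         for i in range(50)]

if __name__ == "__main__":
    print(smurf_victims(NORMAL + STORM))     # {'192.0.2.9': 50}
```

The spoofed requests never appear in the victim's own capture, which is precisely what makes the replies look unsolicited. The one legitimate pattern this would also flag is the victim itself pinging a broadcast address; on the reflector side the fix is to stop answering broadcast pings at all (net.ipv4.icmp_echo_ignore_broadcasts=1 on Linux, "no ip directed-broadcast" on Cisco routers).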
The network administrator should design a strategy for continuous monitoring of network traffic to measure VoIP QoS (Quality of Service). Many vendors provide monitoring solutions that track performance and alert on degradation. Build the network around a standard QoS model such as DiffServ. DiffServ is not a protocol but an architecture: each packet carries a DSCP marking and routers allocate resources (bandwidth, queue priority) per class, so that, for example, RTP voice streams marked EF (Expedited Forwarding, DSCP 46) are served before P2P or email traffic. Marking does not stop a flood, but it keeps calls usable while the flood is handled: enable SYN cookies on any SIP-over-TCP host, rate-limit SIP requests per source on the SBC or firewall, and make sure your own hosts do not answer broadcast pings so they cannot be used as smurf reflectors.
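To make the DiffServ point concrete, the following toy scheduler (an added example, not the article's own material) compares plain FIFO with strict priority for EF-marked voice while a bulk-traffic backlog builds on the same link. Link rate, packet sizes and the arrival pattern are constructed; real routers implement the EF per-hop behaviour with a policed low-latency queue rather than this model.

```python
# Added example (not from the original article): a toy link scheduler showing
# what DiffServ marking buys a voice stream. Link rate, packet sizes and the
# arrival pattern are constructed for illustration; real routers implement the
# EF per-hop behaviour with a low-latency queue rather than this model.
import heapq

DSCP_EF = 46   # Expedited Forwarding: the standard marking for RTP voice
DSCP_BE = 0    # best effort: bulk transfers, email, P2P

LINK_BYTES_PER_MS = 125   # assumed 1 Mbit/s link, i.e. 125 bytes per millisecond

def make_traffic():
    """Constructed mix: one 200-byte voice packet every 20 ms, plus a burst of
    ten 1500-byte bulk packets arriving at the same instants (more than the
    link can carry, so a backlog builds)."""
    pkts = []
    for k in range(10):
        t = 20.0 * k
        pkts.append((t, DSCP_EF, 200))
        pkts.extend((t, DSCP_BE, 1500) for _ in range(10))
    return pkts

def schedule(packets, priority):
    """Serialize packets over the link. With priority=True EF packets are always
    dequeued before best effort (strict priority, non-preemptive); otherwise FIFO.
    Returns the maximum queuing delay in ms seen by each DSCP class."""
    order = sorted(packets, key=lambda p: p[0])
    queue = []                      # heap of ((class_rank, seq), arrival, dscp, size)
    worst = {DSCP_EF: 0.0, DSCP_BE: 0.0}
    now = 0.0
    i = seq = 0
    while i < len(order) or queue:
        while i < len(order) and order[i][0] <= now:      # admit arrivals
            t, dscp, size = order[i]
            rank = 0 if (priority and dscp == DSCP_EF) else 1
            heapq.heappush(queue, ((rank, seq), t, dscp, size))
            seq += 1
            i += 1
        if not queue:               # link idle: jump to the next arrival
            now = order[i][0]
            continue
        _, t, dscp, size = heapq.heappop(queue)
        worst[dscp] = max(worst[dscp], now - t)
        now += size / LINK_BYTES_PER_MS                    # transmission time
    return worst

def compare():
    traffic = make_traffic()
    return {"fifo": schedule(traffic, priority=False),
            "diffserv": schedule(traffic, priority=True)}

if __name__ == "__main__":
    for name, worst in compare().items():
        print("%-8s worst voice delay %6.1f ms, worst bulk delay %6.1f ms"
              % (name, worst[DSCP_EF], worst[DSCP_BE]))
```

With FIFO the voice packets queue behind the bulk backlog and their delay grows to several hundred milliseconds, far past the 150 ms budget; with strict priority the worst voice delay is bounded by the serialization time of one bulk packet (12 ms on this link), while bulk traffic absorbs the entire backlog. That bounded delay is what the EF class is designed to guarantee.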