RE: [Serusers] Trusted IP and security. - sr-users

2 Feb 2005


      Hi Jamey, and Kiss, who answered in another message.
Thanks for the feedback.  I'm not worried about someone on the networks
local to the proxy server, so that won't be an issue.
As far as getting into a router between the user agent and proxy, I
believe it would have to be positioned such that they can redirect
packets destined for the "spoofed" IP, and I don't that's too
likely....though definitely something to look at.
Sending the invite with a spoofed IP would certainly be a potential DOS
type of attack, and one I'm concerned about
But what I am looking to prevent is someone making 'successful' phone
calls that are billed to another customer based on IP address, so I
believe both of you have basically confirmed my thinking...that someone
can't easily spoof IP's from outside the local network and make
successful usable calls.
I'll check out the articles Jamey recommended.
If anyone else has comments, I'd love to hear them!
Thanks again!
Tom
-----Original Message-----
From: Jamey Hicks [mailto:jamey.hicks@hp.com] 
Sent: Tuesday, February 01, 2005 6:42 PM
To: Tom Lowe
Cc: serusers@lists.iptel.org
Subject: Re: [Serusers] Trusted IP and security.
Tom Lowe wrote:
...
Hi all.
I have a "security" question regarding "trusted IP's".   Is it possible
for someone to SUCCESSFULLY spoof an IP and actually make working 
calls?
For example, '10.10.10.10' sends calls to SER (or any other proxy
server) at 20.20.20.20, but actually spoofs the IP by sending an IP 
address of 30.30.30.30, which happens to be trusted by the SER at 
20.20.20.20.
It is possible to successfully spoof an IP using ARP poisoning by 
someone with access to the local network.  This could not be detected 
from SER because responses would actually be routed to the attacker.  
ARP poisoning hijacks an IP address at the link layer.  Here are two 
articles that describe it and how to detect it and to protect against
it:
http://www.watchguard.com/infocenter/editorial/135324.asp
http://www.sans.org/rr/whitepapers/threats/474.php
Non-local attackers could get SER to deliver SIP messages for them by 
sending UDP/SIP packets with forged source IP addresses, but the 
attacker would not receive the responses and so should not be able to 
complete the INVITE/OK/ACK transaction unless they can predict the 
connection and header values that would be provided by the callee.  If 
the trusted IP addresses are local, these SIP messages could be detected
and dropped by an ingress filter that packets entering the network do 
not have source IP addresses within the network.
Hope this helps,
Jamey