1 Feb
2005
1 Feb
'05
3:18 p.m.
Hi all.
I have a "security" question regarding "trusted IP's". Is it
possible
for someone to SUCCESSFULLY spoof an IP and actually make working calls?
For example, '10.10.10.10' sends calls to SER (or any other proxy
server) at 20.20.20.20, but actually spoofs the IP by sending an IP
address of 30.30.30.30, which happens to be trusted by the SER at
20.20.20.20.
I ask because I'm having a discussion with a vendor who is trying to
tell me that using trusted IP's for SIP validation is insecure and
easily hacked. I don't think it is because when SER gets an INVITE from
30.30.30.30, it is going to send it's progress messages to 30.30.30.30,
regardless of the contents of the SIP messages....so the spoofer at
10.10.10.10 won't get any of the progress messages, and more importantly
won't be able to establish a talk path. I suspect he may still cause
SER to initiate some brief outbound calls, but they should fail when the
SIP protocol falls apart.
Does anyone have any thoughts on this?
Tom
1 Feb
1 Feb
6:41 p.m.
Tom Lowe wrote:
Hi all.
I have a "security" question regarding "trusted IP's". Is it
possible
for someone to SUCCESSFULLY spoof an IP and actually make working calls?
For example, '10.10.10.10' sends calls to SER (or any other proxy
server) at 20.20.20.20, but actually spoofs the IP by sending an IP
address of 30.30.30.30, which happens to be trusted by the SER at
20.20.20.20.
It is possible to successfully spoof an IP using ARP poisoning by
someone with access to the local network. This could not be detected
from SER because responses would actually be routed to the attacker.
ARP poisoning hijacks an IP address at the link layer. Here are two
articles that describe it and how to detect it and to protect against it:
http://www.watchguard.com/infocenter/editorial/135324.asp
http://www.sans.org/rr/whitepapers/threats/474.php
Non-local attackers could get SER to deliver SIP messages for them by
sending UDP/SIP packets with forged source IP addresses, but the
attacker would not receive the responses and so should not be able to
complete the INVITE/OK/ACK transaction unless they can predict the
connection and header values that would be provided by the callee. If
the trusted IP addresses are local, these SIP messages could be detected
and dropped by an ingress filter that packets entering the network do
not have source IP addresses within the network.
Hope this helps,
Jamey
2 Feb
2 Feb
3:48 a.m.
Hi,
If the attacker can get his hands on a router between the proxy and the
user agent then he can make the proxy believe he *IS* the trusted
endpoint.
And let's not forget a DOS attack, which can be achieved by simply sending
spoofed packets and use up the resources of the proxy ...
Regards
Kiss Karoly
On Tue, 1 Feb 2005, Tom Lowe wrote:
Date: Tue, 1 Feb 2005 15:18:10 -0500
From: Tom Lowe <tom(a)comprotech.com>
To: serusers(a)lists.iptel.org
Subject: [Serusers] Trusted IP and security.
Hi all.
I have a "security" question regarding "trusted IP's". Is it
possible
for someone to SUCCESSFULLY spoof an IP and actually make working calls?
For example, '10.10.10.10' sends calls to SER (or any other proxy
server) at 20.20.20.20, but actually spoofs the IP by sending an IP
address of 30.30.30.30, which happens to be trusted by the SER at
20.20.20.20.
I ask because I'm having a discussion with a vendor who is trying to
tell me that using trusted IP's for SIP validation is insecure and
easily hacked. I don't think it is because when SER gets an INVITE from
30.30.30.30, it is going to send it's progress messages to 30.30.30.30,
regardless of the contents of the SIP messages....so the spoofer at
10.10.10.10 won't get any of the progress messages, and more importantly
won't be able to establish a talk path. I suspect he may still cause
SER to initiate some brief outbound calls, but they should fail when the
SIP protocol falls apart.
Does anyone have any thoughts on this?
Tom
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
6 Feb
6 Feb
5:15 p.m.
I wouldn't do that with UDP - although the spoofer can not receive your
responses, it can send an INVITE which will setup a call (which might
cost $$$$).
using TCP is safer as for setting up the handshake also sequence number
guessing is necessary.
regards
klaus
Tom Lowe wrote:
Hi all.
I have a "security" question regarding "trusted IP's". Is it
possible
for someone to SUCCESSFULLY spoof an IP and actually make working calls?
For example, '10.10.10.10' sends calls to SER (or any other proxy
server) at 20.20.20.20, but actually spoofs the IP by sending an IP
address of 30.30.30.30, which happens to be trusted by the SER at
20.20.20.20.
I ask because I'm having a discussion with a vendor who is trying to
tell me that using trusted IP's for SIP validation is insecure and
easily hacked. I don't think it is because when SER gets an INVITE from
30.30.30.30, it is going to send it's progress messages to 30.30.30.30,
regardless of the contents of the SIP messages....so the spoofer at
10.10.10.10 won't get any of the progress messages, and more importantly
won't be able to establish a talk path. I suspect he may still cause
SER to initiate some brief outbound calls, but they should fail when the
SIP protocol falls apart.
Does anyone have any thoughts on this?
Tom
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
8:09 p.m.
but as mitnick showed us, sequence numbers can also be guessed :-)...or
should I say calculated, especially on some OS whos randomness is pretty
poor.
As for using trusted IP, well not a good idea, look at IP packet if you
change the route path, you could get the return message to be routed via
your untrusted IP address, hence in theory u could listen: get the RTP
stream, lookup source routing in IP packets,
Iqbal
Klaus Darilion wrote:
I wouldn't do that with UDP - although the spoofer
can not receive your
responses, it can send an INVITE which will setup a call (which might
cost $$$$).
using TCP is safer as for setting up the handshake also sequence number
guessing is necessary.
regards
klaus
Tom Lowe wrote:
Hi all.
I have a "security" question regarding "trusted IP's". Is it
possible
for someone to SUCCESSFULLY spoof an IP and actually make working calls?
For example, '10.10.10.10' sends calls to SER (or any other proxy
server) at 20.20.20.20, but actually spoofs the IP by sending an IP
address of 30.30.30.30, which happens to be trusted by the SER at
20.20.20.20.
I ask because I'm having a discussion with a vendor who is trying to
tell me that using trusted IP's for SIP validation is insecure and
easily hacked. I don't think it is because when SER gets an INVITE from
30.30.30.30, it is going to send it's progress messages to 30.30.30.30,
regardless of the contents of the SIP messages....so the spoofer at
10.10.10.10 won't get any of the progress messages, and more importantly
won't be able to establish a talk path. I suspect he may still cause
SER to initiate some brief outbound calls, but they should fail when the
SIP protocol falls apart.
Does anyone have any thoughts on this?
Tom
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
.
7079
days inactive
7085
days old
4 comments
5 participants
participants (5)
-
Iqbal Gandham -
Jamey Hicks -
Kiss Karoly -
Klaus Darilion -
Tom Lowe