[Serusers] Trusted IP and security.
Jamey Hicks
jamey.hicks at hp.com
Wed Feb 2 00:41:34 CET 2005
Tom Lowe wrote:
>Hi all.
>
>I have a "security" question regarding "trusted IPs". Is it possible
>for someone to SUCCESSFULLY spoof an IP and actually make working calls?
>
>For example, '10.10.10.10' sends calls to SER (or any other proxy
>server) at 20.20.20.20, but actually spoofs the IP by sending an IP
>address of 30.30.30.30, which happens to be trusted by the SER at
>20.20.20.20.
>
>
>
It is possible to successfully spoof an IP using ARP poisoning by
someone with access to the local network. This could not be detected
from SER because responses would actually be routed to the attacker.
ARP poisoning hijacks an IP address at the link layer. Here are two
articles that describe it and how to detect it and to protect against it:

http://www.watchguard.com/infocenter/editorial/135324.asp
http://www.sans.org/rr/whitepapers/threats/474.php

Non-local attackers could get SER to deliver SIP messages for them by
sending UDP/SIP packets with forged source IP addresses, but the
attacker would not receive the responses and so should not be able to
complete the INVITE/OK/ACK transaction unless they can predict the
connection and header values that would be provided by the callee. If
the trusted IP addresses are local, these SIP messages could be detected
and dropped by an ingress filter that checks that packets entering the
network do not have source IP addresses within the network.

Hope this helps,
Jamey
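
The ingress-filter check described in the reply above, as an added example that is not part of the original message: it reads the source address from an IPv4 header and drops packets that arrive on the external interface while claiming an internal source. The network prefix, the trusted addresses (documentation ranges), the interface labels and all function names are assumptions made for illustration.

```python
import ipaddress
import socket
import struct

# Assumed topology (not from the original message): documentation-range values.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
TRUSTED_IPS = [ipaddress.ip_address("192.0.2.30"),     # trusted peer inside the network
               ipaddress.ip_address("198.51.100.30")]  # trusted peer outside the network


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def build_ipv4_udp(src, dst, payload=b""):
    """Constructed sample input: minimal IPv4+UDP packet bytes (checksums left zero)."""
    udp = struct.pack("!HHHH", 5060, 5060, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


def source_address(packet):
    """Read the source address from an IPv4 header, rejecting malformed input."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return ipaddress.ip_address(packet[12:16])


def ingress_verdict(packet, interface):
    """Packets entering from outside must not carry a source address inside the network."""
    src = source_address(packet)
    if interface == "external" and is_internal(src):
        return "drop"
    return "accept"


def trusted_ips_not_covered():
    """Trusted addresses outside INTERNAL_NETS: this filter has no basis to reject them."""
    return [str(ip) for ip in TRUSTED_IPS if not is_internal(ip)]
```

A packet claiming the external trusted address is accepted by this check, which is why the reply limits the ingress filter to the case where the trusted addresses are local.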