ETD system

Electronic theses and dissertations repository


Thesis etd-11172006-174902

Thesis type
Master's degree thesis (Laurea specialistica)
Falomi, Marco
email address
Next Generation Network (NGN) Security: Preventing Attacks to VoIP Infrastructures
Degree programme
Supervisor Prof. Giordano, Stefano
Supervisor Ing. Niccolini, Saverio
Supervisor Dott. Garroppo, Rosario G.
Keywords
  • dos
  • prevention
  • spam
  • network
  • security
  • voip
  • sip
  • intrusion
  • simulator
  • spit
Defence session start date
Release date
Abstract
Voice over Internet Protocol (VoIP) is the technology that allows users to make phone calls over the Internet instead of over the Public Switched Telephone Network (PSTN). Beyond the remarkable advantage of lower costs (the low cost of service delivery and increased competition have encouraged the decline of prices for VoIP services), this new kind of telephony offers access to a large number of web-based services, such as presence information, voice-video-text chat, messaging, and multiparty conferences. The complete integration of all these services under full user control represents the added value with respect to the Plain Old Telephone Services (POTS) offered by the PSTN.

The use of VoIP technologies is more and more widespread today, since broadband access to the Internet, which is required for this technology, is now available to a large share of users. Based on VoIP research and broadband Internet penetration statistics, it has been estimated that, in the United States alone, there are already approximately 6 million VoIP users. It is expected that this number will climb to 9 million users by the end of 2006 and 24 million by the end of 2008. The number of VoIP providers continues to grow, as does the number of segments serving the industry. Included in the "VoIP Report, 3rd Edition" are 55 carriers and 56 vendors that are helping to shape and define this industry through its explosive growth.

In recent years, SIP has emerged as the most used protocol to start and handle VoIP communications. It has been designed to be a modular and flexible component of the Internet architecture. Since it inherited many features from the HTTP and SMTP protocols, it can easily interoperate with all the other Internet protocols. It is also designed to be scalable, and it will be able to deal with all the new users who are joining the world of Internet Telephony.
However, the security features of SIP do not seem to be enough to deal with the new generation of attacks and, in a scenario in which Internet Telephony becomes usable by everybody, feeding a huge and growing market, the security issue is fundamental.

Eavesdropping, hijacking, identity theft, Denial of Service, and many other threats have plagued Internet users since the beginning. Already, some of these IP-based attacks have also been directed against VoIP services, alarming the experts. In particular, like any other communication system, Internet Telephony is susceptible to SPAM attacks, and it is easy to foresee that VoIP users will soon become easy targets of SPIT (SPam over Internet Telephony) attacks. Among the security features adopted by SIP, none seems, at the moment, to be able to deal with this category of attacks. As with e-mail SPAM, great attention is now being paid to the problem of SPIT and, while the first episodes of SPIT have recently been observed, the first innovative anti-SPIT solutions are being realized, using all the experience collected with e-mail SPAM. Unfortunately, traces of real SPIT attacks are still not available in the literature, so it is not possible to test the prevention methods with real traffic. The only possibility to measure the effectiveness of a prevention system appears to be the use of a simulative approach.

This work represents my contribution to the research in this field and is the result of an eight-month internship at the Network Laboratories of NEC Heidelberg (Germany). During this internship I designed and implemented a new simulator, written in C, for testing voice SPAM identification and prevention methods, to be deployed in a SIP-based environment. I implemented an Intrusion Prevention System that, coordinating the use of three modules (a call-rate filter, an identity checking algorithm and a statistical pattern recognition module), is intended to reveal SPAM calls. The IPS has been designed to run on a device from which, as from a Session Border Controller (SBC), a large flow of calls can be monitored.
The simulator is composed of a traffic generator and an implementation of this IPS. The generated traffic flow is a mix of legitimate calls (for which different models of normal VoIP traffic have been realized) and attacking calls. A detailed configuration file allows the generator to simulate many different SPIT attacks (characterized by different intensity, number of attacking machines, statistics, etc.), so that the tests on the IPS can have the desired level of detail.
Looking at the results of the simulations, it was possible to distinguish and classify different attack scenarios and then, evaluating the response of the single modules, their strengths and weaknesses were studied for each scenario. In the end it was possible to define an automated procedure to set the optimal parameters of the modules for the different scenarios. This procedure to configure the IPS is adaptive, so that in each scenario the main role is automatically assigned to the module that is more effective at identifying the attacking calls. The effect is the optimization of the results in terms of low false positive and false negative percentages.

The work is organized in 6 chapters. Chapter 1 describes the Session Initiation Protocol (SIP) and shows the major components of its architecture and how they interact during a session. Chapter 2 is focused on the SBCs, and their importance as a defending point in the VoIP architecture is highlighted. Chapter 3 presents a taxonomy of the possible attacks on VoIP infrastructures, with particular attention to SPAM attacks. A description of the current security methods adopted by SIP is also given. In chapter 4 the three prevention modules that I used are described, and the design of the architecture of the whole IPS is introduced. Chapter 5 describes the implementation of the simulator. It explains the parameters used to generate different kinds of traffic flows, and gives a detailed description of the realization of the prevention modules. Chapter 6 concludes the work with the study of the experimental results. In the beginning, the results of the single modules are used to create a taxonomy of the possible SPIT attacks. Then the whole IPS is tested on each scenario, and the results are collected. In the last section the obtained results and future work are discussed. A detailed description of how to use all the simulator code is given in Appendix C.