Exploiting SIP for botnet communication

The Session Initiation Protocol (SIP) implements methods for generic service discovery and versatile messaging. It is, therefore, expected to be a key component in many telecommunication and Internet services. For example, the 3GPP IP Multimedia Subsystem relies heavily on SIP. Given its critical role, ensuring the security of SIP is clearly a crucial task. In this paper, we analyze the SIP protocol and show that it can easily be exploited to mount effective and large-scale botnets. We do this by scrutinizing the details of the SIP protocol and show how it offers a variety of ways to conceal botnet traffic within legitimate-looking SIP traffic. Using our analysis, we implement a SIP bot and present experimental results from a real testbed network. In addition, we employ traffic statistics collected from a large telecommunication provider and discuss the implications for both botnet design and detection. Finally, we present a software tool (called autosip) to generate synthetic traffic that resembles actual SIP traffic with different controllable characteristics. The proposed tool is quite useful for researchers working in the area who may not have access to traffic dumps from actual telecommunication providers.

[1]  J. Rosenberg,et al.  Session Initiation Protocol , 2002 .

[2]  Felix C. Freiling,et al.  Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm , 2008, LEET.

[3]  Guofei Gu,et al.  BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection , 2008, USENIX Security Symposium.

[4]  Christian Huitema,et al.  Session Initiation Protocol (SIP) Extension for Instant Messaging , 2002, RFC.

[5]  W. Timothy Strayer,et al.  Botnet Detection Based on Network Behavior , 2008, Botnet Detection.

[6]  G. Boggia,et al.  Drop call probability in established cellular networks: from data analysis to modelling , 2005, 2005 IEEE 61st Vehicular Technology Conference.

[7]  Gonzalo Camarillo,et al.  The 3G IP Multimedia Subsystem : Merging the Internet and the Cellular Worlds , 2004 .

[8]  Jonathan D. Rosenberg A Presence Event Package for the Session Initiation Protocol (SIP) , 2004, RFC.

[9]  Yao Zhao,et al.  BotGraph: Large Scale Spamming Botnet Detection , 2009, NSDI.

[10]  Wenke Lee,et al.  Modeling Botnet Propagation Using Time Zones , 2006, NDSS.

[11]  Gonzalo Camarillo,et al.  The 3G IP Multimedia Subsystem (IMS): Merging the Internet and the Cellular Worlds, Second Edition , 2006 .

[12]  Guofei Gu,et al.  BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic , 2008, NDSS.

[13]  Daniel Stutzbach,et al.  Understanding churn in peer-to-peer networks , 2006, IMC '06.

[14]  David Mazières,et al.  Kademlia: A Peer-to-Peer Information System Based on the XOR Metric , 2002, IPTPS.