Title of the deliverable: Towards a Secure and Reliable VoIP Infrastructure

This document provides an overview of the state of the art in intrusion and denial of service detection, as well as reliability approaches, for VoIP infrastructures. In this context we give a brief overview of the general architecture of a VoIP infrastructure and the possible attack scenarios against its different components. Here we consider attack scenarios on VoIP servers that use the SIP signalling protocol, attacks on DNS and ENUM, which are used for address resolution, and attacks on STUN, which is used for NAT traversal. Further, we present various approaches for securing service components in the Internet and discuss their suitability for VoIP services.
