2. VoIP Network Architecture


Towards a Scalable and Secure VoIP Infrastructure
Lab for Advanced Networking Systems
Director: David K. Y. Yau
Algorithm of Detection
1. Security Challenges:
Case 2. Low-rate DoS Attack on TCP Flow
Traditional telephone network
Highly reliable, voice specific, closed and physically secure system
Sample the traffic
Sample recent instantaneous throughput at a constant rate
Each time of detection consists of a sequence of instantaneous throughput
Avg BW = lR/T
Normalization is necessary
Normalized_Throughput
VoIP network
Filter the
Unpredictable/open transport, data/voice convergent, publicly connected (intelligent but untrusted/malicious systems)
Security should not be an afterthought
Media, signaling, infrastructure attacks
The background noise of the samples needs to be filtered.
Background noise
(UDP flows and other TCP flows that are less sensitive to attack)
For simplicity, a threshold filter can be used.
noise
Sufficiently large attack burst
Packet loss at congested router
TCP time out & retransmit after RTO
Attack period = RTO of TCP flow,
TCP continually incurs loss & achieves zero or very low throughput.
Normalized_Throughput = Instantaneous_throughput / Maximum_link_bandwidth
Extract the signature
Autocorrelation is adopted to extract the periodic signature of the input signal.
Periodic input => special pattern of its autocorrelation.
(Autocorrelation can also mask the difference of time shift S)
Unbiased normalization
2. VoIP Network Architecture
Pattern
Protocol Stack
SIP flood and spoofing / theft-of-service / authentication attack
M: length of input sequence
m: index of autocorrelation
match
1 M m 1
Ax ( m ) 
X mn  X n

M  m n 0
Mobile VoIP
phone
DNS server
Robustness of Detection
Similarity between the template and input should be calculated.
User registration
Proxy / redirect server
SIP signaling / TLS / TCP
We use the Dynamic Time Warping
(DTW).
$\mathrm{DTW}(\mathrm{Template}, \mathrm{Input}) = \min\left(\sum_{k=1}^{K} w_k\right)$
Wireless attack, jamming, RTS / CTS attack
Session Initiation Protocol (SIP)
IP network
VoIP phone
Probability distribution of DTW values
(The detailed DTW algorithm is provided in our research work.)
The smaller the DTW value, the more similar they are.
Media: RTP/RTCP/UDP
INVITE sip:[email protected]
Media eavesdropping,
UDP / RTP flood,
encryption attack,
faked ToS (theft-of-service)
Media gateway
Device Threats
Virus, misconfiguration, compromise (phone)
TLS flood, authentication / encryption (proxy)
RTP port starvation (media gateway)
POTS
INVITE
sip:[email protected]
180 Ringing
180 Ringing
200 OK
200 OK
Attack flows vs. legitimate flows
DTW values will be clustered; a threshold can be set to distinguish them.
Expect a separation between them.
threshold
ACK
Media
Stream
BYE
Legacy phone
200 OK
Case 1. Flooding Attack
3. SIP: Security Issues
•SIP requires:
(1) DDoS attack
(2) Low-Rate TCP attack
(3) Jamming attack
• Common jamming
• Low-rate attack on the control plane
• Exploiting the protocol: RTS-CTS
Server
•If not handled carefully, VoIP won’t fly.
[Figure: Example Max-min Rates (L=18, H=22)]
Solution: Router Throttle
Securely
installed by S
Aggressive flow
defer
time
4. Conclusion
• Security solutions
Throttle
for S
To S
Throttle
for S’
To S’
Seek experimental evaluation
Initial focus will be on denial-of-service, considering security protocols like SRTP, TLS, S/MIME, SSL, etc.
Protocol design and analysis (solutions must be scalable despite encryption, authentication, etc.)
RTS-CTS Jamming
•Wireless VoIP using 802.11
•Wi-Fi Security problems:
Proxy server, Redirection Server, Firewall, etc.
•These servers can be subjected to
Case 3. Wi-Fi Jamming
Deployment router
Realistic testbed network
Hope to evolve into international scope: Bell Labs (NJ), Purdue (IN),
Chinese University (Hong Kong), …