A Denial of Service attack targets the availability of an endpoint, leaving it unusable or unavailable for an extended period of time. It is worth noting that the consequences of DoS attacks differ in severity between one environment and the next. For example, a DoS attack on an NFS daemon may prevent end users from gathering files over the network; however, a DoS attack on a VoIP network might prevent a user from calling 911 in case of an emergency. While any type of DoS attack is undesirable, the severity of a DoS attack on VoIP networks can often be higher because of end users’ reliance on voice communication.
As with downgrade authentication attacks, predictable session information and a lack of integrity protection open the door for Denial of Service attacks against IAX endpoints. Were those two weaknesses absent, an active attacker could not spoof the necessary control frames.
WARNING Be aware that using AES encryption to protect the voice traffic of a call does not prevent DoS attacks. These attacks are still possible, because session information is still sent in cleartext.
The following section discusses a few of the DoS attacks identified in the IAX protocol.
Registration Reject
The Registration Reject attack prevents an endpoint from registering to the Asterisk server (AS). An attacker monitors the network for an endpoint that is attempting to register with the AS using a registration request (REGREQ) packet. The attacker then parses out certain required values from the REGREQ packet, such as the Destination Call ID (DCID), Outbound Sequence Number (oseq), Inbound Sequence Number (iseq), username length, and username. Once the information has been extracted, the attacker increases the iseq value by two (e.g., 161 is increased to 163). After the sequence information has been increased appropriately, the attacker injects a spoofed Registration Reject (REGREJ) packet from the AS to the endpoint. However, this attack works only if the attacker’s packet reaches the targeted endpoint before the server’s REGAUTH packet. Otherwise, the registration process continues normally. See Figure 5-11 for an example.
Figure 5-11 shows an endpoint attempting to register to an Asterisk server. During the authentication process, the attacker pulls the required session information from the REGREQ packet. Once the information has been obtained, the attacker injects a REGREJ packet, specifying that the authentication process has failed. When the endpoint receives the spoofed packet, it thinks that the registration process has failed and ignores the server’s MD5 challenge.
Signaling and Media: IAX Security
Figure 5-11: Registration reject attack
Call Reject
The call reject attack prevents calls from being accepted. In this attack, the attacker monitors the network for indications, such as NEW, ACCEPT, or RINGING packets, that a call is coming in. The attacker then parses out the required information from one of these packets, such as Source Call ID (SCID), Destination Call ID (DCID), Inbound Sequence Number (iseq), and Outbound Sequence Number (oseq). Once the information has been parsed, the attacker manipulates the iseq and oseq values so that the sequence information will be valid for a spoofed REJECT packet. After assembling a packet based on these values, the IP and MAC addresses of the call recipient, and the IP and MAC addresses of the caller, the spoofed REJECT packet is sent to the caller. If the spoofed packet reaches the caller before the call recipient’s ANSWER packet, the caller will think the call has been rejected. Otherwise, the call will be established as intended and the spoofed packet will be ignored. See Figure 5-12 for an example.
Figure 5-12: Call reject attack
[Figure 5-11 diagram: Asterisk Server, Attacker, IAX Endpoint; messages: Registration Request (REGREQ), Challenge: 214484840, Registration Reject (REGREJ), Registration Reject ACK]
[Figure 5-13 diagram: IAX Endpoint A, Attacker, IAX Endpoint B; messages: PING, HANGUP, ACK, MEDIA]
Figure 5-12 shows an attacker monitoring the network for a call setup packet, in this case RINGING, that indicates when an endpoint is attempting to place a call. The attacker then pulls the required session information from this packet, constructs a spoofed REJECT packet, and injects it into the network traffic. Upon receiving this packet, the endpoint believes the call has been rejected and ignores any further control packets for it.
HangUP
The HangUP attack disconnects calls that are in progress between two endpoints. To initiate the attack, the attacker monitors the network for any traffic that indicates a call is in progress, such as an ANSWER packet, a PING or PONG packet, or a voice packet with audio. The attacker then parses out the following required values from one of these packets: the Source Call ID (SCID), Destination Call ID (DCID), Inbound Sequence Number (iseq), and Outbound Sequence Number (oseq). Once this is complete, the attacker must manipulate the sequence of iseq and oseq values to create a valid spoofed HANGUP packet. Finally, the attacker injects the spoofed HANGUP packet with the now correct information, causing the call to be dropped. See Figure 5-13 for an example.
Figure 5-13: Call hangup attack
Figure 5-13 shows an existing call between two endpoints, with media flowing in both directions. During a phone call, a control frame is sent across the network (a PING in Figure 5-13) that contains the session information needed to complete this attack. From that information, a spoofed HANGUP packet is created and sent to endpoint A. Once endpoint A receives the information, the existing phone call is dropped. At that time, endpoint B is unaware of the HANGUP and continues sending data, but endpoint A will no longer process those incoming packets. Zane Lackey, co-author of this chapter, has created a tool in Python named IAXHangup.py that automates this attack. The tool can be downloaded from http://www.isecpartners.com/tools.html.
[Figure 5-14 diagram: IAX Endpoint A, Attacker, IAX Endpoint B; messages: PING, QUELCH, ACK, MEDIA]
IAXHangup is a tool that disconnects IAX calls. It first monitors the network in order to determine if a call is taking place. Once a call has been identified and a control frame containing session information has been observed, IAXHangup injects a HANGUP control frame into the call to force an endpoint to drop it. The tool has two modes of operation, which are described below:
Targeted attack
To run IAXHangup in targeted mode, interrupting a call between two specific endpoints, use the following syntax:
iaxhangup.py -i eth0 -a 1.1.1.1 -b 2.2.2.2
In this example, the tool listens on the eth0 interface for control frames indicating that a call is taking place between hosts 1.1.1.1 and 2.2.2.2. IAXHangup.py then injects a HANGUP command to disconnect the call.
Wildcard attack
To run IAXHangup in wildcard mode, where it will look for calls between any hosts, use the following syntax:
iaxhangup.py -i eth0 -e
Here, the syntax instructs IAXHangup to listen on the eth0 interface for a call between any hosts on the network and disrupt them with HANGUP control frames accordingly.
Hold (QUELCH)
The Hold attack is aimed at disrupting communication between two end- points, rather than forcibly disconnecting their call. To achieve this, the Hold attack leverages the QUELCH command in IAX, which is used to halt audio transmission. This attack may be used instead of HangUP if an attacker wants to trick a caller into thinking that a call is still connected, despite the fact that the caller cannot be heard by the user on the other side of the call. The attack occurs by placing one side on hold while not notifying the other side. For this attack, the attacker again monitors the network for any signs that a call is in progress, such as an ANSWER packet, a PING or PONG packet, or a Mini voice packet. The attacker extracts the Source Call ID (SCID), Destination Call ID (DCID), Inbound Sequence Number (iseq), and Outbound Sequence Number (oseq) as before and manipulates the iseq and oseq values so they will be valid for a spoofed Hold (QUELCH) packet. Finally, the attacker injects the spoofed QUELCH packet, causing one side of the conversation to be placed on hold without either of the users’ knowledge. See Figure 5-14 for an example.
Figure 5-14 shows an existing call between two endpoints, with media flowing in both directions. During a phone call, control frames are sent across the network (here, a PING) that contain important session information that an attacker needs in order to build a valid spoofed packet. With this information, the attacker can spoof a QUELCH packet and send it to endpoint A. From this point forward, the connection is still live but strictly one-sided. Endpoint A will no longer send media (audio) to endpoint B.
Figure 5-14: Call reject attack
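A passive detection sketch for the four injected-frame attacks described above (Registration Reject, Call Reject, HangUP, and Hold). This is an added example, not code from the book or from the IAXHangup tool. It assumes a network sensor that hands the detector each IAX/UDP payload together with its source and destination IP addresses; the addresses, call numbers and frames in the sample traffic are constructed for the example. Both rules follow directly from the text: the legitimate peer is unaware of the spoofed frame, so its next real full frame reuses the outbound sequence number the spoofed frame consumed, and after an injected HANGUP the peer that supposedly hung up keeps sending media to the torn-down endpoint.

```python
"""Passive detector for injected IAX control frames (REGREJ, REJECT, HANGUP, QUELCH).

Added example; frame layout follows RFC 5456 section 8.1 (12-byte full-frame
header, 4-byte mini-frame header).  Sample traffic below is constructed.
"""
import struct
from dataclasses import dataclass

FT_VOICE, FT_IAX = 2, 6
IAX_PING, IAX_ACK, IAX_HANGUP, IAX_REJECT, IAX_INVAL = 2, 4, 5, 6, 10
IAX_REGREQ, IAX_REGAUTH, IAX_REGREJ, IAX_VNAK, IAX_QUELCH = 13, 14, 16, 18, 28
NO_SEQ = {IAX_ACK, IAX_INVAL, IAX_VNAK}        # subclasses that do not consume oseq
NAMES = {IAX_PING: "PING", IAX_HANGUP: "HANGUP", IAX_REJECT: "REJECT", IAX_REGREQ: "REGREQ",
         IAX_REGAUTH: "REGAUTH", IAX_REGREJ: "REGREJ", IAX_QUELCH: "QUELCH"}


@dataclass
class Frame:
    src_ip: str
    dst_ip: str
    full: bool
    scall: int      # source call number (15 bits)
    dcall: int      # destination call number (full frames only)
    ts: int
    oseq: int
    iseq: int
    ftype: int
    sub: int


def parse_frame(src_ip: str, dst_ip: str, payload: bytes) -> Frame:
    """Decode a full-frame or mini-frame IAX header; media bytes are ignored."""
    first = struct.unpack("!H", payload[:2])[0]
    if first & 0x8000:                                          # F bit set: full frame
        w1, w2, ts, oseq, iseq, ftype, sub = struct.unpack("!HHIBBBB", payload[:12])
        return Frame(src_ip, dst_ip, True, w1 & 0x7FFF, w2 & 0x7FFF, ts, oseq, iseq, ftype, sub & 0x7F)
    ts = struct.unpack("!H", payload[2:4])[0]                   # mini frame: 16-bit timestamp
    return Frame(src_ip, dst_ip, False, first & 0x7FFF, 0, ts, 0, 0, FT_VOICE, 0)


def _name(ftype: int, sub: int) -> str:
    return NAMES.get(sub, str(sub)) if ftype == FT_IAX else f"type{ftype}/{sub}"


def detect(packets):
    """Apply both rules to (src_ip, dst_ip, payload) tuples; return alert strings."""
    alerts = []
    seen = {}      # (dst_ip, dcall) -> {oseq: (ftype, sub, ts)} of full frames delivered there
    hung_up = {}   # (src_ip, scall) that "sent" a HANGUP -> destination leg it tore down
    for src, dst, payload in packets:
        f = parse_frame(src, dst, payload)
        if not f.full:                                          # media (mini frame)
            torn = hung_up.pop((f.src_ip, f.scall), None)
            if torn:
                alerts.append(f"media from {f.src_ip}/{f.scall} after its HANGUP to {torn}: "
                              "injected HANGUP suspected")
            continue
        if (f.ftype == FT_IAX and f.sub in NO_SEQ) or f.dcall == 0:
            continue                                            # no leg yet, or no oseq consumed
        leg = (f.dst_ip, f.dcall)
        ident = (f.ftype, f.sub, f.ts)
        prior = seen.setdefault(leg, {}).get(f.oseq)
        if prior is not None and prior != ident:                # same oseq, different frame
            alerts.append(f"oseq {f.oseq} reused toward {leg[0]}/{leg[1]}: "
                          f"{_name(prior[0], prior[1])} then {_name(f.ftype, f.sub)}")
        seen[leg][f.oseq] = ident
        if f.ftype == FT_IAX and f.sub == IAX_HANGUP:
            hung_up[(f.src_ip, f.scall)] = f"{f.dst_ip}/{f.dcall}"
    return alerts


# ---- constructed sample capture (fixtures for the detector, not live traffic) ----
def _full(scall, dcall, ts, oseq, iseq, ftype, sub):
    return struct.pack("!HHIBBBB", 0x8000 | scall, dcall, ts, oseq, iseq, ftype, sub)


def _mini(scall, ts):
    return struct.pack("!HH", scall, ts) + b"\x00" * 20         # 20 bytes of dummy audio


A, B, E, S = "10.0.0.10", "10.0.0.20", "10.0.0.30", "10.0.0.1"  # constructed addresses
SAMPLE = [
    (B, A, _full(9, 5, 1000, 3, 4, FT_IAX, IAX_PING)),     # call A(5) <-> B(9): B pings
    (A, B, _full(5, 9, 1001, 4, 4, FT_IAX, IAX_ACK)),      # A acknowledges
    (B, A, _full(9, 5, 1500, 4, 5, FT_IAX, IAX_HANGUP)),   # frame claiming to be B's, next valid seq
    (A, B, _full(5, 9, 1501, 5, 5, FT_IAX, IAX_ACK)),      # A accepts it and drops the call
    (B, A, _mini(9, 1520)),                                # B is unaware: media keeps flowing
    (B, A, _mini(9, 1540)),
    (B, A, _full(9, 5, 2000, 4, 5, FT_IAX, IAX_PING)),     # B's real next PING reuses oseq 4
    (E, S, _full(1, 0, 10, 0, 0, FT_IAX, IAX_REGREQ)),     # endpoint E(1) registers with server S
    (S, E, _full(7, 1, 12, 0, 1, FT_IAX, IAX_REGREJ)),     # REGREJ delivered before the challenge
    (S, E, _full(7, 1, 15, 0, 1, FT_IAX, IAX_REGAUTH)),    # server's genuine REGAUTH, same oseq
]

if __name__ == "__main__":
    for line in detect(SAMPLE):
        print(line)
```

The sequence-reuse rule covers all four attacks, including registration: the spoofed REGREJ and the server's genuine REGAUTH are both delivered to the endpoint's registration leg with the same outbound sequence number. ACK, INVAL and VNAK are skipped because they do not consume a sequence number, and an exact retransmission (same type, subclass and timestamp) is not reported, so the rule does not fire on ordinary loss recovery.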
Summary
IAX has the potential to be a very popular protocol for VoIP architectures because of the growing popularity of the Asterisk PBX system. Its simple nature, friendliness with network firewalls, reliance on a single UDP port, unified signaling and media transfer protocol, and relatively few network components (no media proxies, gateways, gatekeepers, or STUN servers) make it very attractive. Despite the many operational and functional advantages over SIP or H.323, though, it does not fare much better in terms of security. In fact, the authentication weaknesses of SIP and H.323 are mirrored, and are in some cases worse, in IAX. Furthermore, the lack of use and/or support for encryption in media transfers is very similar between IAX and RTP. Factor in the susceptibility to Denial of Service attacks and IAX, SIP, and H.323 all share a similar vulnerability profile.
However, the possible security benefits of IAX, as listed in its RFC, can be achieved once support for proper authentication and encryption appears on IAX endpoints and servers. For example, IAX support for RSA public and private keys would greatly strengthen its authentication model against passive and active network attacks. Additionally, AES encryption based on a sufficiently secure, pre-set shared secret can encrypt media communication. This would prevent passive attackers from eavesdropping on or injecting audio into telephone conversations (as long as the key is not sent over cleartext). However, while proper encryption would prevent eavesdropping and audio injection, IAX will still be susceptible to Denial of Service attacks as long as session information remains in cleartext. Even if encryption is used with IAX, it must continue to guard against design flaws that allow authentication downgrade attacks.
[Figure 5-12 diagram: IAX Endpoint A, Attacker, IAX Endpoint B; messages: RINGING, REJECT, ACK, ANSWER]