AUTOMATED INTRUSION DETECTION AND PREVENTION SYSTEM OVER SPIT . - Zenodo


2015 International Symposium on Technology Management and Emerging Technologies (ISTMET), August 25 - 27, 2015, Langkawi, Kedah, Malaysia

Automated Intrusion Detection and Prevention System over SPIT (AIDPoS)

Amna Saad, Ahmad Roshidi Amran, Izzat Norkhalim and Mohd Adib Mohd Yusof
Universiti Kuala Lumpur: UniKL City Campus, MIIT, 1016, Jalan Sultan Ismail, 50250 Kuala Lumpur; UniKL BMI, Batu 8 3/4, Jalan Sungai Pusu, 53100 Gombak, Selangor, Malaysia
Email: amna@unikl.edu.my, aroshidi@unikl.edu.my, izzat3113@gmail.com and adib.gmi@gmail.com

U.S. Government work not protected by U.S. copyright

Abstract—Systems employing the Internet and Voice over Internet Protocol (VoIP) are an alternative to the legacy landline telephony system. The services offered by these systems allow users to communicate with their family members, friends, banks and business partners whenever they are online. In particular, the VoIP service is popular with Internet users because charges are bound into usually fixed access costs, making the price of the long distance calls themselves appear economical and even free. However, VoIP services have several disadvantages. One of the disadvantages of VoIP is that it is exposed to Internet security vulnerabilities, threats and attacks. The attacks come in many forms. One of the methods to attack the VoIP service is by sending Spam over Internet Telephony (SPIT). SPIT is normally executed by malicious parties initiating automated, unsolicited and unwanted communications that use VoIP or video conferencing services, just like email SPAM. Solutions to mitigate SPIT are still lacking. To defend a VoIP system from SPIT, we have come out with the idea of an Automated Intrusion Detection and Prevention System over SPIT (AIDPoS) that can detect and prevent SPIT from external parties from entering the VoIP network. AIDPoS is a combination of an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) on a Voice over IP (VoIP) server. This is experimental research to find a solution to combat SPIT if it happens in the future. Our result shows that an automated intrusion detection and prevention system over SPIT attack is feasible. Our work is on an open source VoIP network. Other vulnerabilities and threats are important, but beyond our research scope and are not covered in this paper.

I. INTRODUCTION

VoIP is becoming increasingly popular, mainly due to its advantages in terms of communication and multimedia services. This fact may also shift several problems from the Internet context to the VoIP service itself, such as Spam to Spam over Internet Telephony (SPIT) [7]. The high popularity of VoIP in the last few years leads to greater attention from hackers. Nevertheless, in many VoIP services, security is the last feature to be considered. The top priority is to provide a functional VoIP service. The IP network infrastructure provides other services as well, which are not related only to VoIP traffic. All these factors lead to a situation where a VoIP service easily becomes a target of attacks.

A. VoIP Attacks

In the early days of VoIP, there was no big concern about security issues related to its use. People were mostly concerned with its cost, functionality and reliability. Now that VoIP is gaining wide acceptance and becoming one of the mainstream communication technologies, security has become one of the major concerns. For example, VoIP functionality has been integrated into many instant messaging tools such as ICQ or Google Talk [2].

While enterprise VoIP offers many intangible benefits such as cost efficiency and productivity benefits, it also opens the door to external threats. That is because VoIP, at its heart, is a voice data network, making it a prime target for hackers, data thieves and other types of online troublemakers. There are many types of VoIP security and privacy threats as listed in the Voice over IP Security Alliance Public Release 1.0.24, October 2005, including physical intrusion, social threats and intentional service interruption [17]. We highlight a few important threats and attacks below:

1) Denial of Service (DoS) Attack

The VoIP Security Alliance categorizes denial of service into VoIP specific DoS, network services DoS, DoS attack on operating system or firmware and Distributed Denial of Service (DDoS) [17]. These attacks can disrupt the Internet system, which affects all related Internet services, unlike social threats, eavesdropping, interception and modification attacks. Worse yet, the ability to dial in and out of VoIP overlays allows the control of applications via a voice network, making it nearly impossible to trace an attack's source. Additionally, proprietary protocols, used by a number of VoIP applications, inhibit the ability of ISPs to track DoS activity [3].

2) Spam over Internet Telephony (SPIT)

SPIT is defined as a bulk of unsolicited session initiation attempts, attempting to establish a voice or video communications session. If a user answers the call, the spammer proceeds to relay their message over the real-time media. This is the classic telemarketer spam, applied to a VoIP initiation protocol such as the Session Initiation Protocol (SIP). For the record, PSTN call spam already existed in the form of telemarketer calls. Although these calls are annoying, they do not arrive in the same kind of volume as email spam [10].

According to C. Jennings, the main reason for SPIT to become popular is that it is cost-effective for spammers [12]. The spam could be in the form of a malicious application like a botnet [4]. The spammers only need to program one botnet to make multiple calls. Another reason SPIT is getting popular is its effectiveness compared to email spam. For email spam, a user may already realize that he has been spammed. As a precaution, he is in control to switch the spam filter for his email account on or off. In addition, it would not affect the email service much, because email is not received in real time. However, SPIT is difficult to control since VoIP calls happen in real time. The best way to combat SPIT is to block the calls before they reach the end users. This can create a headache for a Network Administrator. The issue is to determine whether each call is from a genuine caller or generated by a malicious application over a device. Network Administrators do not want to block genuine calls; however, they can only do this if they can identify and classify the genuine calls over SPIT attacks.

B. Intrusion Detection and Prevention System

An Intrusion Detection System (IDS) is a system that helps information systems prepare for, and deal with, attacks. They accomplish this by collecting information from a variety of system and network sources, and then analyzing the information for possible security problems [14]. The intrusion detection system detects unauthorized use of or attacks on a system or on a network. An IDS is designed and used to detect and then to deflect or deter such attacks from unauthorized use of systems, networks and related resources [15].

On the other hand, an Intrusion Prevention System (IPS) is an advanced version of an IDS. By definition, an IPS is any hardware or software that has the ability to detect attacks, both known and unknown, and prevent the attack from being successful. Basically an IPS is a firewall which can detect an anomaly in the regular routine of network traffic and then stop the possible malicious activity [8].

The main difference between an IDS and an IPS is in how they treat the packets once the packets are suspected of being malicious. The IDS would allow the packets to go through and deal with them off-line. On the other hand, the IPS will do the filtering and deflect the packets on-line. The IPS would require a large amount of system resources to perform well.

We are interested in finding a solution to detect and overcome SPIT attacks. Pertaining to this, we have come out with the idea of an Automated Intrusion Detection and Prevention System over SPIT (AIDPoS). AIDPoS is an Intrusion Detection and Prevention System that can detect and prevent the intrusion, i.e. SPIT, from the external network to the VoIP service. This system is a complete Proof of Concept (PoC) system for an Intrusion Detection System (IDS), Intrusion Prevention System (IPS) and Voice over Internet Protocol (VoIP). In addition, we also collect data through a packet sniffer. The data would be analyzed in order to identify and recognise any security breaches that may occur.

The rest of this paper is organised as follows. In Section II, we look at the related work done by other researchers. Section III discusses the prototype of the Automated Intrusion Detection and Prevention System over SPIT (AIDPoS). Finally, Section IV briefly discusses the testing and results, followed by the conclusion and suggestions in Section V.

II. RELATED WORKS

Security is one of the two major concerns for the VoIP community. The other concern is related to the quality of the service. It is believed that increasing security mechanisms would result in poor performance of VoIP services due to the additional processing of the security mechanism that would increase the overall end-to-end delay [6]. On the other hand, without security mechanisms in their proper places, VoIP services would be vulnerable and open to threats and attacks. An effective security mechanism is necessary for a secured VoIP environment. Hence, the security to be imposed on VoIP services must not be a further hindrance to the quality of service of the real-time applications.

III. SYSTEM PROTOTYPING AND INSTRUMENTATION

The system prototype consists of the hardware and software parts that are required for the experiment; refer to Fig. 1. There are two servers that act as the IDS/IPS security system and a VoIP communication server. The first server is installed with Snort and Wireshark. Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS) created by Martin Roesch in 1998. Snort runs on several operating systems such as Fedora, CentOS, FreeBSD and Windows [16]. We are running Snort on the Fedora operating system. On the other hand, Wireshark is normally used as a packet sniffer and analyser [13]. In Fig. 1 the Snort server is facing the Interceptor. We installed Asterisk in the VoIP communication server. Asterisk supports the Session Initiation Protocol (SIP) [1]. SIP is an IETF protocol standard for establishing and tearing down call sessions [11]. The main purpose of SIP is to initiate, modify and terminate sessions between two (or more) Internet end entities. Other network devices required for the prototype are a switch, a wireless access point and softphones. The wireless access point allowed us to connect the prototype system to the UniKL MIIT laboratory subnet. Private IPv4 addresses are used in the prototype. In this prototype we are using two different physical servers, hence we connect the two servers using a port bridge. A network bridge, i.e. a Link Layer device, can be set up in the Interceptor which is connected to the IDS/IPS server.
It is important to set bridging at the IDS/IPS because the bridging will help the server become transparent and the attacker will not know of the existence of the Interceptor in the system. It is a good way to divert the attacker from attacking the Interceptor. Alternatively, a software bridge can be used within a Linux host in order to emulate a hardware bridge, for example in virtualization applications, i.e. for sharing a NIC with one or more virtual NICs.

Fig. 1. AIDPoS network topology

Fig. 2 shows the step-by-step progression of the whole system in order to distinguish genuine calls and SPIT attacks. The system starts with a VoIP user making either a genuine call or executing a SPIT attack. Both calls are then sent to Snort for packet detection and prevention, to avoid illegal packets intruding into the system. If Snort detects illegal packets, Snort will block the call. The call will be terminated and the user is forbidden from accessing the system again, based on the source IP address that was captured at the time the attack was launched.

However, if there is no illegal packet, Snort will pass the packet to Asterisk. Asterisk will allow the caller to make a direct call. On the other side, a user that received the call (i.e. a receiver) would hear that the phone is ringing. The receiver picks up the phone, resulting in the call establishment.

We believe that the proposed system comprises all the necessary components of a VoIP system, IDS and IPS system to identify and block SPIT. This system is executed in real time and it simulated the actual VoIP system with an enhanced security system in place.

IV. TESTING AND RESULTS

Fig. 3 shows the schematic diagram of the overall prototype. It shows how the system is divided into two phases. The first phase is to detect calls and classify their types, and the second phase is to block any unsolicited calls from reaching the end user while allowing genuine packets to pass through.

In the first phase, the user will make a genuine call while the attacker will try to attack the system by using SPIT.

Fig. 2. AIDPoS flow diagram

Fig. 3. AIDPoS Schematic Layout

Both calls will be sent to the Interceptor, which consists of Snort as IDS/IPS and Wireshark as a packet sniffer. The IDS/IPS will detect the illegal packets and the attacker will be automatically blocked by the system and cannot be connected anymore. The genuine caller will be connected through the VoIP communication server, which executes the call in the second phase. During this phase, Asterisk as the VoIP communication server will allow the caller to make a direct call.

In the second phase, the attacker will make a voice call by setting up the 'bulk' call using SIPp, a free Open Source test tool or traffic generator for the SIP protocol [5]. On the other hand, the genuine call is made using a soft phone. Both types of calls will be identified and detected by the Snort IDS/IPS system. The unwanted calls will be blocked while the genuine calls will be forwarded to the Asterisk Server to establish the connection. Snort then logs the IP address of the attacker so that the attacker cannot be connected to the system again. The process of Snort activities is described in the subsections below.

Fig. 4. Sample of Snort rules

Fig. 5. Sample of Snort log

A. Attack Detection by Snort

Snort detects and blocks the attack based on the rules set in its database table. All rules must be set before Snort starts the detection process. Snort listens through the interface that the Network Administrator has set, i.e. eth0; refer to Fig. 1. If a packet matches any Snort rule, as depicted in Fig. 4, Snort would take action according to that rule and would generate alerts. However, Snort might require other plugins to perform other tasks. In this example, the protocol-voip-rules would require a Snort plugin, i.e. Snortsam, to automatically block any unauthorised IP addresses that were logged in Linux iptables [9]. Other than that, Snortsam can also block unsolicited packets at any border device such as:

- Checkpoint Firewall-1
- Cisco PIX Firewall
- Cisco Routers
- Netscreen firewall
- IP Filter (ipf) Unix-based OS firewall
- Linux ipchains
- Linux iptables
- Watchguard firewall

Alerts may be generated in different forms. Alerts can be seen with the basic setup logged in the /var/log/snort/alerts file. Fig. 5 shows the detection of an attack named Inviteflood and the alert that has been logged. We can also obtain the Snort summary as provided in Fig. 6.

B. Packet Sniffing by Wireshark

In AIDPoS, Wireshark acts as a packet sniffer that would capture all incoming packets. Wireshark would capture all packets, including any genuine calls and unsolicited calls. However, in this system Wireshark was set to filter in and capture the protocols related to VoIP; for example, the protocols that are related to VoIP are UDP, RTP and SIP. The sample of captured packets that have been filtered is shown in Fig. 7.
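As an added illustration, not code from the AIDPoS paper nor from the Snort or Snortsam projects, the following Python model reproduces the phase-one path of Sections IV-A and IV-B: it keeps only SIP signalling out of a mixed UDP stream (as the Wireshark filter does), counts INVITEs per source in a sliding window, raises an "Inviteflood" alert like the one in Fig. 5 and records the timed iptables block that Snortsam would apply. The threshold, window, addresses and packet contents are constructed assumptions; the block duration follows the ten seconds used by the prototype, and the iptables commands are collected as strings rather than executed.

```python
import re
from collections import defaultdict, deque

SIP_PORT = 5060           # only SIP signalling is inspected, as in the Wireshark filter
INVITE_THRESHOLD = 5      # INVITEs from one source within WINDOW_SECONDS -> alert (assumed)
WINDOW_SECONDS = 2.0      # sliding window for the rate check (assumed)
BLOCK_SECONDS = 10.0      # the prototype's Snortsam block lasted ten seconds

REQUEST_LINE = re.compile(rb"^([A-Z]+) sip:[^ ]+ SIP/2\.0\r?\n")

def sip_method(payload: bytes):
    """Return the SIP request method (e.g. 'INVITE') or None for non-SIP data."""
    m = REQUEST_LINE.match(payload)
    return m.group(1).decode() if m else None

class Interceptor:
    """Phase-one model: rate-based INVITE flood detection plus a timed source block."""

    def __init__(self):
        self.invites = defaultdict(deque)  # src ip -> timestamps of recent INVITEs
        self.blocked = {}                  # src ip -> time at which the block expires
        self.alerts = []                   # (ts, src, alert name), like the Snort alert log
        self.firewall = []                 # iptables commands Snortsam would issue (not run)

    def is_blocked(self, src, now):
        expiry = self.blocked.get(src)
        if expiry is None:
            return False
        if now >= expiry:                  # block has timed out: lift it, as Snortsam does
            del self.blocked[src]
            self.firewall.append(f"iptables -D INPUT -s {src} -j DROP")
            return False
        return True

    def handle(self, pkt):
        """Return 'drop' (blocked), 'pass' (not inspected) or 'forward' (on to Asterisk)."""
        src, ts = pkt["src"], pkt["ts"]
        if self.is_blocked(src, ts):
            return "drop"
        if pkt["dport"] != SIP_PORT or sip_method(pkt["payload"]) != "INVITE":
            return "pass"                  # RTP media and non-INVITE signalling are untouched
        window = self.invites[src]
        window.append(ts)
        while ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= INVITE_THRESHOLD:
            self.alerts.append((ts, src, "Inviteflood"))
            self.blocked[src] = ts + BLOCK_SECONDS
            self.firewall.append(f"iptables -I INPUT -s {src} -j DROP")
            window.clear()
            return "drop"
        return "forward"                   # early INVITEs reach Asterisk before the block trips

def sip_invite(caller, callee):
    """Constructed SIP INVITE request; users and addresses are made up for the demo."""
    return (f"INVITE sip:{callee}@10.0.0.20 SIP/2.0\r\n"
            f"From: <sip:{caller}@10.0.0.20>\r\nTo: <sip:{callee}@10.0.0.20>\r\n\r\n").encode()

def run_demo():
    """Replay constructed traffic: a genuine INVITE, a six-INVITE burst from 10.0.0.9,
    an RTP packet, then attacker INVITEs before and after the block expires."""
    ic = Interceptor()
    pkts = [{"src": "10.0.0.5", "dport": 5060, "ts": 0.0, "payload": sip_invite("alice", "1001")}]
    pkts += [{"src": "10.0.0.9", "dport": 5060, "ts": 0.1 * i, "payload": sip_invite("spit", "1001")}
             for i in range(1, 7)]
    pkts.append({"src": "10.0.0.5", "dport": 4000, "ts": 0.8, "payload": b"\x80\x00\x00\x01"})  # RTP
    pkts.append({"src": "10.0.0.9", "dport": 5060, "ts": 5.0, "payload": sip_invite("spit", "1002")})
    pkts.append({"src": "10.0.0.9", "dport": 5060, "ts": 11.0, "payload": sip_invite("spit", "1003")})
    return {"decisions": [ic.handle(p) for p in pkts], "alerts": ic.alerts, "firewall": ic.firewall}
```

Calling run_demo() shows the same sequence Fig. 8 describes: the first attacker INVITEs are accepted, the fifth one trips the alert and the block, and the source is forwarded again only once the ten-second block has expired.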

Fig. 8. Snortsam blocks attack

C. Attack Prevention by Snortsam

As Snort can only detect the attacker and act as the IDS in this system, Snortsam has been compiled to block the attacker and act as the IPS. Snortsam can be configured, and the time to block the attacker set, in rule files. In this system, the rule has been set for Snortsam to block the attacker in the protocol VoIP rules, which are located in the /etc/snort/rules directory.

Fig. 8 shows how Snortsam blocks the incoming illegal packets. In the beginning, Snortsam receives and accepts the connection from the attacker before it blocks the IP address and drops the unwanted packets for ten seconds. Snortsam also records the date and time of the blocking of the attacker's IP address.

Fig. 6. Sample of Snort summary of a genuine caller

D. Asterisk as VoIP Communication Server

Asterisk works as the Communication Server for the VoIP clients. It also supports a large variety of commands which can be used for testing, configuration and monitoring. A Network Administrator will monitor the caller and know who made a call. He can also analyze the pattern of attacks to differentiate genuine callers from the attackers.

Fig. 9 shows a sample of the notification that has been made by Asterisk. In this case, Asterisk tells the end user that the call he made has been rejected and the connection cannot be established. This is how Asterisk notifies the user when a SPIT attack made through the VoIP system is detected and blocked by an IDS.

Fig. 7. VoIP protocols captured

Fig. 9. Non-genuine call rejection and notification

V. CONCLUSIONS AND SUGGESTIONS

A. Future Enhancements

This is experimental research; nevertheless, the system not only produces the usual detection of the existence of unsolicited calls but also has features that can prevent further attack by blocking the IP address of the attacker automatically. However, there is still room for improvement to produce a better system to secure a VoIP network. For example, AIDPoS features can be enhanced by using a manageable switch to avoid ARP poisoning, setting a different VLAN for the Interceptor, combining AIDPoS, a firewall and a Network Monitoring System (NMS) to have an improved system, and including other software like Metasploit to counter-attack the attacker by shutting down the attackers' device to reduce their urge to launch further attacks. In addition, we shall study the issues concerning false positive and false negative network attacks that may affect the performance of AIDPoS in mitigating SPIT.

B. Conclusion

AIDPoS can detect and prevent unsolicited calls like SPIT from attacking a VoIP system. This system detects attackers who attempt to attack the system by sending SPIT over a device. The system blocks any unsolicited calls and allows genuine calls to be forwarded to the VoIP server. We believe that the combination of Snort, Wireshark and a VoIP Communication Server in one system can avoid voice call attacks, specifically SPIT. We also believe that a system like AIDPoS needs powerful hardware and software to increase the performance of the system to detect and block attacks.

A system similar to AIDPoS can support an enterprise in protecting its business deal conversations and private conversations over VoIP from intruders. This is especially true when an enterprise lacks knowledge of how to secure its network from SPIT attacks.

Last but not least, the system can be used for educational purposes for students who learn network security, data communication and voice over internet protocol. Their lecturer can teach these students how to set up a test bed that can detect and block VoIP attacks, and in future the students can also apply their knowledge and experience in their future employers' enterprise networks.

VI. ACKNOWLEDGMENTS

Our gratitude to Universiti Kuala Lumpur and to our sponsor and parent company, the Majlis Amanah Rakyat (MARA).

REFERENCES

[1] Digium, Inc. Asterisk. http://www.asterisk.org/, last visited December 2013.
[2] R. Baumann, S. Cavin, and S. Schmid. Voice over IP - Security and SPIT. Swiss Army, FU Br, 41:1–34, 2006.
[3] W. Conner and K. Nahrstedt. Protecting SIP proxy servers from ringing-based denial-of-service attacks. In Multimedia, 2008. ISM 2008. Tenth IEEE International Symposium, pages 340–347, 2008.
[4] A. Dainotti, A. King, K. Claffy, F. Papale, and A. Pescapè. Analysis of a "/0" Stealth Scan from a Botnet. IEEE/ACM Transactions on Networking, 2014.
[5] R. Day. SIPp. http://sipp.sourceforge.net/, last visited January 2014. By Richard Gayraud [initial code], Olivier Jacques [code/documentation], many contributors.
[6] D.R. Kuhn, T.J. Walsh, and S. Fries. Security Considerations for Voice Over IP Systems. The National Institute of Standards and Technology (NIST), Special Publication 800-58, 2005.
[7] Eyeball Networks. VoIP, VVoIP & IM Products - AntiSPIT Server. http://www.eyeball.com/voipproducts/anti-spam-server.htm, last visited September 2012.
[8] N. Ierace, C. Urrutia, and R. Bassett. Intrusion Prevention Systems. Ubiquity, 2005(June):2–2, July 2005.
[9] F. Knobbe. Snortsam - A Firewall Blocking Agent for Snort. http://www.snortsam.net/, last visited January 2014.
[10] P. Park. Voice over IP Security: Networking Technology: IP Communications. Cisco Press, 1st edition, 2008.
[11] J. Rosenberg, H. Schulzrinne, G. Camarillo, A. Johnston, J. Peterson, R. Sparks, M. Handley, E. Schooler, et al. SIP: Session Initiation Protocol. RFC 3261, Internet Engineering Task Force, 2002.
[12] J. Rosenberg and C. Jennings. The Session Initiation Protocol (SIP) and Spam. IETF RFC 5039, 2008.
[13] C. Sanders. Practical Packet Analysis. No Starch Press, 2011.
[14] SANS Institute. Understanding Intrusion Detection Systems. http://www.sans.org/reading_room/whitepapers/detection/understanding-intrusion-detection-systems_337, last visited September 2013.
[15] R. J. Shimonski. Why You Need to Know About Intrusion Detection Systems. trusion detection/What You Need to Know About Intrusion Detection Systems.html, last visited on 15th February 2013.
[16] Snort Team. SNORT. https://www.snort.org/, last visited May 2014.
[17] VoIPSA. VoIP Security and Privacy Threat Taxonomy. Public release 1.0, VoIP Security Alliance, October 2005.
