Study on Security Issues in Open Source SIP Servers



Introduction
VoIP, which routes voice conversations over IP-based networks, may be the fastest growing technology in telephony. The flexibility that comes from converging voice and data onto one network brings additional security requirements with it. SIP servers are vital network elements: they let SIP endpoints exchange messages, register user locations and move between networks, and they let network operators define routing and security policies, authenticate clients and control user locations. SIP server applications take many forms, but the SIP standard defines three general kinds of server functionality that apply to all of them: proxy, redirect and registrar servers.
One of the most common attacks is denial of service (DoS). Once a session has been established with SIP, the media itself is carried by the Real-time Transport Protocol (RTP); at the transport layer SIP is normally carried over the User Datagram Protocol (UDP). Providing a high level of security for a VoIP server has become a real challenge. To secure a SIP-based Asterisk server, a system administrator should at least:
• change the default user name (root) and port (22) used for remote SSH login to the SIP server;
• add packet-filtering rules in Linux iptables for the SSH port (Transmission Control Protocol, TCP, packets) that allow only known administrator IP addresses;
• since some open source PBX distributions provide a web-based graphical user interface, apply the same kind of rule to HTTPS (TCP port 443);
• allow SIP user agents by IP block, with iptables rules for UDP port 5060;
• to prevent Internet Control Message Protocol (ICMP) flood attacks, allow ICMP echo (ping) and traceroute requests to the SIP server only from a listed subnet and block them from the rest of the world.
Monitoring the Linux kernel log files, normally found under the /var directory, is just as important: there the administrator can see every remote Secure Shell (SSH) login and every web-based login to the SIP server, together with the IP address of the host that made it. The Asterisk log gives the list of registered and unregistered SIP peers with their IP addresses and port numbers, which is the most useful place to spot unauthorized attempts. These points are discussed in detail below with the network protocol analyzer Wireshark; the Wireshark captures show the difference in traffic before and after the packet-filtering rules are applied to the Linux kernel.
Wireshark is a free and open-source packet analyzer. It has a rich and powerful feature set and runs on most operating systems.

UDP Flood Attack
In a UDP flood attack the attacker sends a large number of UDP packets to the victim system, which congests the network and reduces the bandwidth available to legitimate service requests. The attack works because, when the victim receives a UDP packet on an arbitrary port, it checks which application is listening on that destination port; when it finds none, it generates an ICMP destination unreachable message back to the (usually spoofed) source address. If enough UDP packets are delivered to the victim's ports, the system goes down. UDP flood attacks can also saturate the bandwidth of the links around the victim, depending on the network architecture and line speed, so systems that share a network segment with the victim may experience connectivity problems as well.

ICMP Attacks
The Internet Control Message Protocol (ICMP) is the error-reporting and diagnostic facility of the Internet Protocol (IP) suite. Although it is essential for correct operation of IP, it can be abused by malicious users for several denial of service (DoS) attacks. The simplest is the ICMP flood, built on the echo request that any user can send to a host to check whether it is alive. In a distributed ICMP flood the agents send huge volumes of ICMP echo request (ping) packets to the victim; each packet demands an echo reply, and the result is saturation of the bandwidth of the victim's network connection. The source IP address of the flood packets is usually spoofed.
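Both flood attacks above show up in a capture as one source address sending far more packets per second than any legitimate phone. The following script is an added example, not part of the paper: it reads a tab-separated field export of a capture (the format produced by tshark -r capture.pcap -T fields -e frame.time_epoch -e ip.src -e ip.proto) and prints every source whose peak per-second UDP or ICMP packet rate exceeds a threshold, which is the list of addresses an administrator would then block in iptables. The sample traffic is constructed for the example; the addresses and the 400-packet burst are assumptions.

```shell
#!/bin/sh
# Added example (not from the paper): find flooding sources in a capture export.
# Assumed input (tab separated, one packet per line):
#   frame.time_epoch  ip.src  ip.proto     with ip.proto 17 = UDP, 1 = ICMP

# flood_sources FILE THRESHOLD
# prints "<src> <udp|icmp|protoN> <peak packets per second>" for every source
# whose busiest second exceeds THRESHOLD packets, sorted by address
flood_sources() {
    awk -F'\t' -v thr="$2" '
        # one counter per (source, protocol, whole second)
        { n[$2 "\t" $3 "\t" int($1)]++ }
        END {
            # reduce the per-second counters to the peak rate per (source, protocol)
            for (k in n) {
                split(k, p, "\t"); sk = p[1] "\t" p[2]
                if (n[k] > peak[sk]) peak[sk] = n[k]
            }
            for (sk in peak) {
                if (peak[sk] <= thr) continue
                split(sk, p, "\t")
                if (p[2] == 17) name = "udp"
                else if (p[2] == 1) name = "icmp"
                else name = "proto" p[2]
                printf "%s %s %d\n", p[1], name, peak[sk]
            }
        }' "$1" | sort
}

# Constructed sample: 198.51.100.7 sends 400 UDP packets inside one second
# (a flood), a legitimate phone at 203.0.113.10 sends two packets, and
# 203.0.113.20 sends a single ICMP echo request.
make_sample() {
    i=0
    while [ "$i" -lt 400 ]; do
        printf '1700000000.%06d\t198.51.100.7\t17\n' "$i"
        i=$((i + 1))
    done
    printf '1700000000.500000\t203.0.113.10\t17\n'
    printf '1700000001.200000\t203.0.113.10\t17\n'
    printf '1700000001.900000\t203.0.113.20\t1\n'
}

# Usage: make_sample > sample.tsv; flood_sources sample.tsv 100
```

The threshold should be set from a baseline of the site's own traffic: a busy phone re-registers a few times a minute, so a source sending 100 or more SIP packets in one second is never a phone. Run the script against a capture taken before the iptables rules are applied, then again after, to confirm the flooding source has disappeared.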

Memory Depletion Attacks
When a server accepts a SIP message it has to store small pieces of state. How long that state is retained depends on the server mode, stateful or stateless. While a transaction is in progress the data is kept in memory and is released only once the transaction completes or times out.
The best known attack of this kind is the TCP SYN flood. The server is flooded with packets carrying the SYN flag; for each one it allocates the resources for a new connection and answers with a SYN+ACK packet. The attacker keeps sending new SYN packets and never replies to the packets the server sends back, so the server quickly exhausts the memory reserved for new TCP connections and starts refusing normal requests. Another variant is to send heavily fragmented packets with some fragments deliberately missing: the server waits for the missing fragments and keeps the received ones in memory, and that useless data stays there until the reassembly timer expires.

CPU Depletion
Another way to effectively limit the server's ability to process regular requests is central processing unit (CPU) depletion. A higher load can come from a larger number of requests or from requests that need more complex processing. The server can be overwhelmed with ICMP packets, but sending malformed REGISTER messages produces the same effect with far fewer messages, because each message is parsed after the server receives it. Even though the server can process hundreds of well-formed messages, it can easily be forced into expensive processing with malformed messages carrying fake or invalid data, or sent from nonexistent user accounts. Paradoxically, enabling authentication on a server triggers even more demanding processing, which makes it easier to exhaust the CPU. When the server validates certificates, the attacker can send a message carrying an invalid certificate; the server eventually determines that the certificate is invalid, but processing the message has already consumed a large share of its resources. The target is flooded with more messages than it can process at any given time. SIP is a text-based protocol, so every incoming message has to be parsed, and if authentication information is supplied in the flooding messages the server also has to check whether the user is authorized to use the service (digest authentication). A special case is when the target's CPU is not busy but the server cannot proceed because it is waiting on other entities, such as a database or the domain name system (DNS) service.

Bandwidth Depletion Attacks
This kind of attack does not consume resources of the physical server but the capacity of the link connecting the server to the network. When the link can no longer carry regular packets, they are lost before they can reach the SIP server, so at that point it is not possible to distinguish between regular and malicious packets. Carrying SIP over UDP makes the

The available targets (actions) for a policy in the filter table chains are:
• ACCEPT: applied to packets that are trusted and may pass through the firewall.
• REJECT: applied to packets that are to be dropped, but an ICMP reply is sent to the originator telling it what happened to the packet.
• DROP: applied to packets that are simply discarded without any ICMP reply, as if they had never reached the firewall.

Firewall Rule Parameters
Each rule identifies a specific kind of network traffic. To allow this identification, the parameters that pick out the matching packets must be set for each rule.
The available parameters are:
• IP address: destination or source; a single IP, a network block or an IP range.
• Port: destination or source; a single port, a port range or a list of ports.
• Protocol: TCP, UDP, ICMP, or all of them together.
• Interface: the incoming or outgoing interface.
• TTL (Time to Live) field of the IP header.
• ToS (Type of Service) field of the IP header.
• Packet length.
• Source MAC address.
• SYN flag: identifies a new connection.
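The targets and parameters above are what the paper's iptables rules for SSH, HTTPS, ICMP and SIP on port 5060 are built from. The script below is an added example, not the paper's own script: it builds a complete INPUT chain following the paper's policy (administrator subnet only for SSH on a non-default port, for HTTPS and for ICMP echo; phone subnet only for SIP on UDP/5060; everything else dropped) and adds per-source rate limits against the UDP and ICMP floods described earlier. The subnets, the SSH port 10 (the paper's value), the RTP range (Asterisk's default rtp.conf range) and the rate limits are assumptions; the DRY_RUN switch prints the commands instead of applying them so the ruleset can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the paper): INPUT chain for an Asterisk/SIP host.
#   DRY_RUN=1 sh sip_fw.sh apply   # print the iptables commands, change nothing
#   sh sip_fw.sh apply             # apply them as root; keep a console session open

ADMIN_NET=${ADMIN_NET:-10.111.0.0/16}    # management hosts (assumed)
PHONE_NET=${PHONE_NET:-203.0.113.0/24}   # SIP user agents (assumed)
SSH_PORT=${SSH_PORT:-10}                 # non-default SSH port used in the paper
RTP_PORTS=${RTP_PORTS:-10000:20000}      # Asterisk's default rtp.conf range

# ipt ARGS... : run iptables, or just print the command when DRY_RUN=1
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    ipt -F INPUT
    ipt -P INPUT DROP                          # default: discard silently
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # SSH on the custom port and the web GUI on TCP/443, admin subnet only;
    # new SSH connections (SYN) are limited to slow down password guessing
    ipt -A INPUT -p tcp -s "$ADMIN_NET" --dport "$SSH_PORT" --syn \
        -m limit --limit 5/min --limit-burst 10 -j ACCEPT
    ipt -A INPUT -p tcp -s "$ADMIN_NET" --dport 443 -j ACCEPT

    # ICMP echo (ping) from the admin subnet only, rate limited against ping floods
    ipt -A INPUT -p icmp --icmp-type echo-request -s "$ADMIN_NET" \
        -m limit --limit 10/s -j ACCEPT

    # SIP signalling on UDP/5060 from the phone subnet: drop any single source
    # that exceeds 50 packets/s (UDP flood), then accept the rest
    ipt -A INPUT -p udp -s "$PHONE_NET" --dport 5060 \
        -m hashlimit --hashlimit-name sip --hashlimit-mode srcip \
        --hashlimit-above 50/sec -j DROP
    ipt -A INPUT -p udp -s "$PHONE_NET" --dport 5060 -j ACCEPT

    # RTP media for the calls set up over SIP
    ipt -A INPUT -p udp -s "$PHONE_NET" --dport "$RTP_PORTS" -j ACCEPT

    # Everything else falls through to the DROP policy. Use REJECT instead of
    # DROP where the sender should get an ICMP error telling it why.
}

# list_rules : show the chain with line numbers, which -D needs to delete a rule
list_rules() {
    ipt -L INPUT -n --line-numbers
}

if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

Rule order matters: the ESTABLISHED,RELATED rule comes first so return traffic is never rate limited, and the hashlimit DROP for SIP must precede the unconditional ACCEPT for port 5060 or it never matches. Apply the rules from a console or from an address inside ADMIN_NET, because the new SSH port is only reachable from that subnet once the chain is in place.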

Basic Security for the Linux Server
Apply rules for remote Secure Shell (SSH) login to the Linux server, such as changing the default user name, password and port number. Do not use root as the SSH login user or 22 as the SSH port. To establish this first level of security, the administrator changes the default user name and SSH port as follows:
[root@l3ippbx ~]# cd /etc/ssh
"etc" is an essential directory of a Linux system that holds the host-specific configuration files; inside it the ssh directory contains the file sshd_config. In this file the administrator grants login permission to the new user, here "morshed", and changes the SSH port from the default 22 to, in this example, port 10. After that the default SSH user root is disabled, the server accepts remote SSH logins only from the user "morshed" created earlier, and port 10 is used instead of 22 together with the host name or IP address of the Asterisk server. The user "morshed" can then switch to the root account (su -) with the root password. This gives the administrator two levels of password protection and keeps unauthorized remote sessions from other hosts off the server. Before restarting sshd with the new port, open that port in iptables and keep the current session open until a login on the new port has been verified. To monitor the authorized sessions, the administrator should check the Linux and Asterisk log files regularly. The log files show hundreds of failed registration attempts from several IP addresses on the Internet. This log supplies vital information for fighting attackers, because it shows the scale of the problem, the accounts they are trying to crack, the nature of the attack and the attacker's IP address.
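The sshd_config edit described above (non-default port, root login disabled, one permitted user) is easy to get wrong by hand, for example by leaving a commented "#Port 22" next to a new "Port 10" line. The script below is an added example, not the paper's own commands: it makes the three changes in an idempotent way, keeps a backup, and preserves the file's mode by writing back through the existing file. The port 10 and user "morshed" defaults are the paper's values; the extra MaxAuthTries setting and its value are an assumption added here to cap password guesses per connection.

```shell
#!/bin/sh
# Added example (not from the paper): harden sshd_config for a SIP server.
# Usage: harden_sshd /etc/ssh/sshd_config 10 morshed && sshd -t && systemctl reload sshd

# set_opt FILE KEY VALUE : set KEY to VALUE, replacing an existing line whether
# it is active or commented out, or appending the option if it is absent
set_opt() {
    file=$1; key=$2; val=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$file"; then
        # rewrite the first matching line and drop later duplicates; write back
        # through cat so the config file keeps its mode and owner
        awk -v k="$key" -v v="$val" '
            $0 ~ ("^[ \t]*#?[ \t]*" k "[ \t]") { if (!done) { print k " " v; done = 1 }; next }
            { print }' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
    else
        printf '%s %s\n' "$key" "$val" >> "$file"
    fi
}

# harden_sshd FILE PORT USER : apply the paper's three changes (plus MaxAuthTries)
harden_sshd() {
    cfg=$1; port=$2; user=$3
    cp -p "$cfg" "$cfg.bak"
    set_opt "$cfg" Port "$port"                 # non-default port instead of 22
    set_opt "$cfg" PermitRootLogin no           # root may not log in over SSH
    set_opt "$cfg" AllowUsers "$user"           # only this account may log in
    set_opt "$cfg" MaxAuthTries 3               # assumed extra: limit guesses per connection
}
```

Run sshd -t after the change: it validates the file without restarting the daemon, so a typo is caught before the running sshd is reloaded and the administrator is locked out.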

Log Monitoring
The variable directory "var" holds the complete log files of both the Linux system and Asterisk.

SIP Configuration Security
To secure each static extension in the Asterisk sip.conf file, the administrator can tighten the extension's parameters, for example by not accepting SIP authentication requests from every IP address. Use the "permit" and "deny" lines in sip.conf to allow only an acceptable subset of IP addresses to reach each listed extension/user. For instance, "permit=10.111.0.0/255.255.0.0" allows only that subnet to register and authenticate to the Asterisk server; all other IPs or IP ranges are blocked. Use strong passwords for SIP entities. To defend the Asterisk server against password guessing attacks, make sure every SIP client account has a strong secret: at least 6 characters (treat this as a floor, longer is better), mixing upper and lower case letters with digits and at least one non-alphanumeric character such as $, !, #, or *. For example secret=M0r$H3d!100 would be a strong password. To list the user accounts and passwords configured in Asterisk, run "sip show users" at the Asterisk CLI.
Always use "type=peer" and never "type=friend". When adding static SIP peers or "SIP trunks" in FreePBX, Trixbox or Elastix, set the type to "peer" and never to "friend". Using "type=friend" makes the Asterisk server considerably more vulnerable, because "type=friend" actually creates two objects, a SIP peer and a SIP user. By far the worst mistake an administrator can make when defining a static SIP peer is to combine "type=friend" with "insecure=invite": in that configuration an attacker can originate calls from any remote IP address without authenticating with a password; the only piece of information they need to guess is the user name.
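The three sip.conf checks above (no type=friend, never insecure=invite, a permit line and a strong secret on every account) can be run mechanically over the whole file. The audit script below is an added example, not the paper's own tool: it parses sip.conf section by section and prints one finding per problem. The sample sip.conf in the usage is constructed for the example; note that in it the deny=0.0.0.0/0.0.0.0 line comes before the permit line, because Asterisk evaluates deny/permit lines in order and the last matching line wins.

```shell
#!/bin/sh
# Added example (not from the paper): audit sip.conf for the weaknesses the paper
# describes. Prints "<section> <severity> <message>" per finding, nothing if clean.
# Usage: audit_sip_conf /etc/asterisk/sip.conf

audit_sip_conf() {
    awk '
        # a secret is weak if shorter than 6 chars or missing one of the four classes
        function weak_secret(s,   cls) {
            if (length(s) < 6) return 1
            cls = 0
            if (s ~ /[a-z]/) cls++
            if (s ~ /[A-Z]/) cls++
            if (s ~ /[0-9]/) cls++
            if (s ~ /[^A-Za-z0-9]/) cls++
            return cls < 4
        }
        # report the findings for the section just finished, then clear it
        function report(sec,   k) {
            if (sec != "" && sec != "general" && sec != "authentication") {
                if (kv["type"] == "friend" && ("insecure" in kv) && kv["insecure"] ~ /invite/)
                    print sec " CRITICAL type=friend with insecure=invite: calls accepted from any address without a password"
                else if (kv["type"] == "friend")
                    print sec " WARN type=friend creates both a peer and a user; use type=peer"
                else if (("insecure" in kv) && kv["insecure"] ~ /invite/)
                    print sec " WARN insecure=invite skips authentication of incoming INVITEs"
                if (!("permit" in kv))
                    print sec " WARN no permit= line, so any source address may register"
                if (!("secret" in kv))
                    print sec " WARN no secret= line"
                else if (weak_secret(kv["secret"]))
                    print sec " WARN weak secret: need 6+ chars with upper, lower, digit and symbol"
            }
            for (k in kv) delete kv[k]
        }
        /^[ \t]*[;#]/ || /^[ \t]*$/ { next }          # comments and blank lines
        /^[ \t]*\[/ {                                  # [section] header
            report(section)
            section = $0; sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section)
            next
        }
        {                                              # key=value line
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            sub(/[ \t]*;.*$/, "", val)                 # strip a trailing ; comment
            kv[key] = val
        }
        END { report(section) }
    ' "$1"
}
```

Run it after every change to sip.conf, or from cron against the live file; a CRITICAL line means the extension can be used for toll fraud by anyone who guesses its name.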

Extensions Security Using Fail2ban in SIP Server
Fail2ban works by monitoring log files (e.g. /var/log/pwdfail, /var/log/auth.log) for selected entries and running scripts based on them. Most commonly it is used to block the IP addresses of hosts that are trying to breach the system's security: it can ban any host that makes too many login attempts, or performs any other unwanted action, within a time frame defined by the administrator. Fail2ban is typically configured to unban a blocked host after a set period, so that genuine clients that were temporarily misconfigured are not locked out permanently; an unban time of a few minutes is usually enough to stop a flood of malicious connections and to make a dictionary attack far less likely to succeed. When an abusive IP is detected, Fail2ban can take several actions: update iptables or PF firewall rules, add the address to TCP Wrapper's hosts.deny table, send e-mail notifications, or run any user-defined action that can be carried out by a Python script.
Fail2ban scans the log files and acts on the entries it finds. Here it is configured to stop SIP brute-force attacks against the Asterisk PBX: the following describes how to set up Fail2ban, together with the iptables firewall, to protect an Asterisk PBX from SIP brute-force attempts and scans. After installing Fail2ban on the SIP server, a filter has to be created so that Fail2ban can recognise attacks against Asterisk. If the system fails to ban properly, check whether the "Registration from" part of the log line contains a quotation mark ("), as in Figure 17; the filter's regular expression has to account for it.
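The following is an added example, not the paper's own configuration, serving both the log-monitoring step and the Fail2ban setup: it writes a Fail2ban filter for the chan_sip "Registration from ... failed for ..." notices (the quoted peer name is matched with '.*' so the quotation-mark case above is covered), a jail that bans with Fail2ban's stock iptables-allports action, and a shell function that runs the same pattern over the Asterisk log and counts failures per source address, which is what reading the log under /var by hand comes down to. The log path, maxretry, bantime and the sample log lines are assumptions; the pattern uses only syntax that is valid both as a Python failregex and as a POSIX ERE, so grep -E can test it locally.

```shell
#!/bin/sh
# Added example (not from the paper): Fail2ban filter + jail for Asterisk chan_sip,
# and a per-address count of failed REGISTER attempts from the Asterisk log.

FILTER_NAME=asterisk-sip

# Valid as a Python regex for Fail2ban (with <HOST>) and, after replacing <HOST>,
# as an ERE for grep -E. The peer name between the first quotes may contain
# double quotes ('"100" <sip:100@...>'), hence '.*'.
FAILREGEX="NOTICE.* chan_sip\.c: Registration from '.*' failed for '<HOST>(:[0-9]+)?' - (Wrong password|No matching peer found|Username/auth name mismatch|Device does not match ACL|Peer is not supposed to register)"

# write_fail2ban_config DIR : write filter.d/ and jail.d/ files under DIR (normally /etc/fail2ban)
write_fail2ban_config() {
    mkdir -p "$1/filter.d" "$1/jail.d"
    printf '[Definition]\nfailregex = %s\nignoreregex =\n' "$FAILREGEX" > "$1/filter.d/$FILTER_NAME.conf"
    cat > "$1/jail.d/$FILTER_NAME.conf" <<EOF
[$FILTER_NAME]
enabled  = true
filter   = $FILTER_NAME
action   = iptables-allports[name=ASTERISK, protocol=all]
logpath  = /var/log/asterisk/messages
maxretry = 5
findtime = 600
bantime  = 600
EOF
}

# failed_registrations LOGFILE : print "<count> <ip>" per source, most frequent first
failed_registrations() {
    ere=$(printf '%s' "$FAILREGEX" | sed 's/<HOST>/[0-9.]+/')
    grep -E "$ere" "$1" \
      | sed -E "s/.* failed for '([0-9.]+)(:[0-9]+)?' - .*/\1/" \
      | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Constructed sample of the NOTICE lines chan_sip writes on failed REGISTER attempts
sample_log() {
    cat <<'EOF'
[May  3 10:00:01] NOTICE[2345] chan_sip.c: Registration from '"100" <sip:100@198.51.100.7>' failed for '198.51.100.7:5060' - Wrong password
[May  3 10:00:02] NOTICE[2345] chan_sip.c: Registration from '"admin" <sip:admin@198.51.100.7>' failed for '198.51.100.7:5060' - No matching peer found
[May  3 10:00:03] NOTICE[2345] chan_sip.c: Registration from '"101" <sip:101@203.0.113.10>' failed for '203.0.113.10:5060' - Wrong password
[May  3 10:00:04] NOTICE[2345] chan_sip.c: Registration from '"1000" <sip:1000@198.51.100.7>' failed for '198.51.100.7:5060' - Username/auth name mismatch
[May  3 10:00:05] NOTICE[2345] chan_sip.c: Peer '101' is now Reachable. (12ms / 2000ms)
EOF
}

# Usage: write_fail2ban_config /etc/fail2ban && fail2ban-client reload
#        failed_registrations /var/log/asterisk/messages
```

After writing the files, fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk-sip.conf reports how many log lines the filter matches; zero matches on a log that visibly contains failed registrations means the log format differs from the pattern (for example an older Asterisk that omits the :port after the address), and the regex has to be adjusted before the jail will ban anything.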

Conclusion
In this paper the authors explored the capability of iptables rules to protect a SIP server from these attacks. To decide whether network traffic is legitimate, iptables relies on a set of rules predefined by the network or system administrator. The main focus of the paper has been on capturing live traffic with the network protocol analyzer Wireshark and, on the basis of that study, developing iptables scripts that allow or deny traffic depending on the traffic rate of the IP address sending the packets. The authors analysed how Linux iptables rules work, with Wireshark captures showing the difference in filtered packets before and after the rules are applied. Security was provided for the port numbers and protocols in use (SIP, SSH, ICMP, HTTPS) by filtering TCP and UDP packets, allowing particular IP addresses with subnet masks and rejecting the rest of the world, to prevent unauthorized access to the VoIP server. The Linux log files under the /var directory are the most useful tool for monitoring the SIP server. The paper also shows how to choose a strong password pattern that gives the SIP server additional protection.
Add a New User Name and Password: to add a new user and give it a strong password, run:
[root@l3ippbx ~]# adduser morshed
[root@l3ippbx ~]# passwd morshed
Changing password for user morshed.
New UNIX password: ********
Retype new UNIX password: ********
passwd: all authentication tokens updated successfully.
To further secure the server, change the default SSH port 22 by editing /etc/ssh/sshd_config as described under Basic Security for the Linux Server.

Figures 3, 10, 14 and 17 (captions not recoverable from the source).
Mangle table: this table is used to alter packet fields and to mark packets for later filtering.

iptables rules for allowing and disallowing IP addresses for Session Initiation Protocol (SIP) REGISTER requests through the default port 5060. The Session Initiation Protocol (SIP) is an application-layer control (signalling) protocol for creating, modifying and terminating sessions with one or more participants; such sessions include Internet telephone calls, multimedia conferences, instant messaging, voice, video, interactive games and virtual reality. A SIP message consists of a header and an optional body, and is either a request or a response. A SIP entity that receives a request performs the corresponding action and sends a response back to the originator; responses carry three-digit status codes. Without rules in Linux iptables for the default SIP port 5060, a user agent with IP address 203.76.99.103 is seen sending two REGISTER requests to the SIP server 123.200.0.36 (Figures 4 and 5 in Wireshark), after which the SIP server 123.200.0.36 sends OPTIONS and the success response 200 OK as acknowledgement to the user agent 203.76.99.103 (Figures 7 and 8 in Wireshark).
The administrator can delete existing iptables rules in two steps: first list the rules of the chain with their line numbers (the -L option together with --line-numbers), then delete the unwanted rule by chain and line number with -D. Because the numbers shift after each deletion, list the chain again before deleting a second rule.