[SIPForum-discussion] Re: SIP Security

Nguyen Duc Hoang sizer86 at yahoo.com
Tue Nov 10 08:06:04 UTC 2009


Hi Sriram

1) I don't have the message's details, so I can't confirm what kind of authentication method is used in that case.
2) The call flow is in a document published by Ruishan Zhang, Xinyuan Wang,
Xiaohui Yang, Xuxian Jiang from George Mason University, and the direction of the INVITE is from SubA to Proxy.
3) In that document, that was a real INVITE Relay Billing Attack in the AT&T network. That's what I read.
4) The MITM captures all messages from SubA, then uses its credentials to make unauthorized calls to Proxy. That means the attacker doesn't have to pay anything for his calls and the billing.

The important point is that I don't know how an attacker becomes a MITM. How can he fool SubA into sending the INVITE message to him and not to the Proxy Server?
If the authentication here is TLS, IPsec and HTTP Digest, how can an attacker fool the network's elements into sending messages to his devices?

Another problem is, when an attacker has become a MITM, which fields of the message from SubA will he use to make authorized calls?

Best regards
Hoang ND


________________________________
From: Sriram Subramanian <sriram.ngn at gmail.com>
To: Nguyen Duc Hoang <sizer86 at yahoo.com>
Cc: discussion at sipforum.org
Sent: Tuesday, November 10, 2009 12:27:27
Subject: Re: [SIPForum-discussion] SIP Security


Hi,
      The problem seems to be a bit strange and needs further input from you.
1) Can you tell me what the authentication mechanism is? Is it HTTP-Digest MD5?
2) I see in the call flow below an INVITE with credentials sent by the Proxy. I don't think it is possible in the scenario explained below, that too with a normal Proxy. Was it a mistake in the call flow arrow diagram?
3) The "week" duration has nothing to do with the call as far as I know. Can you confirm that calls succeed only after a week?
4) How did you confirm it is an MITM attack? Do you mean to say that Subscriber A was down and not alive during the MITM call?
 
 
Regards,
Sriram
 
On Mon, Nov 9, 2009 at 4:02 PM, Nguyen Duc Hoang <sizer86 at yahoo.com> wrote:

>Hi, everybody!
>
>When Subscriber A makes a SIP call to Subscriber B.
>A                                MiM                               Proxy
>---------------------INVITE---------------------->
><----------------------401-------------------------
>-------------------------ACK--------------------->
><--------------------INVITE(credentials)----------
>     one week later           ---INVITE(credentials)-->
>                                      <-----100trying-----------
>                                      <-------180 ringing-------
>                                      <-------200OK----------
>                                      --------ACK------------->
>
>A MITM captures all messages from A, then uses its parameters to make an unauthorized call. I don't know how he can capture all messages (in real conditions, because I read about that threat in a document about the AT&T network). I also don't know which fields he has to take information from, why it must be those fields, and why the attacker can be accepted by the proxy after 1 week.
>
>Can you explain it for me?
>
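
An added illustration of the replay question raised in this thread, not part of either poster's message: assuming the 401 in the call flow is an HTTP Digest challenge (RFC 2617, no qop), this proxy-side check shows that a captured INVITE Authorization header still verifies a week later unless the proxy also bounds the nonce's age. All names, the key, the credentials and the 30-second window are constructed for the example.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-proxy-secret"   # assumed proxy-local secret
MAX_NONCE_AGE = 30                         # seconds; assumed policy
USER, REALM, PASSWORD = "subA", "example.invalid", "constructed-pw"
URI = "sip:subB@example.invalid"           # constructed request URI
T0, WEEK = 1_257_753_600, 7 * 24 * 3600    # constructed clock values

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    # RFC 2617 without qop: MD5(HA1:nonce:HA2). Only the method, URI and
    # nonce are covered; neither the time of sending nor the SDP body is.
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def _tag(ts):
    return hmac.new(SERVER_KEY, ts.encode(), hashlib.sha256).hexdigest()[:16]

def make_nonce(now):
    # Timestamp plus HMAC tag, so the proxy can check age without state.
    return f"{now}.{_tag(str(now))}"

def nonce_fresh(nonce, now):
    ts, _, tag = nonce.partition(".")
    if not hmac.compare_digest(tag.encode(), _tag(ts).encode()):
        return False                       # nonce was not issued by this proxy
    return 0 <= now - int(ts) <= MAX_NONCE_AGE

def proxy_accepts(auth, password, now, check_nonce_age):
    expected = digest_response(auth["username"], auth["realm"], password,
                               "INVITE", auth["uri"], auth["nonce"])
    if not hmac.compare_digest(expected.encode(), auth["response"].encode()):
        return False
    # Without the age check, the digest alone cannot tell a replay apart.
    return nonce_fresh(auth["nonce"], now) if check_nonce_age else True

def sample_authorization(now):
    # What SubA would send in reply to a 401 issued at time `now`.
    nonce = make_nonce(now)
    resp = digest_response(USER, REALM, PASSWORD, "INVITE", URI, nonce)
    return {"username": USER, "realm": REALM, "uri": URI,
            "nonce": nonce, "response": resp}

if __name__ == "__main__":
    captured = sample_authorization(T0)
    print("fresh, age checked:  ", proxy_accepts(captured, PASSWORD, T0 + 5, True))
    print("replayed, no check:  ", proxy_accepts(captured, PASSWORD, T0 + WEEK, False))
    print("replayed, age checked:", proxy_accepts(captured, PASSWORD, T0 + WEEK, True))
```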


