Re: [rtcweb] Strawman for how to prevent voice-hammer without ICE

[Hadriel Kaplan <HKaplan@acmepacket.com>]

On Jul 28, 2011, at 4:49 PM, Harald Alvestrand wrote:

> I think this approach is not paranoid enough.
> 
> The attacker will negotiate a channel claiming that you can reach him on 
> 10.0.0.2 (your server that he wants to voice-hammer), and then send you 
> the five or so RTP packets you expect with a fake source address of 
> 10.0.0.2.
> 
> Then you, having seen exactly the packets that "authorize" sending 
> traffic to 10.0.0.2, will be performing the voice-hammer attack against 
> the server that the attacker otherwise couldn't reach.

Yes, that was the weakness of the model as I described in my original email: that the malicious web-server can spoof the RTP from the device being attacked.
And I proposed that instead of it being a single "authorization" phase at the beginning of the call, it could even be continuous/periodic.  Of course the web-server could continuously send spoofed RTP to the browser, but at that point it might as well do the attack directly spoofing the browser. (in other words, the malicious website isn't gaining a very useful botnet of attackers, since I assume that's the concern)


> (This doesn't work with ICE, because the ICE handshake involves the 
> recipient replying to your packet with some parameters that can only be 
> found in the request, not in the negotiation).

Yes I know ICE solves this, but since ICE doesn't exist for legacy VoIP and PSTN, a non-existent solution isn't very useful.

-hadriel