Re: [Sip] draft-state-sip-relay-attack-00

[Hadriel Kaplan <HKaplan@acmepacket.com>]

> -----Original Message-----
> From: Victor Pascual Ávila [mailto:victor.pascual.avila@gmail.com]
> Sent: Saturday, March 07, 2009 4:15 PM
>
> As an example: what would proxy.com check upon receipt of Bob's
> spoofed INVITE over UDP (forging packet source ip and port)?

Well that is a trade secret, and specific to the proxy/SBC vendor being used, and probably its configuration. :)

But anyway if Bob could guess Alice's source UDP IP and port (which by the way is not always trivial to do), then it changes the form and scope of the attack.  The interesting characteristics of a relay-attack, baiting-attack, etc., are that they do not require IP-layer spoofing.

Typically, though, spoofing enough to get through would be less useful for Bob to do unless he's actually a true MitM, because the SIP responses for the call will go to Alice, so Bob won't be able to pass along the challenge and won't be able to establish a call.  And even if Alice's UA is broken enough to answer a challenge for a request it didn't send, Bob would not get the SIP responses to setup the call fully, nor send or receive media for it.  Bob could try to mount a resource-exhaustion attack on the provider, but that too is throttled (and besides Bob won't be able to get Alice to challenge-response fast enough for each INVITE).  Bob could try to perform an annoyance attack by making phones ring, if he figures out how to avoid getting Alice blocked automatically, but there are even countermeasures for that available.  Bob could try an attack for the purpose of getting Alice blocked from getting service for a period of time, but if Bob knows Alice's UDP source info he can do that directly on Alice anyway, and the best the provider can do is stop it from affecting others.

-hadriel