Having fun with RTP Who is speaking???

Similar documents
Voice over IP. What You Don t Know Can Hurt You. by Darren Bilby

LISTENING BY SPEAKING

SIP security and the great fun with Firewall / NAT Bernie Höneisen SURA / ViDe, , Atlanta, GA (USA)

VoIP Security Threat Analysis

13. Internet Applications 최양희서울대학교컴퓨터공학부

Lecture 14: Multimedia Communications

Configuring Hosted NAT Traversal for Session Border Controller

VPN-1 Power/UTM. Administration guide Version NGX R

Department of Computer Science. Burapha University 6 SIP (I)

A common issue that affects the QoS of packetized audio is jitter. Voice data requires a constant packet interarrival rate at receivers to convert

Internet Streaming Media. Reji Mathew NICTA & CSE UNSW COMP9519 Multimedia Systems S2 2006

VoIP Basics. 2005, NETSETRA Corporation Ltd. All rights reserved.

Outline. Goals of work Work since Atlanta Extensions Updates Made Open Issues Ad-hoc meeting & Next Teleconference Links

Security and Lawful Intercept In VoIP Networks. Manohar Mahavadi Centillium Communications Inc. Fremont, California

Encryption setup for gateways and trunks

Real-Time Communications for the Web. Presentation of paper by:cullen Jennings,Ted Hardie,Magnus Westerlund

Configuring Encryption for Gateways and Trunks

Service Provider PAT Port Allocation Enhancement for RTP and RTCP

CS519: Computer Networks. Lecture 9: May 03, 2004 Media over Internet

Medical Sensor Application Framework Based on IMS/SIP Platform

Provide a generic transport capabilities for real-time multimedia applications Supports both conversational and streaming applications

MySip.ch. SIP Network Address Translation (NAT) SIP Architecture with NAT Version 1.0 SIEMENS SCHWEIZ AKTIENGESELLSCHAFT

Ingate Firewall & SIParator Product Training. SIP Trunking Focused

4. The transport layer

Modern IP Communication bears risks

Alkit Reflex RTP reflector/mixer

Avaya Port Matrix: Avaya Communicator for Microsoft Lync 6.4. Avaya Proprietary Use pursuant to the terms of your signed agreement or Avaya policy.

Overview. Slide. Special Module on Media Processing and Communication


X-Communicator: Implementing an advanced adaptive SIP-based User Agent for Multimedia Communication

Internet Streaming Media. Reji Mathew NICTA & CSE UNSW COMP9519 Multimedia Systems S2 2007

Journal of Information, Control and Management Systems, Vol. X, (200X), No.X SIP OVER NAT. Pavel Segeč

RTP/RTCP protocols. Introduction: What are RTP and RTCP?

ABC SBC: Secure Peering. FRAFOS GmbH

Internet Streaming Media

Multimedia! 23/03/18. Part 3: Lecture 3! Content and multimedia! Internet traffic!

Part 3: Lecture 3! Content and multimedia!

Approaches to Deploying VoIP Technology Instead of PSTN Case Study: Libyan Telephone Company to Facilitate the Internal Work between the Branches

RTP: A Transport Protocol for Real-Time Applications

[MS-EUMSDP]: Exchange Unified Messaging Session Description Protocol Extension

Become a WebRTC School Qualified Integrator (WSQI ) supported by the Telecommunications Industry Association (TIA)

Sample Business Ready Branch Configuration Listings

Realtime Multimedia in Presence of Firewalls and Network Address Translation

Multimedia Protocols. Foreleser: Carsten Griwodz Mai INF-3190: Multimedia Protocols

Realtime Multimedia in Presence of Firewalls and Network Address Translation. Knut Omang Ifi/Oracle 9 Nov, 2015

Restrictions for DMVPN Dynamic Tunnels Between Spokes. Behind a NAT Device. Finding Feature Information

Secure Communications on VoIP Networks

Request for Comments: 3959 Category: Standards Track December 2004

ETSF10 Internet Protocols Transport Layer Protocols

Troubleshooting Voice Over IP with WireShark

Internet Control Message Protocol (ICMP)

Transporting Voice by Using IP

[MS-ICE2]: Interactive Connectivity Establishment (ICE) Extensions 2.0

Firewalls for Secure Unified Communications

A Review Paper on Voice over Internet Protocol (VoIP)

EarthLink Business SIP Trunking. ShoreTel 14.2 IP PBX Customer Configuration Guide

Peering Grandstream Camera & IP Multimedia Phone on door open. Configuration Guide

RTP. Prof. C. Noronha RTP. Real-Time Transport Protocol RFC 1889

Sipdex M200s IPPBX. Embedded. Support Any IP Phone. Softphone and SIP Client App

NETWORK INTRUSION. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Firewall Control Proxy

INSE 7110 Winter 2009 Value Added Services Engineering in Next Generation Networks Week #2. Roch H. Glitho- Ericsson/Concordia University

Popular protocols for serving media

Kommunikationssysteme [KS]

Information About NAT

RTP Profile for TCP Friendly Rate Control draft-ietf-avt-tfrc-profile-03.txt

INTERFACE SPECIFICATION SIP Trunking. 8x8 SIP Trunking. Interface Specification. Version 2.0

TSIN02 - Internetworking

TLS for SIP and RTP. OpenWest Conference May 9, Corey zmonkey.org. v Corey Edwards, CC-BY-SA

Network-Based Recording of Video Calls Using Cisco Unified Border Element

The Session Initiation Protocol

REACTION PAPER 01 TEL 500

VoIP. ALLPPT.com _ Free PowerPoint Templates, Diagrams and Charts

Voice over IP (VoIP)

Thomas Schmidt haw-hamburg.de. The RTP MIB. > Design of the RTP MIB > Application: Remote Multicast Monitoring

Computer Networks. Wenzhong Li. Nanjing University

Installation & Configuration Guide Version 4.0

ABC SBC: Securing the Enterprise. FRAFOS GmbH. Bismarckstr CHIC offices Berlin. Germany.

Secure Telephony Enabled Middle-box (STEM)

Media Path. Feature Information for Media Path

EDA095 Audio and Video Streaming

ICE-Lite Support on CUBE

RTCP Feedback for Congestion Control in Interactive Multimedia Conferences draft-ietf-rmcat-rtp-cc-feedback-03. Colin Perkins

UCM6102/6104/6108/6116 Configuration

Allstream NGNSIP Security Recommendations

CDCS: a New Case-Based Method for Transparent NAT Traversals of the SIP Protocol

Chapter 11: It s a Network. Introduction to Networking

ICE: the ultimate way of beating NAT in SIP

Real Time Protocols. Overview. Introduction. Tarik Cicic University of Oslo December IETF-suite of real-time protocols data transport:

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Chapter 28. Multimedia

Homework 3 Discussion

RTP implemented in Abacus

Unofficial IRONTON ITSP Setup Guide

FRAFOS ABC-SBC Generic SIP Trunk Integration Guide for ShoreTel 14.2

Mohammad Hossein Manshaei 1393

Reflections on Security Options for the Real-time Transport Protocol Framework. Colin Perkins

Multimedia in the Internet

Configuration manual. Grandstream Type: Analog Telephone Adapter. Configuration manual Grandstream Version 1.2

ARP Inspection and the MAC Address Table for Transparent Firewall Mode

Transcription:

27C3 Day 4, 17:15 Having fun with RTP Who is speaking??? kapejod@googlemail.com

Having fun with RTP Who is speaking??? Overview Short introduction to RTP RTP packet structure SIP and RTP with NAT Shortcomings of the RTP specification Finding RTP sessions Demonstration: finding all RTP session on an Asterisk server Possible exploitations Possible solutions to protect against exploitation System under test

Short introduction to RTP Realtime Transport Protocol RFC 1889 (1996), replaced by RFC 3550 (2003) Transport of multimedia streams over IP/UDP Reordering of packets Convey the timing of the sender to the receiver Used together with Voice over IP signalling protocols (H.323, SIP, MGCP) RTP and RTCP (Realtime Transport Conrol Protocol) usually referred to just by RTP RTP (usually) runs on an even numbered port, RTCP for that session on the higher odd port

RTP packet structure RTP header: Minimum length of 12 octets, (16kbit/s overhead with 20ms framesize) Sequence numer used for packet reordering Timestamp used for playback SSRC identifies the sender (32bit random value)

SIP and RTP with NAT A SIP user agent behind NAT will announce the private IP address in the SDP body, which cannot be reached from outside the local network. Typical reason for one-way audio. Can be worked around either with a SIPaware router that is proxying or redirecting the RTP to the local network OR by the remote server replying to the IP / port combination from where the received packets originated. The RTP specification does not enforce that the received packet will be coming from the same IP / port as the transmitted packets are sent to. (This special case is known as symetrical rtp ) But most RTP NAT-traversal solutions rely on this and assume that a random RTP port is good enough to protect the session against misdirected data.

Shortcomings of the RTP specification It is very difficult to validate that incoming packets are actually RTP or belong to the session (RTP header version, timestamp continuity, sequence number continuity). The only complete validation would be to wait for the first RTCP receiver report (which might take 5-10+ seconds) and many RTP devices do not implement RTCP at all. Basically anybody can send you RTP packets and you cannot find out which of the RTP streams is the correct one. (IF THEY KNOW THE PORT).

Finding RTP sessions Example: Asterisk (also works with other software, like RTPproxy) NAT-traversal support for RTP is implemented quite simple to assure that there will be no one-way-audio issues if possible. Every received packet on a RTP port overwrites the return IP / port combination, so the next packet will be transmitted to this peer. Sending several packets to the same port with a varying delay (between 2 and 10 ms) will make sure that the probability of overwriting the return address increases (the correct RTP peer will send one packet every 20 ms usually). A simple loop accross the RTP port range of the server (or the complete port range) does not take very long. For every port involved in an RTP conversation the attacker will receive a reply (with actual RTP data from the other side). By also stealing RTCP packets the attacker can find out which RTP session is connected to which other RTP session

Demonstration: finding all RTP session on an Asterisk server Demo system: Asterisk 1.6.2.16-rc1 running on an embedded system. 2 SNOM phones connected to a local network Attacker connected via the internet NO local network attack (arp cache poisoning is for children)...

Possible exploitations Denial of service Call redirection (by sending DTMFs), toll fraud... Man in the middle attacks (requires a very good timing), your homework!

Possible solutions to protect against exploitation Asterisk 1.6+ has the global option strictrtp=yes in rtp.conf (disabled by default, why?) Only accept a new packet source at the beginning of a session (first few packets), can cause problems with music on hold servers and other media sources. SIPaware firewall in front of the Asterisk server which opens the RTP port only to the IP/port combinations advertised in the SIP SDP body. (some firewalls, e.g. C*SC*, do not recognize the termination of a session reliably and leave the port open). Do not use NAT. Use a VPN instead (like the openvpn firmware for the SNOM phones) Do not accept a new media source while there are still packets being received from the original source (requires a bit of effort). SRTP? (Asterisk 1.8.0 dropped the call after receiving one single packet)

Systems under test Asterisk 1.2, 1.4, 1.6, 1.8 RTPproxy 1.2.1 SNOM phones (300, 360, 820) various firmwares Linksys 2FXS ATA Got anything to test???

Questions??? Thanks for your patience...

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback