<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://evangelyze.net/cs/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Tony's Blog : INVITE</title><link>http://evangelyze.net/cs/blogs/tony/archive/tags/INVITE/default.aspx</link><description>Tags: INVITE</description><dc:language>en</dc:language><generator>CommunityServer 2008.5 SP2 (Debug Build: 40407.4157)</generator><item><title>INVITE of Death</title><link>http://evangelyze.net/cs/blogs/tony/archive/2009/03/15/invite-of-death.aspx</link><pubDate>Mon, 16 Mar 2009 00:51:00 GMT</pubDate><guid isPermaLink="false">e99d0b66-7c3d-48f6-a7f8-df8f414b967b:230</guid><dc:creator>tony</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://evangelyze.net/cs/blogs/tony/rsscomments.aspx?PostID=230</wfw:commentRss><comments>http://evangelyze.net/cs/blogs/tony/archive/2009/03/15/invite-of-death.aspx#comments</comments><description>&lt;p&gt;Pretty cool name, huh? If you&amp;#39;re going to create a new VoIP or unified communications attack, you want to have one with panache and it is hard to get a name with more impact than the &amp;#39;INVITE of Death&amp;#39;.&lt;/p&gt;
&lt;p&gt;That said, the attack itself is not nearly as impressive as the name. SIP (Session Initiation Protocol) is one of the prevalent protocols for VoIP and unified communications, and INVITE is one of its requests. When a call is placed, the INVITE request is sent to the device being contacted. The receiving device can respond, for example, that it is TRYING, that it is RINGING, or with OK to establish the communications session.&lt;/p&gt;
&lt;p&gt;The &lt;a href="http://ims-bisf.nexginrc.org/OpenSBC-vul.html"&gt;INVITE of Death attack&lt;/a&gt; is simply a denial-of-service (DoS) attack, and it only works against one particular open source product: OpenSBC. Directing a malformed INVITE request to a vulnerable OpenSBC server will cause the server to crash.&lt;/p&gt;
&lt;p&gt;In this case, simply stripping out erroneous characters, specifically leading or trailing colons, solves the problem and protects the OpenSBC server from the INVITE of Death DoS attack. The INVITE of Death won&amp;#39;t be bringing VoIP to its knees, but it does demonstrate the similarities between SIP and HTTP and illustrates that SIP can be vulnerable to the same types of malformed packet attacks that have plagued standard network data and Web servers for years.&lt;/p&gt;
</description><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/VoIP/default.aspx">VoIP</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/VoIP+security/default.aspx">VoIP security</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/SIP/default.aspx">SIP</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/INVITE/default.aspx">INVITE</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/denial-of-service/default.aspx">denial-of-service</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/OpenSBC/default.aspx">OpenSBC</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/DoS/default.aspx">DoS</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/INVITE+of+Death/default.aspx">INVITE of Death</category></item><item><title>UC Security Threats: Call Redirection</title><link>http://evangelyze.net/cs/blogs/tony/archive/2009/01/28/uc-security-threats-call-redirection.aspx</link><pubDate>Wed, 28 Jan 2009 13:05:00 GMT</pubDate><guid isPermaLink="false">e99d0b66-7c3d-48f6-a7f8-df8f414b967b:129</guid><dc:creator>tony</dc:creator><slash:comments>1</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://evangelyze.net/cs/blogs/tony/rsscomments.aspx?PostID=129</wfw:commentRss><comments>http://evangelyze.net/cs/blogs/tony/archive/2009/01/28/uc-security-threats-call-redirection.aspx#comments</comments><description>&lt;p&gt;When initiating VoIP communications with SIP, the first part of establishing a call is that the sending or initiating system sends a SIP INVITE request. 
The receiving or called system then sends a SIP response. The response could be that the phone is ringing, or that the call is being forwarded, or a variety of other options. One set of response codes tells the initiating SIP device that the call should be redirected. Here are some examples of SIP redirection responses:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;301&amp;nbsp; -&amp;nbsp; Moved Permanently&lt;/li&gt;
&lt;li&gt;302&amp;nbsp; -&amp;nbsp; Moved Temporarily&lt;/li&gt;
&lt;li&gt;305&amp;nbsp; -&amp;nbsp; Use Proxy&lt;/li&gt;
&lt;li&gt;380&amp;nbsp; -&amp;nbsp; Alternative Service&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&amp;nbsp;&lt;img src="http://www.evangelyze.net/cs/cfs-file.ashx/__key/CommunityServer.Components.UserFiles/00.00.00.21.05/CallRedirection_5F00_Attack.jpg" alt="" /&gt;&lt;/p&gt;
&lt;p&gt;If an attacker is able to monitor or intercept the SIP INVITE requests (by executing a &lt;a href="http://www.evangelyze.net/cs/blogs/tony/archive/2009/01/26/uc-security-threats-man-in-the-middle-mitm-attack.aspx"&gt;MitM attack&lt;/a&gt;, for example), they can then spoof the INVITE response and get the initiating SIP device to reroute or redirect the call. These attacks are possible from the external Internet, particularly when using SIP trunking to connect with the VoIP provider directly, but are more likely to succeed when the attacker already has access to the internal network. A Call Redirection attack could be used to do any of the following:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Denial-of-Service: redirect calls to a non-existent destination&lt;/li&gt;
&lt;li&gt;Disrupt Communications: redirect calls to some other random destination&lt;/li&gt;
&lt;li&gt;Intercept Calls: redirect calls to a rogue device and spoof the intended call recipient&lt;/li&gt;
&lt;/ul&gt;</description><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/VoIP/default.aspx">VoIP</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/VoIP+security/default.aspx">VoIP security</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/SIP/default.aspx">SIP</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/intercept/default.aspx">intercept</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/INVITE/default.aspx">INVITE</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/call+redirection+attack/default.aspx">call redirection attack</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/denial-of-service/default.aspx">denial-of-service</category></item></channel></rss>