Real-World Attack Scenario (VoIP)

23.3
To demonstrate the possible nuisance attacks on subscribers and DDoS attack on network elements, we simulated real-world attack scenarios using IP phones from three different leading VoIP service providers, namely Vonage, AT&T Callvantage, and ViaTalk as shown in Figure 23.3. In the Internet, the SIP signaling messages exchanged between callers and callees are captured at two locations: (1) location A is in between callers and their outbound proxies; similarly, (2) location B is in between callees and their inbound proxies. At location A, we observe that in order to prevent replay attacks, the service providers challenge INVITE messages by sending 401 Unauthorized (in the case of AT&T) or 407 Proxy Authentication Required messages that include MD5 hash of user’s credential and a “nonce” value. This can only be defeated if we have the capability of modifying some header fields (that is not used in MD5 hash computation) and reconstructing the message at real time or by exploiting the implementation of some SIP proxy servers that may accept stale nonce values [6]. However, at location B, there is no such challenge/response messages leaving the subscribers exposed and vulnerable to abuse. In our example of attack scenarios, we exploit the vulnerable and mostly overlooked location B to launch many different types of attacks and some of the attacks are described in the following sections.