Exploiting SIP for botnet communication

2009 5th IEEE Workshop on Secure Network Protocols Pub Date : 2009-12-01 DOI:10.1109/NPSEC.2009.5342244

A. Berger, M. Hefeeda

{"title":"Exploiting SIP for botnet communication","authors":"A. Berger, M. Hefeeda","doi":"10.1109/NPSEC.2009.5342244","DOIUrl":null,"url":null,"abstract":"The Session Initiation Protocol (SIP) implements methods for generic service discovery and versatile messaging. It is, therefore, expected to be a key component in many telecommunication and Internet services. For example, the 3GPP IP Multimedia Subsystem relies heavily on SIP. Given its critical role, ensuring the security of SIP is clearly a crucial task. In this paper, we analyze the SIP protocol and show that it can easily be exploited to mount effective and large-scale botnets. We do this by scrutinizing the details of the SIP protocol and show how it offers a variety of ways to conceal botnet traffic within legitimate-looking SIP traffic. Using our analysis, we implement a SIP bot and present experimental results from a real testbed network. In addition, we employ traffic statistics collected from a large telecommunication provider and discuss the implications for both botnet design and detection. Finally, we present a software tool (called autosip) to generate synthetic traffic that resembles actual SIP traffic with different controllable characteristics. The proposed tool is quite useful for researchers working in the area who may not have access to traffic dumps from actual telecommunication providers.","PeriodicalId":307178,"journal":{"name":"2009 5th IEEE Workshop on Secure Network Protocols","volume":"23 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2009-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"12","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2009 5th IEEE Workshop on Secure Network Protocols","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/NPSEC.2009.5342244","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 12

Abstract

The Session Initiation Protocol (SIP) implements methods for generic service discovery and versatile messaging. It is, therefore, expected to be a key component in many telecommunication and Internet services. For example, the 3GPP IP Multimedia Subsystem relies heavily on SIP. Given its critical role, ensuring the security of SIP is clearly a crucial task. In this paper, we analyze the SIP protocol and show that it can easily be exploited to mount effective and large-scale botnets. We do this by scrutinizing the details of the SIP protocol and show how it offers a variety of ways to conceal botnet traffic within legitimate-looking SIP traffic. Using our analysis, we implement a SIP bot and present experimental results from a real testbed network. In addition, we employ traffic statistics collected from a large telecommunication provider and discuss the implications for both botnet design and detection. Finally, we present a software tool (called autosip) to generate synthetic traffic that resembles actual SIP traffic with different controllable characteristics. The proposed tool is quite useful for researchers working in the area who may not have access to traffic dumps from actual telecommunication providers.

查看原文本刊更多论文

利用SIP进行僵尸网络通信

会话发起协议(SIP)实现了通用服务发现和通用消息传递的方法。因此，预计它将成为许多电信和互联网服务的关键组成部分。例如，3GPP IP多媒体子系统严重依赖于SIP。鉴于SIP的关键作用，确保SIP的安全性显然是一项至关重要的任务。在本文中，我们分析了SIP协议，并表明它可以很容易地被利用来安装有效的大规模僵尸网络。我们通过仔细检查SIP协议的细节来做到这一点，并展示它如何提供各种方法来在合法的SIP流量中隐藏僵尸网络流量。在此基础上，我们实现了一个SIP机器人，并给出了在真实测试平台网络上的实验结果。此外，我们采用从大型电信提供商收集的流量统计数据，并讨论僵尸网络设计和检测的含义。最后，我们提出了一个软件工具(称为autosip)来生成与实际SIP流量相似的合成流量，具有不同的可控特性。该工具对于在该领域工作的研究人员来说非常有用，因为他们可能无法从实际的电信提供商那里获得流量转储。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2009 5th IEEE Workshop on Secure Network Protocols

自引率

0.00%

发文量