Skip to main content

VoIP DDoS, the OpenSIPS security audit and more

Published on Oct 20, 2021

Welcome to the first RTCSEC newsletter! Please do reply and tell me what you think - this will help us make future editions better.

In this edition, we cover:

  • The OpenSIPS security audit
  • The DDoS attacks on VoIP providers
  • My upcoming talk at ClueCon 2021
  • Fred Posner’s talk from Kamailio World 2021
  • Two presentations of interest from OpenSIPS Summit 2021
  • Short news and commentary

RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.

What is RTC security anyway? Real-time communications security is what determines if you can communicate in real time in a safe way - whether it be with other humans or, often, machines.

You may sign up to receive the RTCSec newsletter here. Do:

  • forward this to that person who may find this newsletter particularly fruitful.
  • let me know if we should include or cover any RTC security news.

To view past issues, please visit our website at https://www.enablesecurity.com/newsletter/.

Our news

The OpenSIPS security audit

Following fundraising by the OpenSIPS community, we are right now busy with the security audit on OpenSIPS. We did discover various security issues already but are not yet done. Some fixes are already in the codebase and we look forward to publishing the findings when the time is right.

Further reading:

The fund raising of this project was overfunded. The best comment we saw about this implied that someone discovered an integer overflow in the payment system.

DDoS attacks on VoIP providers in relationship to pentesting

I wrote about the distributed denial of service attacks happening on VoIP providers and how this relates to what we see during our DDoS simulation tests. The first post spoke about VoIP.ms and the UK providers and how the attacks appeared to be primarily volumetric. Then I highlighted how application-level DDoS is also a huge problem for SIP servers and explained how we test for this and possible mitigation.

The second post focused on the volumetric nature of the attacks and how during application DDoS testing, we often hit bandwidth limits. I tried to explain how this vulnerability is really widespread and the importance that providers give it the attention that it deserves.

The two posts can be read in their entirety here:

DDoS simulation (advert)

As part of our security audit and pentest services, we simulate DDoS attacks on RTC applications and infrastructure. Ask us to learn more or reply to this email.

ClueCon: Killing bugs … one vulnerability report at a time

On Thursday, October 28th, Sandro Gauci will give a talk (virtually) at the ClueCon conference. The conference is happening virtually and online. The talk is called Killing bugs … one vulnerability report at a time with the following synopsis:

Sandro tells the story of how he and his security team came across vulnerabilities in FreeSWITCH, verified the security issues in lab environment, reported them upstream and finally worked with the FreeSWITCH developers to get them fixed. We will explore where security testing has value, how software can greatly benefit from this process of vulnerability reporting, fixing, etc., and also talk a bit about the process, and help you to better understand the impact of such vulnerabilities.

Kamailio World and OpenSIPS Summit 2021

SIP Attack Handling by Fred Posner

Fred gave a great presentation about SIP based attacks and how to handle them with Kamailio.

His recommendations:

  • use the Pike module
  • use the secfilter module, which is a relatively new module
  • a combination of other modules, e.g. htable, dmq and various others

The talk is practical and has useful examples of how to configure Kamailio to protect against various common attacks that any SIP server on the Internet will be facing.

Also, Fred picks on fail2ban - which earns him extra marks in my book. Instead, he recommends a new project of his called iptables-api together with APIBAN.

References:

Two presentations at OpenSIPS Summit 2021 that cover some security topics

  • OpenSIPS summit 2021 - Alan Quayle - Key Notes - Open Source Telecom Survey 2021 Results & Discussion
    • https://www.youtube.com/watch?v=JZ1hFDWlcFs&t=330s
    • Alan’s survey covers a large number of topics, but most interestingly for us is the coverage of security vis a vis RTC developers and providers. Some insightful results there, mainly indicating that more effort is needed in this area. It is clear that we have a lot to do.
  • OpenSIPS summit 2021 - Maksym Sobolyev - OpenSIPIt - Bringing InterOp Testing to the Heart of the Community
    • https://www.youtube.com/watch?v=kyu_wDcO0S4&t=300s
    • This is a presentation about OpenSIPIt which is an interop testing event. We have participated at this event and helped test implementations of new features such as STIR/SHAKEN and RFC8760. Thanks to OpenSIPIt, we discovered vulnerabilities in some open-source implementations of these new features before they could make it to production.

RTC security consultancy (advert)

We have been doing RTC security consultancy for years, but it took rebranding to put a page advertising the fact that yes, indeed we do consultancy. It’s mostly in the area of security testing which is where we excel, as well as advice when it comes to security architecture. We think that many developers and security officers would benefit from getting a second opinion when making critical security decisions. If that sounds useful, let me know.

Check out our consultancy page here: https://www.enablesecurity.com/consultancy/, or get in touch by replying.

Short news and commentary

This newsletter was prepared by Sandro Gauci and the Enable Security team for the RTCSec newsletter subscribers. If you have someone in mind who would benefit from our content, please do share.

To subscribe: here