How to Protect Against SIP Password Guessing Attack

Dictionary-based attacks against SIP accounts can compromise user credentials at an alarming speed: 40 attempts per second try out all Oxford Advanced Learner’s Dictionary entries in less than 40 minutes. Compromised accounts are often used to make expensive calls and/or access someone else’s voicemail. It is therefore advisable to place a Session Border Controller (SBC) in front of VoIP infrastructure to stop such attempts before it is too late. We show how to configure an ABC-SBC to use auto-blocking if there are too many failing authentication attempts.

In this use case, a dictionary attack on an SBC will be mounted during the cloud formation process. You will be able to observe it in the Monitor and introduce address auto-blocking in the SBC. Once auto-blocking is turned on, the attacks will be blocked, which can again be seen in the Monitor.

How to Use It

To start the cloud formation process visit the following link:

Once the cloud formation process completes, wait a few more minutes to see how a simulated attack develops. In the Cloud Formation Outputs, there is a link to the Monitor and the SBC. If you open the Monitor link, you will find a series of failing authentication attempts in the Security Dashboard, one event every second.

In the next step, you will enable auto-blacklisting for the offending Call Agent’s IP address. To do so, open the Outputs link to the SBC administrative interface in the Cloud Formation template, log in using the password in Outputs, and in the menu “Realms” click the “SIP_INBOUND” Call Agent under the “Public” realm. In the “Firewall Blacklisting” tab, turn on the “Auth” checkbox.

After you commit your configuration change, the effect should be seen in the Monitor almost immediately. The series of failing authentication attempts will be interrupted by a blacklisting event. The event shows that the source address which was repeatedly failing to authenticate is now being blocked. If you keep watching the Security Dashboard longer, you will find that the IP address ban times out after a period of time, and as long as the offending traffic source continues sending its traffic, it will be banned again.
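To make the ban/time-out/re-ban cycle described above concrete, here is a simplified model of per-source auth-failure blacklisting written for this page (it is not ABC-SBC code; the failure threshold, counting window and ban duration are assumed values, and the log lines are constructed). It replays one failed guess per second from a single address and records the blacklisting events a Monitor would show:

```python
from collections import defaultdict, deque

# Assumed policy parameters (constructed for this example, not ABC-SBC defaults).
FAIL_THRESHOLD = 5    # failures within WINDOW that trigger a ban
WINDOW = 10.0         # seconds over which failures are counted
BAN_SECONDS = 30.0    # how long a source stays blocked before the ban times out


class AuthBlacklist:
    """Per-source-IP auto-blacklist driven by failed authentication attempts."""

    def __init__(self, threshold=FAIL_THRESHOLD, window=WINDOW, ban=BAN_SECONDS):
        self.threshold, self.window, self.ban = threshold, window, ban
        self.failures = defaultdict(deque)   # src_ip -> timestamps of recent failures
        self.banned_until = {}               # src_ip -> time at which the ban expires
        self.events = []                     # blacklisting events, as a Monitor would list them

    def handle(self, ts, src_ip, outcome):
        """Return 'drop' if the request is blocked by a ban, otherwise 'forward'."""
        until = self.banned_until.get(src_ip)
        if until is not None:
            if ts < until:
                return "drop"
            del self.banned_until[src_ip]    # ban timed out; the source is allowed again
        if outcome == "auth_failed":
            recent = self.failures[src_ip]
            recent.append(ts)
            while recent and ts - recent[0] > self.window:
                recent.popleft()             # forget failures outside the window
            if len(recent) >= self.threshold:
                # Note: blocking by IP also blocks every account behind a shared NAT address.
                self.banned_until[src_ip] = ts + self.ban
                recent.clear()
                self.events.append((ts, "blacklisted", src_ip))
        return "forward"


def replay(lines, blacklist=None):
    """Feed constructed log lines of the form 'ts src_ip outcome' through the policy."""
    blacklist = blacklist or AuthBlacklist()
    decisions = []
    for line in lines:
        ts, src_ip, outcome = line.split()
        decisions.append(blacklist.handle(float(ts), src_ip, outcome))
    return decisions, blacklist.events


# Constructed log: one failed guess per second for a minute from a documentation-range
# address, plus one legitimate registration from another address at t=3.
SAMPLE_LOG = [f"{t} 198.51.100.7 auth_failed" for t in range(60)] + ["3 203.0.113.5 auth_ok"]
SAMPLE_LOG.sort(key=lambda line: float(line.split()[0]))
```

With these parameters the attacker is banned at t=4, the ban expires at t=34, and the continuing traffic earns a second ban at t=38, while the legitimate address is never affected.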

What Is Orchestrated

There are four machines running: a Session Border Controller (m3.medium), a machine simulating a dictionary attack (t2.micro), a Monitor to display the network situation (t2.medium), and a machine representing the protected infrastructure (t2.micro). The protected machine is a Kamailio server that sends a 401 authentication challenge to all requests. The attacking machine is implemented using the sipsak CLI and tries out a dictionary to find a password at the speed of one guess per second.

What Else You Should Know

You may be surprised that auto-blacklisting is by default turned off for failing authentication attempts. However, think of the following case: at a home behind a NAT, one SIP account is using a wrong password. If this home’s IP address is blocked, all other SIP accounts behind this NAT will be locked out as well. Therefore it really comes down to the specific scenario and intended policy strength when you choose your security configuration. A complex policy of course needs to be resilient against more than one specific attack. The SBC must therefore also provide protection against attacks with unknown patterns. That is, for example, what the ABC-SBC feature “greylisting” does. Contact Frafos professional services should you be devising more complex VoIP security policies.