Re: denial of service attacks for H.225.0 call signalling using T CP and UDP transport
Hal purdy wrote:
With that background, our concern about a UDP based approach for handling H.225.0 messages is that a server (e.g. a Gateway or Gatekeeper) could be overwhelmed with H.225.0 Setup messages and thus be unable to serve legitimate connection requests.
I think there is a more important issue here. A UDP setup message sent to a H.323 endpoint will cause a (virtual) telephone to ring, or will leave a message on the answering machine etc. If SETUP messages can be carried over UDP then I can do this with a single packet with a faked IP address.
Applying to H.323 callsignalling the knowledge gained in thwarting TCP SYN attacks, such attacks can be prevented or at least mitigated by a careful design of the portion of Q.931 state machine which deals with the initial H.225.0 Setup message.
As far as I can tell the Q.931 state machine has to store state as a result of a SETUP message. It's possible to implement TCP so that it stores no state as a result of a SYN message, instead using a one way function to generate the initial sequence number. An implementation doing this can protect itself against an attack from thousands of faked packets per second. I can see no easy way to do this using the current H.225.0 protocol.
Thus, I think the TCP three way handshake is necessary to protect against spoofed source addresses. Setup over UDP can only be made safe by requiring strong authentication in the packets. Of course most strong authentication requires at least a three way handshake (to get the keys)...
And then Mike Moore wrote:
most of us are installing firewalls that by definition block udp?
This is another good point. Firewalls are not panaceas for everything but are a good fix for keeping insecure protocols away from the Big Bad Internet (tm). If H.225.0 over UDP isn't securable (as I believe it isn't) then no firewall or proxy will let the messages through and so all products will use TCP connections first (removing the point of UDP setups).
Andy
ps. SIP are thinking of putting an (optional) three way handshake into their UDP setup-like-message.
-- Andrew Draper - Principal Development Engineer & Firewall Administrator Madge Networks, Wexham Springs, Framewood Road, Wexham, Berks. pgp fingerprint D6 ED 72 4F 96 BB CA 2D 68 74 4C E0 CB B9 0B 3F
At 11:44 AM 5/1/98 +0100, Andrew Draper WVdevmt-WS wrote:
I think there is a more important issue here. A UDP setup message sent to a H.323 endpoint will cause a (virtual) telephone to ring, or will leave a message on the answering machine etc. If SETUP messages can be carried over UDP then I can do this with a single packet with a faked IP address.
If you are concerned about faking IP addresses, you should use read RFC 1826.
Matt Holdrege http://www.ascend.com matt@ascend.com
participants (2)
-
Andrew Draper WVdevmt-WS -
Matt Holdrege