denial of service attacks for H.225.0 call signalling using TCP and UDP transport

Andrew Draper WVdevmt-WS adraper at DEV.MADGE.COM
Fri May 1 06:44:33 EDT 1998


Hal Purdy wrote:
> With that background, our concern about a UDP based approach for
> handling H.225.0 messages is that a server (e.g. a Gateway or
> Gatekeeper) could be overwhelmed with H.225.0 Setup messages and thus be
> unable to serve legitimate connection requests.

I think there is a more important issue here.  A UDP setup message sent to
an H.323 endpoint will cause a (virtual) telephone to ring, or will leave
a message on the answering machine etc.  If SETUP messages can be carried
over UDP then I can do this with a single packet with a faked IP address.

> Applying to H.323 call
> signalling the knowledge gained in thwarting TCP SYN attacks, such
> attacks can be prevented or at least mitigated by a careful design of
> the portion of Q.931 state machine which deals with the initial H.225.0
> Setup message.

As far as I can tell the Q.931 state machine has to store state as a result
of a SETUP message.  It's possible to implement TCP so that it stores no
state as a result of a SYN message, instead using a one way function to
generate the initial sequence number.  An implementation doing this can
protect itself against an attack from thousands of faked packets per second.
I can see no easy way to do this using the current H.225.0 protocol.

Thus, I think the TCP three way handshake is necessary to protect against
spoofed source addresses.  Setup over UDP can only be made safe by requiring
strong authentication in the packets.  Of course most strong authentication
requires at least a three way handshake (to get the keys)...

And then Mike Moore wrote:
> most of us are installing firewalls that by definition block udp?

This is another good point.  Firewalls are not panaceas for everything but
are a good fix for keeping insecure protocols away from the Big Bad Internet
(tm).  If H.225.0 over UDP isn't securable (as I believe it isn't) then no
firewall or proxy will let the messages through and so all products will
use TCP connections first (removing the point of UDP setups).

  Andy

ps. SIP are thinking of putting an (optional) three way handshake into their
UDP setup-like-message.

--
Andrew Draper - Principal Development Engineer & Firewall Administrator
Madge Networks, Wexham Springs, Framewood Road, Wexham, Berks.
pgp fingerprint D6 ED 72 4F 96 BB CA 2D  68 74 4C E0 CB B9 0B 3F
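The stateless SYN handling Andy refers to above (no state kept per SYN, the initial sequence number derived from a keyed one-way function and checked when the third-handshake ACK arrives) is easier to reason about with a worked model. The following is an added example, not code from the original message or from any H.323 stack; the secret, the 5-bit counter layout, the constructed addresses and the use of port 1720 (the H.225.0 call signalling port) are all assumptions of the example.

```python
import hashlib
import hmac

# Constructed demo secret; a real stack uses a random, periodically rotated key.
SECRET = b"constructed-demo-secret-not-for-production"
MAC_MASK = (1 << 27) - 1  # low 27 bits of the ISN carry the keyed one-way function

def _mac(src_ip, src_port, dst_ip, dst_port, counter):
    """Keyed one-way function over the connection 4-tuple and a coarse time counter."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & MAC_MASK

def make_cookie(src_ip, src_port, dst_ip, dst_port, counter):
    """Initial sequence number to send in the SYN-ACK. Top 5 bits hold counter mod 32,
    the rest the MAC. Nothing is stored: the server regenerates the value later from
    the 4-tuple, the counter and the secret, so a flood of spoofed SYNs costs no memory."""
    return ((counter & 0x1F) << 27) | _mac(src_ip, src_port, dst_ip, dst_port, counter)

def validate_ack(src_ip, src_port, dst_ip, dst_port, ack_number, current_counter, max_age=2):
    """Accept the third-handshake ACK only if ack_number - 1 is a cookie this server
    minted for this exact 4-tuple within the last max_age counter ticks. A SYN with a
    forged source never produces such an ACK, because the SYN-ACK went to the forged
    address, so no half-open state was ever needed for it."""
    isn = (ack_number - 1) & 0xFFFFFFFF
    tag = isn >> 27
    for counter in range(current_counter, current_counter - max_age - 1, -1):
        if counter & 0x1F != tag:
            continue
        expected = make_cookie(src_ip, src_port, dst_ip, dst_port, counter)
        return hmac.compare_digest(expected.to_bytes(4, "big"), isn.to_bytes(4, "big"))
    return False

def demo():
    """Constructed scenario: one legitimate client, one forged ACK, one stale ACK.
    Returns (legit_accepted, forged_accepted, stale_accepted)."""
    server = ("192.0.2.10", 1720)  # constructed gatekeeper address, H.225.0 port
    isn = make_cookie("198.51.100.7", 40000, *server, counter=9)
    legit = validate_ack("198.51.100.7", 40000, *server, isn + 1, current_counter=10)
    forged = validate_ack("198.51.100.8", 40000, *server, isn + 1, current_counter=10)
    stale = validate_ack("198.51.100.7", 40000, *server, isn + 1, current_counter=20)
    return legit, forged, stale
```

Real SYN cookies also squeeze an MSS index into the ISN and lose most TCP options, which is the price of holding no state; the mail's point stands because an H.225.0 Setup over UDP has no such sequence-number field for a responder to echo and later verify.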