IP spoofing

The general description of this attack is located here: IP spoofing

In the context of VoIP, this attack is used as follows.

The attacker finds an ISP that does not check that the source IP address of a packet belongs to the host that actually generated it.
This gives the attacker a chance to send IP packets into the network with an arbitrary source IP address.
The attacker tries well-known addresses of VoIP companies.
Because many interconnections between VoIP companies rely on IP address authentication only, the attacker manages to guess an IP address that your switch recognizes as your partner's.
These calls are authenticated on your Softswitch as your real partner's calls and are routed to terminators.
Because return packets are delivered to the real owner of the IP address, and not to the attacker who spoofed it, your real partner will see a strange picture: inbound 183 Progress, 180 Ringing, and 200 OK responses to calls that he never sent to you.
In fact, this is how we noticed this attack several times: a partner notified us about the strange activity.
Most likely, your real partner will not respond to these packets, and Smartswitch will repeatedly try to deliver the 200 OK using the Retransmit mechanism.
In the end, Smartswitch will hang up the call on Retransmit timeouts, because it cannot deliver the 200 OK to your real partner, but precious seconds of the call may already count as answered and end up in the invoice that the terminator sends to you and that you send to your customer.
In turn, your partner may decline to pay for it, saying he never sent these calls to you.
And he will be right, although your CDR will show your partner's IP address.

Due to the specifics of the attack, only SIP over UDP with IP-address-only authentication is prone to it.
Unfortunately, this is the most widely used interconnection method nowadays.
Switching to SIP over TCP, SIP over TLS, H323 or IAX2 eliminates this threat, because these protocols use a two-way connection (via TCP or emulated via UDP) and the attacker won't be able to connect.
SIP over TLS is the most secure method because the connection involves SSL certificate exchange and verification.
For SIP over UDP, adding a password will help.

For SIP over UDP, Smartswitch uses Fail2Ban to minimize losses from this type of attack.
Fail2Ban uses the following logic: block IP addresses for which we see many Retransmit timeouts, on suspicion of IP spoofing.
Please note that while the block is in place we won't accept calls from the real originator either, because there is no way to distinguish calls originated by the real partner from calls generated by the attacker: we see them coming from the same IP address.
We will also block peers when Retransmit timeouts are caused by a bad network connection; we cannot distinguish that case either.
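
The blocking logic described above, as an added example (not Smartswitch's own code or its Fail2Ban configuration): it counts Retransmit timeouts per peer IP in a sliding window and reports the addresses that cross a threshold. The log format, the threshold, the window and the addresses are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption, not Smartswitch's real log layout).
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"retransmit-timeout reply=200 peer=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b"
)

def find_ban_candidates(lines, max_timeouts=3, window=timedelta(minutes=10)):
    """Return {peer_ip: timestamp of the timeout that crossed the threshold}.

    max_timeouts and window are assumed values; the page gives no thresholds.
    Lines are expected in chronological order.
    """
    recent = defaultdict(deque)  # peer_ip -> timeout timestamps inside window
    banned = {}
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # answered calls and other events are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop timeouts older than the window
            q.popleft()
        # The key is the source IP only: a ban also cuts off the real partner.
        if len(q) >= max_timeouts and m["ip"] not in banned:
            banned[m["ip"]] = ts
    return banned

# Constructed sample: 192.0.2.10 is the spoofed partner address,
# 198.51.100.7 is a peer with occasional timeouts from a bad link.
SAMPLE_LOG = [
    "2024-01-01 10:00:05 retransmit-timeout reply=200 peer=192.0.2.10 call=a1",
    "2024-01-01 10:01:10 call-answered peer=203.0.113.5 call=b1",
    "2024-01-01 10:02:40 retransmit-timeout reply=200 peer=192.0.2.10 call=a2",
    "2024-01-01 10:03:00 retransmit-timeout reply=200 peer=198.51.100.7 call=c1",
    "2024-01-01 10:04:15 retransmit-timeout reply=200 peer=192.0.2.10 call=a3",
    "2024-01-01 10:30:00 retransmit-timeout reply=200 peer=198.51.100.7 call=c2",
    "2024-01-01 10:55:00 retransmit-timeout reply=200 peer=198.51.100.7 call=c3",
]

if __name__ == "__main__":
    for ip, ts in find_ban_candidates(SAMPLE_LOG).items():
        print(f"ban {ip} (threshold crossed at {ts})")
```

With these assumed values the peer on the bad link stays below the threshold because its timeouts are spread out; a tighter cluster of network-caused timeouts would be banned exactly like the spoofed address.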
