SPAM over IP Telephony

Group Number: ______

Member Names:______

Date Assigned:

Date Due:

Last Edited:

Authored By: Manoj Deshpande and Felipe Santos

Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so that you will have time to complete the lab. Answer ALL questions and be sure you turn in ALL materials listed in the Turn-in Checklist ON or BEFORE the Date Due.

Goal

This lab will introduce you to the concept of Spam over IP Telephony (SPIT). VoIP runs over the IP protocol and therefore inherits the vulnerabilities of traditional IP networks. This lab will demonstrate how spam over an IP network can be tackled. We begin with a brief definition of SPIT and go on to discuss several SPIT prevention techniques. Then we demonstrate how a SPAM call can be prerecorded and played back, thereby automating the spammer. Finally we propose what we think is a simple algorithm to identify SPIT. There are six simple exercises in the lab. Students will learn the usage of the SJPhone, MiniSIP and SIPp user clients.

Equipment and Setup

For this lab, students will need two machines on which MiniSIP and SJPhone are installed. The TA will set up the two machines (VOIP1 and VOIP2) for all students to use. The students need to install the SIPp user agent on their RH4.0 machines. The two machines provided by the TAs are to be used to record the SPAM call. The student then uses his/her RH4.0 machine to automate SPIT to one of VOIP1 or VOIP2.

Background and Theory

Spam over IP telephony refers to annoying business calls made to your phone without your permission. These calls could be telemarketing calls, home mortgage calls, or any other calls aimed at profiteering. SPIT is touted as the next biggest threat after mail spam. Content filtering for VoIP is not advanced yet, and, unlike email spam, the threat of SPIT is real time. Most researchers predict SPIT will reach annoying proportions in the next couple of years.

SPIT Defense Techniques

Any SPIT prevention technique must aim to do the following.

  • It must minimize the probability of blocking legitimate calls.
  • It must maximize the probability of blocking SPIT calls.
  • It should minimize the interaction required of the callee to determine whether a call is SPIT.
  • It should limit the inconvenience caused to a caller who tries to place a legitimate call.
  • It should be general enough to apply to different types of environments (e.g. office, home), different cultures, different languages and so on.

There is no single approach as of today which achieves all of the above. Hence SPIT is still an unsolved research problem. Some of the techniques suggested by researchers are:

  • Usage of White lists and Black Lists

The possibility of IP spoofing will defeat blacklisting. Hence a mechanism to ensure dynamic updating of the lists will be needed.

  • Trust Establishment

There is significant research at Georgia Tech on these grounds. The duration of a call is used to decide the trustworthiness of a caller. Based on the duration, circles of trust are built, and only calls from those trusted are allowed.

  • Pattern Anomaly Detection using statistical and deterministic rules

This could be built with state machines for the protocols which define VoIP, for example SIP and RTP state machines.

  • Grey Listing

This is a technique to build blacklists with intelligence. Each caller is assigned a level, and any caller who crosses the threshold will be barred from making any further calls.

  • Computational Puzzle

A human and a computer can be differentiated by asking the caller a computational puzzle.

  • Turing Test

Audio CAPTCHAs are still in their nascent stages, and efforts to make audio CAPTCHAs with the fewest false positives are ongoing.

  • Consent Based Communication

This refers to ensuring authorization for all calls made. This could be done with certificates, or with shared key authentication.

  • Content Filtering

Although there has been significant work on mapping voice to text, content based filtering of voice calls is not in place yet. The difficulty lies in the more fundamental problem of voice recognition.

An alternative strategy could be the following: when the caller makes a call, the callee answers the call and plays back a ring tone. To a normal caller this will appear as though his/her call has not been answered yet, and he/she will continue to wait. If the caller is an automated spammer, the calling program will immediately start playing a spam message. Based on what the callee hears upon receiving the call, the caller can be identified as a spammer or not. This is attempted in section 4 of the lab.

Pre Lab Scenario:

Ensure that MiniSIP and SJPhone are both set up on the VOIP1 and VOIP2 machines. Please consult your manual for lab 3 in case of any problems with MiniSIP. If SJPhone is not installed, use the precompiled binaries on the NAS server.

Section 1: VoIP Authentication

In this section we use MiniSIP to make VoIP calls using shared key authentication. Both the caller and callee share a secret key for authentication.

On VOIP1 and VOIP2

Inspect the setting for your default account.

Go to File->Preferences.

Select Security Tab.

Check ‘Use secured outgoing calls if possible’

Select ‘Pre Shared Key’ from the drop down menu in ‘Preferred KA’

Check ‘Enable Pre-Shared Key agreement’

Type in ‘GroupNumber:ECE4112’

Press OK.

Now, on one of the machines, change the pre-shared key, leaving the key on the other machine as before. Try calling the other machine.

Question 1

Take a screenshot of what you observe.

Question 2

Is there a way to beat this authentication mechanism?

SECTION 2: Create own SPAM call

In this section, you are required to create your own annoying spam call. For this you use the SJPhone user agent. The VoIP traffic is captured with Ethereal and a pcap file is saved.

On both VOIP1 and VOIP2

Go to the directory where SJPhone is installed.

Type ./sjphone

Go to Phone->Preferences->User Information

Type in VOIP1 if you are on VOIP1 machine, type in VOIP2 if you are on VOIP2 machine.

Start Ethereal, and start capturing packets.

Type the IP address of the other machine into SJPhone, and make a call.

Speak an annoying message into the microphone!

Hang up and stop Ethereal.

In Ethereal, go to File->Save As. Specify a name for your SPAM message. Let's call it SPIT.pcap.

You have now created a SPAM call. This packet dump will be used to automate SPIT.

On VOIP1 machine

Put the user on do not disturb mode.

Go to Phone. Check Do Not Disturb.

Now try calling VOIP1 from VOIP2

Question 3

Take a screenshot of what you observe on VOIP2.

Hint: You may have to be quick to observe a message and take a screenshot.

SECTION 3: VoIP Traffic Generator

SIPp is a SIP traffic generator. The tool is highly flexible and easy to use, and is ideal for creating SIP calls at a predefined rate with user-defined scenarios. SIPp can operate as a server or as a client. In either case, its behavior is defined by XML files, each of which contains the definition of what is termed a scenario. A user can define how SIPp should behave simply by creating his/her own XML file and specifying it as an option to SIPp.

Students are encouraged to play around with this tool. There are many interesting features to be explored in SIPp.

On RH4.0 Machine:

Get the SIPp installation file from NAS server.

Untar the file

Go to the sip_packages directory and type

rpm -i sip-pcapplay-ossl-2.0.1-linux-2.6-intel.rpm

SIPp is now installed on your machine. Type ‘sipp’ at the prompt, a complete ur

On RH4.0 Machine

Start SIPp in client mode and server mode in two separate terminals. A typical client mode should appear as below.

Question 4:

What is the command to ensure the client makes 1 call every 10 seconds?

Question 5:

What is the command to ensure the client does not specify ‘local host’, but instead the host IP address, in the ‘from’ address of the call?

Question 6:

What is the command to ensure the uac_pcap.xml scenario is used?

Question 7:

Suppose you want to use the SIPp client with a non-SIPp server. How would you ensure interoperability? Hint: Not all user agents follow the same sequence of messages of the SIP protocol. Exploit the SIPp capabilities.

There are three xml files provided on NAS for this section. They are uac.xml and uac_pcap.xml (both for a client) and uas.xml (for a server). Each of these describes a scenario; change the scenarios and observe how the behavior changes.

Open the uac_pcap.xml file and observe the exact sequence of messages sent to the server. Also note how we can alter what message we want to receive after a particular SIP protocol message.

On RH4.0 machine

Familiarize yourself with the uac_pcap.xml file, and edit it to ensure the SPIT.pcap message will be played back upon connection. SPIT.pcap was created in the previous section.

Question 8:

What changes did you make in the xml file?

On VOIP1 machine

Start SJPhone, and make sure it is not in do not disturb mode. Also disable pre-shared secret sharing.

On RH4.0 machine

Type a command to connect to SJPhone on the VOIP1 machine. Accept the call on SJPhone, and you should be able to hear the SPIT message you created!

Have your TA check you off for the VoIP conversation accomplished.

TA CHECKOFF: ______

Question 9:

What was the command you gave so you could hear your own SPIT message?

SECTION 4: Spoofing in VoIP

As we mentioned earlier, caller ID spoofing is very easy in VoIP. Using SIPp we make a call to the VOIP1 machine. Although the call comes from your RH4.0 machine, we can make it appear to come from a forged user.

On RH4.0

Change the xml file to ensure the source of your calls is ‘Forged User@ Forged IP’.

Make a call using the xml file to the VOIP1 machine.

On VOIP1 machine

Start Ethereal.

Start SJPhone.

The incoming call must look like this

And ethereal capture must appear as below

Question 10:

What were the changes made to the XML file?

GREYLISTING TO DETECT SPAM

Grey Listing is a technique to identify spammers. A threshold level is defined, and callers who cross the threshold are marked as spammers and added to the blacklist. The threshold can be based upon several factors like call duration, previous caller history, or simply the number of calls made in the last few minutes.

Here we present an approach where the number of calls made in the last M minutes is used to track the spammer. Each caller starts with a level of zero. Every call made within the last M minutes will cause the caller's grey level to go up. Also, the grey level goes down by a value N for every minute elapsed between two of the caller's calls. There is a counter to track the number of calls made in the last M minutes. Each call comes with a timestamp, and the timestamp is checked to alter the counter value.

The pseudocode will appear like this:

For every call:
    Check the timestamp on the call and the timestamp on the caller's last call.
    If (Current_call_timestamp - Last_call_timestamp > M)
        Allow the call to go through, set counter = 1
    If (Current_call_timestamp - Last_call_timestamp < M)
        Increment counter by 1.
        Compute grey level G for the call.
        If G < Threshold (T), allow the call
        Else deny

Note that the grey level of a caller decreases by N every minute. Hence there is an incentive not to call repeatedly.

Computation of Grey Level

We want the grey level to depend on

  1. The number of calls made in the last M minutes
  2. The previous value of grey level.

Hence the equation for grey level computation could be:

Grey Level = Previous Grey Level + W * (Counter / M)

W is the weight assigned to the count of calls. The threshold can be computed from the maximum number of calls which a user is willing to tolerate; the user configures this value.

Hence mathematically, the relation between the terms will be as follows.

T = 0 + W * (MaxCount) / M    (the previous grey level is taken as 0 and the counter as MaxCount)

Therefore M * T = W * MaxCount.

For example, say a user allows 2 calls in 10 minutes. Then the threshold T = W * 2 / 10 = 0.2 W.

Weight W can be computed when the experiment is setup.

The above algorithm is not hard to implement. Although due to lack of time we have skipped this part, students can attempt to implement this algorithm. The NEC paper talks of maintaining two grey levels, one for the short term and one for the long term. Any Java based SIP softphone will contain methods for call control. The call handler can be changed to include the above algorithm.
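The greylisting algorithm above, implemented as an added example that is not part of the original lab. M, N, W, MaxCount and T follow the handout's symbols and pseudocode; the parameter values and the call trace are constructed, and Python is used here rather than the Java softphone the text mentions.

```python
from dataclasses import dataclass

@dataclass
class CallerState:
    last_ts: float   # minute at which this caller's previous call arrived
    counter: int     # calls seen inside the current M-minute window
    grey: float      # current grey level G of the caller

class GreyLister:
    """Grey-level filter; M, N, W, MaxCount and T are the handout's symbols (values constructed)."""

    def __init__(self, M=10.0, N=0.01, W=1.0, max_count=2):
        self.M, self.N, self.W = M, N, W
        self.T = W * max_count / M      # T = W * MaxCount / M  (2 calls in 10 min -> 0.2 W)
        self.state = {}                 # caller id -> CallerState
        self.blacklist = set()          # callers whose grey level crossed T

    def on_call(self, caller, ts):
        """Return 'allow' or 'deny' for a call from `caller` arriving at minute `ts`."""
        if caller in self.blacklist:    # already marked as a spammer
            return "deny"
        st = self.state.get(caller)
        if st is None:                  # first call ever: level starts at zero
            self.state[caller] = CallerState(ts, 1, 0.0)
            return "allow"
        elapsed = ts - st.last_ts
        st.last_ts = ts
        # the grey level decays by N for every minute between two calls
        st.grey = max(0.0, st.grey - self.N * elapsed)
        if elapsed > self.M:            # quiet for more than M minutes: allow, counter = 1
            st.counter = 1
            return "allow"
        st.counter += 1                 # another call inside the window
        st.grey += self.W * (st.counter / self.M)   # G = PrevG + W * (Counter / M)
        if st.grey < self.T:            # strict '<' as written in the handout
            return "allow"
        self.blacklist.add(caller)      # crossed the threshold: blacklist the caller
        return "deny"

def run_trace(calls, **params):
    """Feed constructed (caller, minute) records through one GreyLister."""
    gl = GreyLister(**params)
    return [(c, t, gl.on_call(c, t)) for c, t in calls]

# Constructed trace: 'friend' calls twice, 30 minutes apart; 'spitter' redials every minute.
TRACE = [("friend", 0), ("spitter", 0), ("spitter", 1), ("spitter", 2), ("friend", 30), ("spitter", 45)]

if __name__ == "__main__":
    for caller, minute, verdict in run_trace(TRACE):
        print(f"t={minute:>3} min  {caller:8s} -> {verdict}")
```

With the handout's own figures (2 calls in 10 minutes, T = 0.2 W) the strict comparison denies the second call inside the window, so the MaxCount value should be chosen one higher than the number of calls the user actually wants to let through.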

CONCLUSIONS

In this laboratory we studied simple techniques to prevent VoIP spam. The exercise created is meant to introduce students to this evolving field. VoIP spam will become a major issue in the coming years, and we should expect a significant number of papers in this research area. Although there is no dedicated tool for SPIT yet, we should see one very soon.

REFERENCES

  1. Prevention of Spam over IP Telephony: Juergen Quittek, Saverio Niccolini, Sandra Tartarelli, Roman Schlegel.
  2. Voice Spam Control with Gray Leveling: Dongwook Shin and Choon Shim.

How long did it take you to complete this lab? Was it an appropriate length lab?

What corrections and/or improvements do you suggest for this lab? Please be very specific, and if you add new material give the exact wording and instructions you would give to future students in the new lab handout. You may cross out and edit the text of the lab on previous pages to make minor corrections/suggestions. General suggestions like "add tool xyz to do more capable scanning" will not be awarded extra points even if the statement is totally true. Specific text that could be cut and pasted into this lab, completed exercises, and completed solutions may be awarded additional credit. Thus if tool xyz adds a capability or an additional or better learning experience for future students, here is what you need to do. You should add that tool to the lab by writing new detailed lab instructions on where to get the tool, how to install it, how to run it, what exactly to do with it in our lab, example outputs, etc. You must prove with what you turn in that you actually did the lab improvement yourself. Screen shots and output hardcopy are a good way to demonstrate that you actually completed your suggested enhancements. The lab addition section must start with the form “Laboratory Additions Cover Sheet” which may be found on the class web site.

Turn-in Checklist

Answers to all questions

TA Checkoff

2 screen shots

ACKNOWLEDGEMENT

We would like to thank the TAs for their splendid support in setting up the MiniSIP experiment. This lab taught us the intricacies of VoIP and gave a good introduction to the problems with VoIP. There are several enhancements that students can perform for this emerging topic of SPIT. Finally we would like to thank Professor Dr. Owen for his support right through the semester.

TA INSTRUCTIONS

Students will need two machines, VOIP1 and VOIP2, for this exercise. We had several issues setting up MiniSIP, and if students are attempting to set up MiniSIP on their own, please advise them not to spend time resolving the dependencies on the Linux machine. On each of the machines, the TA should set up SJPhone. The setup file for it will be provided by us on the CD. The sound cards on each of the machines should be checked; TAs can check this by setting up SJPhone on each machine and checking if the call goes through.

ANSWER KEY

1.


2. There could be dictionary attacks on this scheme. The same weaknesses of shared key authentication still apply to this scheme; dictionary or brute force attacks will be correct answers.

3.

4. sipp -r 1 -rp 10000

5. sipp -i 57.35.6.X (if 57.35.6.X is the IP address of the student's machine)

6. sipp -sf /root/uac_pcap.xml

7. The scenario file has to be edited. Typically clients have their own sequence of messages in the SIP protocol. The students can run Ethereal and capture the exact sequence of messages sent by a non-SIPp client (MiniSIP for example). Then, on the SIPp machine, they can edit the xml file to include or exclude messages. (For example, MiniSIP does not send the 100 message which the SIPp client expects by default.)

8. Edit the location of the pcap dump in the xml file.

9. sipp -i 57.35.6.x -mi 57.35.6.x -s voip1 -r 1 -rp 10000 -sf /root/uac_pcap.xml 57.35.6.6:5060 (if 57.35.6.6 is the IP of the VOIP1 machine).

10. Look for the local IP and local port specification in the xml file. The username can be changed, and so can the IP address which goes into the SIP packet.
