Network Security Incidents

RE: SIP based attacks??

Subject: RE: SIP based attacks??
Date: Fri, 3 Dec 2004 11:30:02 -0800
> Last I saw, the Session Initiation Protocol (SIP) was
> being championed exclusively by Microsoft and everyone else
> was using the IETF standard XMPP.

This is a joke, right?  I am unsure how a comment so lacking in accuracy
or even informational content passed moderation!  Nothing is actually
contributed to the requestor's interest in _known_attacks_ on a
widely-deployed, standard technology.

SIP, Session Initiation Protocol, is described as an IETF RFC 3261.
Draft participants include Avaya, Ericsson and AT&T - not Microsoft!
http://www.ietf.org/rfc/rfc3261.txt

SIP is an Internet-style plain-text protocol, described as analogous to
SMTP and HTTP.  The IETF charter for the SIP Working Group, with links
to all relevant RFCs, is here for review:
http://www.ietf.org/html.charters/sip-charter.html

Products incorporating the SIP protocol are extensively catalogued -
vendors include: 
AT&T, Lucent, Cisco, Ericsson, Nortel.  MS is not even represented in
this inventory:
http://www.pulver.com/products/sip/

Until very recently, Microsoft was a backer of an earlier, inferior
rival to SIP - the H.323 protocol.  This is evidenced in the NetMeeting
software, which MS is currently deprecating in favor of SIP-enabling MS
Messenger and Live Communications Server.

--
Jeremiah Cornelius
CISSP CCNA MCSE+Sec

-----Original Message-----
From: Jay D. Dyson [mailto:jdyson@treachery.net] 
Sent: Friday, December 03, 2004 10:14 AM
To: Incidents List
Subject: Re: SIP based attacks??

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 3 Dec 2004, Mark Teicher wrote:

> Has anyone observed SIP network based exploits such as:
>
> Malformed SIP Message attacks
> SIP register flooding attacks
> Injection of unauthorized RTP session attacks DDOS into
> existing RTP
> Flow attacks RTP session hijacking attacks
>
> in a live production network not just simulation?

      Last I saw, the Session Initiation Protocol (SIP) was 
being championed exclusively by Microsoft and everyone else 
was using the IETF standard XMPP.  Moreover, most of the 
Microsoft SIP products were -- last time I looked -- hardly 
what you'd call ready for prime-time.

      Heck, 99.9% of the literature I've seen on SIP is 
little but a valentine that Microsoft wrote to itself.  And 
I'm being nice here.

      The most recent news on the subject that I've seen 
indicated that Microsoft planned a release on December 1st 
for the latest version of its server software which (and I 
quote) "aims to give companies more secure instant messaging 
and other corporate communications tools."

      *ahem*  Microsoft offering a "secure" service?  That'll 
be a refreshing change from the usual MS-malware fare.

- -Jay

    (    (                                                        _______
    ))   ))   .-"There's always time for a good cup of coffee"-.   >====<--.
  C|~~|C|~~| (>----- Jay D. Dyson -- jdyson@treachery.net -----<) |    = |-'
   `--' `--'  `---- Doves fly in flocks.  Eagles fly solo. ----'  `------'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQFBsKzsBYoRACwSF0cRAjXcAJ91bMTy1Vfy8zECuHmP6Rb3usQ7YwCgqQGv
082LrVqg6wdkCuMqLWa8OCk=
=ftmn
-----END PGP SIGNATURE-----
