sipvicious rtp flood

Summary

Floods the target with RTP packets

What it does

Send a large number of RTP packets in a short time which may cause DoS conditions. This is especially useful when attacking call recording systems that take RTP streams as input. By default, sets up a call using the SIP protocol but may also accept calls or just skip the session initiation and start the RTP flood attack. Since the target of the attack is the RTP handling, the tool only sets up one session at a time but may send more than one RTP stream per session.

Tool functionality

The rtp flood tool sends a large number of RTP packets, typically at high rates, to the target to flood systems that process those RTP packets. This includes voice or call recording systems and debugging tools that process RTP data.

The RTP stream that is used for the attack consists of valid RTP packets with correct sequence numbers, and also valid data. This exploits the fact that some recording systems will assume that the packet rate of each individual RTP stream is not excessive. When this assumption is violated, some systems fail to handle the incoming RTP packets. Disk spaces may fill up and CPU usage may spike thus leading to denial of service.

By default, the tool sets up a call using the SIP protocol and attacks the RTP address advertised in the SDP body. Further details about the different modes can be found in the mode flag documentation.

The following is an example logging of the tool when run with the default settings:

INFO[0001] Sending INVITE to 192.168.99.2:5060 for sip:someone@example.org
INFO[0002] Call picked up by sip:else@example.org
INFO[0003] Starting RTP flood attack, using music.raw
INFO[0004] Received BYE, terminating call

Command format

sipvicious rtp flood <target1 [target2 [target3 ...]]> [flags]

Flags

      --codec strings        Specify the codec that should be used for the RTP stream (default [opus,alaw,ulaw,opus,gsm,g723,lpc,g722,g728,g729,h261,h263])
  -c, --conn-count int       Number of RTP streams to use (per target) (default 1)
  -u, --credentials string   set the username and password in the following format: username:password (e.g. 1000:test123)
  -D, --domain string        override domain name for the SIP address
      --duration duration    set maximum duration to keep the test going
  -e, --extension string     specify a target extension or SIP URI to call; if not specified, a random numeric extension is used
  -f, --from string          specify the from header address; if not specified, the from address is constructed from the credentials, otherwise a random numeric extension is used
  -m, --mode string          set mode (valid modes are sip-callee, sip-caller and rtp-stream) (default "sip-caller")
      --rate string          Specify how many packets to send for each period of time; format: packets/duration; e.g. 100/30ms
      --register             register with the specified target
      --rtp-payload string   specify the RTP payload for the audio (e.g. music.wav or 2600hz.raw) (default "music.wav")
      --templates string     Directory to search for sip template overrides (default ".")

Flags inherited from parent commands

  -C, --config string    configuration file to use (may be JSON, TOML or YAML)
      --debug            set log level to debug
      --logfile string   specify a log filename
      --srtp string      specify if either none, dtls or sdes to enforce SRTP for calls; format: method or method:parameters; see full documentation for details (default "none")

Examples

sipvicious rtp flood udp://target:5060 -e 1234 -f 2345
sipvicious rtp flood tcp://target:5060 --mode sip-callee --register -u user:pass
sipvicious rtp flood udp://0.0.0.0:5060 --mode sip-callee
sipvicious rtp flood udp://target:8000 --mode rtp-stream --rate 1/5ms --rtp-payload 2600hz.raw

Advanced examples

# register with given credentials with target and flood as the sip callee, upon an incoming call
sipvicious rtp flood udp://demo.sipvicious.pro:5060 --mode sip-callee -u 1000:1500 --register

# use a specific codec as well as a specific rtp payload, while using rtp-stream mode to flood the target
sipvicious rtp flood udp://demo.sipvicious.pro:8000 --codec alaw --rtp-payload music.wav --mode rtp-stream

# specify the opus codec using a specific rate and channels and enable debug mode
sipvicious rtp flood udp://demo.sipvicious.pro:5060 --codec opus/48000/2 --mode sip-caller --debug

# target extension 2000 from extension 1000 and rate limiting the attack
sipvicious rtp flood udp://demo.sipvicious.pro:5060 -e 2000 --from 1100 --rate 1/4ms

# specify a duration for the attack with 10 rtp streams while over-riding domain
sipvicious rtp flood udp://demo.sipvicious.pro:5060 --duration 100s -D siteonsip.tld --conn-count 10 -e 1100

# Specify multiple targets with extensions with 50 rtp streams per target
sipvicious rtp flood udp://demo.sipvicious.pro:5060 tcp://demo.sipvicious.pro:5060 -e 2000 -c 50

Exit codes

The tool returns exit code 4, i.e. network connectivity problems when the connection fails before the attack is started.

Flag: codec

Specify the codec to be supported for the SDP and also in the RTP stream. Currently supported are alaw, ulaw, opus, gsm, g723, lpc, g722, g728, g729, h261 and h263. You may pass multiple codecs by delimiting using a comma, as follows: ulaw,alaw,opus.

When rates and channels need to be passed, they can be provided after the codec name, separated by a slash. For example: opus/48000/2.

Flag: config

Specify a configuration file which may be a JSON, TOML and YAML config format. To get the default settings and figure out which settings are available, one may run the sipvicious utils dump config command. This is typically used to create a template configuration that can then be edited as need be.

These settings may be overwritten when the corresponding flag is explicitly set, if one is present.

Flag: conn-count

Specify the number of RTP streams to be started for the attack. By default, this is set to 1 but setting more than that may increase the load on the target system.

Flag: credentials

Specify valid credentials so that the registration can be done authenticated. The following format is used username:password (e.g. 1000:test123).

Flag: debug

Tells the logger to print out debug messages.

Flag: domain

A domain name can be specified so that the SIP URI contains that particular domain rather than the one specified as the target. This is useful for targets that expect a particular domain name.

Flag: duration

Specify the maximum duration of the attack so that it stops after a certain time.

Flag: extension

This flag allows users to call a particular extension, overriding the default behaviour of calling a random extension. The value can be either just the SIP extension/username (e.g. 1234) or a SIP URI (e.g. sip:user@example.org).

When the mode is set to sip-callee, this flag has no meaning.

Flag: from

This flag allows users to set the From address, overriding the default behaviour of setting a random extension or the username in the credentials when one is provided. The value can be either just the SIP extension/username (e.g. 1234) or a SIP URI (e.g. sip:user@example.org).

Flag: logfile

When the logfile flag is specified, a log file is created in the location specified and logs are generated in this file instead of being sent to standard output. If the filename ends with a .json file extension, then the output format is in JSON, otherwise it defaults to text format.

Flag: mode

The tool currently supports three modes. The default mode is to start a call with the target using the SIP protocol. If the call is picked up by the callee, the RTP flood attack is started on the RTP address advertised in the SDP body. Incoming RTP packets are received but discarded.

When the mode is set to sip-callee, the tool behaves much like the sip utils callee tool. If no register flag is passed, the tool will listen on the specified target address and wait for incoming calls. Whenever an incoming call is received, the call is accepted and the RTP flood attack is started on the RTP address advertised in the SDP body.

When the mode is set to rtp-stream, the tool simply sends RTP packets to the target address.

Flag: rate

Rate allows one to limit the probing phase below a certain rate. If the value is 100/30ms, that means that 100 packets should be spread out evenly across 30 milliseconds across all the connections per target.

Flag: register

Register may use credentials to be passed so that a REGISTER message is sent to authenticate with a registrar server before starting the call or waiting for a call to be received. The registration is maintained as per SIP standards, so that authentication does not time out.

Flag: rtp-payload

The rtp-payload parameter allows the setting of a file that is used for the RTP stream. The following file types are supported:

  • .raw, for raw audio to be passed to the RTP stream without any transcoding
  • .wav, for wave files to be transcoded for the RTP stream

Flag: srtp

The srtp flag when specified, allows users to set the SRTP mode. By default, outgoing calls do not make use of SRTP, while incoming calls automatically handle SRTP depending on the SDP body of the incoming INVITE message. When the srtp flag is set to none, incoming calls do not make use of SRTP, regardless of the SDP body in an incoming INVITE. The srtp mode can also be either dtls or sdes. In both dtls and sdes modes, the parameters are not required and will be generated randomly as need be.

Options for both dtls and sdes mode may be passed after a colon. For example:

  • TODO: --srtp dtls:cert.crt:cert.key[:ca.crt] where the first argument after the mode (dtls) is the public certificate cert.crt, then the private key cert.key and finally, the optional certificate authority file ca.crt
  • --srtp sdes:d0RmdmcmVCspeEc3QGZiNWpVLFJhQX1cfHAwJSoj where the argument is the base64 encoded cryptographic master key appended with the master salt.

Note that in the case of sdes key, the master key needs to be a valid length, which is 30 octets, for the default crypto-suite AES_CM_128_HMAC_SHA1_80.

Flag: templates

Allows one to set the template directory which is used to load (or save) the SIP templates.

To get the default SIP templates, make use of the sipvicious sip utils dump templates command.

Future enhancements

More modes

Additional modes may allow for certain flexibility especially regarding custom WebSocket protocols. External tools may be used to start a call. Such tools would need to return the actual target address to be used for the RTP stream.

Other protocols may be also natively supported, depending on specific requirements.

Detect the security issue

This tool returns exit code 3, i.e. security issue is detected when it detects SIP-level errors, such as when the call is terminated with a 5xx error, or when it detects UDP-level issues when the port appears to be closed.