Exploiting SIP for botnet communication

Andreas Berger, Mohamed Hefeeda

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

7 Citations (Scopus)

Abstract

The Session Initiation Protocol (SIP) implements methods for generic service discovery and versatile messaging. It is, therefore, expected to be a key component in many telecommunication and Internet services. For example, the 3GPP IP Multimedia Subsystem relies heavily on SIP. Given its critical role, ensuring the security of SIP is clearly a crucial task. In this paper, we analyze the SIP protocol and show that it can easily be exploited to mount effective and large-scale botnets. We do this by scrutinizing the details of the SIP protocol and show how it offers a variety of ways to conceal botnet traffic within legitimate-looking SIP traffic. Using our analysis, we implement a SIP bot and present experimental results from a real testbed network. In addition, we employ traffic statistics collected from a large telecommunication provider and discuss the implications for both botnet design and detection. Finally, we present a software tool (called autosip) to generate synthetic traffic that resembles actual SIP traffic with different controllable characteristics. The proposed tool is quite useful for researchers working in the area who may not have access to traffic dumps from actual telecommunication providers.

Original language: English
Title of host publication: 5th IEEE Workshop on Secure Network Protocols, NPSEC'09
Pages: 31-36
Number of pages: 6
DOIs: https://doi.org/10.1109/NPSEC.2009.5342244
Publication status: Published - 1 Dec 2009
Externally published: Yes
Event: 5th IEEE Workshop on Secure Network Protocols, NPSEC'09 - Princeton, NJ, United States
Duration: 13 Oct 2009 → 13 Oct 2009

Other

Other: 5th IEEE Workshop on Secure Network Protocols, NPSEC'09
Country: United States
City: Princeton, NJ
Period: 13/10/09 → 13/10/09

Fingerprint

Network protocols
Communication
Telecommunication
Telecommunication traffic
Botnet
Testbeds
Statistics
Internet

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Software
  • Electrical and Electronic Engineering

Cite this

Berger, A., & Hefeeda, M. (2009). Exploiting SIP for botnet communication. In 5th IEEE Workshop on Secure Network Protocols, NPSEC'09 (pp. 31-36). [5342244] https://doi.org/10.1109/NPSEC.2009.5342244

@inproceedings{7ad5abad68244438b0458456020c3002,
title = "Exploiting SIP for botnet communication",
author = "Andreas Berger and Mohamed Hefeeda",
year = "2009",
month = "12",
day = "1",
doi = "10.1109/NPSEC.2009.5342244",
language = "English",
isbn = "9781424448654",
pages = "31--36",
booktitle = "5th IEEE Workshop on Secure Network Protocols, NPSEC'09",

}
