RE: SIP based attacks??

From: Jeremiah Cornelius (jeremiah_at_nur.net)
Date: 12/03/04

    Date: Fri, 3 Dec 2004 11:30:02 -0800
    To: "Jay D. Dyson" <jdyson@treachery.net>, "Incidents List" <incidents@securityfocus.com>
    
    

    > Last I saw, the Session Initiation Protocol (SIP) was
    > being championed exclusively by Microsoft and everyone else
    > was using the IETF standard XMPP.

    This is a joke, right? I am unsure how a comment so lacking in accuracy
    or even informational content passed moderation! Nothing is actually
    contributed to the requestor's interest in _known_attacks_ on a
    widely-deployed, standard technology.

    SIP, Session Initiation Protocol, is described as an IETF RFC 3261.
    Draft participants include Avaya, Ericsson and AT&T - not Microsoft!
    http://www.ietf.org/rfc/rfc3261.txt

    SIP is an Internet-style plain-text protocol, described as analogous to
    SMTP and HTTP. The IETF charter for the SIP Working Group, with links
    to all relevant RFCs, is here for review:
    http://www.ietf.org/html.charters/sip-charter.html

    Products incorporating the SIP protocol are extensively catalogued -
    vendors include:
    AT&T, Lucent, Cisco, Ericsson, Nortel. MS is not even represented in
    this inventory:
    http://www.pulver.com/products/sip/

    Until very recently, Microsoft was a backer of an earlier, inferior
    rival to SIP - the H.323 protocol. This is evidenced in the NetMeeting
    software, which MS is currently deprecating in favor of SIP-enabling MS
    Messenger and Live Communications Server.

    --
    Jeremiah Cornelius
    CISSP CCNA MCSE+Sec
    > -----Original Message-----
    > From: Jay D. Dyson [mailto:jdyson@treachery.net] 
    > Sent: Friday, December 03, 2004 10:14 AM
    > To: Incidents List
    > Subject: Re: SIP based attacks??
    > 
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    > 
    > On Fri, 3 Dec 2004, Mark Teicher wrote:
    > 
    > > Has anyone observed SIP network based exploits such as:
    > >
    > > Malformed SIP Message attacks
    > > SIP register flooding attacks
    > > Injection of unauthorized RTP session attacks DDOS into existing RTP
    > > Flow attacks RTP session hijacking attacks
    > >
    > > in a live production network not just simulation?
    > 
    >  	Last I saw, the Session Initiation Protocol (SIP) was 
    > being championed exclusively by Microsoft and everyone else 
    > was using the IETF standard XMPP.  Moreover, most of the 
    > Microsoft SIP products were -- last time I looked -- hardly 
    > what you'd call ready for prime-time.
    > 
    >  	Heck, 99.9% of the literature I've seen on SIP is 
    > little but a valentine that Microsoft wrote to itself.  And 
    > I'm being nice here.
    > 
    >  	The most recent news on the subject that I've seen 
    > indicated that Microsoft planned a release on December 1st 
    > for the latest version of its server software which (and I 
    > quote) "aims to give companies more secure instant messaging 
    > and other corporate communications tools."
    > 
    >  	*ahem*  Microsoft offering a "secure" service?  That'll 
    > be a refreshing change from the usual MS-malware fare.
    > 
    > - -Jay
    > 
    >     (    (                                                    
    >     _______
    >     ))   ))   .-"There's always time for a good cup of 
    > coffee"-.   >====<--.
    >   C|~~|C|~~| (>----- Jay D. Dyson -- jdyson@treachery.net 
    > -----<) |    = |-'
    >    `--' `--'  `---- Doves fly in flocks.  Eagles fly solo. 
    > ----'  `------'
    > 
    > -----BEGIN PGP SIGNATURE-----
    > Version: GnuPG v1.2.6 (TreacherOS)
    > Comment: See http://www.treachery.net/~jdyson/ for current keys.
    > 
    > iD8DBQFBsKzsBYoRACwSF0cRAjXcAJ91bMTy1Vfy8zECuHmP6Rb3usQ7YwCgqQGv
    > 082LrVqg6wdkCuMqLWa8OCk=
    > =ftmn
    > -----END PGP SIGNATURE-----
    > 
    > 
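
The malformed-message and REGISTER-flooding cases named in the quoted question, seen from the detection side, as an added example that is not part of the original thread. It relies on SIP being a plain-text protocol: the mandatory header list follows RFC 3261 section 8.1.1, while the function names, the sample messages and the threshold are constructed for illustration.

```python
import re
from collections import Counter

# Header fields RFC 3261 section 8.1.1 requires in every SIP request.
MANDATORY = {"via", "from", "to", "call-id", "cseq", "max-forwards"}
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id"}  # compact forms
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")

def check_request(raw):
    """Return (method, problems) for one SIP request given as text."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None, ["bad request line"]
    method, problems, seen = m.group(1), [], {}
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            continue  # folded continuation of the previous header
        name, sep, value = line.partition(":")
        if not sep:
            problems.append("header without colon")
            continue
        name = name.strip().lower()
        seen[COMPACT.get(name, name)] = value.strip()
    problems += ["missing " + h for h in sorted(MANDATORY - set(seen))]
    cseq = seen.get("cseq", "").split()
    if "cseq" in seen and (len(cseq) != 2 or not cseq[0].isdigit() or cseq[1] != method):
        problems.append("bad CSeq")
    return method, problems

def register_flood(events, threshold):
    """events: (source_ip, raw_request) pairs from one time window."""
    counts = Counter(src for src, raw in events if check_request(raw)[0] == "REGISTER")
    return sorted(src for src, n in counts.items() if n >= threshold)

# Constructed sample messages (documentation addresses, not captured traffic).
GOOD = (
    "REGISTER sip:example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed\r\n"
    "Max-Forwards: 70\r\n"
    "From: <sip:alice@example.com>;tag=1\r\n"
    "To: <sip:alice@example.com>\r\n"
    "Call-ID: constructed-1@192.0.2.10\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Content-Length: 0\r\n\r\n"
)
BAD = GOOD.replace("Max-Forwards: 70\r\n", "").replace("1 REGISTER", "1 INVITE")
GARBAGE = "REGISTER sip:example.com\r\n\r\n"
```

The flood check counts one batch of events; the caller decides the window length and threshold that suit its registrar.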
    
