Survey of security vulnerabilities in session initiation protocol

IEEE Communications Surveys and Tutorials

Volumn 8, Issue 3, 2006, Pages 68-81

  Geneiatakis, Dimitris ^a   Dagiuklas, Tasos ^a   Kambourakis, Georgios ^a   Lambrinoudakis, Costas ^a   Gritzalis, Stefanos ^a   Ehlert, Sven ^b   Sisalem, Dorgham ^b  

^a UNIVERSITY OF THE AEGEAN   (Greece)

^b FRAUNHOFER FOKUS   (Germany)

Author keywords

[No Author keywords available]

Indexed keywords

INSTANT MESSAGING; OPEN ARCHITECTURE; QUALITATIVE ANALYSIS; SECURITY MECHANISM; SECURITY PROBLEMS; SECURITY VULNERABILITIES; SESSION INITIATION PROTOCOL; SESSION INITIATION PROTOCOLS;

COMPUTER ARCHITECTURE; INTERNET; INTERNET TELEPHONY; TELECOMMUNICATION TRAFFIC;

NETWORK SECURITY;

EID: 84881472647     PISSN: None     EISSN: 1553877X     Source Type: Journal    
DOI: 10.1109/COMST.2006.253270     Document Type: Review

References (49)

1. H. Schulzrinne, "Converging on Internet Telephony," IEEE Internet Computing, 1999.
2. U. Varshney et al., "Voice Over IP," Commun. ACM, vol. 45, no. 1, 2002
3. J. Rosenberg et al., "Sip: Session Initiation Protocol," RFC 3261, June 2002
4. M. Garcia-Martin, "Input 3rd-Generation Partnership Project (3GPP) Release 5 Requirements on the Session Initiation Protocol (SIP)," May 2005, RFC 4083.
5. R. Fielding et al., "Hypertext Transfer Protocol - HTTP/1.1," RFC 2616, June 1999.
6. J. Franks et al., "HTTP Authentication: Basic and Digest Access Authentication," Internet Engineering Task Force, RFC 2617, June 1999.
7. M. de Vivo et al., ACM SIGCOMM Comp. Commun. Review, vol. 29, no. 1, Jan. 1999.
8. J. S. Tiller, A Technical Guide to IPSec Virtual Private Networks, New York: Auerbach Publications, 2000
9. E. Rescorla, SSL and TLS: Designing and Building Secure Systems, Boston: Addison Wesley, 2001.
10. KPhone, a voice over internet phone, http://www.wirlab.net/kphone/
11. Minisip, http://www.minisip.org/index.html
12. Snom VoIP phones, http://www.snom.com/
13. M. Saito and S. Fujimoto, "Requirements for IPsec Negotiation in SIP," Internet Draft, Oct. 2005.
14. C. Rigney et al., "Remote Authentication Dial in User Service (RADIUS)," RFC 2138, Apr. 1997.
15. P. Calhoun et al., "Diameter Base Protocol," RFC 3588, Sept. 2003.
16. B. Sterman, "Digest Authentication in SIP using RADIUS," Internet Draft, Feb. 2001.
17. M. Belinchon et al., "Diameter Session Initiation Protocol (SIP) Application," Internet-Draft, Oct. 2005.
18. J. Loughney and G. Camarillo, "Authentication, Authorization, and Accounting Requirements for the Session Initiation Protocol (SIP)," RFC 3702, Feb. 2004.
19. B. Ramsdell, "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification," IETF RFC 3851, July 2004.
20. C.-C. Chang et al., "Design and Implementation of SIP Security," Lecture Notes in Computer Science, v 3391, Information Networking Convergence in Broadband and Mobile Networking-International Conf., ICOIN 2005, 2005, pp. 669-78.
21. C.-C. Yanga, R.-C. Wangb, and W.-T. Liuc, "Secure Authentication Scheme for Session Initiation Protocol," Computers & Security (2005), vol. 24, pp. 381-86.
22. J. Peterson, "Enhancements for Authenticated Identity Management in the Session Initiation Protocol," Internet-Draft, Feb. 2003
23. S. Salsano, L. Veltri, and D. Papalilo, "SIP Security Issues: The SIP Authentication Procedure and Its Processing Load," IEEE Network, vol. 16, Nov. 2002.
24. J. Peterson, "A Privacy Mechanism for the Session Initiation Protocol (SIP)," RFC 3323, Nov. 2002
25. J. Polk, "Requirements for Assured End-to-End Signaling Security within the Session Initiation Protocol," Internet Draft, July 2005.
26. K. Ono and S. Tachimoto, "Requirements for End-to-Middle Security for the Session Initiation Protocol (SIP)," RFC 4189, Oct. 2005.
27. M. Handley and V. Jacobson, "SDP: Session Description Protocol," RFC 2327, Apr. 1998.
28. H. Schulzrinne et al., "RTP: A Transport Protocol for Real-time Applications," RFC 3550, July 2003.
29. J. Bilien, E. Eliasson, and J.-O. Vatn, "Secure VoIP: Call Establishment and Media Protection," 2nd Wksp. Securing Voice over IP, Washington DC, June 2005.
30. Gibson, "Distributed Reflection Denial of Service," on-line tutorial, http://grc.com/dos/drdos.htm
31. Houle, Waver: "Trends in Denial of Service Attack Technology," CERT report, Oct. 2001, http://www.cert.org/archive/pdf/DoS-trends.pdf
32. R. Sparks, "The Session Initiation Protocol (SIP) Refer Method," RFC 3515, Apr. 2003.
33. R. Sparks, "The Session Initiation Protocol (SIP) Referred-By Mechanism," RFC 3892, Sept. 2004.
34. J. Rosenberg, "The Session Initiation Protocol (SIP) UPDATE Method," RFC 3311, Sept. 2002.
35. A. Vemuri and J. Peterson, "Session Initiation Protocol for Telephones (SIP-T): Context and Architectures," RFC 3372, Sept. 2002.
36. S. Donovan, "The SIP INFO Method," RFC 2976, Oct. 2000.
37. "MySQL open source database," http://www.mysql.com
38. "Postgress database," http://www.postgreSQL.org
39. "Oracle database," http://www.oracle.com
40. "SIP Express Router," http://www.iptel.org/ser
41. "Your Source for Open Source Communication," http://www.vovida.org/
42. C. Anley, "Advanced SQL Injection In SQL Server Applications," An NGSSoftware Insight Security Research (NISR) Publication, 2002.
43. K. Spett, "Blind SQL Injection," 2003, http://www.spidynamics. com/whitepapers/Blind-SQLInjection.pd
44. P. Finnigan, "SQL Injection and Oracle, Part One," Nov. 2002, http://www.securityfocus.com/infocus/1644
45. D. Sisalem, J. Kuthan, and G. Schäfer, "DoS Attacks on SIP Infrastructures," Voice over IP: Challenges and Solutions, GlobeCom 2004, Dallas, TX, Dec. 2004.
46. G. D. Kambourakis et al., "A Framework for Detecting Malformed Messages in SIP Networks," Proc. 14th IEEE Wksp. Local and Metropolitan Area Networks (LANMAN), Chania-Crete, Greece, Sept. 2005.
47. Y.-S. Wu et al., "SCIDIVE: A Stateful and Cross Protocol Intrusion Detection Architecture for Voice-over-IP Environments," Proc. 2004 Int'l. Conf. Dependable Systems and Networks (DSN'04).
48. D. Geneiatakis et al., "SIP Message Tampering: THE SQL Code INJECTION Attack," Proc. 13th Int'l. Conf. Software, Telecomm. and Computer Networks (SoftCOM 2005) IEEE, Split, Croatia, Sept. 2005.
49. P. Srisuresh et al., "Middlebox Communication Architecture and framework," IETF, RFC 3303, Aug. 2002.