Dimitris Geneiatakis - Academia.edu
Papers by Dimitris Geneiatakis
Towards Effective SIP load Balancing. Third Annual VoIP Security Workshop, 07/06/2006, University of the Aegean, Laboratory of Information & Communication Systems Security, http://www.aegean.gr/Info-Sec-Lab. Georgios Kambourakis, Dimitris Geneiatakis, Tasos Dagiuklas, Costas Lambrinoudakis and Stefanos Gritzalis. This work was partially funded by the European Commission in the horizontal research activities involving SMEs - Co-Operative Research in the project SNOCER ...
Although privacy is often seen as an essential right for internet users, the provision of anonymity can also provide the ultimate cover for malicious users. Privacy Enhancing Technologies (PETs) should not only hide the identity of legitimate users but also provide means by which evidence of malicious activity can be gathered. This paper proposes a forensic investigation technique, which can be embedded in the framework of existing PETs, thereby adding network forensic functionality to the PET. This approach introduces a new dimension to the implementation of Privacy Enhancing Technologies, which enhances their viability in the global network environment.
It is well known that no security mechanism can provide full protection against a potential attack. There is always a possibility that a security incident may happen, mainly as a result of a new or modified attack that the employed countermeasures cannot handle or identify. It is therefore useful to perform a deferred analysis of logged network data, in an attempt to identify abnormal behavior/traffic that flags some type of security incident that has not been detected by the security countermeasures. Such an analysis of logged data for critical real time applications, like VoIP services, is certainly a valuable tool for enhancing the security level of the provided service.
Telecommunication Systems, 2007
The advent of Voice over IP (VoIP) has offered numerous advantages but, at the same time, it has introduced security threats not previously encountered in networks with a closed architecture like the Public Switch Telephone Networks (PSTN). One of these threats is that of signaling attacks. This paper examines the signaling attacks in VoIP environments based on the Session Initiation Protocol (SIP), focusing on the design of a robust lightweight protection mechanism against them. The proposed scheme introduces a new SIP header, namely the Integrity-Auth header, which is utilized for protecting the SIP-based VoIP services from signaling attacks while ensuring authenticity and integrity.
Computers & Security, 2008
The work presented in this paper has focused on the SIP protocol. However, generalization to other signaling protocols is possible.
DNS amplification attacks massively exploit open recursive DNS servers mainly for performing bandwidth consumption DDoS attacks. The amplification effect lies in the fact that DNS response messages may be substantially larger than DNS query messages. In this paper, we present and evaluate a novel and practical method that is able to distinguish between authentic and bogus DNS replies. The proposed scheme can effectively protect local DNS servers acting both proactively and reactively. Our analysis and the corresponding real-usage experimental results demonstrate that the proposed scheme offers a flexible, robust and effective solution.
This paper presents a novel mechanism to protect Session Initiation Protocol (SIP)-based infrastructure against malformed message attacks. The basic characteristics of this mechanism are the following: lightweight and easy to adapt to various SIP implementations. The proposed mechanism has been evaluated in terms of overhead processing. It is demonstrated that the employment of appropriate IDS against malformed impose minimum overhead in terms of events' processing
Computers & Security, 2010
Session Initiation Protocol is a core protocol for coming real time communication networks, including VoIP, IMS and IPTV networks. Based on the open IP stack, it is similarly susceptible to Denial-of-Service Attacks launched against SIP servers. More than 20 different research works have been published to address SIP-related DoS problems. In this survey we explain three different types of DoS
Computer Networks, 2007
This paper presents a framework that can be utilized for the protection of session initiation protocol (SIP)-based infrastructures from malformed message attacks. Its main characteristic is that it is lightweight and that it can be easily adapted to heterogeneous SIP implementations. The paper analyzes several real-life attacks on VoIP services and proposes a novel detection and protection mechanism that is validated through an experimental test-bed under different test scenarios. Furthermore, it is demonstrated that the employment of such a mechanism for the detection of malformed messages imposes negligible overheads in terms of the overall SIP system performance.
Internet telephony, like any other Internet service, suffers from security flaws caused by various implementation errors (e.g. in end-user terminals, protocols, operating systems, hardware, etc). These implementation problems usually lead VoIP subsystems (e.g. SIP servers) to various unstable operations whenever trying to process a message not conforming to the underlying standards. As Internet telephony becomes more and more popular, attackers will attempt to exhaustively "test" implementations' robustness, transmitting various types of malformed messages to them. Since it is almost infeasible to avoid or predict every potential error caused during the developing process of these subsystems, it is necessary to specify an appropriate and robust, from the security point of view, framework that will facilitate the successful detection and handling of any kind of malformed messages aiming to destruct the provided service. In this paper, we adequately present malformed message attacks against SIP network servers and/or SIP end-user terminals and we propose a new detection "framework" of prototyped attacks' signatures that can assist the detection procedure and provide effective defence against this category of attacks.
The Internet based telephony services (IPTel) are mainly exposed to a set of vulnerabilities that are inherited from the employed protocols such as TCP/IP and proprietary VoIP protocols. One of the most critical threats in these sensitive environments is considered to be the denial of service (DoS) attacks. The main concern of a mechanism that focuses on detecting such attacks is the potential end-to-end delay between communicating parties. In this paper a hash based flooding detection mechanism is described and evaluated in an experimental test bed architecture. The outcomes demonstrate the potentiality of the mechanism as the end-to-end delay is negligible.
Recent serious security incidents reported several attackers employing IP spoofing to massively exploit recursive name servers to amplify DDoS attacks against numerous networks. DNS amplification attack scenarios utilize DNS servers mainly for performing bandwidth consumption DoS attacks. This kind of attack takes advantage of the fact that DNS response messages may be substantially larger than DNS query messages. In this paper we present a novel, simple and practical scheme that enables administrators to distinguish between genuine and falsified DNS replies. The proposed scheme acts proactively by monitoring DNS traffic in real time and alerting security supervisors when necessary. It also acts reactively in co-operation with the firewalls by automatically updating rules to ban bogus packets. Our analysis and the corresponding experimental results show that the proposed scheme offers an effective solution when the specific attack unfolds.
The IP Multimedia Subsystem (IMS) infrastructure is currently considered to be the main core of Next Generation Networks (NGNs), integrating IP and other network types under one common infrastructure. Consequently, IMS inherits security flaws and vulnerabilities residing in all those technologies. Besides, the protection against unauthorized access in NGN services is of great importance. In this paper we present a call conference room interception attack and we propose a new cross layer architecture to shield IMS against it.
Computer Communications, 2008
The emergence of Voice over IP (VoIP) has offered numerous advantages for end users and providers alike, but simultaneously has introduced security threats, vulnerabilities and attacks not previously encountered in networks with a closed architecture like the Public Switch Telephone Network (PSTN). In this paper we propose a two layer architecture to prevent Denial of Service attacks on VoIP systems based on the Session Initiation Protocol (SIP). The architecture is designed to handle different types of attacks, including request flooding, malformed message sending, and attacks on the underlying DNS system. The effectiveness of the prevention mechanisms has been tested both in the laboratory and on a real live VoIP provider network.
SIP is rapidly becoming a standard for service integration within a variety of wireless and wireline networks. In this regard high availability, reliability and redundancy are key factors for any SIP based infrastructure. In an adverse environment, especially the Internet and foreseeable 3GPP IMS, high availability solutions are of major importance for SIP network components to smoothly mitigate call increments, device failures, misconfigurations, physical disasters and throttle active attacks. This paper proposes a practical and transparent failover solution for SIP and RTP-Proxy servers. We demonstrate that both methods work properly and increase stability and availability of such systems. Furthermore, high availability solutions are enhanced through the employment of easy to implement load balancing schemes. All the proposed solutions are technically analyzed and evaluated via properly designed test-beds, showing fine performance in terms of service times. modes of communication is inaccessible. Without doubt, these capabilities make SIP a basic component of foreseeable ubiquitous realms. In a nutshell SIP really provides the intelligence that makes these advanced communications capabilities possible. This is why SIP has been adopted by various standardization organizations as the de-facto protocol for both wireline and wireless world in the Next Generation Networks (NGN) era. For instance, 3GPP's IP Multimedia Subsystem (IMS) [1] employs SIP for call control to support thousands or even millions of users.
IEEE Communications Surveys and Tutorials, 2006
The open architecture of the Internet and the use of open standards like Session Initiation Protocol (SIP) constitute the provisioning of services (e.g., Internet telephony, instant messaging, presence, etc.) vulnerable to known Internet attacks, while at the same time introducing new security problems based on these standards that cannot be tackled with current security mechanisms. This article identifies and describes security problems in the SIP protocol that may lead to denial of service. Such security problems include flooding attacks, security vulnerabilities in parser implementations, and attacks exploiting vulnerabilities at the signaling-application level. A qualitative analysis of these security flaws and their impacts on SIP systems is presented.