[OpenSIPS-Users] question about rtpbleed and MediaProxy by Ag-Projects

Dan Pascu dan at ag-projects.com
Thu Mar 15 03:31:07 EDT 2018 

On 14 Mar 2018, at 18:55, Carlos Oliva wrote:

> Hi!
> 
> Many thanks Bodgan and Dan for the analysis.
> 
> I made some attack tests in our MediaProxy installation and this impersonation is possible, but very difficult to success. You must be quicker than the legitimate user sending RTP to the right ports. Other relays are continuously learning the media destination from the last received packet, it not seems to be the case of MediaProxy. I think is not needed to be in the signalling path, you can spray the port range of media relay with packets randomly because send UDP packets is very cheap.

Mediaproxy is a distributed solution, where you can run multiple media relays. If you are not in the signaling path, you will need to spray multiple IPs and port ranges since you do not know which media relay was chosen. This complicates things because you now have to send a lot of RTP packets before you can trigger the attack, which reduces your chances as this will make you a lot slower.

> I used rtpnatscan utility (with few modifications) to do the tests.
> 
> I think RTP with NAT involved can not be authenticated in any way, is a problem of the protocol itself and we can do nothing about that. I agree with Dan the only thing we can do for privacy is to use SRTP or ZRTP where possible. 
> 
> I only found a possible improvement to MediaProxy. It allocates ports in consecutive and very predictable way and maybe a future improvement could be to randomize the selected ports to mitigate the possibility of a successful attack. Just my 2 cents.

Not sure how this would help if you spray the whole port range. Besides port allocation is predictable if you have access to the relay, otherwise it depends on all other calls made which are random and out of the attacker's control. Plus the relay doesn't necessarily allocate consecutively. It takes the first available port, which is only consecutive in the beginning after the relay was started. After that, as calls are made and dropped, the available ports will have gaps and holes in them given by the active calls.

--
Dan

More information about the Users mailing list