Unregister Attacks in SIP

A. Bremler-Barr, R. Halachmi-Bekel and J. Kangasharju
NPSec workshop,


In this paper we present the unregister attack, a new kind of denial-of-service attack on SIP servers. In this attack, the attacker sends a spoofed “unregister” message to a SIP server and cancels the registration of the victim at that server. This prevents the victim user from receiving any calls. We have tested common implementations of SIP servers and show that the unregister attack is easily performed on SIP servers that do not use authentication. Even on SIP servers with authentication, an attacker able to sniff the traffic between the client and server can still successfully attack common servers. We show that the root causes behind this vulnerability are either buggy implementations or the SIP specification RFC, which does not require sufficient security from the implementations. We present a solution, the SIP one-way hash function algorithm (SOFIA), motivated by the one-time password mechanism [6]. SOFIA prevents the unregister attack in all situations. The algorithm is easy to deploy since it requires only a minor modification, namely adding one header field to the SIP messages. Furthermore, the algorithm is fully backwards compatible and requires no additional configuration from the user or the server.
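
The one-time-password idea the abstract cites, as an added example that is not from the paper or this page: a registrar that accepts a change to a binding only when the message reveals the preimage of the last hash-chain value it stored. The `Registrar` class, the function names, the chain length and the sample addresses are assumptions, and this sketches the general hash-chain scheme rather than SOFIA's actual header format.

```python
import hashlib
import hmac
import os

def h(value: bytes) -> bytes:
    return hashlib.sha256(value).digest()

def chain_value(seed: bytes, steps: int) -> bytes:
    """Return h applied `steps` times to the client's secret seed."""
    for _ in range(steps):
        seed = h(seed)
    return seed

class Registrar:
    """Hypothetical registrar keeping one binding per address-of-record."""
    def __init__(self):
        self.bindings = {}  # aor -> [contact, last accepted chain value]

    def register(self, aor, contact, token):
        """Initial REGISTER stores the chain anchor next to the binding."""
        if aor in self.bindings:
            return self.update(aor, contact, token, expires=3600)
        self.bindings[aor] = [contact, token]
        return True

    def update(self, aor, contact, token, expires):
        """Refresh or remove (expires == 0) only if h(token) equals the
        stored value, i.e. the sender knows the next preimage."""
        binding = self.bindings.get(aor)
        if binding is None or not hmac.compare_digest(h(token), binding[1]):
            return False
        if expires == 0:
            del self.bindings[aor]
        else:
            self.bindings[aor] = [contact, token]  # advance down the chain
        return True

def demo():
    n, seed = 100, os.urandom(32)           # constructed sample values
    aor, contact = "sip:alice@example.com", "sip:alice@192.0.2.10"
    reg = Registrar()
    reg.register(aor, contact, chain_value(seed, n))
    # A value already seen on the wire does not authorize removal.
    spoofed = reg.update(aor, "*", chain_value(seed, n), expires=0)
    refreshed = reg.update(aor, contact, chain_value(seed, n - 1), expires=3600)
    replayed = reg.update(aor, "*", chain_value(seed, n - 1), expires=0)
    removed = reg.update(aor, "*", chain_value(seed, n - 2), expires=0)
    return spoofed, refreshed, replayed, removed, aor in reg.bindings

if __name__ == "__main__":
    print(demo())
```

Each accepted message consumes one chain value, so a sniffed or replayed value is rejected while the legitimate client, which holds the seed, can still refresh or remove its own registration.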

  author={Bremler-Barr, Anat and Halachmi-Bekel, Ronit and Kangasharju, Jussi},
  booktitle={2006 2nd IEEE Workshop on Secure Network Protocols}, 
  title={Unregister Attacks in SIP},