SIPPING D. York Internet-Draft Voxeo Intended status: Informational July 14, 2008 Expires: January 15, 2009 SIP Usage Scenarios Similar to SPIT draft-york-sipping-spit-similarity-scenarios-01 Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on January 15, 2009. Copyright Notice Copyright (C) The IETF Trust (2008). Abstract This document outlines scenarios in which legitimate SIP traffic may appear similar to traffic associated with voice spam, also known as "SPIT" or "Spam for Internet Telephony. This document is created to provide input into the current discussions about how best to address the issue of SPIT. York Expires January 15, 2009 [Page 1] Internet-Draft SIP Usage Scenarios Similar to SPIT July 2008 Table of Contents 1. Author's Note . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Outbound SIP Scenarios . . . . . . . . . . . . . . . . . . . . 4 3.1. Emergency Notification Systems . . . . . . . . . . . . . . 5 3.2. Urgent Notification Systems . . . . . . . . . . . . . . . 6 3.3. Event-Driven Notification Systems . . . . . . . . . . . . 6 3.4. Routine Notification Systems . . . . . . . . . . . . . . . 7 4. Inbound SIP Scenarios . . . . . . . . . . . . . . . . . . . . 7 4.1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 4.2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 5. Network Failures . . . . . . . . . . . . . . . . . . . . . . . 9 6. Other Considerations . . . . . . . . . . . . . . . . . . . . . 9 7. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 10. Security Considerations . . . . . . . . . . . . . . . . . . . 10 11. Informative References . . . . . . . . . . . . . . . . . . . . 10 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 11 Intellectual Property and Copyright Statements . . . . . . . . . . 12 York Expires January 15, 2009 [Page 2] Internet-Draft SIP Usage Scenarios Similar to SPIT July 2008 1. Author's Note After review in the RUCUS mailing list, it was determined that this document should be folded into a larger document, most likely either the existing RUCUS problem statement or another yet-to-be-created document on a reference scenario. Given that direction by the mailing list, this will most likely be the final submission of this document as a standalone document. While this document may be folded into a larger document in the future, comments and feedback are definitely welcome. 2. Introduction If the administrator of a VoIP network suddenly noticed 10,000 outbound SIP INVITE messages traversing the network in the space of a minute or two, could this be a spammer generating voice spam on the network? Or could this be the legitimate triggering of an emergency notification system? As outlined in the recently published RFC 5039 [RFC5039], communication using the Session Iniatiation Protocol (SIP) could be a target for a form of spam commonly known as either "voice spam", "Spam for Internet Telephony" or simply "SPIT". Essentially, SPIT is the transmission of bulk unsolicited messages via SIP. It is telemarketing brought to the world of IP where the traditional costs and delays associated with telemarketing in the PSTN world are removed. Telemarketers can now very rapidly and inexpensively send out a very high volume of calls, which we might see as "spam". For reasons outlined in RFC 5039, SPIT attacks are not yet widely seen, but can be expected as further interconnections occur between SIP systems. RFC 5039 and related Internet Drafts ([I-D.tschofenig-sipping-framework-spit-reduction] and [I-D.niccolini-sipping-spitstop]) outline the potential threat of SPIT and also lay out suggestions for possible solutions. Beyond the potential solutions offered thus far, it is very conceivable that traditional network security vendors will seek to use existing tools to combat SPIT at a network traffic level. For instance, a system designed to monitor network traffic and trigger alerts based on anomolies seen in network traffic could be modified to look for anomolies in the base rate of SIP traffic. The purpose of this document is to provide input into the ongoing discussions around preventing SPIT that highlights the fact that there are cases where legitimate SIP traffic may in fact look like York Expires January 15, 2009 [Page 3] Internet-Draft SIP Usage Scenarios Similar to SPIT July 2008 SPIT. If the administrator of a VoIP network suddenly noticed 10,000 outbound SIP INVITE messages traversing the network in the space of a minute or two, this could be SPIT being generated by a system connected to that VoIP network - or it could be an emergency notification system. Solutions to the potential problem of SPIT do need to take into account that some legitimate uses of SIP communication might resemble the launch of a SPIT session or indeed might resemble a Denial of Service (DoS) attack. This document outlines some of those scenarios. It should be noted that most of the solutions suggested thus far within the IETF to address the issue of SPIT do not use behaviorial techniques that may run into the issues addressed in this draft. However, as noted earlier, it is to be expected that other solutions will be put forward by vendors, some of which may use techniques that do not work well with the scenarios listed here. It is primarily for those solutions that this draft is aimed. It should also be noted that the concern addressed in this document is for the spammer who may generate a large amount of SIP traffic in a short period of time and thus potentially come to the attention of network monitoring tools. This may be the case, for instance, when a spammer connects to another party's network (for instance, one using unprotected WiFi) and wants to send out the most messages in the least amount of time. A spammer may also simply be trying to send the messages out as fast as possible for one client in order to move on to other clients. Obviously a spammer could simply slow down the rate of sending SIP messages to evade this type of detection. In that case the SPIT traffic would resemble normal SIP traffic and be subject to the concerns and potential solutions suggested in RFC 5039 and other Internet-Drafts. NOTE: Reflecting the fact that SIP can be used for far more than voice, RFC 5039 discusses call spam, IM spam and presence spam. This document, however, primarily focuses on call spam. 3. Outbound SIP Scenarios Given the ease with which SIP systems can be connected to existing applications such as databases, creating a system to do large scale initiation of SIP messages is easy to do and both commercial and open source implementations of such functionality exist today. York Expires January 15, 2009 [Page 4] Internet-Draft SIP Usage Scenarios Similar to SPIT July 2008 Any system that generated a large amount of outbound SIP traffic might potentially be viewed as a generator of SPIT. This section breaks down those systems into several categories. 3.1. Emergency Notification Systems In the wake of recent school shootings in the USA, particularly the April 2007 event at Virginia Tech, academic institutions at all levels are seeking technical solutions which will allow them to do "emergency notification" on a massive scale. Such systems can be triggered by school administrators or potentially public safety officials and immediately begin notifying students, faculty and now even parents. Notification may take the form of phone calls, text messages (SMS), IM messages or all of the above. Were such a system to be SIP-based, the triggering of the system might result in the immediate flow of: o SIP INVITE messages to phones, conceivably to every known SIP endpoint on the campus o SIP messages to PSTN gateways to initiate outbound calls to regular phones o SIP messages to SMS gateways to initiate outbound text messages o SIP messages to IM networks If a university were to have, for instance, 10,000 students and several thousand more staff and faculty, an extremely large number of SIP messages would be sent in a very short time. It is important to note that in the case of an emergency notification system, messages are typically extremely time-sensitive and are looking for immediate delivery. There also may be health, legal or at least public relations ramifications if the messages are blocked from delivery. There will also typically be no notification of the triggering of such a system and, hopefully, the system will almost never be used. To the unaware system administrator just routinely monitoring network traffic, this would be an extremely surprising event. Beyond usage in educational settings, emergency notification systems like this are also be established in a variety of other situations such as government alerts about impending weather or natural events (ex. tornados, fires). York Expires January 15, 2009 [Page 5] Internet-Draft SIP Usage Scenarios Similar to SPIT July 2008 3.2. Urgent Notification Systems While not rising to the same level of criticality as "emergency" systems, there are other "urgent" notification systems that follow a similar profile. Examples include: o Airline systems notifying travelers of delayed or cancelled flights o School systems notifying families of school delays or cancellations o Stock price change notifications Again, the notification system may trigger on an infrequent basis or go through seasonal cycles and may involve a large number of calls. In some situations, such as a school notification, the number of calls may be close to the same in each event. For example, the number of student families to notify may fluctuate slightly but typically not by much. In other situations the number of calls may vary widely. For example, the number of calls to be made by an airline notification system may depend upon how many people are traveling and how many of those travelers provided contact information or requested to be notified.. 3.3. Event-Driven Notification Systems In a similar fashion to the previous scenarios, it is quite conceivable that automated systems will be used by a wide variety of organizations to alert people to impending events. For instance, a professional sports team might use a system to alert all the members of a fan club about an upcoming game. A business group might remind all of its members about an upcoming conference. A political campaign might call a list reminding people to go out and vote. The list of potential users of such a system could be quite lengthy. Some examples might be: o Professional sports teams o School events o Local theatres o Business groups o Town/city governments/associations York Expires January 15, 2009 [Page 6] Internet-Draft SIP Usage Scenarios Similar to SPIT July 2008 o Political campaigns The key element here is that the calls might happen on an infrequent basis. There might be a large number of calls made in a short period of time - and once the event is over there are no more calls made by that entity until the next similar event. 3.4. Routine Notification Systems While the previous scenarios have outlined situations where a large amount of traffic was generated with no warning, there also exist a class of scenarios where a large amount of traffic might be generated on a regular interval. For instance, some school systems in the USA are starting to use notification systems to alert parents to events that have occurred that day or will be occurring. They might receive a phone call each day stating what homework their child had and/or informing them of a school meeting occuring later in the week. With a large school district, the automated notification system might initiate thousands of calls every day at, for example, 3pm. Similarly, a movie theater might call every subscriber in a special promotional club on every Thursday afternoon to let them know what movies might be premiering during the upcoming weekend. Again, there are a large number of potential users of such a system. The key difference in this scenario is that the traffic may occur at a regular time and period. Security systems that monitor network traffic might flag these notification systems as potential sources of SPIT but conceivably those systems could be configured in such a way that this notification traffic is incorporated into a network "baseline" as known and expected traffic. 4. Inbound SIP Scenarios In a similar fashion to outbound SIP scenarios, it is possible that sufficient legitimate inbound traffic to a SIP system/network might cause administrators or automated systems to believe they are receiving a large amount of voice spam/SPIT. For instance, if a system were on the receiving end of an emergency notification system (ex. an IP-PBX operated by a department within a university) a high level of SIP INVITE messages would be received that might go to all extensions on the system. Similarly, the system/network might be receiving calls due to a contest or other event (ex. an "American Idol"-type of show where people call in and vote or a radio station contest). Note, though, that in this situation the calls might be coming in from a range of York Expires January 15, 2009 [Page 7] Internet-Draft SIP Usage Scenarios Similar to SPIT July 2008 different endpoints and could also resemble a Denial of Service (DoS) or Distributed Denial of Service (DDos) attack. The primary difference from outbound scenarios is that with the inbound scenario the destination of all the traffic would typically be the SIP proxy/gateway for a given network. Again, this may make differentiation between legitimate traffic and SPIT - or a DoS or DDoS - difficult. 4.1. Similar to the Event-Driven outbound systems, there may be legitimate inbound calling due to specific *known* events. Examples include: o "American Idol"-style TV shows o Radio station listener contests, ticket giveaways, etc. o Interview shows (Ex. "Call now to ask your mayor questions about the school budget.") o Advertising (Ex. "Call in the next 5 minutes to obtain your copy of ____ for only $19.95!") The major distinction here is that at some point it is known that this traffic will be generated, in comparison to the section below. For instance, the time when callers may be calling in to vote in the TV show will be known in advance. (Whether or not all systems in the path of the call will be alerted to this is a separate matter.) 4.2. Unexpected events such as those that might cause a significant amount of outbound calling (as outlined in the Emergency Notification Systems earlier) may also create a significant amount of *inbound* calling. Such events include, but are certainly not limited to, such things as: o Natural disasters o School shootings o Large traffic accidents o Bombings Again the issue here is that these events are entirely unexpected and therefore the traffic entering a SIP network could very easily be York Expires January 15, 2009 [Page 8] Internet-Draft SIP Usage Scenarios Similar to SPIT July 2008 viewed as a Distributed Denial-of-Service attack. 5. Network Failures Another scenario to consider is the case where excessive amounts of SIP traffic are not the result of exceptional amounts of inbound or outbound calling but rather a failure in the actual network infrastructure. For instance, consider the case where there is a wide area network with multiple SIP-to-PSTN gateways and a large distributed infrastructure. An outage at specific points in the network might result in all the traffic for the larger network being routed through a single SIP signaling node. To the administrators of that node, the sudden influx of additional traffic might cause concern of a DoS or SPIT attack. One might hope that the administrators would also be able to easily ascertain the network status and understand why they are receiving this traffic, but that might not be possible in all network configurations. 6. Other Considerations One logical reaction to these scenarios might be to suggest that the legitimate senders simply reduce their send rate to be below any timing thresholds that might trigger automated systems. For instance, if a system needing to contact 10,000 endpoints were to send one SIP INVITE every half-second, the INVITEs would then all go out over the space of a bit under 1.5 hours. For some systems, such the "Routine Notification Systems" identified earlier, spacing out the INVITE messages might be fine and in fact might actually be required in order for the media servers to keep with streaming the outbound media to all the invited endpoints. However, in other situations, such as emergency notification systems, some spacing out of INVITE messages may be possible but at some threshold any further delays may be unacceptable and indeed in some cases could be life- threatening. 7. Summary Voice spam, also known as "SPIT", has the potential to be a serious problem if we move to a space where we have interconnected systems where any SIP endpoint can call any other SIP endpoint - and we do not have any mechanisms in place to prevent abuse of the system to generate large volumes of unsolicited calls. Solutions are being discussed and such work needs to be continued. In looking at potential solutions, it is important to recognize that York Expires January 15, 2009 [Page 9] Internet-Draft SIP Usage Scenarios Similar to SPIT July 2008 there are legitimate cases where SIP systems may generate large volumes of calls in a rapid timeframe. Any solutions to addressing the problem of SPIT do need to take into account these legitimate scenarios. 8. Acknowledgements The author is grateful for the work done by the SPITSTOP mailing list and the authors of the associated drafts as well as the authors of RFC 5039. The author thanks Dan Burnett for feedback on an initial version of this document. Comments were appreciated on the initial draft from Dan Wing, Hannes Tschofenig, Brian Rosen, Harsha Ramanagoudra, Raphael Tryster and others. 9. IANA Considerations This memo includes no request to IANA. 10. Security Considerations This document relates entirely to security considerations for potential voice spam. 11. Informative References [I-D.niccolini-sipping-spitstop] Niccolini, S. and J. Quittek, "Signaling TO Prevent SPIT (SPITSTOP) Reference Scenario", draft-niccolini-sipping-spitstop-00 (work in progress), January 2007. [I-D.tschofenig-sipping-framework-spit-reduction] Tschofenig, H., Schulzrinne, H., Wing, D., Rosenberg, J., and D. Schwartz, "A Framework to tackle Spam and Unwanted Communication for Internet Telephony", draft-tschofenig-sipping-framework-spit-reduction-02 (work in progress), November 2007. [RFC5039] Rosenberg, J. and C. Jennings, "The Session Initiation Protocol (SIP) and Spam", RFC 5039, January 2008. York Expires January 15, 2009 [Page 10] Internet-Draft SIP Usage Scenarios Similar to SPIT July 2008 Author's Address Dan York Voxeo Corporation Keene, NH USA Phone: +1-407-455-5859 Email: dyork@voxeo.com URI: http://www.voxeo.com/ York Expires January 15, 2009 [Page 11] Internet-Draft SIP Usage Scenarios Similar to SPIT July 2008 Full Copyright Statement Copyright (C) The IETF Trust (2008). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Acknowledgment Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA). York Expires January 15, 2009 [Page 12]