Mudhakar Srivatsa, Ling Liu and Arun Iyengar Presented by Mounica Atluri Voice-over-IP Attacks Proposed solution Experimental Evaluation Conclusion Data transmission through Public switched telephone network Uses Circuit switched networks Expensive We see people talking through Skype, Vonage, instant messengers Technology behind is called VoIP Transmission of voice traffic over IP-based networks Sounds are recorded and compressed Benefit of VoIP: Very economical Caller anonymity and QoS Existing approaches use Mix networks Mix networks route traffic through nodes with random delays and random routes For example, Onion routing Other examples are Tor, Freedom and Tarzan Mix networks cannot accommodate the QoS requirement Low latency apps are vulnerable to timing attacks Uses RTP for data transmission Route Set Up protocol for call set up and termination Operates in four steps 1. initSearch: initiates a route set up request 2. processSearch: processes a route set up request 3. processResult: processes the results of a route set up request 4. finSearch: concludes the route set up procedure src initiates a request by broadcasting dst src If p receives a request from q, it checks if the sipurl is the url of the client connected to p. dst p src If p receives result (searchId, q), it searches for <searchId, sipurl, prev>, adds <sipurl, q> and forwards result to prev dst p src If src receives result, it adds <dst, q> to its routing table dst q src Encryption with shared symmetric key Exposes dst (through dst.sipurl) dst adds a random delay src or dst can be inferred if all of their neighboring nodes are malicious Triangulation based timing attacks 3 steps in triangulation based timing attacks • Candidate caller detection: malicious nodes deduce a list of potential callers • Candidate caller ranking: malicious nodes associate a score with every potential caller • Triangulation: Colluding malicious nodes combine their sets to obtain more accurate list of callers. Deterministic triangulation attack Statistical triangulation attack Differential triangulation attack 2 assumptions • Link latencies are deterministic • All nodes are synchronized 2 properties of route setup protocol • Protocol establishes shortest route between the src and dst • Node p that receives route set up request originated from src can estimate dist(src, p) Candidate caller detection • Compute S(p) for all s ∈ S(p), Candidate caller ranking • Compute the score Triangulation • Compute the final score Link latencies are independently distributed Length of a path P is given by In candidate caller detection, p computes a set of Pareto-optimal distances to all nodes v A set of path lengths d1, d2.. dm is Paretooptimal if for all other path lengths d, A node v is marked as a candidate caller if If link latencies follow Gaussian, the path latencies follow Gaussian too Score of v can be computed as For other any other distribution, use Chebyshev’s inequality to compute In Triangulation step, the aggregate score for a candidate caller v is computed Eliminates time stamp ts from the route set up request Malicious nodes can estimate the difference In candidate caller detection, malicious node p computes statistical shortest distances to every other node v as Statistical distance distpq[v] is given by distp[v] – distq[v] v is a candidate caller if If the link latency distribution is Gaussian, the score of v is given by Finally, the average score for v is computed Network topology should be known for Timing attacks Achieved by ping and pong messages pong(y´,x) y´ ping(x,all) x y pong(y, x) Experimental set up • A synthetic network with 1024 nodes • Topology was constructed using NS-2 topology generator • Node-to-node round trip times varies from 24ms150ms with a mean of 74ms Deterministic Triangulation • Number of suspects varies with number of malicious nodes • Epsilon should not be too small or large Statistical Triangulation • More effective than deterministic when there are uncertainties in link latencies Differential Triangulation • Statistical attack performs better if the clocks are synchronized • Differential triangulation can achieve a top-10 probability of 0.78 with only 10 malicious nodes Topology Discovery • With m=20 and ttl=2, about 75% of the topology is discovered Latency perturbation • each node adds random delay Random Walk Search Algorithm • Resilient to timing attacks but generates suboptimal routes Hybrid route set up • Trade off anonymity with QoS Sends a search request to a randomly chosen neighbor Two key properties • Markovian property • Random walker does not traverse the shortest path between any two nodes Controlled Random Walk • • • • Combination of two protocols γ limits the length of random walk Starts with random walk search Switches to broadcast search with probability 1-γ q Multi-Agent Random Walk • Similar to random walk • Src sends ω random walkers (ω >1) • Route is established when the first random walker reaches dst • Higher ω results in optimal route latency • Vulnerable to triangulation based timing attack if src sends out random walkers at time t=0 Performed on 1024-node synthetic VoIP network topology using NS-2 Algorithms implemented using Phex: an open source Java based implementation of peerto-peer broadcast based route set up protocol Performance • Characterized by cost of messaging QoS guarantees • Routes with latency<250ms satisfy QoS requirements • Larger route set up latency does not affect the quality of voice conversation Optimal parameter settings Attack resilience • 99% optimal parameter settings Topology discovery • Only fraction of topology has been discovered • Top-10 probability for marw was 42% less, crw was 33% less and broadcast was only 9% less • Random walk protocols are more sensitive to topology VoIP in becoming popular due to its advantages in cost and convenience It is a major concern to provide anonymity to the clients Threat models targeting callers’ anonymity are efficient Even if a small fraction of network is malicious, the caller can be inferred accurately It is difficult to trade QoS with anonymity
© Copyright 2026 Paperzz