Ip multimedia subsystems – issues, comparison and simulation

Toll Fraud:

It in an attack on the accounting process of the IP-Multimedia Sub-System (IMS). An attacker can
forge a User Equipment and send a Bye request to Call Session Control Function (CSCF). The CSCF will
assume that the session has ended and stops accounting at that of time; the User Equipment does not
release the media streams.

This will result in the User Equipment continuing to exchange flows without being counted. This
threat can be called as media theft and uses the weakness of lack of effective control of media streams.
The attacker may also impersonate a gateway between the local PSTN and IMS.

P-CSCF Attack:

It is an attack on the integrity and availability of Information Management System (IMS). Since
Proxy-Call Session Control Function (P-CSCF) is the first contact point for the users of the IMS and
functions as a proxy server for the user equipment; all Session Initiation Protocol (SIP) signaling traffic to
and from the user equipment must go through the P-CSCF.

The attacker can break the process of discovering P-CSCF, through Domain Naming Service
(DNS), by poisoning DNS Cache so that fake IP or domain name will be returned to UE. This will
ultimately lead to the UE not being able to register with IMS network or registered with a fake server.

This attack leverages one of the many inherent security issues of the underlying IP system on
which IMS is being built.

Comparison of above two issues:

The toll fraud requires the ability to procure or create malicious hardware components or use
powerful simulation tools to be able to forge a user equipment.

The P-CSCF attack on the other hand relies on the DNS not authenticating responses to recursive
queries. Manipulate network packets, so as to poison the DNS cache entries is a common problem and
in one of the instances, a state actor purposefully poisoned their dns cache, which spread all over the
world.

The feasibility of toll fraud is high due to the reason, that protocols and specifications are still
being ironed out.

The feasibility of P-CSCF attack is also high due to the dependency of IMS on legacy system such
as the IP.

Design and Simulation:

The Open IMS Core is an Open Source implementation of IMS Call Session Control Functions
(CSCFs) and a lightweight Home Subscriber Server (HSS), which together form the core elements of all
IMS/NGN architectures as specified today within 3GPP, 3GPP2, ETSI TISPAN and the Packet Cable
initiative.

The setup includes:

1. Linux operating system - Ubuntu distribution

2. An OpenIMSCore – installed as a model. Appropriate scripts to attach to the running process or
for managing their status.
3. The default couple, Alice&Bob, configured in the HSS, which has web based console.
4. The OpenIC_lite IMS client configured with the above users.
5. The MONSTER IMS client configured.