
VOIP Threats Loom Large

VOIP is skyrocketing in popularity, but is it outgrowing industry's ability to secure IP networks?

Ram Dantu, assistant professor at the University of North Texas's department of computer science and engineering, is worried that VOIP networks aren't as secure as they should be. He says most enterprise networks using VOIP phones now are exposed to distributed denial-of-service (DDOS) attacks -- network attacks designed to cripple a network or phone system by flooding it with useless traffic.

Typically, an IP phone can be put out of service by sending signaling messages at the rate of three calls a minute, Dantu says. "A low-end PC can bring down an entire enterprise VOIP system within a few minutes," he warns.

Dantu's concerns aren't new (see Vendor Points to VOIP Vulnerabilities and VOIP Security Poses a Problem). Security experts have long been fretting that, on an IP network, any malicious device can be made to act like an IP phone, and it could theoretically bypass enterprise firewalls. And having a telephone, VOIP or POTS, requires the ability to get calls from unknown, untrusted sources, a characteristic that is at odds with firewall filtering used to protect data networks.

"Absolutely, VOIP is vulnerable to DOS/DDOS attacks," writes Jim Greenway, VP of marketing at Kagoor Networks in an email to Light Reading. Greenway notes that devices like Kagoor's session controllers already protect enterprises and service providers from DDOS attacks with features such as rate limiting, call gapping, and admission control.

Session controllers like Kagoor's do add a layer of security, in addition to performing the necessary tasks associated with handing traffic off between carrier and enterprise IP networks (see Session Controllers: Limited Lifespan?).

Some newer devices are addressing VOIP DDOS directly. BorderWare's new SIPassure SIP Firewall, announced earlier this month, is aimed at preventing voice spam, DDOS attacks, and packet-level intrusion.

Dantu, however, is worried that relying on point solutions from a variety of vendors isn't a good enough strategy. He says that few, if any, vendors are taking a layered security approach. Networks need several devices providing different aspects of network security, with all the devices communicating potential threats to one another in real time.

Further, he says, you can't treat VOIP traffic the same as data traffic. Quarantining the incoming calls, shaping the calls, and tracing the calls are new challenges for VOIP vendors, in addition to firewall and NAT traversal, Dantu says. "All the solutions need to take into account the level of trust and behavior of the calling party, as well as presence of the called party."
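The controls named above (rate limiting, call gapping, admission control, plus caller trust and called-party presence) can be combined in one admission decision, sketched here as an added example that is not code from Light Reading or from any vendor mentioned. The class name, trust labels, thresholds and sample traffic are assumptions made for illustration.

```python
class SipAdmission:
    """Admission decisions for inbound SIP INVITEs at a border device."""

    def __init__(self, rate_per_min=None, gap_s=20.0, max_sessions=2):
        # Assumed policy values: INVITE budget per minute by caller trust level.
        self.rate_per_min = rate_per_min or {"trusted": 30, "unknown": 3}
        self.gap_s = gap_s                # call gapping: min spacing per callee
        self.max_sessions = max_sessions  # admission control: concurrent calls
        self.buckets = {}                 # source -> (tokens, last refill time)
        self.last_admit = {}              # callee -> time of last admitted call
        self.active = 0

    def _take_token(self, src, trust, now):
        # Token bucket per source: refills at rate/60 tokens per second.
        rate = self.rate_per_min[trust]
        tokens, last = self.buckets.get(src, (float(rate), now))
        tokens = min(float(rate), tokens + (now - last) * rate / 60.0)
        ok = tokens >= 1.0
        self.buckets[src] = (tokens - 1.0 if ok else tokens, now)
        return ok

    def invite(self, now, src, callee, trust="unknown", callee_present=True):
        """Return the decision for one INVITE seen at time `now` (seconds)."""
        if not self._take_token(src, trust, now):
            return "source-rate-limit"
        if not callee_present:
            return "callee-absent"        # nobody to ring, do not forward
        since = now - self.last_admit.get(callee, float("-inf"))
        if trust != "trusted" and since < self.gap_s:
            return "call-gap"             # protects one phone from many sources
        if self.active >= self.max_sessions:
            return "admission-control"
        self.last_admit[callee] = now
        self.active += 1
        return "admitted"

    def bye(self):
        # Call ended: free one session slot.
        self.active = max(0, self.active - 1)

# Constructed sample traffic (documentation addresses): (time_s, source, callee, trust)
SAMPLE = [
    (0, "203.0.113.9", "100", "unknown"), (1, "203.0.113.9", "100", "unknown"),
    (2, "203.0.113.9", "100", "unknown"), (3, "203.0.113.9", "100", "unknown"),
    (5, "198.51.100.7", "100", "unknown"), (6, "10.0.0.5", "100", "trusted"),
    (7, "192.0.2.44", "101", "unknown"),
]

def replay(events):
    ctl = SipAdmission()
    return [ctl.invite(*event) for event in events]
```

The call at t=5 comes from a fresh source with a full token budget and is still refused, which is the case per-source rate limiting alone misses when the flood is distributed.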

Unfortunately, he doesn't have a magic wand to fix these problems today. But Dantu and his industry colleagues will chew over the possible solutions to VOIP's biggest threats during a day-long VoIP Security Workshop in December that is being held in conjunction with IEEE's Globecom 2004 conference in Dallas.

Speakers for the event will include Paul Kurtz, a former special assistant to President Bush, and Jeffery Hunker, former senior director of critical infrastructure for the White House. Dantu says the program's committee is still considering technical and research papers that will be published at the workshop.

— Phil Harvey, News Editor, Light Reading

mu-law 12/5/2012 | 1:13:20 AM
re: VOIP Threats Loom Large
for goodness sake... it's not 1994 anymore.

are we really to believe that corporate voip networks are really unprotected from the public internet? do ip phones in the many publicized 50,000 seat deployments of ip pbx and ip centrex really allow terminations arbitrarily from the public network?

this is either a smokescreen for somebody's agenda, or a group of folks in need of a serious reality check.
dljvjbsl 12/5/2012 | 1:13:20 AM
re: VOIP Threats Loom Large
Lightreading:

A VoIP phone will die with 3 calls per minute?

This sounds very very odd. What sort of configuration is assumed for this?
dljvjbsl 12/5/2012 | 1:13:19 AM
re: VOIP Threats Loom Large
I should have added that 3 calls per minute would not be unusual for a hunt group serving a group of receptionists. 3 calls per minute must mean some sort of termination rate across all stations given some sort of proxy server configuration. Otherwise, it just seems to be very very very odd.
Upside_again 12/5/2012 | 1:13:17 AM
re: VOIP Threats Loom Large
Nice try Kagoor. Shame on you.
alchemy 12/5/2012 | 1:13:16 AM
re: VOIP Threats Loom Large
It would be fairly easy to attack Vonage. It wouldn't take long to identify all their media gateways and start bombarding them with rogue RTP flows. It's clearly much more difficult to attack an enterprise VoIP solution since most live on a private network that's sitting behind NAT.
dljvjbsl 12/5/2012 | 1:13:15 AM
re: VOIP Threats Loom Large
It wouldn't take long to identify all their media gateways and start bombarding them with rogue RTP flows.


This is an Internet and not a specific VoIP vulnerability. Similar statements can and have been made about DNS. As you point out in the next sentence, VoIP networks can be made secure.

I suppose that what this indicates is that the Internet model of blind trust is not adequate for systems that have great implications for the national economy. Architectures which can provide trust and structure interactions are required. I know that the SIP effort was working on such issues a while ago. However, at least then, they did not seem to be making much if any progress. It seemed to me that this difficulty came from the difficulty in providing a specific issue to solve. VoIP providers will have a much easier time of it since they will be working to secure specific networks.
netgenius 12/5/2012 | 1:13:13 AM
re: VOIP Threats Loom Large
alchemy writes:
It would be fairly easy to attack Vonage. It wouldn't take long to identify all their media gateways and start bombarding them with rogue RTP flows. It's clearly much more difficult to attack an enterprise VoIP solution since most live on a private network that's sitting behind NAT.

The attack you describe against Vonage could be used against any VOIP GW as long as the attack is coming from the customer side of the VOIP network (enterprise or internet). Minimizing the importance of DDOS attacks in an enterprise network would be a mistake.

Both of these can be prevented/mitigated through the use of Session Border Controllers...although from this article it seems that Kagoor doesn't have a solution for this- I know for a fact that some other SBCs do address these problems.
fgoldstein 12/5/2012 | 1:13:12 AM
re: VOIP Threats Loom Large
Both of these can be prevented/mitigated through the use of Session Border Controllers...although from this article it seems that Kagoor doesn't have a solution for this- I know for a fact that some other SBCs do address these problems.

I suppose that such problems are handled not only by SBC, but by BellSouth, MCI, and lots of other PSTN operators too.

(Yes, pun intended.)

Blind worship of Eye Pee because of its k3wl and l337 nature are not a valid substitute for the PSTN. Sure, VoIP's useful for some purposes (and PacketCable's safe because it normally isolates the IP from everything else), but let's not throw the PSTN away in favor of putting everything onto an insecure Internet.
netgenius 12/5/2012 | 1:13:11 AM
re: VOIP Threats Loom Large
d00d....it's not about the internet or about throwing away the PSTN...nevermind...I have a feeling this is a waste of keystrokes.
prv_n 12/5/2012 | 1:13:10 AM
re: VOIP Threats Loom Large
DOS attacks are real bad, you don't even know what to do. And anyone with a few 100 $ in pocket, if needed could deliberately do it to cripple his competitor.

http://www.computers.infoarmy....