« Common VoIP Security Problem - Spoof Attacks | Main | Why So Many Consumer VoIP Service Providers Struggle »

December 01, 2007

Denial of Service Attacks and VoIP

Most folks who have been around the Internet for any period of time have heard about "denial of service attacks," where a flood of packets are sent to a device and the device has to spend all of its resources sorting through the bad packets just to respond to the good ones.  This is the Internet equivalent of trying to drink from a firehose, where there is so much water moving so quickly that you can't actually swallow any of it. 

Denial of service attacks can target any Internet device, including VoIP phones and VoIP adapters, and hackers already have access to ready-made tools for launching these attacks, such as the InviteFlood tool that is available on hacker sites.  It sends tons of SIP INVITE messages to your VoIP device so that your phone is overwhelmed and stops functioning. 

Other forms of denial of service attacks combine message injection attacks with flooding, where a SIP BYE or CANCEL message is sent to your VoIP phone in massive quantities, hoping to make your phone hang up on any call in progress.

To fight these kinds of attacks, you can use a combination of tools:

  1. Use Transport Layer Security (TLS) to secure your SIP signaling sessions between your VoIP phones and their SIP Proxy servers.  I described this TLS technique in yesterday's post.  By securing your SIP signaling sessions, your VoIP phone can know to immediately discard any packets that don't arrive on the secure session.  It doesn't make your VoIP phone immune to denial of service attacks, but it does make a hacker send a lot more packets to impair your phone. 
  2. Use a SIP-aware firewall to weed out SIP packets from untrusted sources, and to weed out malformed SIP packets.  Most of these denial of service attacks send malformed SIP packets on purpose to try to confuse your VoIP endpoint.  A SIP-aware firewall, or "Session Border Controller" can stop these packets before they ever reach your VoIP phones.

These same techniques can be used to protect SIP Proxy Servers in service provider networks, too.

I have mixed feelings about Session Border Controllers, though.  They perform a vital function but they are expensive, and like Network Address Translation Firewalls, they can create reliability problems for VoIP applications. More on Session Border Controllers in a future post.

Posted by Ike Elliott at 10:31 AM in Web/Tech |

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/t/trackback/2699836/23853606

Listed below are links to weblogs that reference Denial of Service Attacks and VoIP:

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Post a comment

If you have a TypeKey or TypePad account, please Sign In