About

Disclaimer

  • Just in case it isn't already obvious, all of the posts on this blog are only my opinions and not the opinions of any of my clients, employers, former employers, or anybody else. Let the reader beware, and use these opinions at your own risk!

Recent Posts

Categories

BUNGL Award Winners

Archives

More...

Blogroll

Previously Read

Music I Like

« Common VoIP Security Problem - Spoof Attacks | Main | Why So Many Consumer VoIP Service Providers Struggle »

December 01, 2007

Denial of Service Attacks and VoIP

Most folks who have been around the Internet for any period of time have heard about "denial of service attacks," where a flood of packets are sent to a device and the device has to spend all of its resources sorting through the bad packets just to respond to the good ones.  This is the Internet equivalent of trying to drink from a firehose, where there is so much water moving so quickly that you can't actually swallow any of it. 

Denial of service attacks can target any Internet device, including VoIP phones and VoIP adapters, and hackers already have access to ready-made tools for launching these attacks, such as the InviteFlood tool that is available on hacker sites.  It sends tons of SIP INVITE messages to your VoIP device so that your phone is overwhelmed and stops functioning. 

Other forms of denial of service attacks combine message injection attacks with flooding, where a SIP BYE or CANCEL message is sent to your VoIP phone in massive quantities, hoping to make your phone hang up on any call in progress.

To fight these kinds of attacks, you can use a combination of tools:

  1. Use Transport Layer Security (TLS) to secure your SIP signaling sessions between your VoIP phones and their SIP Proxy servers.  I described this TLS technique in yesterday's post.  By securing your SIP signaling sessions, your VoIP phone can know to immediately discard any packets that don't arrive on the secure session.  It doesn't make your VoIP phone immune to denial of service attacks, but it does make a hacker send a lot more packets to impair your phone. 
  2. Use a SIP-aware firewall to weed out SIP packets from untrusted sources, and to weed out malformed SIP packets.  Most of these denial of service attacks send malformed SIP packets on purpose to try to confuse your VoIP endpoint.  A SIP-aware firewall, or "Session Border Controller" can stop these packets before they ever reach your VoIP phones.

These same techniques can be used to protect SIP Proxy Servers in service provider networks, too.

I have mixed feelings about Session Border Controllers, though.  They perform a vital function but they are expensive, and like Network Address Translation Firewalls, they can create reliability problems for VoIP applications. More on Session Border Controllers in a future post.

Posted by Ike Elliott at 10:31 AM in Web/Tech |

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00e54f0f53c0883400e54fa693ac8834

Listed below are links to weblogs that reference Denial of Service Attacks and VoIP:

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been posted. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment