It is often said that understanding the problem is 90% of the solution, and VoIP security is no exception. It is fear of the unknown which is likely to elicit a knee-jerk reaction of panic, so the first step is to understand the threats and then classify them. We also have to ask the question: what does security mean to me and what does it mean to my customers?
Security to the customer means protecting their device and identity and the continuity of their service. Security to the service provider means protecting their network their revenue and their customers. In this feature we will look at service disruption and service theft.
A service can be disrupted by breaking the user’s device, flooding the IP network with traffic or breaking the service provider’s infrastructure. Disruption is usually achieved through either Logic Attacks or Flood Attacks or Application Layer Attacks.
o Logic attacks exploit vulnerabilities in protocols or their implementations, e.g. Ping of death, Teardrop, Land etc.
o Flood attacks disable targets through traffic volume; a flood attack can originate from a single platform or from multiple platforms.
o Application Layer Attacks include: SIP-SPAM, and identity forging.
We can also divide the attacks into IP layer and SIP layer thus:
IP Logic Attack / IP Flood Attack
SIP Logic Attack / SIP Flood Attack
Application Layer attack
IP Logic Attacks
IP Logic attacks on SIP devices are no different to any other IP device; these include well known exploits such as: Ping of death, Teardrop, Land, Chargen and Out of sequence packets. All of these can disable a device which has not been fully tested to protect itself against these exploits.
IP Flood Attacks
IP Flood attacks include: SYN flood attack (TCP SYN Floods are one of the oldest DoS attacks in existence), Smurf Attack, Fraggle attack and the list goes on… These attacks are designed either to overcome the device by tying up resources or to simply overwhelm the network through shear weight of traffic.
SIP Logic Attacks
SIP logic attacks exploit weaknesses in SIP signalling implementations. Incomplete or incorrect fields, invalid message types can disable not only client devices but also core network devices. This type of attack can be countered by thorough testing of any devices against suites such at the IETF SIP Torture test developed through the SIPiT Events or the PROTOS Test-Suite, developed by the University of Oulu.
A more sophisticated attack can be to inject messages into a call to terminate it prematurely. This type of attack can be largely avoided by the use of strong authentication techniques, thus, the injected packet would not be authenticated and therefore would be rejected.
SIP Flood Attacks
SIP flood attacks exploit weaknesses higher up the communications stack that require more processing resources. As a consequence, it takes a much smaller flood to cause disruption. For example, one or more devices may send multiple registrations or call requests to a server.
Countering this type of disruption requires network based devices like Session Border Controllers (SBCs) to police the signalling stream and rate limit registrations and calls to Softswitches to predetermined limits. Acting as a proxy in the signalling stream the SBC can also filter inappropriate protocols, IP DoS attacks and invalid SIP messages. This helps compartmentalise the network and restricts any disruption to just one network segment.
Protect the User Device
These devices will typically be incapable of rate limiting and may be overrun by flood attacks. This means they are subject to both logic and flood attacks. Again the user device will benefit from the protection afforded by network based SBCs blocking DoS attacks and invalid SIP messages.
A simple example of service theft is to signal that a voice call it being made but exchange video data. This hits the service provider on two fronts: a) loss of revenue by billing for only a voice call and b) potential degradation in service quality for other users resulting in dissatisfaction.
The structure of a VoIP call with separate media and signalling streams has lead to some innovative ploys. For example, a rogue PC client which transports media in the RTCP quality monitoring stream, this is not policed in most networks. Another ploy is to transport media in the call signalling then failing the call before billing commences. Not only does this mean a free call but repeated call set can cause huge signalling rates which are a DoS attack in themselves.
The solution is to police all components of the call. SBCs police the signalling and the media to ensure that the call is executed as requested and that RTCP traffic is within expected bounds.
Security is a vast subject and needs to be ubiquitous in its implementation. Take care of the fundamentals first:
Test, authenticate, protect, block, limit and police.
o Test network elements against standard IP and SIP test suites to ensure they can survive IP and SIP logic attacks
o Implement strong authentication, identifying your users protects their identity, protect their service and combats disruption.
o Protect the Network by compartmentalizing it to restrict the range of any disruption.
o Block malicious or inappropriate traffic – do not propagate the problem.
o Limit the rate of traffic to core elements to ensure the survivability of the service.
o Police all aspects of the traffic flowing across the network to prevent fraudulent or inappropriate use.
A secure and dependable service brings with it benefits to users and provider alike. It will build user confidence which in turn creates dependable revenue for the service provider and by addressing the basics from day one, need not be complex or expensive.