
Short-circuiting hackers' SIP-based VoIP attacks

Hacker attacks against SIP-based VoIP may have been rare so far, but as VoIP use grows, service providers need to be ready to secure their voice networks as they route traffic without using the public switched telephone network.

Hacker attacks against SIP-based VoIP networks have been rare. But as the use of the protocol grows and extends to other types of multimedia interaction, attacks will become more prevalent and potentially slow the growth of this technology. Service providers must work with standards bodies, equipment suppliers and customers to develop and deploy defenses. 

Service providers must remain vigilant against security threats or risk losing customers who fall victim to attacks.

David Jacobs, President, The Jacobs Group

Currently most SIP usage simply provides a less expensive way to link an enterprise's phones to the public switched telephone network (PSTN) or provides an interconnect to an enterprise's remote offices. But as SIP providers interconnect with each other to provide purely digital paths that never touch the PSTN, the danger of hacker attacks is increasing.

Generally, attacks fall into two broad categories:

  • Service disruption
  • Fraud attempts

Service disruption

Hackers can attempt to disrupt a service provider or an enterprise in ways similar to those used to block access to websites. Denial of service attacks can be carried out by sending thousands of either REGISTER requests or INVITE requests.

SIP end-user clients send a REGISTER request to the domain's Registration Server to announce the IP address to which incoming calls should be directed. The Registration Server must be able to accept commands from outside the enterprise's or service provider's network to enable calls to be directed to a SIP-enabled cell phone. Multiple registrations for a phone number can exist simultaneously so incoming calls can ring a desk phone and cell.

Hackers can flood a Registration Server with thousands of REGISTER requests, and each must be authenticated. Depending on the method used, verification can take a significant level of compute resource. A flood of requests can prevent processing legitimate requests.

The SIP INVITE command signals an incoming call. Since an incoming call can come from anywhere, no authentication is required. INVITE requests come first to the Domain Proxy. The Domain Proxy then accesses the domain's Location Service to find the IP address or addresses currently registered for the called party. A flood of hacker-initiated INVITE requests will consume the resources of the Domain Proxy and the Location Service. Possibly more serious, calls that do get through can ring phones throughout the attacked enterprise.

Fraud Attempts

Networks carrying both voice and data VLANs are vulnerable. Hackers publicized how they used freely available network scanning software to compromise a hotel network, gaining access to the hotel's internal corporate network.

Registration hacking is a way to listen in on others' calls. It requires the hacker to gain access to the target's registration authentication credentials. The hacker then sends a REGISTER request to the Registration Server that directs all calls intended for the targeted recipient to the hacker. Since it is possible to have multiple registrations simultaneously, the call will go both to the intended recipient and to the hacker. Use of a secure authentication method protects against this type of threat.
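Because parallel registrations are legitimate, a registrar cannot simply reject a second REGISTER for a user; it can, however, flag a new binding that arrives from an unfamiliar source while the user's known contacts are still active, which is the forked-call pattern described above. The following audit routine is an added example, not code from the article; the registration events and the per-user list of known source addresses are constructed here.

```python
from collections import defaultdict

# Constructed sample of REGISTER events as a registrar audit log might record
# them after authentication: (timestamp, AOR, Contact URI, source IP)
SAMPLE_REGISTRATIONS = [
    (100, "sip:alice@example.com", "sip:alice@10.0.5.21", "10.0.5.21"),        # desk phone
    (130, "sip:alice@example.com", "sip:alice@198.51.100.9", "198.51.100.9"),  # her cell phone
    (200, "sip:alice@example.com", "sip:alice@10.0.5.21", "10.0.5.21"),        # refresh
    (260, "sip:alice@example.com", "sip:x@203.0.113.50", "203.0.113.50"),      # unfamiliar source
]

# Source addresses previously seen for each AOR (assumption: built from
# enrollment or history data by the provider; constructed values here).
KNOWN_SOURCES = {"sip:alice@example.com": {"10.0.5.21", "198.51.100.9"}}


def audit_registrations(events, known_sources, expires=3600):
    """Return an alert for each binding added from an unfamiliar source while
    other, still-live contacts exist for the same AOR (a forked-hijack pattern).
    Bindings older than `expires` seconds are treated as expired."""
    bindings = defaultdict(dict)  # AOR -> {contact URI: last registration time}
    alerts = []
    for ts, aor, contact, src in events:
        # Drop bindings whose registration interval has lapsed
        live = {c: t for c, t in bindings[aor].items() if ts - t < expires}
        bindings[aor] = live
        coexisting = [c for c in live if c != contact]
        if src not in known_sources.get(aor, set()) and coexisting:
            alerts.append({"ts": ts, "aor": aor, "contact": contact,
                           "src": src, "coexisting": coexisting})
        live[contact] = ts
    return alerts


if __name__ == "__main__":
    for alert in audit_registrations(SAMPLE_REGISTRATIONS, KNOWN_SOURCES):
        print("possible registration hijack:", alert)
```

A registration refresh from a known address or the first binding for an otherwise idle user produces no alert, so the routine stays quiet for ordinary desk-plus-cell setups.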

Vishing is the voice equivalent of phishing. Instead of an email with an embedded link, the victim receives a phone call purporting to be from a bank or credit card company. The victim is asked to call a specified number, and the recorded message at that number requests account information. Individuals who would not be deceived by phishing have fallen victim to vishing.

Spam over Internet telephony (SPIT) can be even more aggravating than email spam. Infected zombies can be used, just as they are used to generate email spam, to increase the volume and camouflage the message source. Both vishing and SPIT could be generated via the PSTN using automated phone equipment, but that would require dialing individual phone calls; over SIP, vishing and SPIT messages can be generated by the thousands. Receiving dozens of calls each day advertising drugs or pornography will drive users to switch back to traditional phone service.

Service provider defense measures

Service providers must remain vigilant against security threats or risk losing customers who fall victim to attacks.

The choice of network components is key. Both firewall vendors and Session Border Controller (SBC) vendors claim protection against SIP threats. Firewalls protect against threats carried by the SIP protocol packets themselves. SBCs also correlate session parameters established by the SIP protocol with the RTP data stream. This protects against a type of theft of service in which the SIP protocol specifies a low bandwidth session, but then a high bandwidth stream of RTP packets is sent.

SBCs also filter incoming REGISTER and INVITE requests to protect network components from denial of service attacks. The SBC discards requests that exceed network capacity but recognizes and passes through prioritized requests, such as 911 calls. Some SBCs have been enhanced to detect and block SPIT and other types of threats, such as viruses carried in SIP headers.
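The REGISTER and INVITE flood handling described in the service disruption section and the SBC behaviour just described come down to the same control: a per-source budget for signalling requests, with emergency calls exempted from it. The sliding-window filter below is an added example written for this article, not an SBC vendor's code; the log format, the limit of three requests per second per source and the emergency-URI rules are assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed sample of signalling requests as an SBC might log them:
# "<seconds> <source-ip> <METHOD> <Request-URI>"
SAMPLE_LOG = """\
0.0 203.0.113.7 INVITE sip:alice@example.com
0.1 203.0.113.7 INVITE sip:bob@example.com
0.2 203.0.113.7 INVITE sip:carol@example.com
0.3 203.0.113.7 INVITE sip:dave@example.com
0.4 203.0.113.7 INVITE sip:911@example.com
0.5 198.51.100.4 REGISTER sip:example.com
0.6 203.0.113.7 REGISTER sip:example.com
5.0 203.0.113.7 INVITE sip:erin@example.com
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (REGISTER|INVITE) (\S+)$")


def is_emergency(uri):
    """Assumed emergency rule: the user part 911 of a sip:/sips: URI, or urn:service:sos."""
    if uri.startswith(("sip:", "sips:")):
        user = uri.split(":", 1)[1].split("@", 1)[0]
        return user == "911"
    return uri == "urn:service:sos"


def filter_requests(log, limit=3, window=1.0):
    """Sliding-window rate limit per source IP shared by REGISTER and INVITE.
    Every non-emergency arrival counts against the window, so a flooding source
    stays throttled; emergency requests bypass the budget and are not counted.
    Returns (ts, ip, method, uri, decision) per parsed line."""
    arrivals = defaultdict(deque)  # source IP -> timestamps inside the window
    decisions = []
    for line in log.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not signalling requests
        ts, ip, method, uri = float(m[1]), m[2], m[3], m[4]
        recent = arrivals[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()  # age out timestamps older than the window
        if is_emergency(uri):
            decision = "pass-priority"
        else:
            decision = "drop" if len(recent) >= limit else "pass"
            recent.append(ts)
        decisions.append((ts, ip, method, uri, decision))
    return decisions
```

In the sample, the fourth request from 203.0.113.7 within one second is dropped, its 911 call still passes, the REGISTER from the other address is unaffected, and the same source is admitted again once the window has cleared.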

Service providers must monitor and assist in the work of standards bodies as they develop defenses against threats. Service providers must adopt standards as they are developed and insist that enterprise customers adhere to the requirements placed upon them.

Enterprise customers must also be educated about how to address threats beyond the service provider interface. For example, placing a firewall between data and voice VLANs protects against hackers who attempt to gain access to the internal data network.

Viruses and spam have been expensive irritants to email and web users. SIP and VoIP offer attractive targets to hackers. Only vigilance on the part of all interested parties can protect against potentially serious damage from attacks.

About the author: David B. Jacobs of The Jacobs Group has more than 20 years of networking industry experience. He has managed leading-edge software development projects and consulted with Fortune 500 companies, as well as software start-ups.

This was last published in February 2008
