When it comes to phone calls, privacy is the most common security concern. Recently, we discussed how hackers can eavesdrop on VoIP calls to discover the content of participants' conversations. But eavesdropping isn't the only -- or, in some cases, even the most serious -- security risk you face when using VoIP.
In addition to intercepting the media protocol packets that contain the actual audio, VoIP attackers can target call-signaling protocols or the underlying networking (i.e., TCP/IP) protocols to cause poor call quality or even crash your VoIP devices and network. Here's a brief look at some of these types of attacks, what makes VoIP vulnerable to them, and how you can protect against them.
Denial-of-service (DoS) attacks
At the network and transport layers, a VoIP network is vulnerable to the same sorts of DoS attacks that attackers have perfected against data networks. A typical method for bringing down the network or a targeted IP-based device (whether it's a computer or a VoIP hard phone) is to flood it with a huge number of packets -- to the point where it's unable to handle the volume and shuts down (or at least performance degrades considerably).
Flooding and logic attacks
A TCP SYN (synchronization) flood exploits how the TCP connection process (the three-way handshake) works. SYN packets, requesting to open a new connection, are sent (usually from a spoofed IP address) in such large numbers and so frequently that it overloads the target system, fills up the connection queue table, and ignores legitimate new connection requests.
The handshake process never completes because the spoofed IP addresses don't return ACK (acknowledgement) packets; thus, the requests stay in the connection queue until they time out. You can mitigate this problem by adjusting the queue length and timeout configurations and by using firewalls that support stateful inspection and/or an intrusion detection system (IDS) to monitor for these attacks.
More specific to VoIP, attackers can use the same type of flooding technique to overload a VoIP device with VoIP protocol packets, such as SIP INVITE or REGISTER packets. Because these attacks occur at a higher level of the networking stack, fewer packets are required to cause problems.
In addition, it's not only SIP that's vulnerable. The Inter-Asterisk eXchange (IAX2) protocol has also been vulnerable to flooding of call requests.
Another way to disrupt network communications is through a logic attack. Unlike a flooding attack that uses the sheer volume of packets to disrupt service, in a logic attack the attacker uses packets that are out of sequence, malformed, or otherwise invalid.
As with flood attacks, logic attacks can focus on the network protocols (TCP/IP) or the higher layer VoIP protocols. For example, a logic attack could exploit SIP-signaling protocols by sending packets with invalid or incomplete fields. There are tools available at hacker sites, such as InviteFlood and IAXFlood, that attackers can use without needing to have extensive technical skills.
Protecting against flooding and logic attacks that use VoIP protocols requires a firewall or proxy that's SIP-aware and capable of detecting invalid SIP messages. In addition, you can use "fuzzing," or functional protocol testing, to detect protocol weaknesses; then, you can take measures to correct them.
Another way for hackers to attack VoIP calls is by injecting spoofed messages into the signaling channel of a call. Fake call teardown DoS attacks are one means of doing this. By using a "call teardown" message -- for example, a SIP BYE message or IAX HANGUP message -- the attacker can cause the call to terminate at whatever point he or she wants.
To protect against injected messages, encrypt protocols so no one can monitor the signaling channel, and authenticate all packets. Once again, hackers don't have to know how to do this themselves -- they can download tools such as sip-kill.
Call-hijacking attacks differ from eavesdropping in that they redirect the entire call to a different party, who can then participate in the conversation, pretending to be the legitimate called party. This is possible by modifying the VoIP registrar's database to replace the legitimate called party's IP address with that of the attacker. This causes the VoIP proxy to send calls intended for the original called party to the attacker instead.
Once again, encryption of the call-signaling packets can prevent this type of attack, but SIP messages are clear-text messages. SIP doesn't require authentication, making default SIP implementations vulnerable to these types of "man-in-the-middle" attack.
Using encryption, such as SIP over Transport Layer Security (TLS), or using IPSec on the VoIP network to encrypt packets as they travel across the network can protect against hijacking and related attacks. Another VoIP encryption option is Phil Zimmerman's Zfone, which uses the Z Real-Time Transport Protocol (ZRTP) to encrypt VoIP packets.
Caller ID spoofing
Another way for hackers to attack VoIP users is by spoofing caller ID information to make it appear that their calls originate from elsewhere (the same basic concept as e-mail return address spoofing). If the VoIP system uses caller ID information to authenticate callers, the hacker will appear to be an authenticated caller. Because knowledgeable attackers can easily spoof caller ID information, your system should never rely on caller ID information for authentication purposes.
When it comes to protecting VoIP from attackers, the most important element is encryption, encryption, encryption. But don't stop with encrypting the media channel -- the call-signaling channel needs protection as well. There are vendor-specific solutions for encrypting the signaling protocol itself, or you can use IPSec or TLS to encrypt the traffic at the network or transport layer.
There's no perfect, standard solution yet, but the first step toward defending your VoIP network is to be aware of the problem. By implementing VoIP-aware network devices and using encryption technologies, you can avoid many of the DoS, hijacking, and spoofing attacks to which VoIP is vulnerable.
Deb Shinder is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. She currently specializes in security issues and Microsoft products, and she has received Microsoft's Most Valuable Professional (MVP) status in Windows Server Security.
Want more tips and tricks to help you plan or optimize your VoIP deployment? Automatically sign up for our free VoIP newsletter, delivered each Monday!
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.