Most, if not all, large businesses use VoIP as their prime communications medium, usually because of the cost and functionality benefits it confers. As the market has developed, the ability to adopt a VoIP solution has extended to smaller businesses. However, as with other IT areas, VoIP has attracted the attention of miscreants, thieves and hackers intent on stealing information and disrupting business operations.
A new discipline, VoIP Security, has grown up to counteract these efforts.
In the larger IT environment, one particular thorn in the flesh has been Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. These are intended to prevent normal communication with the organisation’s systems and services by flooding the organisation’s IT interfaces with large amounts of data, preventing authorised traffic from getting through. In a cloud environment, or for an Internet-based sales or service provider, this could be fatal.
It has happened, and in a big way. In March of 2019, the VoIP systems of TelePacific were subjected to a DDoS attack which brought them down.
The DDoS attack came from the Internet in the form of a large number of invalid VoIP registration requests. The outcome was large-scale service disruption for a few days in late March, when the usual daily level of 34 million requests for VoIP connections suddenly increased to 69 million, flooding the TelePacific systems and removing the ability to place calls.
It cost the company several hundred thousand dollars in customer credits. When the dust had settled, the services provider, a facilities and services company based in California and Nevada, boosted its security measures to guard against a similar DDoS attack in the future.
For this and other unreported attacks, VoIP Security now needs to consider how to detect and prevent DDoS attacks on the organisation’s voice and video communications systems.
The first step is to define what a DDoS attack in the communications environment is. Once we know what it is, we can then develop countermeasures.
DDoS in the VoIP Environment
The first thing to understand is that the IP protocols used by VoIP systems are exactly the same as, and have the same weaknesses as, the wider network IP protocols, which incidentally weren’t designed to support voice and video.
As a result, DDoS attacks in the VoIP environment have exactly the same intent and techniques as general DDoS attacks – denial of service. Because VoIP uses the same communications protocols as other network traffic, many general DDoS exploits can be easily applied to VoIP systems.
It is important to consider DDoS as one of many potential security risks that could arise in a VoIP environment, and to recognise that a properly set up VoIP security environment will guard against most DDoS attacks.
There are general security weaknesses that need to be addressed:
Spam, or in the VoIP world, Spam over Internet Telephony (“SPIT”);
A real problem, and an increasing one in the VoIP world. Large volumes of SPIT can act as a form of DDoS attack, flooding the phone system and preventing normal communications. SIP connections are particularly vulnerable to being clogged with SPIT.
Spoofing, or in general attempts to steal data; and
While not strictly speaking DDoS relevant, spoofing can be used as part of a DDoS attack to mask the origin of the attack, and cover while an attempt is made to steal data.
All networks, including VoIP networks, need authentication to prevent unauthorised access and potential misuse and theft of information. Rejecting unauthenticated traffic can go some way to reducing the DDoS traffic clogging up the system.
DDoS and VoIP Security
A general security profile that will mitigate most DDoS attacks is made up as follows:
- Separate voice and data traffic. This can help to stop attacks on the general systems leaking over into the VoIP systems. A DDoS attack on the general system may not incapacitate the VoIP system, though it will be affected. Use encryption and VPN as part of the authentication environment. You may need a separate Internet connection purely for VoIP traffic.
- If you are a small business, the temptation is to buy cheap and cheerful hardware and software. Don’t: these systems are often very insecure and can provide an easy entry point into your systems.
- Use encryption and VPNs on your VoIP network. Many proprietary systems from major manufacturers already require the use of VLANs and natively support encryption. You should also definitely use encryption if you run VoIP between buildings and remote sites.
Technical considerations will also include:
- Opening only those server and router ports and activating only those services needed to support VoIP.
- Restricting access to VoIP servers to systems administrators.
- Logging and monitoring all access to the server.
- Implementing an intrusion detection system to detect any attempts, malicious or otherwise, to gain entry to the VoIP network.
- Implementing a defence-in-depth security strategy. It should include multiple layers, incorporating dedicated VoIP-specific firewalls.
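As an added illustration of the logging and monitoring points above (example code, not from the original article or any vendor), the following sketch flags sources that send bursts of SIP REGISTER requests which never complete authentication, the kind of invalid registration flood described earlier. The log format, addresses, window and thresholds are assumptions; because a legitimate phone also receives a 401 challenge before its authenticated REGISTER succeeds, the check looks at the success ratio rather than at 401 counts alone.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample():
    """Constructed log lines (assumed format: ISO time, source IP, method, status)."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    # One phone: 401 challenge, then an authenticated REGISTER answered with 200.
    rows = [(0, "192.0.2.10", 401), (1, "192.0.2.10", 200)]
    # NATed office: three phones behind one address, each 401 then 200.
    for i in range(3):
        rows += [(2 + i, "192.0.2.77", 401), (2 + i, "192.0.2.77", 200)]
    # Flood: eight REGISTERs in four seconds that never complete authentication.
    rows += [(5 + i // 2, "203.0.113.50", 401) for i in range(8)]
    rows.sort(key=lambda r: r[0])
    return [f"{(base + timedelta(seconds=s)).isoformat()} {ip} REGISTER {st}"
            for s, ip, st in rows]

def flag_register_floods(lines, window=timedelta(seconds=10),
                         min_attempts=5, max_success_ratio=0.2):
    """Return {source: (attempts, successes)} for sources whose REGISTER
    attempts inside the sliding window reach min_attempts while the share
    answered with 200 stays at or below max_success_ratio."""
    recent = defaultdict(deque)   # source IP -> (timestamp, succeeded) pairs
    flagged = {}
    for line in lines:
        fields = line.split()
        if len(fields) != 4 or fields[2] != "REGISTER":
            continue              # skip blank, malformed or non-REGISTER lines
        ts, src, ok = datetime.fromisoformat(fields[0]), fields[1], fields[3] == "200"
        q = recent[src]
        q.append((ts, ok))
        while ts - q[0][0] > window:
            q.popleft()           # drop attempts that fell out of the window
        attempts, successes = len(q), sum(s for _, s in q)
        if attempts >= min_attempts and successes / attempts <= max_success_ratio:
            flagged[src] = (attempts, successes)
    return flagged

if __name__ == "__main__":
    for src, (attempts, successes) in flag_register_floods(build_sample()).items():
        print(f"{src}: {attempts} REGISTERs in window, {successes} authenticated")
```

Flagged sources are candidates for rate limiting or blocking at the VoIP firewall; the thresholds need tuning against the site's own registration baseline.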
While it is not possible to defend entirely against DDoS and other malicious attacks against VoIP systems, common sense and the application of standard network security will go a long way towards mitigation and prevention.