VoIP Application and Protocol Specific Threats

The application and protocol specific threat category covers the set of threats that are specific to VoIP applications and to the protocols used to drive these applications. The standard protocol defined by the Internet Engineering Task Force for VoIP and other real-time communication applications is the Session Initiation Protocol (SIP).

SIP is implemented either as a primary protocol or as an option in the majority of VoIP systems. Inherent in the design of SIP are a number of potential vulnerabilities that have been demonstrated in many real-world products. These include flooding attacks that flood a VoIP server with registration requests or with bogus calls.

Registration requests are sent whenever a SIP based end-point such as a hardware phone or a soft-phone is powered on or started. The request tells the VoIP application server or IP-PBX that the device is active and ready to receive calls. In most cases the VoIP application server requires that the registering device provides authentication details. A of flood registration requests can swamp a VoIP.

Malicious floods can send as many as 30,000 to 40,000 requests per second. Receiving and checking these requests is time consuming and can take up so much system resource that the server that it is unable to process new calls. The author has tested at least one commercial system that was affected to the point where not only did new calls fail, but existing calls were dropped.

A call flood is a slightly more subtle attack. A call flood rings phones and either plays a short message when the phone is answered or simply hangs up, immediately ringing the same phone again. Both registration floods and call floods are very effective denial of service attacks which are very easy to run on an IP network.

Application specific threats are not limited to denial-of-service attacks. The VoIP protocols can be manipulated to disrupt calls, for example by terminating calls or transferring them. These attacks would be serious for any organisation, but potentially devastating for an industry with a heavy reliance on a reliable phone service such as a call centre.

Peter Cox, CTO of Borderware, will be speaking at FIRST Security Conference in Sevilla. FIRST is the premier organization and recognized global leader in incident response. For more info, visit FIRST's website at http://www.first.org.