VOIP and DOS / SPIT – History and Challenges
VOIP and DOS / SPIT – History and Challenges
After nearly 20+ years of working in the Telecom arena, I’ve seen a number of developments and challenges within the industry. One such challenge has been the advent of SPIT (Spam Over Internet Telephony), which is unsolicited bulk messages sent over a VOIP system and essentially ‚clogging‘ up the VOIP system altogether.
While SPIT seems to be more of an issue with VOIP systems, older telephone systems also experienced similar challenges. In the case of classic telephony (here we are talking about analog lines and ISDN), simple blocking filters were set up when an ‚spammer‘ would try to clog up phone lines.
The blocking could be done at the local PBX or in case of very persistent attackers, at the regional government Postal, Telegraph and Telephone Service (in Germany the PTT would be Deutsche Telekom). Also it was not worthwhile at that time for the “spammer” to keep the exchange lines of a provider always “busy”.
A simple look in the call list and you could bring the culprit to the police.
Times change and so does (VOIP) telephony
What if you never find out who the caller is? Or if it is even a human being who keeps dialing your number? What if you can’t just “hang up” or even “don’t answer” is no longer an option? Well with a SIP connection this is now the case.
Now here is where you will say, “Wait a minute, I have an ISDN system!” Most medium-sized companies still have an ISDN PBX in operation. This is based locally on ISDN and is the central hub point of telephony within a company‘s premises.
The PBX however is typically connected to an on premise device provided by the telecom provider, that converts the VoIP to ISDN and allows the old technology to communicate with the new.
Furthermore your business may require, from your telecom provider, a cloud based BPX or a SIP connection, which means you will need at least a Session Border Controller (SCB) and an Asterisk based PBX (a server with the appropriate software) on premise, further exposing your network to VoIP based attack.
The development of SIP
I should mention that the development of SIP was intended from the beginning as a competing product against the worldwide ISDN network. The development of SIP led the developers to almost frantically rewrite the protocol to reflect various ISDN services, at theexpense of security or stability.
I see here already the following problems that you as an administrator must keep in mind:
- The audio converters have software that was vulnerable to Wanacry in 2017 and Log4J in 2021.
- It is an impossible to design an error free VoIP system. Sources of errors can usually be solved by complex intelligent architecture and the use of multiple software and hardware redundancies. (points of attack)
- VoIP systems depend on the availability and latency of the ISP connection.
Administrators will often impement firewalls into the VoIP system to strengthen the security posture. Unfortunately, these firewalls do not inspect or block SIP and RTP traffic. Traffic marked as SIP is simply passed through to the SBCs, which will always forward logical packets to the audio codec or Asterisk without any ifs or buts.
Attacks on enterprises
Newer generation SPIT attacks are not yet widespread, yet. However they are gaining in popularity, and have increasingly become a tool of extortionists since 2021. Most attacks on SIP infrastructure include:
- buffer overflow and bandwidth overload.
- amplification attacks after spoofing via amplifiers.
- service port attack (5060 UDP for SIP)
- SYN flood attacks on TCP traffic.
- attacks on Layer7 when SIP or https requests are sent.
The security posture of VoIP systems is at further risk when you couple the vulnerabilities and susceptibilities of VoIP, as stated above, with the advent of new attack methods in DDoS on the telecom provider infrastructure.
An example of this type of risk can be seen with the recent attacks on VoIP.ms:
A cycercriminal group called REvil succeeded in harassing the SIP provider VoIP.ms in such a way that the companies that bought their SIP traffic from VoIP.ms urged VoIP.ms to pay the ransom of $45,000.
However, this was understandably refused and the attacks continued for days.
VoIP.ms attempted to protect itself from DDoS attacks, but it was only partially successful. The website was accessible from time to time. But the VoIP service still suffered. And after REvil managed to cripple the VoIP.ms service for 3 days, the ransom increased to $4.3 million.
Eventually, the attacks stopped on September 30 only after the carriers of Voip.ms suffered outages themselves intermittently
This event showed that many IP telephony providers have no efficient way to filter VoIP traffic between legitimate and SPIT. Actions taken when there is an attack occurring are less than ideal and usually involve one of the following options:
- Black hole routing.
- Be routed to another SIP processing carrier
This lack of capability is troubling, especially as it gets easier to create large attacks on VoIP systems and DDoS their providers
Before 2021, there were no major DDoS attempts on SIP providers, and any attack methodologies were merely theoretical. But the recent well-prepared attacks VOIP providers, and the fact that they were previously spied on by their alleged customers, shows that SIP at companies can no longer keep their collective heads in the sand.
Conclusion VOIP and DOS / SPIT
There have been studies that predicted such scenarios that are now being experienced. At the time of those studies, the first botnets were not yet so widespread; if you combine these studies with today’s botnets and today’s layer 7 attacks, you find that today, 22 years after the introduction of SIP, it has become a vulnerable infrastructure.
As such, you should review security capabilities of your VoIP network, and look at working with a DDoS mitigation service, to ensure you can keep the phone lines open.
Effective protection as a precaution
Link11 offers a proven and patented DDoS protection that can effectively protect you from such threats.
The cloud-based technology works in real time and mitigates attacks from known and unknown vectors within the shortest possible time. Close every loophole and enjoy the highest level of security.