
VoIP Security: How Secured SBCs Can Defend Against Service Disruption

Attackers are always on the prowl trying to hack into enterprise communication networks and disrupt services, either to extort ransom from enterprises or just to make a point. Several state-sponsored actors also use DoS and DDoS attacks as a tool for political gain. During the Hong Kong protests, the encrypted application Telegram faced a massive DDoS attack, allegedly from Chinese IP addresses, that was intended to disrupt the application and prevent communication among the protestors. In an older incident, TelePacific Communications’ VoIP call processing service was brought down by a DDoS attack, which forced the company to rethink its VoIP security strategy.

Attacks, such as DoS and DDoS, are intended to disrupt communication networks. When it comes to VoIP, attackers can send a large number of SIP registration messages and flood the ports of a SIP trunk with millions of TCP/UDP packets. They take advantage of VoIP security gaps or vulnerabilities to

  • send a large amount of illegitimate traffic that consumes network bandwidth
  • send malicious traffic to target specific vulnerabilities in servers and applications or
  • send malformed packets, among other methods.

Session Border Controllers (SBCs) are capable of stopping such VoIP security attacks from wreaking havoc in your communication networks. Correctly configured and managed SBCs use their SIP traffic monitoring and detection features to prevent attacks launched using SIP INVITE and REGISTER message floods, malformed packets, and media floods, among others.

VoIP security: How TDoS attacks happen

VoIP security risks

Attackers use different attack vectors to target communication networks from multiple levels.

  • At the endpoint level, they can crash phones and computers.
  • At the gateway level, they can target network components that sit between the SIP networks of enterprises and the public Internet.
  • At the network level, they can flood session managers with session requests to target the enterprise IP

The following sequence of events illustrates how attackers use SIP registration message floods to launch DDoS attacks:

  1. An attacker sends millions of SIP registration messages from multiple sources to a single destination in an attempt to flood communication networks
  2. The SBC at the service delivery logic layer detects the DDoS attack and SIP registration flood and informs the SDN. The SBC also uses its analytical tools to prevent further attacks
  3. The SDN controller responds by modifying the packet forwarding rules at the edge of the network
  4. The SDN controller prevents the DDoS attack from succeeding at the network edge.

How SBCs help bolster VoIP security

SBCs are configured to process and police specific rules and can manage high traffic volumes to protect enterprise networks from DoS and DDoS attacks. However, standard SBCs, which are sometimes given away free when you buy a bunch of products from suppliers, provide limited protection, which is not enough. For example, standard SBCs cannot detect sophisticated DDoS attacks with subtle variations, such as a drop in the daily call traffic of a call centre from the typical 1000 calls to 100 calls in just 30 minutes. This kind of short-term deviation might be the result of a far-end service disruption, most probably at the service provider level, with attackers possibly redirecting the calls to their fake call center. When you configure your SBC correctly and monitor it periodically, you can detect such service disruption attacks through pattern recognition algorithms by monitoring such traffic deviations over a period of months.
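The call-volume deviation described above can be scored against a per-slot baseline. This is an added example, not code from the original article or from any SBC product; the history values are constructed, and the threshold, minimum sample count and 5% scale floor are assumptions to tune per network.

```python
from statistics import median

# Constructed sample: calls seen in the same 30-minute slot over 12 earlier weeks.
HISTORY = [980, 1010, 1005, 990, 1020, 1000, 995, 1015, 985, 1008, 1002, 998]

def robust_baseline(history):
    """Return (median, MAD) for one time slot; both resist a few outlier weeks."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return med, mad

def classify_slot(history, observed, threshold=5.0, min_samples=8):
    """Label one slot 'normal', 'drop', 'surge' or 'insufficient-data'.

    Returns (label, score), where score is the deviation from the slot's
    median in robust standard-deviation units.
    """
    if len(history) < min_samples:
        return "insufficient-data", 0.0
    med, mad = robust_baseline(history)
    # 1.4826 * MAD approximates a standard deviation for normal data.
    # The 5%-of-median floor (assumption) stops a very flat history from
    # turning ordinary jitter into an alert.
    scale = max(1.4826 * mad, 0.05 * med, 1.0)
    score = (observed - med) / scale
    if score <= -threshold:
        return "drop", round(score, 2)    # e.g. calls diverted or far-end outage
    if score >= threshold:
        return "surge", round(score, 2)   # e.g. call or registration flood
    return "normal", round(score, 2)

if __name__ == "__main__":
    for observed in (1040, 100, 3000):
        print(observed, classify_slot(HISTORY, observed))
```

A "drop" verdict is as important as a "surge" here: the scenario in the text is traffic disappearing, which a simple flood threshold never sees.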

Here are five ways managing and configuring your SBC correctly can prevent TDoS attacks and boost your VoIP security status.

Access Control Lists

One of the most basic defense mechanisms SBCs use is Access Control Lists, which control access to enterprise networks.

  • White lists contain IP addresses and network prefixes that are always allowed inside
  • Black lists contain IP addresses and network prefixes that are never allowed access inside networks.
  • Dynamic black lists contain a list of endpoints that are temporarily blacklisted and deregistered because their behavior falls out of the configured parameters.
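How the three lists interact can be shown as a small decision function. This is an added example, not code from the original article or from any SBC product; the class name, evaluation order, REGISTER threshold, window and ban duration are assumptions, and the addresses in the usage come from documentation ranges.

```python
import ipaddress
from collections import defaultdict, deque

class SbcAcl:
    """Static white/black lists plus a temporary (dynamic) black list."""

    def __init__(self, whitelist, blacklist, max_registers=20,
                 window=10.0, ban_seconds=300.0):
        self.white = [ipaddress.ip_network(n) for n in whitelist]
        self.black = [ipaddress.ip_network(n) for n in blacklist]
        self.max_registers = max_registers   # REGISTERs tolerated per window
        self.window = window                 # sliding window, seconds
        self.ban_seconds = ban_seconds       # length of a dynamic ban
        self.recent = defaultdict(deque)     # source -> recent REGISTER times
        self.banned_until = {}               # source -> ban expiry time

    def decide(self, src, method, now):
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in self.white):
            return "allow"                   # white list is always allowed
        if any(ip in net for net in self.black):
            return "deny-static"             # black list is never allowed
        if self.banned_until.get(src, 0.0) > now:
            return "deny-dynamic"            # temporary ban still running
        self.banned_until.pop(src, None)     # ban expired, forget it
        if method == "REGISTER":
            times = self.recent[src]
            times.append(now)
            while times and times[0] <= now - self.window:
                times.popleft()              # drop events outside the window
            if len(times) > self.max_registers:
                self.banned_until[src] = now + self.ban_seconds
                times.clear()
                return "deny-dynamic"        # behaviour outside configured limits
        return "allow"

def replay(acl, events):
    """Run (src, method, time) tuples through the ACL and collect decisions."""
    return [acl.decide(src, method, t) for src, method, t in events]
```

Because the white list is checked first, a trusted trunk peer is never dynamically banned, so its prefixes should be kept as narrow as possible.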

Flood and fuzzing protection

SBCs use customised protocol scrubbing rules to detect malformed packets that cause communication network components to crash. Malformed packets are also intended to degrade performance of critical network components to make networks vulnerable to further DoS and DDoS attacks.

For example, attackers might target endpoints by fuzzing RTP streams. Malware protection tools do not detect such attacks because fuzzing involves adding only invalid data into the stream, which is not malware. However, SBCs can detect this invalid data passing through their media engine by filtering the messages and discarding the invalid data in RTP streams.
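The kind of structural check a media engine can apply to each RTP packet before forwarding it is sketched below. This is an added example, not code from the original article or from any SBC product; it follows the RTP fixed-header layout of RFC 3550, and the set of allowed payload types stands in for whatever the call actually negotiated (an assumption).

```python
import struct

def build_rtp(first_byte, payload_type, payload, seq=1, ts=160, ssrc=0x11223344):
    """Build a constructed test packet: 12-byte fixed header plus payload."""
    return struct.pack("!BBHII", first_byte, payload_type, seq, ts, ssrc) + payload

def check_rtp(packet, allowed_payload_types=frozenset({0, 8, 9, 18, 101})):
    """Return the reasons to discard a packet; an empty list means it passes."""
    if len(packet) < 12:
        return ["shorter than the 12-byte fixed header"]
    b0, b1 = packet[0], packet[1]
    problems = []
    if b0 >> 6 != 2:                         # top two bits: RTP version
        problems.append("version is not 2")
    pt = b1 & 0x7F                           # low seven bits: payload type
    if pt not in allowed_payload_types:
        problems.append(f"payload type {pt} not negotiated")
    offset = 12 + 4 * (b0 & 0x0F)            # skip the CSRC list (CC * 4 bytes)
    if offset > len(packet):
        return problems + ["CSRC count exceeds packet length"]
    if b0 & 0x10:                            # X bit: header extension present
        if offset + 4 > len(packet):
            return problems + ["truncated extension header"]
        ext_words = int.from_bytes(packet[offset + 2:offset + 4], "big")
        offset += 4 + 4 * ext_words          # length is in 32-bit words
        if offset > len(packet):
            return problems + ["extension length exceeds packet length"]
    if b0 & 0x20:                            # P bit: last byte is the pad count
        pad = packet[-1]
        if pad == 0 or pad > len(packet) - offset:
            problems.append("invalid padding length")
    return problems

def scrub(packets):
    """Keep only the packets that pass every check."""
    return [p for p in packets if not check_rtp(p)]

# Constructed samples: one well-formed packet and three malformed ones.
GOOD = build_rtp(0x80, 0, b"\x00" * 160)
BAD_VERSION = build_rtp(0x40, 0, b"\x00" * 160)
BAD_CSRC = build_rtp(0x8F, 0, b"\x00" * 4)
BAD_PADDING = build_rtp(0xA0, 0, b"\x01\x02\xff")
```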

Malicious attack protection

SBCs can distinguish genuine VoIP traffic from malicious traffic that is intended to shut down communication networks by scanning the traffic against configured parameters, and allow only genuine VoIP traffic to enter the networks.

SBCs also have access to the application layer of the OSI model, which allows them to modify the resources allocated to network components and isolate the affected components to prevent degradations in QoS during DoS and DDoS attacks.

Media and signaling encryption

SBCs use TLS and SRTP to encrypt and secure media and signaling traffic. Encryption also helps retain privacy and comply with government regulations.

Human-readable SIP signaling messages can be easy to intercept, but encryption secures these messages. Moreover, peer authentication and cryptographic protections provide further protection for the signaling messages.

SBCs encrypt all calls, and hardened SBCs use stronger encryption keys and ensure that SRTP is negotiated separately on individual legs of calls. Additionally, hardened SBCs use customized TLS and SRTP profiles for signaling and media interfaces and relay services for better security.

Call Admission Control

SBCs use Call Admission Control (CAC) to ensure audio quality and performance in communication networks by regulating the bandwidth usage, the total number of calls, and the total data passing through the networks.

Sophisticated SBCs allow a certain amount of degradation in the quality of audio calls and performance of the network components before they prevent more calls from being set up, while hardened SBCs take this a bit further and regulate calls using defined parameters, specific to your network.

Traffic policing and rate limiting

SBCs use traffic policing to ensure all traffic entering communication networks complies with a traffic contract, which is a set of policies defined to determine authentic traffic. To ensure VoIP security, SBCs can discard all traffic that doesn’t comply with the traffic contract policies.

Using traffic contract policies together with rate limiters, which limit the rate of HTTPS requests passing through the network, SBCs can prevent DoS attacks and greatly improve your VoIP security posture. Hardening the traffic policies and rate limiters gives you enhanced protection and a configuration that fits your network topology like a glove.

Conclusion

DoS and DDoS attacks didn’t exist in traditional TDM telephony systems, which were voice-only networks isolated from the data-only enterprise networks. With the onset of VoIP-based communications, enterprise networks are plum targets for criminals looking to rake in the moolah.

Though an SBC can thwart a lot of attacks, it must be configured and managed correctly to do so — as a secure edge that scans signaling and media traffic against set protocols and monitors specific failures to detect and prevent attacks on your VoIP systems. This makes SBC security a critical component of VoIP security. But putting SBC security into practice is neither an easy nor a one-time activity.

Assertion® SecureVoice™ can help. Besides ensuring that your SBC’s configurations are dynamically updated to bolster your VoIP security, it studies every call through your SBC in real-time to block malicious attacks so you stay protected from service-disrupting attacks. To get a glimpse into how it works, get in touch with us at sales@assertion.cloud.