[VOIPSEC] Actual Attacks
ammar.alammar at gmail.com
Sat Feb 19 23:37:17 GMT 2005
A few comments on Chris' response below.
On Fri, 18 Feb 2005 21:50:29 -0600, Christopher A. Martin
<chris at sip1.com> wrote:
> Just some quick tips on these concerns...
> - Unless there has been an update vomit it is only good against legacy
> skinny protocol (Cisco call manager deployments)...
> - If you are deploying switched networks in your LAN infrastructure, where
> VoIP is deployed, you will immediately reduce your chances of successful
> packet capture...if you are on shared medium even tools such as ethereal can
> play back media for public domain codec's... and many commercial product
> also replay very nicely.
> - Dedicated Voice VLANS are also a good recommendation in the switched
> environment (Cisco has some good literature on their SAFE model, which can
> be Googled very quickly). This can be implemented whether or not the VoIP
> client supports VLAN capability (unless it is a soft client on a PC, in
> which case it is a hostage to the host.
In my opinion, this VLAN solution won't last long because of the
convergance between devices. we have mobile PDAs that can do VoIP,
smartphones, softphones, IP Phones with browsers and so on. To
maintain a VLAN seperation we need all these devices to support VLANs
and have the flexibility in being configured to direct VoIP traffic on
the VOIP-VLAN. I don't believe that all such devices will provide this
level of VLAN and configuration support.
Any suggestions on what to do in such device scenarios?
> - Standard DoS today in terms of flooding cannot be stopped, but it can be
> handled in the Internet backbone (which often occurs transparently
> so the rest of us don't see it).
For DoS, you can use a more integrated model of security such as
having your IDS or Firewall instruct the Switch(es) where the DoS is
originating from to apply a strict policy (or even disconnect). This
level of integration is being implemented by some vendors such as
Enterasys and the policy-based-networking is a great way of
maintaining business continuity.
For example, if I'm a call-Centre agent with a soft phone on a laptop
and I happen to have been infected with a worm that is applying a DoS
attack, then the IDS(or firewall) will instruct my switch to apply
the "Vice-only" Policy. I may no longer be able to accecss my CRM and
other applications when taking calls, however, I can still receive
calls to continue running the call centre. If the PC is still
generating a DoS, then I may be disconnected (reducing the dicconnect
scenario to a very narrow VOIP-related DoS attack).
> - Also standard precautions, such as deploying SIP aware firewalls or border
> controllers which handle the media dynamically prevent a majority of port
> scans and other direct attacks which low end devices are typically
> susceptible to.
> - Don't hesitate to commission VoIP consulting expertise to aid in
> deployment. Many good shops exist that can reduce the risk very quickly and
> create an immediate return on investment. (This can be hard to justify even
> with traditional data networking but with today's regulatory requirements
> has become a high priority)
> There are measures for WAN deployments as well...
> The big thing is to take the common sense approach to deployment... shore up
> the traditional vulnerabilities and then focus on VoIP (Unless it is already
> deployed)...if the traditional exploits exist on the existing data
> environment all bets are off (the solution may be compromised before it is
> even deployed).
> Christopher A. Martin
> P.O. Box 1264
> Cedar Hill, Texas 75106
> Low cost domain name registration & other Internet services.
> Sign up for your PayPal merchant account today and start selling your
> products on line today!
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of David Chitolie
> Sent: Friday, February 18, 2005 7:02 AM
> To: Robert Rolen; <Voipsec at voipsa.org> <Voipsec at voipsa.org>
> Subject: Re: [VOIPSEC] Actual Attacks
> Hi All,
> Although I have been involved in IP systems for many years I am fairly
> new to VoIP and have a new project to deploy many VoIP systems around
> the world.
> From what I have found on the web it seems like Vomit (Voice over
> Misconfigured Internet Telephony) SPIT (SPAM over internet technology)
> and DOS (Denial of Service) are the most common form of expected
> attacks to VoIP systems.
> VOMIT allows users to save telephone conversations to a .wav file from
> a tcpdump file. I am guessing that the risk here is with LAN users
> running tcpdump to capture traffic and in a switched environment this
> will not be very easily achieved unless ARP redirect or switch port
> monitoring is used by an employee.
> SPIT - (unwanted messages clogging up your voice mail box) This is not
> a problem now but there are lots of warnings to be aware it may happen
> DOS - This sounds like a real threat as IP DOS attacks are already here
> in standard IP networks and from the reply by Christopher Martin it
> looks to be a problem already.
> Has anyone found a database of help or known security concerns?
> I have found a useful sites for SIP security and SIP firewalls:
> David Chitolie
> Freelance Project Manager
> On 17 Feb 2005, at 12:30, Robert Rolen wrote:
> > Has a catalog or database been established to report and track actual
> > attacks against VOIP systems. I realize there are typical internet
> > attacks (spoofing, Trojans, sniffers, denial of service), but are the
> > attacks being documented to track the increase in attacks.
> > There are a lot of telecommunications managers that are not talking
> > with the IT departments and some of the IT departments see the
> > telephone system as just another responsibility added to their staff.
> > The trend of convergence for all security systems (Access Control,
> > CCTV, Alarms) into IP networks is rapidly becoming a reality.
> > Is there a trend to continue the isolation of the telephone system
> > from the office LAN?
> > A storybook of problems, incidents and trends would go a long way to
> > enhance the VOIP protection budget.
> > Any Thoughts?
> > Bob Rolen
> > Birmingham, Al
> > _______________________________________________
> > Voipsec mailing list
> > Voipsec at voipsa.org
> > http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> Voipsec mailing list
> Voipsec at voipsa.org
> Voipsec mailing list
> Voipsec at voipsa.org
Free yourself, Open new doors ... OpenSource
More information about the Voipsec