The maturation of enterprise VoIP deployments has opened IT organizations to a new class of VoIP security issues, among them telephony denial of service (TDoS) attacks, which the FBI flagged last year as a danger to consumers. Enterprise and contact center networks will also be attractive TDoS targets as attackers try to profit directly from the attacks or use them as a diversion for a bigger con.
Like distributed denial of service (DDoS) attacks, TDoS attacks block legitimate VoIP sessions or disrupt business by flooding or hijacking IP telephony infrastructure with bogus calls. An attack can saturate every channel on a SIP trunk so that legitimate calls cannot get in or out, or cause phones to ring incessantly.
Beyond the data or financial theft that TDoS attacks enable, almost always by serving as a diversion while a separate fraud is carried out, they also paralyze user productivity and block legitimate business transactions or processes.
Dan Fontaine, senior vice president of technology at VIPdesk, a virtual contact center outsourcer, is still in the planning phases of deploying VoIP. But VoIP security issues such as TDoS prevention are already on his radar as potential threats to his business.
“We haven’t come up with a plan to address TDoS yet, but it is on the roadmap,” Fontaine said. “We are going to keep the VoIP traffic within the encrypted tunnel created by the Citrix Access Gateway. As a result, the VoIP ports will not be exposed to the Internet.”
Service providers have spent years wrestling with TDoS attacks, but those attacks were primarily aimed at theft of service, said Jonathan Zarkower, director of product marketing at Acme Packet, a session border controller (SBC) vendor. Hackers use enterprise TDoS attacks almost exclusively for financial gain, and most customers who have reported them said the attack was an inside job, he said.
“We actually see more inside attacks than outside attacks. There’s a lot of money to be made by disgruntled employees,” Zarkower said. “As IP continues to proliferate in the enterprise, I think we’re going to see more of this.”
Mitigating VoIP security issues: Track more than call volume
Acme Packet’s Net-Net series of SBCs has the ability to identify, intercept and shut down potential TDoS attacks, Zarkower said.
The appliances’ software can detect the insertion of white noise or other media, abnormal signals, and abnormal call establishment and call flow rates. Net-Net SBCs by default block IP multipathing protocols (IPMP), which Zarkower said are not essential to voice communications and are often used to launch a TDoS attack.
“There are multiple facets to a TDoS attack, and whatever solution you’re using also has to be multifaceted,” he said. “It’s more than being able to detect unusually high call volume … [and prevention] also means implementation of organization-wide security practices, polices and enforcement.”
Contact centers, particularly in the financial and healthcare industries, are prime targets for TDoS attacks due to the high call volume and sensitive data they handle, according to Mykola Konrad, director of enterprise products at Sonus Networks, another SBC vendor.
Sonus recently announced two VoIP security applications, VoiceSentry Analyzer and VoiceSentry Guardian, which work in conjunction with Sonus’ SBC and take an application-layer approach to identifying and shutting down bogus calls.
VoiceSentry Analyzer, which operates on Oracle Netra servers, runs alongside Sonus’ SBCs and monitors call detail records (CDRs) and other metrics in real time as it looks for anomalies. It forwards suspicious calls to a second appliance, VoiceSentry Guardian, which runs on Sonus’ proprietary hardware. Guardian executes an audio CAPTCHA test on those suspicious calls.
“It routes you to a special announcement that says, ‘Please [dial] 1234,’ and if you’re a human being, you say, ‘This is idiotic’ and [dial] 1234,” Konrad said. “But if you’re a robot, you would have no idea what to do.”
Administrators can customize the test to sound like the rest of the organization's Interactive Voice Response (IVR) system, disguising the CAPTCHA as a prompt a caller would expect anyway, such as a request for an ID number, he said.
Telecom engineers can configure Guardian with policies that dictate how bogus calls are handled from there, whether they’re rerouted to law enforcement or simply dropped. Analyzer comes pre-populated with common attack patterns, and customers can subscribe to receive regular updates from Sonus’ database.
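To make the Analyzer-to-Guardian flow concrete, here is an added example written for this article; it is not Sonus VoiceSentry or Acme Packet code and makes no claim about how those products work internally. It assumes a CDR with the fields shown, a 60-second sliding window per ingress trunk, a rate limit of 10 calls per window, a second rule for the scripted IVR-bypass pattern this article describes (many distinct caller IDs pressing the same digit within two seconds of the IVR answering), and a challenge of "please dial 1234"; the CDR records and the caller responses are constructed for the demo.

```python
"""CDR-driven TDoS detection with an audio-CAPTCHA hand-off (added example).

This is illustration code written for this article, not Sonus VoiceSentry or
Acme Packet code.  The CDR fields, thresholds, prompt and sample records are
all assumptions chosen for the demo.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional, Tuple


@dataclass
class Cdr:
    call_id: str
    ts: float                           # call start, seconds
    trunk: str                          # ingress SIP trunk the call arrived on
    caller: str                         # presented caller ID (easily spoofed)
    callee: str                         # dialed toll-free number
    first_dtmf: Optional[str] = None    # first digit pressed after the IVR answers
    dtmf_delay: Optional[float] = None  # seconds from answer to that digit


Responder = Callable[[Cdr, str], Optional[str]]   # what the caller dials back


class CdrAnalyzer:
    """Sliding-window rules over CDRs; observe() returns why a call looks suspicious."""

    def __init__(self, window_s=60.0, rate_limit=10, bypass_digit="8",
                 bypass_delay_s=2.0, bypass_min_callers=5):
        self.window_s, self.rate_limit = window_s, rate_limit
        self.bypass_digit, self.bypass_delay_s = bypass_digit, bypass_delay_s
        self.bypass_min_callers = bypass_min_callers
        self._recent: Dict[str, Deque[Cdr]] = defaultdict(deque)

    def _is_bypass(self, c: Cdr) -> bool:
        return (c.first_dtmf == self.bypass_digit and c.dtmf_delay is not None
                and c.dtmf_delay <= self.bypass_delay_s)

    def observe(self, cdr: Cdr) -> List[str]:
        q = self._recent[cdr.trunk]
        while q and cdr.ts - q[0].ts > self.window_s:     # expire old records
            q.popleft()
        q.append(cdr)
        reasons: List[str] = []
        # Rule 1: raw call rate on the trunk. Necessary, but the article's case
        # shows it is not sufficient: the bogus calls barely moved the volume.
        if len(q) > self.rate_limit:
            reasons.append(f"rate:{len(q)}/{self.window_s:.0f}s")
        # Rule 2: scripted IVR bypass: many distinct caller IDs press the same
        # digit within a couple of seconds of the IVR answering.
        if self._is_bypass(cdr):
            bypassers = {c.caller for c in q if self._is_bypass(c)}
            if len(bypassers) >= self.bypass_min_callers:
                reasons.append(f"ivr-bypass:{len(bypassers)}-callers")
        return reasons


class Guardian:
    """Audio CAPTCHA: play a prompt, compare the digits dialed back, apply policy."""

    def __init__(self, expected_digits="1234", on_fail="drop"):
        self.expected_digits, self.on_fail = expected_digits, on_fail   # or "reroute"

    def challenge(self, cdr: Cdr, respond: Responder) -> str:
        prompt = "Please dial " + " ".join(self.expected_digits)     # spoken by the IVR
        return "allow" if respond(cdr, prompt) == self.expected_digits else self.on_fail


def process(cdrs: List[Cdr], respond: Responder, analyzer: Optional[CdrAnalyzer] = None,
            guardian: Optional[Guardian] = None) -> Dict[str, Tuple[List[str], str]]:
    """Analyze every CDR; challenge only the flagged calls. -> {call_id: (reasons, action)}"""
    analyzer, guardian = analyzer or CdrAnalyzer(), guardian or Guardian()
    results: Dict[str, Tuple[List[str], str]] = {}
    for cdr in cdrs:
        reasons = analyzer.observe(cdr)
        results[cdr.call_id] = (reasons, guardian.challenge(cdr, respond) if reasons else "allow")
    return results


# --- constructed sample traffic (not real CDRs) ---------------------------------
TOLL_FREE = "+18005550100"
SAMPLE_CDRS: List[Cdr] = [
    Cdr("h1", 0.0, "carrier-trunk-1", "+12125550101", TOLL_FREE, "2", 6.5),   # humans
    Cdr("h2", 5.0, "carrier-trunk-1", "+13105550102", TOLL_FREE, "1", 9.0),
    Cdr("h3", 10.0, "carrier-trunk-1", "+17735550103", TOLL_FREE, None, None),
] + [  # eight scripted calls: rotating caller IDs, all press 8 half a second in
    Cdr(f"s{i}", 12.0 + i, "carrier-trunk-1", f"+1555010{i:04d}", TOLL_FREE, "8", 0.5)
    for i in range(1, 9)
]


def scripted_responder(cdr: Cdr, prompt: str) -> Optional[str]:
    """Stand-in for the far end: the dialer keeps pressing 8, people follow the prompt."""
    return "8" if cdr.call_id.startswith("s") else "1234"


if __name__ == "__main__":
    for call_id, (reasons, action) in process(SAMPLE_CDRS, scripted_responder).items():
        print(f"{call_id:>3} {action:<6} {', '.join(reasons) or '-'}")
```

Run as a script, the three human calls and the first four scripted calls pass untouched; the fifth scripted call trips the IVR-bypass rule and is challenged and dropped, and only the eleventh call in the window trips the plain rate rule, which is the point the vendors make about volume alone. Two caveats a deployment must handle: the "CDR" here is really a partial record emitted while the call is still in the IVR (a completed-call CDR arrives too late to challenge anything), and caller ID is trivially spoofed, so the distinct-caller count is a weak signal on its own, which is exactly why the decision is a challenge rather than an outright block.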
Sonus’ SBCs have traditionally prevented TDoS attacks at the packet layer, flagging malformed packets as phony. But that did nothing to stop calls from a software application designed to tie up lines with white noise, as one customer recently experienced, Konrad said.
The customer, which he declined to identify, had historically monitored the call volume in its contact center very closely. Telecom engineers there noticed minor increases in call volume, nothing large enough to be flagged as an attempt to overwhelm the equipment, and their software detected none of the hallmarks of an attack, such as signal irregularities or malformed packets, Konrad said. At the packet layer, the calls looked like legitimate sessions.
The small spikes in call volume coincided with reports from call center agents that they were receiving mysterious calls that contained just four minutes of white noise or siren sounds. After working with the FBI and their service provider, AT&T, the telecom engineers learned the calls originated from a hacker in Manitoba, Canada, Konrad said.
The hacker had purchased a bevy of SIP trunks and written a SIP dialing script that would call toll-free numbers and dial 8, which he had determined would likely bypass the IVR system to get a live agent, Konrad said. The hacker had misrepresented himself as a business customer “who just happened, as part of his business, to have to make many toll-free calls,” he said.
The hacker threatened his local carrier that he would take his “business” to another service provider if the local carrier didn’t give him a cut of the toll-free tariffs it collected from contact centers the hacker had targeted, Konrad said. The carrier obliged, he said.
“The very first thing people think is, ‘What’s wrong with the equipment?'” he said. “What you need is an application-aware appliance of some sort to really take a look at the media coming through … and at some level to even listen to the voice and say, ‘Is this a real human?'”
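Konrad's closing point, actually listening to the media to decide whether a real person is on the line, can be approximated with cheap signal statistics. The following is an added example for this article, not Sonus or Acme Packet code: it classifies 8 kHz mono PCM audio (what a G.711 decoder produces) as white noise, a continuous synthetic tone such as a siren, speech-like audio, or dead air, using two per-frame measures, lag-1 autocorrelation and the fraction of silent frames. The thresholds and the three synthetic test signals are assumptions made for illustration; a real deployment would compute these per RTP stream on the SBC or media server and feed the verdict into the same challenge-and-drop policy described above.

```python
"""Media-layer liveness heuristics for a live call (added example, not vendor code).

Input: 8 kHz mono PCM samples scaled to [-1, 1], as a G.711 decoder yields.
Two statistics computed per 20 ms frame (one RTP packet):
  * lag-1 autocorrelation: ~0 for white noise, ~1 for tones and voiced speech;
  * silence ratio: share of frames far below the loudest frame; scripted media
    (noise, sirens, looped tones) never pauses, people do.
Thresholds and the synthetic signals below are assumptions for illustration.
"""
import math
import random

SAMPLE_RATE = 8000
FRAME = SAMPLE_RATE * 20 // 1000          # 160 samples = 20 ms


def _rms(frame):
    return math.sqrt(sum(x * x for x in frame) / len(frame))


def _lag1_autocorr(frame):
    energy = sum(x * x for x in frame)
    return sum(a * b for a, b in zip(frame, frame[1:])) / energy if energy else 0.0


def media_stats(samples, silence_floor=0.05):
    """Frame-level statistics over a PCM buffer holding at least one full frame."""
    frames = [samples[i:i + FRAME] for i in range(0, len(samples) - FRAME + 1, FRAME)]
    if not frames:
        raise ValueError("need at least one 20 ms frame")
    energies = [_rms(f) for f in frames]
    loudest = max(energies)
    active = [f for f, e in zip(frames, energies) if e >= silence_floor * loudest]
    return {
        "loudest": loudest,
        "silence_ratio": 1.0 - len(active) / len(frames),
        "lag1_autocorr": sum(_lag1_autocorr(f) for f in active) / len(active) if active else 0.0,
    }


def classify_media(samples):
    """Return 'silence', 'white-noise', 'continuous-tone' or 'speech-like'."""
    s = media_stats(samples)
    if s["loudest"] < 1e-3:
        return "silence"
    if s["lag1_autocorr"] < 0.3:       # adjacent samples uncorrelated: broadband noise
        return "white-noise"
    if s["silence_ratio"] < 0.05:      # never pauses: siren, hold loop, TTS on repeat
        return "continuous-tone"
    return "speech-like"


# --- synthetic signals standing in for captured RTP audio (constructed) ------------
def white_noise(seconds, seed=1):
    rng = random.Random(seed)
    return [max(-1.0, min(1.0, rng.gauss(0.0, 0.3))) for _ in range(int(seconds * SAMPLE_RATE))]


def siren(seconds, low_hz=600.0, high_hz=1200.0, sweep_hz=1.0):
    out, phase = [], 0.0
    for n in range(int(seconds * SAMPLE_RATE)):
        t = n / SAMPLE_RATE
        hz = low_hz + (high_hz - low_hz) * 0.5 * (1 + math.sin(2 * math.pi * sweep_hz * t))
        phase += 2 * math.pi * hz / SAMPLE_RATE
        out.append(0.8 * math.sin(phase))
    return out


def speech_like(seconds, f0=150.0, burst_s=0.3, gap_s=0.2):
    """Crude vowel bursts (f0 plus four harmonics) separated by pauses."""
    out = []
    period, burst = int((burst_s + gap_s) * SAMPLE_RATE), int(burst_s * SAMPLE_RATE)
    for n in range(int(seconds * SAMPLE_RATE)):
        t = n / SAMPLE_RATE
        talking = (n % period) < burst
        out.append(sum(0.15 / k * math.sin(2 * math.pi * f0 * k * t) for k in range(1, 6))
                   if talking else 0.0)
    return out


if __name__ == "__main__":
    for name, pcm in (("white noise", white_noise(3)), ("siren", siren(3)),
                      ("speech-like", speech_like(3)), ("dead air", [0.0] * SAMPLE_RATE)):
        print(f"{name:>12}: {classify_media(pcm)}  {media_stats(pcm)}")
```

The two measures are deliberately crude so they run in constant memory per stream: lag-1 autocorrelation separates broadband noise from anything tonal, and the silence ratio separates a looped or synthetic source from a person, who pauses to breathe and listen. Hold music and text-to-speech loops land in the same "continuous-tone" bucket as a siren, so the verdict should trigger the DTMF challenge, not a hard drop.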