VOICE OVER IP

From the May 2005 issue of Communications News

Protect your voice network

Hackers will find ways to exploit weaknesses in IP voice networks.

by Chris Risley


As voice over IP (VoIP) proliferates in large, high-profile businesses, hackers will find ways to exploit the weaknesses they already know to disrupt voice service. As network convergence moves forward, separating data, voice, video and other media will become more difficult.

Attacks frequently target the IP network’s logical infrastructure, particularly the domain name system (DNS). DNS servers map names to IP addresses or, in the case of VoIP, to the server that provides call routing (a SIP proxy), which SIP endpoints locate through DNS NAPTR and SRV records (RFC 3263). The DNS infrastructure as a whole is subject to a number of threats, including:

  • attacks on open source BIND servers;

  • distributed denial-of-service (DDoS) attacks targeting DNS services;

  • worms that overload networks; and

  • “man-in-the-middle” or “spoofing” attacks.

Any of these attacks could seriously disrupt voice service, but there are ways to mitigate the risks. Many enterprises use open source BIND servers as both caching and authoritative name servers. BIND has a long record of published security problems, however, including buffer overflows and denial-of-service weaknesses, and attackers frequently target BIND servers to shut down or infiltrate networks.

One mitigation is to run DNS software that shares no code with BIND, so that a single implementation bug cannot take down every name server at once. Major service providers are adopting commercial DNS software for security reasons. Simply diversifying DNS implementations makes an attack harder to carry out across the whole estate, although whichever software is in use must still be patched promptly.

Shutting down DNS servers effectively shuts down network services. In DDoS attacks, hackers hijack unwitting computers. When activated, these “zombies” flood target DNS servers with queries until they cannot respond to legitimate queries anymore.

The best defense is to have the performance “headroom” to respond to a dramatic increase in queries. If your DNS servers run at 80% of capacity and an attack triples DNS traffic, demand reaches 240% of capacity and you are out of service. If the DNS servers run at only 10% to 20% of capacity, however, a tripling leaves them at 30% to 60%, so they can continue answering every request while you identify the source of the attack.

There are several approaches for gaining this performance headroom:

  • Scavenge hardware to run more DNS servers.

  • Upgrade the server hardware. Faster processors may help, but no one’s hardware budget is unlimited. Improving software efficiency is usually cheaper.

  • Use efficient DNS server software. Highly efficient DNS servers can deliver many times the throughput of standard implementations.

Regardless of the intent of their payload, worms and viruses can overload networks much like a DDoS attack, flooding the infrastructure with scanning and propagation traffic. The first line of defense is having enough capacity to absorb the inflated traffic while finding the source of the problem. RFC 2870, which sets operational requirements for root name servers, calls for each root server to be able to handle three times its measured peak load in requests per second. Enterprises would do well to adopt the same rule as a best practice, using at most about 30% of capacity under normal peak load, for better network resiliency.
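To make the headroom rule measurable, here is an added example (not code from the article or from Nominum) that reads BIND-style query-log lines, constructed here rather than captured from a real server, finds the peak one-second query rate, and compares it with a capacity figure that is assumed to come from your own load test of the server.

```python
"""Check DNS query-rate headroom against the three-times-peak rule.

Added example, not code from the article. Log lines below are constructed
in a BIND-style query-log format; `capacity` is assumed to come from your
own load test of the server (queries per second it can answer).
"""
from collections import Counter
from datetime import datetime

# Constructed sample, not a real capture: seven queries over three seconds
# plus one non-query line that the parser must ignore.
SAMPLE_LOG = """\
12-May-2005 10:00:00.101 client 10.0.0.5#53421: query: _sip._udp.example.com IN SRV +
12-May-2005 10:00:00.250 client 10.0.0.6#41122: query: _sip._udp.example.com IN SRV +
12-May-2005 10:00:00.402 client 10.0.0.7#38891: query: sip1.example.com IN A +
12-May-2005 10:00:00.977 client 10.0.0.8#60001: query: sip2.example.com IN A +
12-May-2005 10:00:01.015 client 10.0.0.5#53422: query: www.example.com IN A +
12-May-2005 10:00:01.800 notify: received notify for zone 'example.com'
12-May-2005 10:00:01.903 client 10.0.0.9#44444: query: mail.example.com IN MX +
12-May-2005 10:00:02.110 client 10.0.0.6#41123: query: sip1.example.com IN A +
"""


def per_second_counts(log_text):
    """Count queries per wall-clock second; lines without 'query:' are skipped."""
    buckets = Counter()
    for line in log_text.splitlines():
        if " query: " not in line:
            continue
        stamp = line.split(" client ", 1)[0]          # '12-May-2005 10:00:00.101'
        second = datetime.strptime(stamp, "%d-%b-%Y %H:%M:%S.%f").replace(microsecond=0)
        buckets[second] += 1
    return buckets


def peak_qps(log_text):
    """Highest one-second query count in the log (0 for an empty log)."""
    counts = per_second_counts(log_text)
    return max(counts.values()) if counts else 0


def headroom(peak, capacity, multiplier=3.0):
    """Compare measured peak QPS with benchmarked capacity.

    Returns utilisation at peak, the traffic multiplier the server can absorb
    before saturating, and whether `multiplier` times the peak still fits
    within capacity (the RFC 2870 style rule with multiplier=3).
    """
    if capacity <= 0 or peak < 0:
        raise ValueError("capacity must be positive and peak non-negative")
    utilisation = peak / capacity
    spare_factor = float("inf") if peak == 0 else capacity / peak
    return {
        "utilisation": utilisation,
        "spare_factor": spare_factor,
        "absorbs": peak * multiplier <= capacity,
        "max_peak_under_rule": capacity / multiplier,
    }


if __name__ == "__main__":
    peak = peak_qps(SAMPLE_LOG)
    for capacity in (5, 20):                          # 80% busy vs 20% busy
        h = headroom(peak, capacity)
        print(f"peak={peak} qps capacity={capacity}: "
              f"{h['utilisation']:.0%} busy, absorbs {h['spare_factor']:.2f}x, "
              f"3x rule {'met' if h['absorbs'] else 'NOT met'}")
```

With the sample log the peak is 4 queries in one second; a server benchmarked at 5 qps is 80% busy and can absorb only a 1.25x surge, while one benchmarked at 20 qps is 20% busy and meets the three-times rule. Run the same bucketing over a day of real logs and take the highest bucket, not the average, before comparing with capacity.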

Man-in-the-middle (MITM) attacks erode the integrity of network services. In a data network, an attacker might answer a DNS query for your online banking service with the attacker’s own IP address (DNS spoofing). The attacker then relays the session between you and your bank, intercepting private account and password data along the way. In a VoIP scenario, a spoofed answer for the SIP proxy’s name would send a phone’s registration or call setup to an attacker-controlled server, which could relay the call and eavesdrop on it.

There are several potential defenses against MITM attacks. DNSSEC lets a resolver verify the origin and integrity of DNS data through digital signatures, so a forged answer fails validation even if it arrives first. Accelerating authoritative name servers can also help, because a resolver acts on the first reply that matches its query: faster responses shrink the window in which an attacker’s forged reply can win the race, and if the legitimate name server answers first the attack is thwarted. This only raises the bar for an off-path attacker, though, and complements rather than replaces DNSSEC. Finally, improve the caching name servers. They should accept a reply only if it matches an outstanding query on transaction ID, destination port, source address and port, and question section, and they should discard records outside the zone the queried server is responsible for, rather than accepting responses from servers they never queried.
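The two resolver-side points above, that a resolver acts on the first reply matching its query and that it should reject replies it never asked for, are shown in this added example, which is not code from the article or from any product it names. It hand-builds uncompressed DNS messages in RFC 1035 wire format (A records only, single question, a simplification), keeps a pending-query table keyed on the random source port and transaction ID, and accepts a reply only when the transaction ID, source address and port, QR bit, question section and bailiwick all check out. Addresses are taken from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24, and nothing is sent on the network.

```python
"""Resolver-side acceptance checks for DNS replies (RFC 1035 wire format).

Added example, not code from the article or from any product it names. It
hand-builds uncompressed DNS messages and simulates the pending-query table
of a caching resolver; addresses are from the documentation ranges and no
packets are sent.
"""
import secrets
import struct

TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """'www.example.com' -> 3 'www' 7 'example' 3 'com' 0 (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, off):
    """Decode an uncompressed name at msg[off]; returns (name, offset after it)."""
    labels = []
    while msg[off] != 0:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1


def build_query(txid, qname):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)      # RD=1
    return header + encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_response(txid, qname, answers):
    """answers: list of (owner name, dotted IPv4) A records with TTL 300."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)  # QR=1 RD=1 RA=1
    body = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    for owner, ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        body += encode_name(owner) + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, len(rdata)) + rdata
    return header + body


def parse(msg):
    """Parse a single-question message into a dict; names are lower-cased."""
    txid, flags, _qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4]); off += 4
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        answers.append((owner.lower(), rtype, rclass, ttl, msg[off:off + rdlen])); off += rdlen
    return {"txid": txid, "flags": flags, "qname": qname.lower(),
            "qtype": qtype, "qclass": qclass, "answers": answers}


def in_bailiwick(owner, zone):
    """True if `owner` is at or below `zone`, the zone the queried server serves."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


class Resolver:
    def __init__(self):
        self.pending = {}   # (our source port, txid) -> (server ip, server port, qname, zone)

    def send_query(self, qname, zone, server_ip):
        """Record an outstanding query with a random txid and source port."""
        txid = secrets.randbelow(1 << 16)
        sport = 1024 + secrets.randbelow(65536 - 1024)
        self.pending[(sport, txid)] = (server_ip, 53, qname.lower(), zone)
        return build_query(txid, qname), sport

    def accept(self, msg, src_ip, src_port, dst_port):
        """Return (accepted, reason); only replies matching an outstanding query pass."""
        r = parse(msg)
        key = (dst_port, r["txid"])
        if key not in self.pending:
            return False, "no outstanding query with this port/txid"
        server_ip, server_port, qname, zone = self.pending[key]
        if (src_ip, src_port) != (server_ip, server_port):
            return False, "reply from a server we did not query"
        if not (r["flags"] & 0x8000):
            return False, "QR bit clear: not a response"
        if (r["qname"], r["qtype"], r["qclass"]) != (qname, TYPE_A, CLASS_IN):
            return False, "question section does not match the query"
        if any(not in_bailiwick(a[0], zone) for a in r["answers"]):
            return False, "answer contains an out-of-bailiwick record"
        del self.pending[key]                       # first matching reply wins; later ones are ignored
        return True, "accepted"


def demo():
    """Five deliveries: four rejected for different reasons, one accepted."""
    res = Resolver()
    query, sport = res.send_query("www.example.com", "example.com", "192.0.2.53")
    txid = parse(query)["txid"]
    good = build_response(txid, "www.example.com", [("www.example.com", "192.0.2.10")])
    wrong_id = build_response((txid + 1) & 0xFFFF, "www.example.com", [("www.example.com", "198.51.100.66")])
    poison = build_response(txid, "www.example.com",
                            [("www.example.com", "192.0.2.10"), ("login.bank.example", "198.51.100.66")])
    return [
        res.accept(wrong_id, "198.51.100.66", 53, sport),   # off-path guess with the wrong txid
        res.accept(good, "198.51.100.66", 53, sport),       # right txid but from an unqueried source
        res.accept(poison, "192.0.2.53", 53, sport),        # foreign-zone record smuggled into the answer
        res.accept(good, "192.0.2.53", 53, sport),          # legitimate answer, accepted
        res.accept(good, "192.0.2.53", 53, sport),          # late duplicate: query no longer pending
    ]
```

The last two deliveries show why response speed matters: whichever matching reply lands first is the one used, and the query is then closed. The checks before that point are what keep an off-path attacker from winning by volume alone; with only a 16-bit transaction ID to guess, the random source port and the source-address and bailiwick checks are what make the race expensive, and DNSSEC validation is what settles it regardless of timing.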

Chris Risley is president and chief executive officer of Nominum, Redwood City, Calif., an IP name and address software company.