
Your Source For Enterprise Communications & Collaboration News & Insights

Defending Against Two Types of Voice and Video DOS Attacks – How SBCs Can Prevent Them

Posted by Paul Desmond

Jan 28, 2015

Imagine you work in a call center and every so often you pick up a call and hear nothing but a maddening screeching sound on the line.  Over time, the screeching calls become more frequent, every 3rd or 4th call. Pretty soon you’d be dreading each new call. 

That’s exactly what happened to a bank that had become the victim of a form of denial of service (DOS) attack. The attack went on for more than a year before the company was able to sort it out and address it, with some help from the FBI. On top of putting its contact center agents on edge, the episode likely cost the company customers as well. That’s because while its agents were taking all those screeching calls, real customers were having trouble getting through.

This is just one type of DOS attack that companies face as they start employing SIP trunking and various forms of unified communications, says Mykola Konrad, VP of Cloud and Strategic Alliances for Sonus Networks, Inc.  Hackers employ the attacks to make money or simply wreak havoc on companies they don’t like, usually in one of two ways.

Protecting Your Company From the Phony CLEC DOS Attack

The first, exemplified by the bank example, is to set up a phony telephone company, known as a competitive local exchange carrier (CLEC), typically in a country with lax oversight of such matters. The hackers then create botnets that infect computers around the world and get them to do their bidding.

In this case, that bidding was calling the 800-number of the bank. The way calls to any toll-free number work is that the company that owns the number pays its carrier so much per call, let’s say 10 cents. That carrier then pays every other carrier that had a role in handling the call some fraction of that figure, maybe .2 or .3 cents each. The hackers, having set themselves up as the CLEC that originated the call, make some money on each call placed by computers compromised by their botnets; and the longer the call is placed on hold, the better, because more minutes equate to more money. Of course there is no human on the line – hence the screeching when the call is finally connected.

“It was a cross-border attack so the FBI was called in and it turned into an international issue,” Konrad says. “The hackers were doing it primarily for the money, but the effect on the contact center was it had a lot of upset customers because they couldn’t get through. The bank thinks they lost customers because of it.”

The problem was the bank was transitioning to a SIP trunk architecture and had not yet implemented a session border controller (SBC). SBCs can address the DOS issue in a couple of ways. One is to create policies around types of sessions or calls which are simply not allowed. It may be calls from certain countries or even groups of IP addresses. If the bank knows, for example, that it has no customers outside of North America, it could allow only calls originating from North America.  SBCs can also throttle the number of calls allowed to go through at any particular time; if volumes get too high, as they do during a DOS attack, calls above a predefined threshold will be dropped.
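The two controls described above, a source allowlist and a call-volume threshold, can be sketched as a single admission check. This is an added example, not code from the article or from any SBC vendor; the class and function names are hypothetical, and the documentation address range 198.51.100.0/24 is an assumption standing in for whatever mapping of "allowed regions" a real deployment would use.

```python
import ipaddress
from collections import deque

class CallAdmissionPolicy:
    """Hypothetical SBC-style check: source allowlist plus a call-rate ceiling."""

    def __init__(self, allowed_networks, max_calls, window_seconds):
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]
        self.max_calls = max_calls
        self.window = window_seconds
        self.accepted = deque()  # timestamps of calls admitted inside the window

    def admit(self, source_ip, now):
        """Return (allowed, reason) for one call attempt arriving at time `now`."""
        try:
            addr = ipaddress.ip_address(source_ip)
        except ValueError:
            return False, "unparseable source address"
        if not any(addr in net for net in self.allowed):
            return False, "source not in allowed networks"
        # Expire admissions that have aged out of the sliding window.
        while self.accepted and now - self.accepted[0] >= self.window:
            self.accepted.popleft()
        if len(self.accepted) >= self.max_calls:
            return False, "call volume above threshold"
        self.accepted.append(now)
        return True, "admitted"

def replay(policy, attempts):
    """Run (timestamp, source_ip) call attempts through the policy in order."""
    return [policy.admit(ip, ts) for ts, ip in attempts]

# Constructed sample data: one allowed network and seven call attempts.
ALLOWED = ["198.51.100.0/24"]
ATTEMPTS = [
    (0.0, "198.51.100.10"),
    (0.2, "203.0.113.7"),      # outside the allowlist
    (0.4, "198.51.100.11"),
    (0.6, "198.51.100.12"),
    (0.8, "198.51.100.13"),    # fourth allowed call inside the window
    (10.5, "198.51.100.14"),   # earlier admissions have expired
    (11.0, "not-an-ip"),
]

if __name__ == "__main__":
    policy = CallAdmissionPolicy(ALLOWED, max_calls=3, window_seconds=10)
    for (ts, ip), (ok, why) in zip(ATTEMPTS, replay(policy, ATTEMPTS)):
        print(f"t={ts:5.1f} {ip:15} {'ALLOW' if ok else 'DROP '} {why}")
```

Rejected attempts are not counted toward the threshold here, so traffic that fails the allowlist cannot by itself exhaust the budget for permitted callers.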

Securing Your Business Against DOS Attacks Based on Malformed Packets

Another form of DOS attack has to do with intruders using malformed packets to inflict damage, Konrad says. In this instance, they will send packets that are intentionally malformed in such a way that the receiving device, such as an IP PBX or video codec, can’t deal with them.

For the hackers, the hope is that the target system will try to parse the packet, won’t be able to read it correctly and will be forced to restart. “That makes you drop calls,” he says. “It could be 5 or 10 minutes before everything comes back online.” By repeatedly sending such packets, the intruders can deny access to voice and video services for hours or days. Even if the system stays online, the effort of processing millions of “fake” packets will keep real calls from completing – therefore denying service.

SBCs can protect against such attacks because they perform deep packet inspection, looking at every packet as it comes through to make sure it’s properly formatted and makes sense in the context of the voice or video call. Any bad packets are simply denied access.

The moral of these stories is, if you’re going to employ SIP trunks (which can save you lots of money), make sure you protect them with an SBC. Failure to do so may wind up costing you far more in time and money.

Topics: Security, Best Practices, SIP, Session Border Controller