Is VoIP the next target?
The scale of the DoS problem, where networks are brought down by flooding them with e-mail, is difficult to assess. Many attacks are simply not reported because organizations fear they may undermine client confidence in their security.
The number of "zombie" computers being used to action these distributed DoS attacks is another unknown, but estimates always range in the millions. Armies of zombie computers can be hired for relatively small amounts of money on the black market, and the attack command is usually given via instant messaging. Internet service providers (ISPs) are currently able to survey the instant message servers, and ascertain from the traffic where the control is coming from, where it is going and even anticipate an attack. If the control traffic were to be obfuscated, however, then catching those responsible for DoS attacks would become more difficult.
According to CRN, VoIP tools could offer good cover traffic for DoS attacks because VoIP runs continuous media over IP packets. The ability to dial in and out of VoIP overlays allows for control of an application via a voice network, making tracing the source of an attack almost impossible. In addition, proprietary protocols--intended to protect a company's technology edge and prevent those ISPs who are also telephone companies from blocking the VoIP application--inhibit the ability of ISPs to track DoS activity. Encryption for user privacy, P2P and a super-peer system to assist with call routing and NAT/firewall traversal further obscure the command traffic.
"While these security measures are in many ways positive," says CRN's Jon Crowcroft, Marconi professor of communications systems at Cambridge University, "they would add up to a serious headache if someone were to use a VoIP overlay as a control tool for attacks. Although one could slowly shut down and patch or upgrade the exploited machines, it would be much harder to find affected computers and almost impossible to trace the criminals behind the operation."
Crowcroft suggests that the loophole could be resolved if VoIP providers were to publish their routing specifications or switch over to open standards. These measures would not only allow legitimate agencies to track criminal misuse of VoIP, Crowcroft contends there is also a clear business case for their implementation. If VoIP providers were to interwork with instant messenger tools that now offer voice, they could stand to increase their market share. If the routing specifications were to be more transparent, those ISPs who are not telephone companies could traffic engineer for VoIP traffic, delivering a better quality of service to VoIP users.
One of the CRN's key recommendations is for the establishment of a central database where companies and individuals can log attacks anonymously, thereby allowing the communications industry to assess the scale of the problem and identify patterns of attack.
|Printer friendly Cite/link Email Feedback|
|Title Annotation:||Voice-over Internet Protocol applications; Communications Research Networks (CRN) report about a security loop in VoIP|
|Date:||Apr 1, 2006|
|Previous Article:||Highway robbery.|