Protecting your voice gateway is extremely important for preventing toll fraud and other criminal activities that can be conducted through your VoIP system. This post covers five key areas that can help reduce risks to your voice gateway.
The other day I was looking through my firewall logs and noticed numerous connect attempts on UDP and TCP port 5060. Since I don't utilize SIP for my home phone service, I wasn't too concerned with these connect attempts, but I was curious to see who was knocking on my digital door. When I checked the IP address range that the scans were coming from, I saw that a large cable Internet service provider owned it. More than likely these packets were from some knucklehead running a VoIP scanning tool against my network range. While I was not going to lose sleep over someone scanning my network for SIP services I was not running, it did highlight for me the fact that there are many VoIP gateways out on the Internet that are not being protected properly and plenty of ethically challenged individuals that are more than happy to take advantage of them.
While my experience with VoIP abuse was harmless, in April of this year we saw an example of the dark side of cloud computing through a SIP brute force password attack that originated from Amazon's EC2 cloud service. Someone grabbed their credit card (I'm SURE it was their own personal credit card) and spun up a few virtual machines on Amazon to find and exploit unsecured SIP services on the Internet. While this may have seemed like a good idea, the attackers didn't realize that they had just unleashed the digital equivalent of Godzilla on an unsuspecting Tokyo, resulting in a serious cloud computing smackdown. Amazon promptly shut down the VMs after they received reports of numerous sites being taken down through a Denial of Service because of the amount of traffic they were slamming their poor phone systems and Internet pipes with. One site was claiming they were getting hit with over 6gb of traffic a day. This traffic was being generated through an application scanning for SIP services on VoIP gateways and then trying to guess the password. Amazon's cloud service can auto scale computing power and bandwidth based on how much an application uses, flooding these sites with traffic. For more info from an actual victim of these attacks and their experience trying to get Amazon to turn off the digital firehose, click here.
These attacks against voice gateways are not a one-time thing based on a specific vulnerability, but a continuous search for exploitable systems. Criminals already realize the economic viability of stealing voice services through the Internet. They can resell VoIP services, make expensive calls, and conduct voice phishing attacks against a business's customers. With the proliferation of SIP voice services for businesses and end users offering a less expensive alternative to the traditional landline, this threat will only get worse. The Internet Storm Center, run by the SANS Institute, shows that reports for SIP port 5060 scan/attacks have increased significantly since June of this year, validating that this attack trend is on the upswing.
Figure: TCP Port 5060 Scans on the rise. Source: SANS Internet Storm Center
The good news is that the impact of many of these threats can be mitigated through five basic security precautions.
In my next post I will go over some great tools that you can use for testing and auditing VoIP security. Until then, feel free to share your thoughts in the comments below.
Chris Jackson, CCIE (Security, Routing, Switching), CISA, CISSP, ITIL, SANS, Technical Solutions Architect in the Cisco Architectures and Verticals Partner Organization, has focused for the past six years on developing security practices with the Cisco partner community. During a 15-year career in internetworking, he has built secure networks that map to strong security policies for organizations, including UPS, GE, and Sprint. Chris is an active speaker on security for Cisco through TechwiseTV, conferences, and webcasts. He has authored a number of whitepapers and is responsible for numerous Cisco initiatives to help build stronger security partners. He holds dual CCIEs in security and routing and switching, CISA, CISSP, ITIL, seven SANS certifications, and a bachelor's degree in business administration.
Residing in Bradenton, Florida, Chris enjoys tinkering with his home automation system and playing with his ever-growing collection of electronic gadgets. His wife Barbara and three children Caleb, Sydney, and Savannah are the joy of his life and proof that not everything has to plug into a wall outlet to be fun.
Chris's latest book, Network Security Auditing, has been selected as the August, 2010, book giveaway on Cisco Subnet.