Call Flooding Attack

As part of the VoIP threat series, I'd like to introduce "Call Flooding," which is the typical VoIP attack against availability (refer to the previous blog "VoIP Threat Taxonomy" for the category). Typically, an attacker floods valid or invalid heavy traffic (signaling or media) to a target system (for example, a VoIP server, client, or the underlying infrastructure), which degrades its performance significantly or brings the system down. The methods of flooding are as follows:

1. Valid or invalid registration flooding: An attacker uses this method commonly because most registration servers accept requests from any endpoint on the public Internet as the initial step of authentication. Regardless of whether the messages are valid or invalid, a large number of request messages in a short period of time (for example, 10,000 SIP REGISTER messages per second) severely impacts the performance of the server.

2. Valid or invalid call request flooding: Most VoIP servers have a security feature that blocks flooded call requests from unregistered endpoints. So, an attacker registers first after spoofing a legitimate user, and then sends flooded call requests in a short period of time (for example, 10,000 SIP INVITE messages per second). This impacts the performance or functionality of the server regardless of whether the request messages are valid or not.

3. Call control flooding after call setup: An attacker may flood valid or invalid call control messages (for example, SIP INFO, NOTIFY, Re-INVITE) after call setup. Most proxy servers are vulnerable because they do not have a security feature to ignore and drop those messages.

4. Ping flooding: Like Internet Control Message Protocol (ICMP) ping, VoIP protocols use ping messages in the application layer, such as the SIP OPTIONS message, to check the availability of a server or to keep the pinhole open in the local Network Address Translation (NAT) device. Most IP network devices (for example, a router or firewall) in a production network do not allow ICMP pings for security reasons. However, many VoIP servers have to allow the application-layer ping for proper serviceability, which could be a critical security hole.

The following figure illustrates an example of distributed flooding with zombies: an attacker compromises other computers with malware (for example, a virus) and uses them as zombies that flood registration messages. Each zombie sends 1,000 SIP REGISTER messages per second with different, randomly generated credentials.

[Figure: distributed registration flooding with zombies]

In the figure, the flooded messages impact the registration server (SIP registrar) severely as long as the server processes them and replies with any error code, such as "401 Unauthorized," "404 Not Found," "400 Bad Request," and so on. The impact can be high resource consumption (for example, CPU, memory, network bandwidth), system malfunction, or service outage. Whether the server responds or not, flooding the SIP registrar with sufficient registration messages will result in the degradation of service to the legitimate endpoints.

Besides the intentional flooding just mentioned, unintentional flooding (so-called "self-attack") also exists in VoIP networks, caused by incorrect device configuration, architectural service design problems, or unique circumstances. Here are some examples:

1. Regional power outage and restoration: When power is restored after a regional outage, all endpoints (for example, 10,000 IP phones) boot up and send registration messages to the server at almost the same time, which are unintentional flooded messages. Because those phones are legitimate and distributed over a wide area, it is hard to control the flooding traffic proactively.

2. Incorrect configuration of devices: The most common incorrect configuration is setting endpoint devices (for example, IP phones) to send too many unnecessary messages, such as a registration interval that is too short.

3. Misbehaving endpoints: Problematic software (firmware) or hardware could create unexpected flooding, especially when multiple or anonymous types of endpoints are involved in the VoIP service network.

4. Legitimate call flooding: There are unusual days or moments when many legitimate calls are made almost at the same time. One example is Mother's Day, when a lot of calls are placed in the United States. Another example is natural disasters (for example, earthquakes), when people within the area make a lot of calls to emergency numbers (for example, 911) and their family and friends make calls to the affected area at the same time.

Those types of intentional and unintentional call flooding are among the most common and critical threats to VoIP service providers, who have to maintain service availability continually.
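As an added example (not part of the original post), the following Python script shows how a registrar-side monitor can tell the flooding cases above apart from one another: a single zombie sending many REGISTER messages, a distributed flood of randomly generated credentials from many zombies, and the legitimate "self-attack" surge of provisioned phones re-registering after a power restoration. The log events, the thresholds, and the provisioned-user directory are all constructed here and are not from the post.

```python
from collections import Counter, defaultdict

# Assumed (hypothetical) per-second policy for the registrar, not from the post.
PER_SOURCE_LIMIT = 5    # REGISTER/s tolerated from a single source IP
AGGREGATE_LIMIT = 7     # REGISTER/s tolerated across all sources
PROVISIONED = {"alice", "bob"} | {f"phone{i}" for i in range(8)}  # known users

def make_sample():
    """Constructed log events (second, src_ip, method, from_user): one zombie
    using random credentials, a power-restore boot storm of provisioned
    phones, and eight zombies sending one randomly named REGISTER each."""
    ev = [(100, "198.51.100.7", "REGISTER", f"rnd{i}") for i in range(6)]
    ev.append((100, "192.0.2.10", "REGISTER", "alice"))
    ev += [(200, f"192.0.2.{20 + i}", "REGISTER", f"phone{i}") for i in range(8)]
    ev += [(300, f"203.0.113.{1 + i}", "REGISTER", f"bot{i}") for i in range(8)]
    ev.append((300, "192.0.2.10", "OPTIONS", "alice"))  # app-layer ping, ignored
    return ev

def analyse(events, provisioned, per_source=PER_SOURCE_LIMIT,
            aggregate=AGGREGATE_LIMIT):
    """Classify each one-second window of REGISTER traffic.

    Returns {second: (verdict, [ips])}. A source above per_source is a flood
    on its own; an aggregate above the limit is a distributed flood when most
    From users are unknown (random credentials), otherwise a legitimate surge
    that calls for capacity or back-off handling rather than blocking."""
    windows = defaultdict(list)
    for sec, ip, method, user in events:
        if method == "REGISTER":
            windows[sec].append((ip, user))
    verdicts = {}
    for sec, regs in sorted(windows.items()):
        per_ip = Counter(ip for ip, _ in regs)
        flooders = sorted(ip for ip, n in per_ip.items() if n > per_source)
        known_share = sum(u in provisioned for _, u in regs) / len(regs)
        if flooders:
            verdicts[sec] = ("single-source flood", flooders)
        elif len(regs) > aggregate and known_share < 0.5:
            verdicts[sec] = ("distributed flood", sorted(per_ip))
        elif len(regs) > aggregate:
            verdicts[sec] = ("legitimate surge", sorted(per_ip))
        else:
            verdicts[sec] = ("normal", [])
    return verdicts

if __name__ == "__main__":
    for sec, (verdict, ips) in analyse(make_sample(), PROVISIONED).items():
        print(sec, verdict, ips)
```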
