Stop DoS attacks against your VoIP

First, understand that there are a number of types of DoS attacks to which VoIP is vulnerable. One type is the generic bandwidth starvation attack, which is likely targeting your network as a whole, not specifically your VoIP systems. Many of the recent worms and viruses blast out such a huge amount of traffic that your WAN, to say nothing of your LAN, grinds to a halt. To stop this, obviously, you need to implement some of the usual defenses: Internet firewalls, and inbound and outbound access-control lists on screening routers. And, of course, keep your hosts patched and run anti-virus software. Duh.

Curiously, though, you have likely already solved this problem in your LAN and WAN. That's because you probably deployed QoS prior to rolling out VoIP solutions to prevent your time-sensitive voice traffic from being overwhelmed by normal user traffic. It doesn't really matter whether it's web surfing or millions of ICMP packets; if your QoS is working, it should protect you from either.

The next type of DoS attack uses the control protocols. For example, miscreants can forge H.323 or SIP signaling packets that tell an endpoint to disconnect. Unfortunately, there is little you can do about this from a network perspective, as most of this traffic won't be passing through firewalls, and even if it is, your firewalls may not be able to distinguish between real and forged packets.

The solution, then, is to configure authentication so that the voice applications know to whom they're talking. Although some of the authentication mechanisms are likely vendor-specific at this time, because you may want to integrate them into your Active Directory or other LDAP directory, or perhaps a RADIUS server, the SIP protocol itself has a header used for authentication. As an example, Cisco's SIP-based IP Phones and SIP Proxy Servers support HTTP Digest and CHAP.

For details, read RFC 2543, section fourteen, which explains how SIP uses basic authentication, digest authentication (which uses MD5) and proxy authentication. These authentication methods are described in RFC 2617.
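To see what digest authentication buys you against forged signaling, here is a minimal server-side check, added as an illustration and not taken from this tip's author or from any vendor's implementation. It assumes the RFC 2617 response form with no qop directive; the helper names and the user, password, realm, nonce and URI are made-up sample values.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    # RFC 2617 request-digest when no qop is sent: MD5(HA1:nonce:HA2).
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")  # binds the response to method + URI
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def parse_digest(header):
    # Split 'Digest name="value", name=value' into a dict; None if not Digest.
    scheme, _, params = (header or "").partition(" ")
    if scheme.lower() != "digest":
        return None
    pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))', params)
    return {name.lower(): quoted or bare for name, quoted, bare in pairs}

def verify_request(method, request_uri, header, passwords, realm, live_nonces):
    # Accept a signaling request only if its Digest response checks out.
    p = parse_digest(header)
    needed = ("username", "realm", "nonce", "uri", "response")
    if not p or any(k not in p for k in needed):
        return False
    if p["realm"] != realm or p["uri"] != request_uri:
        return False
    # Nonces must be ones this server issued and has not expired.
    if p["nonce"] not in live_nonces or p["username"] not in passwords:
        return False
    expected = digest_response(p["username"], realm, passwords[p["username"]],
                               method, request_uri, p["nonce"])
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(expected.encode(), p["response"].lower().encode())

# Constructed sample values (assumptions, not from the article).
PASSWORDS = {"alice": "s3cret"}
REALM = "pbx.example.com"
NONCES = {"f84f1cec41e6cbe5aea9c8e88d359"}
URI = "sip:bob@pbx.example.com"

def make_header(user, password, method, nonce):
    # What a phone holding `password` would send for `method` on URI.
    resp = digest_response(user, REALM, password, method, URI, nonce)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{URI}", response="{resp}"')
```
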


Thomas Alexander Lancaster IV is a consultant and author with over ten years' experience in the networking industry, focused on Internet infrastructure.


This was first published in October 2003
