Dial 'D' for DoS; VoIP's hidden security threat

Communication technology experts have released a report highlighting inherent security issues with VoIP applications such as Skype and Vonage that could give online criminals an opportunity to operate undetected.

The Communications Research Network (CRN), an organization of industry experts and academics funded by a joint venture between Cambridge University and the Massachusetts Institute of Technology, believes that VoIP applications could provide excellent cover for launching denial of service (DoS) attacks because VoIP runs continuous media over IP packets.

The ability to dial in and out of VoIP overlays allows for control of an application via a voice network, making it almost impossible to trace the source of an attack, the research body claims. In addition, proprietary protocols, used by a number of VoIP applications, inhibit the ability of ISPs to track DoS activity, while encryption, peer-to-peer networking and a superpeer system that assists with call routing and NAT/firewall traversal further obscure the traffic.

"While the security measures [of VoIP] are in many ways positive, they would add up to a serious headache if someone were to use a VoIP overlay as a control tool for attacks," said the CRN's Jon Crowcroft, who is heading up the research.

"Although one could slowly shut down and patch or upgrade the exploited machines, it would be much harder to find affected computers and almost impossible to trace the criminals behind the operation," he added.

The CRN believes that if left unresolved, the security issues surrounding VoIP will not just decrease the likelihood of DoS detection but could also undermine consumer confidence in VoIP, which is already seen as a controversial technology.

Although the group acknowledged that there has yet to be a recognized instance of a VoIP-coordinated DoS attack, the CRN said it is only a matter of time before the technique becomes mainstream. Crowcroft suggested that the loophole could be resolved if VoIP providers were to publish their routing specifications or switch over to open standards. The latter would not only allow legitimate agencies to track criminal misuse of VoIP, but according to Crowcroft, there is also a clear business case for their implementation.

If VoIP applications were to interwork with instant messenger tools that now offer voice, they could stand to increase their market share, Crowcroft believes. And if routing specifications were more transparent, ISPs supporting VoIP usage could offer a better quality of service to VoIP users.
