Dos Attacks VoIP

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.


We must consider different scenario when studying DoS attacks:

In a typical situation of establishing a VoIP connection for voice conversation where end systems or/and gateway are targets. At first place subscribers try to establish a voice call conversation over a VoIP channel. VoIP services should be available to subscribers when requested. In order to manage the Media gateways deployed across the communications, some VoIP systems use control protocols (e.g. MGCP and Megaco/H.248) and security mechanism. VoIP secure gateways (VoIP-SGW) are developed in advance to make IP telephony protocols friendly for common firewall configuration.

In order to meet the unflawed communication level, a VoIP system must be having enough capability (i.e. routing, bandwidth, and QoS) that provide the VoIP system a high level proficiency of communication across the infrastructure.

A secure VoIP system implements an intrusion detection system (IDS), firewall on the phone itself to check the media packet flow, or perform authentication.

But at least a minimum set of defenses that filter unwelcome packets, for example a firewall, must be deployed.


IP telephony subscribers need to be blocked from using VoIP services. The attack can be carried out taking advantage of the following vulnerabilities:

  • VoIP security is in an initial phase at the moment, there is lack of expertise and security standards. Users might unintentionally expose the system. While there exist some basic countermeasures such as IDS and firewalls, administrator may not configure them appropriately
  • Older firewalls cannot work interactively with VoIP and may leave open many more ports than VoIP actually uses for a transmission, leaving your machine vulnerable to hackers.
  • Unit now VoIP has been developed and deployed focusing on functionality with less thought for security [SAV01]. That means that not vary advanced defenses are in place. For example, strong authentication is not common in VoIP.
  • VoIP is vulnerable to DoS attacks which have not previously been a security issue with the circuit-switched telephony systems because of its analog nature.
  • With the rush to implement new VoIP systems, features and standards, implementation flaws are common. IP PBXs include many layers of software that may contain vulnerabilities. Programming mistakes, such as not properly checking the size of the parameters of protocol request, when exploited, can result in the following issues. [VVS01]
  • “Remote access: An attacker obtaining remote (often administrator level) access.
  • Malformed request DoS: A carefully crafted protocol request (a packet) exploiting a vulnerability which results in a partial or complete loss of function.
  • Load-based DoS: A “flood” of legitimate requests overwhelming a system.”

  • As with any network-base service, enterprise VoIP must communicate with other components on a LAN and possibly over an untrusted network such as the internet, where packets are easy to intercept.
  • Because RTP carries media, which must be delivered in real-time to be usable for an acceptable conversation, VoIP is vulnerable to DoS attacks that impact the quality delivery of audio such as those that affect jitter and delay.
  • VoIP tools can offer very good cover traffic for DoS attacks because VoIP runs continuous media over IP packets [CRN01]


Two basic standards are used for VoIP systems: H.323 and SIP. We consider here an attack in an H.232 environment. The SIP attack can be considered a variant of this pattern or a separate pattern. Likewise, specific Dos attacks against gateways will be analyzed from the supporting Megaco/H.248 protocol viewpoint.

Figure 5.1 shows the class diagram of the structure of an H.323 system. The Layer 2 Switch provides connectivity between H.323 components. The Gateway takes a voice call from a circuit-switched - Public Switched Telephone Network (PSTN) and places it on the IP network. The PSTN uses PBX switches and Analog Phones. The internet (IP network) contains Routers and Firewalls to filter traffic to the Terminal Devices. The gateway also queries the Gatekeeper via the Internet with caller/callee numbers and the gatekeeper translates them into routing numbers based upon service logic. The IP-PBX server acts like a call-processing manager providing call setup and routing the calls throughout the network to other voice devices. Softphones are applications installed in Terminal Devices (e.g. PCs or wireless devices).

One method to launch a DoS attack is to flood a server with repeated requests for legal service in an attempt to overload it. This may cause severe degradation or complete unavailability of the voice service.

A flooding attack can also be launched against IP phones and Gateways (e.g. a flood of “register” or “invite” events). With this form of DoS attacks, the target system is so busy processing packets from the attack that it will be unable to process legitimate packets, which will either be ignored or processed so slowly that the VoIP service is unusable. Attackers can also use the TCP SYN Flood attack (also known as resource starvation attack) to obtain similar results. This attack floods the port with synchronization packets, normally used to start a connection. In a Distributed DoS, multiple systems are used to generate a massive flood of packets. To launch a massive DDoS attack the hacker previously installs malicious software on compromised terminal devices (infected with a Trojan horse) that can be triggered at a later time (a.k.a. “zombies”) to send fake traffic to targeted VoIP components. Targeted DoS attacks are also possible where the attacker disrupts specific connections.

The class diagram of Figure 5.2 shows the structure for a DDoS attack in an H.323 architecture where any VoIP component can be a target for Dos. Classes Attack Control Mechanism and Zombie describe the software introduced by the attacker.

Note that the Zombie is just a terminal device in a different role.

The sequence diagram of Figure 5.3 shows the sequence of steps necessary to perform an instance of a DoS attack of the first type mentioned above. An attacker (internal or remote), with knowledge of a valid user name on a VoIP system, could generate enough call requests to over-whelm the IP-PBX server. An attacker may disrupt a subscriber's call attempt by sending specially crafted messages to his/her ISP server or IP PBX component, causing it to over allocate resources such that the caller receives a “service not available” (busy tone) message. This is an example of a targeted attack.

Similarly, out-of-sequence voice packets (such as receiving media packets before a session is accepted) or a very large phone number could open the way to Application Layer attacks (a.k.a. Attacks against Network Services). Buffer Overflow attacks might paralyze a VoIP number using repeated calling. For example, an attacker intermittently sends garbage (I.e. both the header and the payload are filled with random bytes corrupting the Callee's jitter buffer voice packets) to the callee's phone in between those of the caller's voice packets. Therefore the Callee's phone is so busy trying to process the increased packet flow that the jitter (delay variation) causes any conversation to be incomprehensible [MDPV01]

Figure 5.4 shows the class diagram of the structure of a Megaco/H.248 environment. Megaco/H.248 is the media gateway control protocol, this is a master-slave, transaction oriented protocol in which Media Gateway Controllers (MGC) control the operation of Media Gateways (MG) [VVDN02] VoIP media gateways are vulnerable to DoS because they accept signaling messages.

In this setting a Dos attack would occur at MGC when the attacker sends large amount of UDP packets to the protocol's default port 2944 or 2945, which keeps the MGC busy handling illegal messages, and finally blocks the normal service. An attacker can keep sending Service change or Audit capabilities command to a MG and thereby bring down the MG [SVID01]. Therefore, VoIP Gateways will not be able to initiate calls or maintain a voice call during a DoS attack. The audio quality will be affected as well. An alternative to launch DoS attacks is when an attacker redirects media sessions to a media gateway. The attack will overwhelm the voice component and prevent it from processing legitimate requests.

Signaling DoS attacks on media gateways con consume all available Time Division Multiplexing (TDM) bandwidth, preventing other outbound and inbound calls and affecting other sites that use TDM, On the other hand, due to the fact that VoIP media session are very sensitive to latency and jitter, DoS on media is a serious problem.

VoIP media, which is normally carried with RTP, is vulnerable to any attack that congests the network or slows the ability of an end device (phone or gateway) to process the packets in real time. An attacker with access to the portion of the network where media is present simply needs to inject large numbers of either RTP packets or high QoS packets, which will contend with the legitimate RTP packets [VVS01].