
The State of UC Security – (Si vis pacem, para bellum – if you want peace, prepare for war)

January 12, 2014

As the adoption of unified communications (UC) continues to grow, the incidence of Distributed Denial of Service (DDoS) attacks is on the rise as well. DDoS attacks are intentional, organized, complex network attacks designed to overload a UC or IP telephony network with traffic to slow or crash applications and servers. The attacks are fomented by hackers who are no longer satisfied with disrupting the usual suspects – financial organizations and government entities.

It doesn’t really matter whether your organization is attacked today or tomorrow; all of us will soon become victims of these attacks in some form. Whether the impact is on business productivity through downtime or through security breaches, more attacks are undoubtedly on the way. Downtime is often measured by the amount of time a system is unavailable, but, as we all know, downtime inevitably includes many hidden costs, including staff and customer disruptions, idle-time costs, and other issues.

While it is difficult to quantify the actual costs of an attack across the board, as each company and industry is different, the figures in the available research are shocking. An extensive study of the cost of data breaches was conducted by the Ponemon Institute in late 2011 and published in March 2012. The institute conducted in-depth interviews with 49 U.S. companies in 14 industries that had experienced attacks on their infrastructure. The total associated cost of a single attack was at least $5.5 million!

The incidence of attacks has become so prevalent that network security is now the number one concern of IT professionals around the world. In a recent survey of over 600 professionals working in network IT, conducted by TechTarget and Computer Weekly, the main priority for networking professionals in the coming 12 months is to ensure that their network is secure.

The new types of attacks are specifically designed to disrupt UC platforms. A flooding attack is a network-driven attack, similar to the types of attacks inflicted on Internet Web servers. In the case of a SIP flood, seemingly valid SIP protocol requests attempt either to gain access as a remote endpoint or to inundate the UC platform and its endpoints with so many requests that the systems or devices crash, which ultimately disrupts services or exposes vulnerabilities.

UC servers are susceptible to many types of attacks when they are published to the Internet. Without a protective solution in front of them, user accounts can easily be locked out in Active Directory Domain Services, passwords can be brute-forced, and internal server resources can be consumed unnecessarily by DDoS attacks. Lync environments using open federation (where anyone running Lync can discover and federate with them) are especially vulnerable to SIP flooding.

To make federation a no-brainer, XMPP-based platforms are designed to accept any XMPP traffic from any XMPP-based domain. This is a double-edged sword, as it makes them vulnerable to flooding attacks, among other types.

Although several approaches have been proposed to detect and counteract SIP or XMPP flooding attacks, most of these do not provide effective countervailing schemes to protect normal messages from abnormal ones after attacks have been detected. In addition, these approaches have some limitations in large user environments for SIP or XMPP-based multimedia services.

For SIP-based UC platforms, Session Border Controllers offer partial protection against DoS and DDoS attacks. Unfortunately, there is no equivalent protection against XMPP DoS and DDoS attacks.

One way to avoid being severely impacted by an attack is to join NextPlane’s UC Exchange. UC Exchange protects its members in the following ways:

  • Accepts SIP/XMPP messages only when both the source and destination domains in the message are part of the UC Exchange directory. Messages containing unknown source or destination domains are simply discarded.
  • Accepts SIP messages only over a TLS connection, and for TLS, UC Exchange will only accept certificates issued by the set of known and valid Certificate Authorities.
  • A member UC can treat UC Exchange as its sole “federation gateway” and the firewall in the UC perimeter network can be configured to allow communication only with the UC Exchange IP address. This will ensure any direct rogue attacks are stopped at the UC firewall right away.
  • Blacklists domains or users to stop attacks from known domains or users.
  • Defends against DDoS attacks at the network, session, and application layers. For example, the infrastructure is able to blacklist specific IP addresses involved in an attack.
  • Accepts and processes only messages that are relevant in the context of UC federation, i.e., those related to chat, presence, audio or video communication. This makes it impossible to mount an attack consisting of “control” messages that may destabilize UC systems.
  • Uses a specific FQDN or IP address for a domain instead of the published SRV records (if any). This ensures that UC Exchange communicates with a trusted endpoint even in the case of DNS service hijacking.
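As an added illustration (not NextPlane's code), here is a small Python gateway filter that applies the rules above to constructed SIP requests and XMPP stanzas: a member-directory check on both domains, TLS-only SIP, a domain/user blacklist, a whitelist of federation-relevant message types, and automatic blocking of an IP address that keeps sending rejected traffic. The directory, blacklist, flood threshold and sample messages are all hypothetical.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter
# Constructed sample policy data (hypothetical; not UC Exchange's real directory).
DIRECTORY = {"alpha.example", "beta.example"}
BLACKLISTED = {"spam.example", "mallory@beta.example"}   # whole domains or single users
ALLOWED_SIP_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "MESSAGE", "SUBSCRIBE", "NOTIFY"}
ALLOWED_XMPP_STANZAS = {"message", "presence", "iq"}   # chat, presence, Jingle (audio/video)
FLOOD_THRESHOLD = 3   # drops from one IP before the address itself is blocked (hypothetical)
drops_by_ip, blocked_ips = Counter(), set()
# Constructed sample traffic.
SIP_CHAT = "MESSAGE sip:bob@beta.example SIP/2.0\r\nFrom: <sip:alice@alpha.example>;tag=1\r\nTo: <sip:bob@beta.example>\r\n"
SIP_REGISTER = "REGISTER sip:alpha.example SIP/2.0\r\nFrom: <sip:eve@alpha.example>;tag=2\r\nTo: <sip:eve@alpha.example>\r\n"
XMPP_CHAT = '<message xmlns="jabber:client" from="alice@alpha.example/pc" to="bob@beta.example"><body>hi</body></message>'

def identity_of(uri):  # 'user@domain' from 'sip:user@host;params' or 'user@host/resource', else ''
    m = re.search(r"([^:<\s]+@[^;>/\s]+)", uri)
    return m.group(1).lower() if m else ""

def parse_sip(raw):  # method plus From/To identities of a (simplified) SIP request
    lines = raw.strip().splitlines()
    hdrs = {k.strip().lower(): v for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    return lines[0].split()[0], identity_of(hdrs.get("from", "")), identity_of(hdrs.get("to", ""))

def parse_xmpp(raw):  # stanza name (namespace stripped) plus from/to JIDs of one stanza
    el = ET.fromstring(raw)
    return el.tag.split("}")[-1], identity_of(el.get("from", "")), identity_of(el.get("to", ""))

def federation_verdict(proto, raw, src_ip, over_tls=True):  # rules applied in order
    if src_ip in blocked_ips:
        return _drop(src_ip, "ip-blocked")
    if proto == "sip" and not over_tls:
        return _drop(src_ip, "sip-without-tls")
    try:
        kind, src, dst = parse_sip(raw) if proto == "sip" else parse_xmpp(raw)
    except (ET.ParseError, IndexError):
        return _drop(src_ip, "malformed")
    src_dom, dst_dom = src.rpartition("@")[2], dst.rpartition("@")[2]
    if src_dom not in DIRECTORY or dst_dom not in DIRECTORY:
        return _drop(src_ip, "unknown-domain")   # not a member-to-member message: discard
    if src in BLACKLISTED or src_dom in BLACKLISTED:
        return _drop(src_ip, "blacklisted")
    if kind not in (ALLOWED_SIP_METHODS if proto == "sip" else ALLOWED_XMPP_STANZAS):
        return _drop(src_ip, "not-a-federation-message")   # e.g. REGISTER, OPTIONS
    return ("accept", "ok")

def _drop(src_ip, reason):  # count the drop; a persistently rejected IP gets blocked outright
    drops_by_ip[src_ip] += 1
    if drops_by_ip[src_ip] >= FLOOD_THRESHOLD:
        blocked_ips.add(src_ip)
    return ("drop", reason)
```

A real gateway would also expire entries in `blocked_ips` and validate the TLS certificate chain before any message reaches this logic.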

Irrespective of the type of UC platform you are using, XMPP- or SIP-based, remember the warning attributed to the Latin author Publius Flavius Vegetius Renatus in his tract De Re Militari (4th or 5th century): Si vis pacem, para bellum – if you want peace, prepare for war.
