While in general it is best to follow this advice, support staff need to be aware that updates that correct a vulnerability in one area also have the potential to create one in another. The best approach, therefore, is to ensure updates have been thoroughly tested in a configuration that matches the one in which they are to be deployed.
Attacks aren’t limited to routers, switches and other network equipment, however. Softphones – computers equipped with an application to allow them to make IP phone calls – are also vulnerable. In October 2005, for example, an update to one major vendor’s software had to be released to close a loophole that could allow an attacker to commandeer a user’s PC.
This is one reason why some authorities (e.g., the US National Institute of Standards and Technology) suggest that softphones be prohibited where particularly high standards of security and availability are required. This advice is based both on the potential for computers that act as softphones to be infected with viruses and on the fact that softphones create bridges between data and voice networks that may otherwise have been kept separate to improve security and reliability.
Six top threats
Attacks will be conducted for a number of different reasons. We think the six below will prove the most common.
Denial of service attacks
The goal: To reduce the quality of the phone service, potentially to the extent of preventing users from making and receiving calls.
How it works: There are two main ways of denying access to IP telephony services. If calls are routed through the public internet (as is the case for the services offered by Skype, Vonage and others as well as for BT Communicator and BT Broadband Voice) or across another network that shares capacity on a ‘first come, first served’ basis, interference can arise even from perfectly legitimate activities, such as downloading large files. The packets of data that carry the call get delayed, causing breaks in the conversation. In severe cases, the ‘line’ will be cut. Those wishing to deny users the ability to use IP telephony services can exploit this weakness by flooding the network with spurious data, reducing its ability to carry calls.
Alternatively, an attacker can flood a target call manager, phone, or IP telephony infrastructure with spurious service requests or malformed data packets. These will either overload the systems and software completely, or significantly impede their ability to handle legitimate calls. In similar ‘denial of service’ attacks on web servers and other computer systems, attackers use viruses, worms and other techniques to ‘sign up’ computers around the internet to take part in the assault, typically without the user’s knowledge. The result is termed a distributed denial of service attack.
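An added example, not part of the original article: a sliding-window check over call manager request logs that separates a flood from one source from the distributed case described above, where no single sender looks unusual. The log format (timestamp, source address), the thresholds and the addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW = 10          # seconds per sliding window (assumed)
PER_SOURCE_MAX = 20  # requests allowed per source per window (assumed)
TOTAL_MAX = 60       # requests allowed from all sources per window (assumed)

def detect_floods(events, window=WINDOW, per_source_max=PER_SOURCE_MAX,
                  total_max=TOTAL_MAX):
    """events: iterable of (timestamp_seconds, source_ip).
    Returns (noisy, distributed): the set of sources that exceeded their own
    limit, and a list of (timestamp, distinct_sources) marking the start of
    each episode where total load is too high but every source is within limit."""
    recent, counts = deque(), defaultdict(int)
    noisy, distributed, in_episode = set(), [], False
    for ts, src in sorted(events):
        recent.append((ts, src))
        counts[src] += 1
        # Drop requests that have aged out of the window.
        while recent[0][0] <= ts - window:
            _, old = recent.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        if counts[src] > per_source_max:
            noisy.add(src)
        # Distributed case: aggregate is over limit, no individual source is.
        over = len(recent) > total_max and max(counts.values()) <= per_source_max
        if over and not in_episode:
            distributed.append((ts, len(counts)))
        in_episode = over
    return noisy, distributed

def sample_events():
    """Constructed log: normal phones, one single-source flood, one distributed flood."""
    events = [(float(t), f"192.0.2.{i + 1}")          # 5 phones, 1 request / 5 s
              for i in range(5) for t in range(0, 60, 5)]
    events += [(20 + k * 0.1, "198.51.100.7") for k in range(50)]  # one noisy host
    events += [(40.0 + k, f"203.0.113.{i + 1}")       # 40 hosts, 3 requests each
               for i in range(40) for k in range(3)]
    return events

if __name__ == "__main__":
    noisy, distributed = detect_floods(sample_events())
    print("single-source floods:", sorted(noisy))
    print("distributed episodes (start time, distinct sources):", distributed)
```

Per-source rate limits alone catch only the first case; the aggregate check is what surfaces the distributed one, which is why both counters are kept.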