TMCnet News

VoIP: DoS Jerk's Best Friend?
[January 26, 2006]

By DAVID SIMS

TMCnet CRM Alert Columnist

Picking up a lot of chatter here about how VoIP can be used to enable denial-of-service attacks. Let's see what the scoop is.

According to Cambridge University professor Jon Crowcroft, "armies of ordinary PCs that have been infected by a virus and put under malicious control" -- a.k.a. zombie computers in botnets -- "could be controlled and orchestrated by messages hidden in VoIP traffic generated by programs such as Skype," IDG News has reported.



Denial-of-service attacks are usually shut down by tracing control messages sent by chat and instant messaging programs, Crowcroft tells IDG. It's not hard to do, given how ISPs can trace IM, but using VoIP would make tracing much harder.

Really? Industry observer Joris Evers reports the Communications Research Network's findings that VoIP applications such as Skype "could provide excellent cover for launching denial-of-service attacks." Specifically, VoIP's evidently a great way to hide control of the nefarious networks of zombie computers used in DoS.


The Communications Research Network is a group of industry experts, academics and policy makers funded by the Cambridge-MIT Institute, a joint venture between Cambridge University and the Massachusetts Institute of Technology, Evers explains.

In a denial-of-service attack, so many information requests are sent via e-mail to a Web server that it overloads, and legitimate traffic can't access the server. Hacked -- zombie -- computers are frequently used to launch such attacks in a "botnet," which cyberjerks rent out relatively inexpensively. This is where over half of your spam comes from, as well as good old extortion -- "Pay up or we'll launch a denial-of-service attack."

How common are such attacks? Industry observer Dinah Greek says the scale of the DoS problem "is notoriously difficult to assess. Many attacks are simply not reported because organizations fear they may undermine client confidence in their security." Estimates of the number of zombie computers used to launch these distributed DoS attacks "always range in the millions."

These attacks are stopped by tracing control messages, normally sent by chat and IM programs, industry observer Peter Judge reports. It's not hard to do. But "if someone were to use a VoIP overlay as a control tool for attacks, it would be much harder to find affected computers and almost impossible to trace the criminals behind the operation," Judge reports Crowcroft, who revealed the technique at CRN, as saying.

Yes, that's right, Crowcroft's done it: "It would be irresponsible to build something that could go out and be used," said Crowcroft, who built a demonstration system. "It was write-once, tear-up code, very easy to do – unfortunately," Judge reports him saying.

There have been no reports of VoIP being used in such a fashion yet.

The CRN urges VoIP providers -- hi Skype -- to publish their routing specifications or switch to open standards. "These measures would... allow legitimate agencies to track criminal misuse of VoIP," Crowcroft said in a released statement.

The Skypers don't dismiss such fears, Judge reports, but do downplay them a bit, noting that "there isn't a protocol you can't use as a covert signaling channel," as Kurt Sauer, director of security operations at Skype, said. "Some large commercial groupware products have encrypted XML streams -- they may not be quite as good at firewall traversal, but that's still an opaque data stream."

Skype's routing specification is proprietary, which is how Skype likes it, but the company's willing to discuss making some things public: "To the extent that we make it difficult to do that, we want to address that in our products," Sauer says.

David Sims is contributing editor for TMCnet.
