Is Federation Exposing Your UC Servers to Denial of Service Attacks?


By Phil Edholm January 7, 2014 3 Comments

VoIP, SIP, UC, IM, Presence and Federation have introduced a new set of capabilities that are transforming many organizations and generating huge potential productivity gains and savings. However, we have all known that with great power come great potential threats. With these technologies, we left the relatively secure world of the TDM-based PSTN and ventured into a new world where the power of IP can be used to disrupt the communications or the communications system.

IP-based communications open the door to a variety of attacks, some of which, like a DDoS (Distributed Denial of Service), can inundate an IP location with traffic, potentially bringing services to a halt. In the VoIP world, this threat did not generally materialize, as most VoIP solutions were site-contained, and threatening the server required access to the physical LAN or WAN, which firewalls and other security in the IP world made virtually impossible. In fact, while early VoIP systems had some level of security available, it was often not even deployed, and there have not been horror stories.

However, SIP and federation open new doors, as the communications and collaboration functions now must extend beyond the walls of the enterprise. While Session Border Controllers (SBCs) can provide protection in the SIP environment, especially against SIP voice Denial of Service (DoS) attacks, and can extend to SIP-based UC capabilities such as Presence, the challenges of securing an open federation environment are huge. This is especially true with platforms like Lync offering open Lync federation. It is also true with XMPP-based UC platforms, which advertise their gateways using public DNS Service records. The danger is that a concerted attack of SIP or XMPP messages can flood through to the UC servers, potentially overloading them and resulting in the loss of legitimate services. This is the classic Denial of Service (DoS) attack: flood the server with requests, often generated from a distributed set of devices that are infected with a virus, so that the server is overwhelmed by meaningless traffic. While we have not had publicized DoS or DDoS attacks in the VoIP/SIP/XMPP space, the experts agree that they are both possible and expected. There is also generally a belief that some attacks have happened, although no one wants to admit it.

An alternative path is to utilize a federation service that is designed to manage the SIP and XMPP traffic, and potential threats, before they come to the customer UC servers. One such offer is the UC Exchange Federation Service offered by NextPlane. In addition to managing UC federation between a wide variety of UC platforms, including Cisco, Microsoft, IBM, Google, OpenFire and more, the NextPlane UC Exchange service stops attacks by dropping the unauthorized/malicious traffic intended for its customers while allowing legitimate traffic to go through. This is because, as opposed to UC platforms and services, the NextPlane UC Exchange does not accept traffic from domains that are not registered with its service. Hence, messages containing unknown source or destination domains are simply discarded. NextPlane manages the federation of its customers, which means that all requests can be managed through that security framework. The result is a high level of control and security, not available with open federation.
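The "discard unknown source or destination domains" rule described above can be sketched as follows. This is an added example, not NextPlane's code or any vendor's API; the function names, the `REGISTERED` set and the sample stanza are constructed for illustration.

```python
import re
from xml.etree import ElementTree as ET

# Constructed sample: domains registered with a hypothetical federation gateway.
REGISTERED = {"example.com", "partner.example.org"}
# Constructed sample stanza: the sender domain is not registered, so it is dropped.
SAMPLE = "<message from='eve@unknown.invalid/x' to='bob@example.com'/>"

# Host part of a sip:/sips: URI, skipping an optional user[:password]@ prefix.
SIP_URI = re.compile(r"sips?:(?:[^@>;\s]+@)?([^:;>\s]+)", re.I)
SIP_HEADERS = {"from": "from", "f": "from", "to": "to", "t": "to"}  # incl. compact forms


def jid_domain(jid):
    """Domain part of an XMPP JID of the form [local@]domain[/resource]."""
    if not jid:
        return None
    bare = jid.split("/", 1)[0]
    return bare.split("@", 1)[-1].lower().rstrip(".") or None


def xmpp_domains(stanza):
    """(from, to) domains of one XMPP stanza; (None, None) if unusable."""
    if "<!DOCTYPE" in stanza:  # DTDs are not allowed in XMPP streams
        return None, None
    try:
        el = ET.fromstring(stanza)
    except ET.ParseError:
        return None, None
    return jid_domain(el.get("from")), jid_domain(el.get("to"))


def sip_domains(message):
    """(From, To) domains of a SIP message; header folding is not handled."""
    found = {}
    for line in message.split("\r\n")[1:]:  # skip the request/status line
        if not line:
            break  # blank line ends the headers
        name, _, value = line.partition(":")
        key = SIP_HEADERS.get(name.strip().lower())
        match = SIP_URI.search(value)
        if key and match and key not in found:
            found[key] = match.group(1).lower().rstrip(".")
    return found.get("from"), found.get("to")


def allow(proto, raw, registered=REGISTERED):
    """True only when both source and destination domains are registered."""
    src, dst = sip_domains(raw) if proto == "sip" else xmpp_domains(raw)
    # None (missing or unparseable address) is never in the set, so it is dropped.
    return src in registered and dst in registered
```

The SIP `From` header and the XMPP `from` attribute are supplied by the sender, so this check is only meaningful once the peer connection has been authenticated for the domain it claims.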

A key benefit of UC is the ability to extend the power and capabilities beyond the walls of the organization and to non-employees. Federation provides a mechanism to use the rich services of UC, including Presence and IM, as well as voice, video, and other services. A big advantage of a cloud-based federation service is the opportunity to use all of these capabilities without fear that you are opening the door to an attack that could take down your entire UC platform.

As your organization looks to extend your UC deployment, both with SIP and other UC capabilities, a UC federation service is definitely one of the options that should be considered. Each organization needs to examine the threat models based on the services deployed, as well as the options, including SBCs and federation services.

This paper is sponsored by NextPlane  

3 Responses to "Is Federation Exposing Your UC Servers to Denial of Service Attacks?"

Roberta J. Fox 1/8/2014 9:17:28 AM

Phil: Excellent summary on possible challenges of public network UC infrastructures and applications. I am sure our readers would welcome how your views would differ if clients were 100% hosted for all UC apps, i.e. Cloud Lync Telephony, exchange and collaboration portfolio, with SIP trunking provided by the same provider? (Obviously if clients have their own router/firewall/security solutions in place).

Farzin Shahidi 1/9/2014 12:55:35 PM

Roberta: Excellent comment!

We don't believe going to a 100% hosted UC is going to make a big difference. The evil resides in the way they are designed to handle direct federations: UC servers cannot differentiate between valid traffic and malicious traffic; they process each message regardless.

Philipp Hancke 1/18/2014 7:17:08 AM

I am not convinced the described problem exists (in the XMPP world).

XMPP servers have methods against domain name spoofing (and even come with the ability to use the x509 PKIX for authentication). Hence it's quite easy to identify and block the offending domains to mitigate the attack. Some servers even allow configuration of domain whitelists.
