Voice over IP (VoIP) communications based on SIP is taking more and more market shares from classic telephony, making the support of open SIP interfaces a necessity, even with IP-based PBXes. However, this migrates telephony from a closed - and thus in comparison relatively secure - to an open, much more vulnerable platform. Concurrent with this development the cost of telephony has been in a steady decline, which is noticeable by the increased number of flat rate offers available today. Due to those changes on the technical and economical level, new risks and abuse potential telephony emerged. Our "VoIP Security" working group deals with the covers the following issues.

"Toll Frau" is an attack scenario, which has been enabled by the broad coverage of VoIP today: VoIP allows users to log into their home service provider independent of their current position via the internet and use their account to make calls. Due to calls to mobile networks, to special rate numbers and to foreign countries usually not being included in flat rate offers, it is attractive to use forged account information to place calls using other peoples accounts, causing them to be charged for the call. The real owner of said account information can accumulate high charges very quickly that way.

Another attack scenario is the use of VoIP telephony to place calls for broad scale advertisement or other purposes due to the low cost of VoIP calls. The problem is usually classified as SPIT (SPAM over Internet Telephony). A DoS attack on VoIP server as a third problematic must be considered as well.

Research of the Networking Technology Group chair with special VoIP Honeynet systems has shown that communication systems with SIP interfaces exposed to the internet were discovered very quickly and attempts to use them as Toll Fraud or SPIT vehicles were made afterwards. Similar to the deleopment of threats to personal computers on the internet like worms, Denial of Service, SPAM and other attacks, the current attacks can be seen as a precursor of things to come in an ever growing new "market". In an ongoing field test in the network laboratories of our chair, we have recorded SIP traffic since 2009 and stored in a database. Due to recent analysis, which shows a growth in the number of attacks over the last two years, it is our assumption, that the frequency of such attacks will continue to increase over the next years, especially due to the growing utilization of SIP functionality in consumer grade gateways and future end to end connections without SIP infrastructure components.

In multiple research projects our chair develops recognition and defense methods and evaluates their usefulness in recognizing and disarming emerging threats. We could also show, that the already existing threat scenarios can be realized easily with readily available too suites.

To study attacks in SIP based networks the VoIP Honeynet system has been implemented, which consists of a monitoring component for entire network blocks - SIP Trace Recorder (STR) - and the actual VoIP Honeypots, which are based on the open source software Asterisk. This systems allows conclusions about currently relevant attack scenarios and is the basis for conceptual design and implementation of recognition algorithms on the application layer (signaling data), for example the VoIP Misuse Sensor (VMS). The VMS enables recognition of VoIP specific abuse and attack patters, like for example SPIT, Toll Fraud and DoS. Distributed usage of the sensor allows threshold based storage of possible attempts at abuse and attack sequences on a multitude of critical places in the network and evaluation of stored data using a central service, allowing the launch of appropiate counter measures against occuring attacks.

Relevant research projects:

• SUNsHINE
• Nornet
• G-Lab