
Low Cost Tools for Secure and Highly Available VoIP Communication Services

Final Report Summary - SNOCER (Low cost tools for secure and highly available voice over internet protocol (VoIP) communication services)

The aim of the SNOCER project was to investigate different approaches to overcoming temporary network, hardware and software failures and to ensuring the availability of Voice over internet protocol (VoIP) services based on low cost distributed concepts. The solutions investigated led to the development of security enhancement tools that allow the service provider to monitor the network, detect irregularities such as a Denial of service (DoS) attack or the failure of a certain component, and take the most appropriate measures to handle these irregularities.

Regarding VoIP security, the SNOCER project focussed on specific attack possibilities on VoIP networks and particularly, on networks based on the Session initiation protocol (SIP). It examined weaknesses in the SIP protocol which could make it vulnerable to attackers.

The main outcomes were:
- Highly complex operation: The SIP specifications regulate many steps in the communication between hosts and their operation. The project succeeded in gathering a broad list of possibly malicious message flows that could harm or disable proper network functionality.
- ASCII-based free-form text messages: SIP messages can be arbitrarily complex and at the same time conformant to specifications. Robust parsers are needed to handle such messages.
- SIP security mechanisms: The project examined current SIP security mechanisms and their applicability to preventing malicious attacks, as well as common flaws in the current security mechanism, WWW digest authorisation, and alternatives such as Transport layer security (TLS).
- High dependency on other services: For flawless operation, a SIP network relies on other services such as Domain name system (DNS), E.164 number mapping (ENUM), Network address translation (NAT) and application servers. The project examined those services for vulnerability issues. As SIP entities rely heavily on DNS servers, the project judged attacks on DNS service providers with DNS poisoning or irresolvable address requests to be serious threats for a SIP network.

Regarding VoIP reliability, the SNOCER project examined the following:
- Single point of service availability: Several possibilities exist to connect a client to a redundant provider set; however, these might become problematic in SIP environments. SIP replies need to follow exactly the same path as their corresponding requests, which is difficult to handle if one of the processing entities fails during a SIP session. For the same reason, advanced clustering solutions like load-balancing seem to be difficult to incorporate into SIP. Of the available solutions, we judge different types of DNS updates (multiple A records, Service (SRV) records) to be the most practical. However, examination of current clients shows that not all of them are fully compliant with this standard solution.
- User base replication: The project evaluated client-based replication, server-based replication with SIP messages and server-based replication with the underlying database module.
- Authorisation delegation: The project examined mechanisms which are needed in order to transfer authorisation rights to backup servers without revealing user credentials to the backup servers.
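
The SRV-based redundancy judged most practical above only works if clients apply the RFC 2782 selection rules: lowest priority first, weighted random choice within a priority, then failover to the next target. The following Python code is an added example, not part of the SNOCER report or its tools; the sample records, the example.com names and the is_up callback are assumptions constructed for illustration.

```python
import random

# Constructed sample SRV answer for _sip._udp.example.com (not from the report):
# (priority, weight, port, target)
SAMPLE_SRV = [
    (10, 60, 5060, "sip1.example.com"),
    (10, 40, 5060, "sip2.example.com"),
    (20, 0, 5060, "backup.example.com"),
]


def order_srv(records, rng=random):
    """Return SRV records in the order a compliant client tries them (RFC 2782)."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        # Within one priority, weight-0 entries go first in the working list,
        # which gives them only a small chance of being selected early.
        group = sorted((r for r in records if r[0] == prio),
                       key=lambda r: r[1] != 0)
        while group:
            total = sum(r[1] for r in group)
            pick = rng.randint(0, total)  # uniform in [0, total], inclusive
            running = 0
            for i, rec in enumerate(group):
                running += rec[1]
                if running >= pick:  # first running sum >= pick is selected
                    ordered.append(group.pop(i))
                    break
    return ordered


def first_reachable(records, is_up, rng=random):
    """Walk the ordered list and return the first (target, port) that answers.

    is_up is a hypothetical probe callback (target, port) -> bool, for
    instance a SIP OPTIONS ping with a short timeout.
    """
    for _prio, _weight, port, target in order_srv(records, rng):
        if is_up(target, port):
            return target, port
    return None  # every advertised server failed


if __name__ == "__main__":
    down = {"sip1.example.com", "sip2.example.com"}  # simulated outage
    print(first_reachable(SAMPLE_SRV, lambda t, p: t not in down))
```

A client that resolves only the first A record, or ignores priority, never reaches the backup entry in this scenario, which is the kind of non-compliance the report mentions.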