Intrusion Detection System
The device's Intrusion Detection System (IDS) feature detects malicious attacks on the device and reacts accordingly. A remote host is considered malicious if it reaches or exceeds a user-defined threshold (counter) of specified malicious attack types.
If malicious activity is detected, the device can do the following:
|
■
|
Block remote hosts (IP addresses / ports) considered by the device as malicious. The device automatically blocks the malicious source for a user-defined period, after which it is removed from the IDS Active Blocked List (see Viewing IDS Active Blocked List). |
|
■
|
Send SNMP traps to notify of malicious activity and/or whether an attacker has been added to or removed from the IDS blocked list. For more information, see Viewing IDS Alarms. |
IDS is an important feature as it ensures legitimate calls are not being adversely affected by attacks, and prevents Theft of Service and unauthorized access.
There are many types of malicious attacks, the most common being:
|
■
|
Denial of service: This can be Denial of Service (DoS) where an attacker wishing to prevent a server from functioning correctly directs a large amount of requests – sometimes meaningless and sometimes legitimate, or it can be Distributed Denial of Service (DDoS) where the attacker controls a large group of systems to coordinate a large scale DoS attack against a system: |
|
●
|
Message payload tampering: Attacker may inject harmful content into a message, e.g., by entering meaningless or wrong information, with the goal of exploiting a buffer overflow at the target. Such messages can be used to probe for vulnerabilities at the target. |
|
●
|
Message flow tampering: This is a special case of DoS attacks. These attacks disturb the ongoing communication between users. An attacker can then target the connection by injecting fake signaling messages into the communication channel (such as CANCEL messages). |
|
●
|
Message Flooding: The most common DoS attack is where an attacker sends a huge amount of messages (e.g., INVITEs) to a target. The goal is to overwhelm the target’s processing capabilities, thereby rendering the target inoperable. |
|
■
|
SPAM over Internet Telephony (SPIT): VoIP spam is unwanted, automatically dialed, pre-recorded phone calls using VoIP. It is similar to e-mail spam. |
|
■
|
Theft of Service (ToS): Service theft can be exemplified by phreaking, which is a type of hacking that steals service (i.e., free calls) from a service provider, or uses a service while passing the cost to another person. |
The IDS configuration is based on IDS Policies, where each policy can be configured with a set of IDS rules. Each rule defines a type of malicious attack to detect and the number of attacks during an interval (threshold) before an SNMP trap is sent. Each policy is then applied to a target under attack (SIP Interface) and/or source of attack (Proxy Set and/or subnet address).