
How SBC Development Protects Your VoIP Network from Toll Fraud and SPIT

VoIP systems move actual dollars. Each minute of traffic, each route your system participates in, and each SIP endpoint on your network is an opportunity for a financial transaction. This is why VoIP architecture can be considered particularly vulnerable to fraud and spam attacks. If you have not yet considered session border controller development as an integral part of securing your network against these threats, this article should serve as a good introduction.

We are going to look at how toll fraud and SPIT attacks occur, why a well-designed SBC should be your primary line of defense against these kinds of attacks, and how to build an effective SBC.

Understanding the Threat: Toll Fraud and SPIT

It helps to get acquainted with the threats before looking at how you can mitigate them.

Toll Fraud

This involves using your telecom system to make calls without your permission. Toll fraud is considered the most financially harmful risk faced by telecom operators, as evidenced by the estimated loss of tens of billions of dollars worldwide per year due to telecom fraud, according to the Communications Fraud Control Association.

The most common toll fraud attacks include:

PBX hacking: Attackers get access to a business PBX via credential exploitation or security flaws. Then they start routing international calls on your network, charging you huge bills for them.

SIM boxing: Fraudsters divert international calls as local calls through SIM banks, avoiding interconnect costs while charging you for the same.

Subscription fraud: In this attack, fake subscriptions are made simply to cause call traffic. By the time the billing cycle ends, the attacker will have disappeared.

Wangiri one-ring: An automated dialler places brief calls to real phone numbers. As soon as the user calls back the missed number, they are redirected to a premium-rate number.

CLI spoofing: The attacker manipulates the originating number in the call in order to circumvent the filters in place or pretend to be legitimate businesses.

SPIT (Spam over Internet Telephony)

SPIT is similar to spam, but instead of email messages, it targets SIP-based endpoints. An automated system is used to send thousands of calls to the target, creating denial of service situations for the victim.

What Is a Session Border Controller and Why Does It Matter?

The SBC operates at the edge of your VoIP network, precisely at the point where your system interfaces with the outside world. All SIP sessions coming into and out of your network will go through the SBC. This placement allows it to do things that no other element in your network stack can.

It acts as both a gateway and a traffic manager by handling the following:

  • SIP signalling normalisation and verification
  • Media anchoring and NAT traversal
  • Topology concealment (shielding your internal network from any threats)
  • Access management and authentication
  • Quality of service enforcement
  • Call admission control
  • Threat detection and mitigation

A generic SBC setup provides all of this functionality, but a Session Border Controller developed specifically to fit your network does a lot more.

How SBC Development Addresses Toll Fraud

SIP Authentication Enforcement

Any incoming SIP session must undergo authentication before hitting your routing layer. A quality SBC will validate credentials and check against a list of known malicious parties while dropping unauthenticated sessions at the network perimeter without wasting any processing resources.

It sounds trivial, but there are numerous VoIP installations that leave room for improvement with regard to authentication of SIP sessions, especially within internal extensions or SIP trunks. A custom SBC for VoIP networks helps you address those shortcomings methodically.

Rate Limiting and Anomaly Detection

A toll fraud attack is usually accompanied by either unusually high numbers of calls going to particular destinations or a suspiciously large volume of traffic targeting expensive phone numbers. A well-thought-out SBC watches out for these anomalies and reacts with dynamic rate limiting.

If one SIP user who used to make only 20 daily calls all of a sudden makes 200 calls within an hour, then the anomaly detection system will automatically kick in. You can configure the triggering thresholds to match your own traffic characteristics.

Destination Blacklisting and Whitelisting

VoIP security solutions at the SBC level include proactive management of lists of called numbers. High-risk countries can be blocked via their respective prefixes. Known premium-rate prefixes and destinations attacked in the past can also be blocked. Whitelisting may be implemented for legitimate high-value destinations so that these filters do not block them by mistake.

Time-Based Call Restrictions

The vast majority of toll fraud cases occur after normal business hours, when monitoring vigilance decreases. Custom SBC development can be used to implement time-based calling rules, so that calls to particular destinations outside the permitted time periods are automatically filtered, effectively stopping toll fraud.
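An added example (not code from this article or from any SBC product) of the destination-list and time-of-day checks described in the two sections above: the longest matching prefix decides between the block list and the allow list, and calls outside the assumed home country code are refused outside business hours. Every prefix, the country code and the hours are constructed placeholders, and dialled numbers are assumed to be in E.164 form.

```python
from datetime import datetime, time

# Constructed policy: every value here is a placeholder, not a real fraud list.
BLOCKED = {"1900", "999"}       # premium-rate range and a high-risk range
ALLOWED = {"99955"}             # known-good destination inside a blocked range
HOME_CC = "1"                   # assumed home country code
OPEN, CLOSE = time(8, 0), time(18, 0)


def normalise(number):
    """Reduce '+1 (900) 555-0100' to E.164 digits so prefixes compare reliably."""
    return "".join(ch for ch in number if ch.isdigit())


def longest_match(number, prefixes):
    """Longest entry of `prefixes` that `number` starts with, or '' if none."""
    return max((p for p in prefixes if number.startswith(p)), key=len, default="")


def check_call(dialled, when):
    """Return (allowed, reason) for a call attempt at datetime `when`."""
    number = normalise(dialled)
    if not number:
        return False, "no digits in destination"
    allow = longest_match(number, ALLOWED)
    block = longest_match(number, BLOCKED)
    # The more specific entry wins; on a tie the block list wins (fail closed).
    if block and len(block) >= len(allow):
        return False, "blocked prefix " + block
    if allow:
        return True, "allow-listed prefix " + allow
    business_hours = when.weekday() < 5 and OPEN <= when.time() < CLOSE
    if not number.startswith(HOME_CC) and not business_hours:
        return False, "international call outside business hours"
    return True, "default allow"
```
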

CLI Validation and STIR/SHAKEN Integration

Prevention of CLI spoofing at the network level is only possible via SBCs. The STIR/SHAKEN protocol has become a regulatory requirement for carriers in the USA, and it requires your SBC to sign caller identity tokens on outgoing calls and validate them on incoming calls.

How SBC Development Defends Against SPIT

SIP Flood Detection

SPIT attacks are carried out by generating huge numbers of SIP INVITE messages. The flood detection mechanism in an SBC monitors the number of SIP messages arriving from individual source IP addresses, user agents, and geographic locations. Whenever the flood thresholds are breached, rate limiting is enabled and the attacking sources are blocked.
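An added example (not from this article or any SBC product) of the per-source sliding-window counter behind SIP flood detection, replayed over constructed log lines. It is keyed on source IP here; keying the same window on the authenticated SIP user with a per-user limit gives the call-volume check from "Rate Limiting and Anomaly Detection". The window, limit, block time and log format are assumed values.

```python
from collections import defaultdict, deque

WINDOW_S = 10        # sliding window length in seconds (assumed value)
MAX_INVITES = 5      # INVITEs allowed per source per window (assumed value)
BLOCK_S = 60         # how long an offending source stays blocked (assumed value)


class InviteFloodDetector:
    def __init__(self):
        self.seen = defaultdict(deque)   # source IP -> timestamps of recent INVITEs
        self.blocked_until = {}          # source IP -> time the block expires

    def observe(self, ts, src, method):
        """Return 'pass', 'block' (limit just exceeded) or 'drop' (already blocked)."""
        if self.blocked_until.get(src, 0) > ts:
            return "drop"
        if method != "INVITE":
            return "pass"                # only session setup attempts are counted
        q = self.seen[src]
        q.append(ts)
        while q and q[0] <= ts - WINDOW_S:
            q.popleft()                  # forget INVITEs that have left the window
        if len(q) > MAX_INVITES:
            self.blocked_until[src] = ts + BLOCK_S
            q.clear()
            return "block"
        return "pass"


def replay(lines):
    """Feed 'epoch_seconds source_ip METHOD' lines through a fresh detector."""
    det, verdicts = InviteFloodDetector(), []
    for line in lines:
        ts, src, method = line.split()
        verdicts.append((src, det.observe(float(ts), src, method)))
    return verdicts


# Constructed sample: one source sends 8 INVITEs in 4 seconds and retries after
# its block has expired; a second source behaves normally.
SAMPLE = [f"{1000 + i * 0.5} 203.0.113.7 INVITE" for i in range(8)]
SAMPLE += ["1001 198.51.100.20 INVITE", "1003 198.51.100.20 REGISTER",
           "1009 198.51.100.20 INVITE", "1070 203.0.113.7 INVITE"]
SAMPLE.sort(key=lambda line: float(line.split()[0]))
```
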

Behaviour Analysis

Modern session border controller design incorporates behaviour-based approaches. An authorised contact centre placing thousands of phone calls behaves differently from a SPIT attack.

CAPTCHA and Challenge-Response for SIP

Where a network requires SPIT prevention without shutting down legitimate high-frequency connections, CAPTCHA can be implemented via challenge-response mechanisms in the SIP protocol. It is especially useful for enterprise communication systems receiving incoming calls from strangers.

Geoblocking and IP Reputation Filtering

When you run your business in particular geographical locations, there isn’t any sensible reason to allow SIP traffic coming from suspicious IPs in other areas where your organization doesn’t operate. Combining SBC-based geoblocking with IP reputation filtering will significantly decrease your vulnerability.

Topology Hiding: Protecting Your Internal Infrastructure

One important feature that is sometimes overlooked in a rudimentary SBC deployment is topology hiding. The information in a SIP request's headers builds up along the route the request takes through your network. The problem is that this information exposes your server addresses, your PBXs, and the topology of your network.

A good SBC will take care of stripping out or modifying this information before it leaves your network boundary. The only thing visible outside your network boundary becomes the address of the SBC itself, while the rest of your network stays hidden from any prying eyes.
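An added example (not from this article or any SBC product) of the header rewrite behind topology hiding, with a check that reports internal addresses still present in the headers. The SBC hostname, the internal ranges, the header choices and the sample request are constructed assumptions, and mapping replies back to the internal hop list is assumed to be handled by the SBC's dialog state.

```python
import ipaddress
import re

SBC_HOST = "sbc.example.net"                       # placeholder public name of the SBC
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
DROP = {"via", "v", "record-route", "user-agent", "server"}
REWRITE_HOST = {"contact", "m", "call-id", "i"}    # includes RFC 3261 compact names
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def hide_topology(message, branch):
    """Rewrite an outbound SIP request so that only the SBC's address is visible."""
    head, _, body = message.partition("\r\n\r\n")
    start_line, *headers = head.split("\r\n")
    out = [start_line, f"Via: SIP/2.0/TLS {SBC_HOST};branch={branch}"]
    for line in headers:
        name = line.split(":", 1)[0].strip().lower()
        if name in DROP:
            continue                     # internal hop list and product banners
        if name in REWRITE_HOST:
            line = re.sub(r"@[^;>\s]+", "@" + SBC_HOST, line)   # keep the user part
        out.append(line)
    return "\r\n".join(out) + "\r\n\r\n" + body


def leaked_internal_addresses(message):
    """Return internal IPv4 literals still present in the header section."""
    found = set()
    for literal in IPV4.findall(message.partition("\r\n\r\n")[0]):
        try:
            ip = ipaddress.ip_address(literal)
        except ValueError:
            continue                     # looks like an address but is not one
        if any(ip in net for net in INTERNAL):
            found.add(literal)
    return sorted(found)


# Constructed sample request as it would leave an internal PBX.
SAMPLE = "\r\n".join([
    "INVITE sip:+12025550100@carrier.example.org SIP/2.0",
    "Via: SIP/2.0/UDP 10.0.1.5:5060;branch=z9hG4bK-proxy",
    "Via: SIP/2.0/UDP 192.168.20.31:5060;branch=z9hG4bK-phone",
    "Record-Route: <sip:10.0.1.5;lr>",
    "From: <sip:alice@example.com>;tag=1928301774",
    "To: <sip:+12025550100@carrier.example.org>",
    "Call-ID: a84b4c76e66710@192.168.20.31",
    "CSeq: 1 INVITE",
    "Contact: <sip:alice@192.168.20.31:5060>",
    "User-Agent: ExamplePBX 1.0",
    "Content-Length: 0",
]) + "\r\n\r\n"
```
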

TLS and SRTP: Encryption at the Border

SIP signaling and RTP media flows can be intercepted if transmitted in unencrypted form. Security capabilities inherent in the SBC include:

TLS for SIP signaling: Encrypts call setup and signaling traffic so that no one can eavesdrop on who is calling whom and when and for how long the call lasts.

SRTP for media: Encrypts the voice traffic of the call. If SRTP is not employed, then anyone having access to your LAN segment would be able to piece the conversation together.

Development of a custom SBC will take care of TLS termination and SRTP keying at the edge of the network, making encryption more manageable than it would otherwise be.

Call Admission Control: Managing Capacity and Costs

Toll fraud is not always about making unapproved calls. It can also occur when legitimate users make more calls than your billing method can support. By using Call Admission Control (CAC), you can regulate call volumes per user, per trunk, and per destination.

It is especially relevant for wholesale VoIP providers and telecom companies that sell their services to smaller companies. Without proper call control, one small company that experiences a fraud attack can use up your bandwidth.

What Goes Into Custom SBC Development

Constructing an effective SBC cannot be accomplished simply by downloading and deploying software. Key aspects of building an effective SBC for VoIP networks include the following:

Architecture design: Deciding whether the SBC will be deployed standalone or in clusters, how to handle failover, and where geographically the SBC will be distributed based on traffic flow.

Security policy definition: Specifying authentication procedures, rate limitations, destination restrictions, and alerts before the first line of code is written.

Integration with existing infrastructure: Your SBC must have clean integration with your existing SIP proxy servers, media servers, billing system, and logging facilities.

Performance tuning: SBCs must deliver reliable service without being bottlenecked or introducing packet loss due to network overhead, which requires careful scaling and network performance tuning at the kernel level.

Ongoing threat intelligence integration: As threats are constantly changing, there should be a method for your SBC to get updated IP reputation, fraud signatures, and attack pattern rules without requiring downtime.

Frequently Asked Questions

Q: Do we need a dedicated SBC if we already have a firewall?

A: Yes. A network firewall understands IP and TCP. A Session Border Controller understands SIP, RTP, and VoIP-specific attack patterns. They serve different purposes and work best together, not as substitutes for each other.

Q: Can an SBC eliminate toll fraud completely?

A: No security system eliminates risk entirely. A well-built SBC dramatically reduces your exposure and catches the vast majority of fraud attempts, but it works best as part of a layered security strategy that also includes strong authentication, monitoring, and user access controls.

Q: How does SBC development differ from deploying a commercial SBC product?

A: Commercial SBC products cover common use cases well. Custom development addresses your specific topology, your traffic patterns, and your compliance requirements. It also integrates with your existing toolchain in ways that off-the-shelf products may not support.

Q: How long does SBC development and deployment take?

A: A basic SBC deployment for a mid-sized VoIP operation typically takes six to twelve weeks. Full-featured development including custom fraud detection, billing integration, and high-availability clustering can take three to five months.

Q: What is the difference between SPIT and DoS attacks on VoIP?

A: SPIT specifically refers to unwanted call sessions (SIP INVITEs) delivered for commercial or disruptive purposes. A DoS attack targets availability by flooding any layer of the stack with traffic. Many SPIT attacks have DoS effects as a secondary consequence of the volume they generate.

Q: Can SBC development support multi-tenant VoIP deployments?

A: Yes. Multi-tenant SBC configurations maintain separate security policies, rate limits, and routing rules for each tenant while sharing the underlying infrastructure. This is standard for hosted VoIP and UCaaS providers.

Conclusion

Both toll fraud and SPIT are tangible threats that cost VoIP operators actual money on an everyday basis. Purposeful SBC development for your network will be your best initial protection.

A properly designed SBC authenticates every session, detects suspicious activity in real time, protects your internal infrastructure by masking it, encrypts your data streams, and applies the access controls required to keep attackers out. Setting up the SBC correctly from the very beginning is much less expensive than post-fraud recovery.

Protect Your VoIP Network with Custom SBC Development from Dialiqo

At Dialiqo, we specialize in the development of VoIP security solutions and custom SBCs optimized specifically for your environment and usage patterns. We have rich experience in developing custom SBC software products for carriers, enterprises, call centers, and hosted VoIP solutions.

Get in touch with Dialiqo now and consult with our VoIP security professionals regarding the necessary measures and get a technical assessment of your VoIP system vulnerabilities.

Find out more about our VoIP development and security services at dialiqo.com.

Author

Chetan Patel