Telephony Troubles

By Lauren Barack

Software makers, Internet service providers, and the government have each dedicated significant resources to try to limit and prevent spam, an issue that goes well beyond mere annoyance. Spam data-clog servers and often carry viruses that can shut down a firm's IT infrastructure. "Phishing," the latest form of spam, tricks unsuspecting employees into revealing their usernames and passwords. Such threats remain a constant enterprise IT challenge.

The next frontier for enterprise-wide spam attack is Voice over Internet Protocol (VoIP), a technology that allows phone calls to be made through broadband. VoIP sends calls in data packets through servers, the same way email and other Internet files are transmitted. Since it's less costly than traditional phone service, VolP is swiftly growing in popularity with businesses seeking affordable telephony. Cable VoIP had just 100,000 subscribers at the end of 2003, but that number is expected to leap to nearly 1 million by the end of 2004, and reach nearly 6 million in 2006, according to a recent report from the research firm The Yankee Group.

When spam comes through VoIP, it is called SPIT (spam over Internet protocol). VoIP spam comes in the guise of a phone call rather than a text message, sending up to 1,000 calls every five seconds, according to one company that has started testing antispam tools for VoIP. The presence of SPIT compounds an existing problem for companies considering or using VoIP. The amount of bandwidth consumed by voice data is already perceived as a strain on server resources, but SPIT has the potential to exponentially increase data across a network server. The result is an overloaded server, similar to a distributed denial of service attack, which can cripple a company's entire infrastructure, compromise data, and present service disruptions. Consider that when a computer network goes down, executives and employees may experience a business crisis. Tie the phone lines to that server, as VoIP does, and companies have a new problem altogether.

Because VoIP is just beginning to grow, SPIT is not yet the formidable problem that email spam is today. But as more cable companies offer this service to their clients, VoIP spammers are expected to invent new opportunities to launch attacks. And since Internet telephony is not protected with "Do Not Call" lists, businesses currently cannot automatically turn to regulators for assistance.

The lower cost of VoIP makes it an attractive alternative to traditional phone service in the eyes of budget-minded executives, and therefore, it is likely to be a more widely used form of corporate telephony in the future. IT departments planning to adopt this technology can help protect their networks from VoIP spam by taking some basic precautions:

• Use a closed-model provider. Similar to an instant messaging buddy list, this model isolates specific Internet telephony calls from the rest of the Internet. More importantly, it removes them from telemarketers, who are often the source of SPIT.



• Acquire a phone number along with an IP address. VoIP phone networks usually assign their customers an IP address as the phone call data is transmitted across the Internet just like any other data such as email. Firms will want to make sure that when switching to VoIP, they have their phone lines assigned true phone numbers as well as the IP address necessary for Internet traffic. This gives two identifiers, rather than one, which thwarts automated programs searching for standalone VoIP Internet addresses.

VoIP is an option that CIOs will want to explore as the technology becomes more standardized. But changes to any part of a firm's telecommunications strategy can impact the entire network. With VoIP, SPIT can cause disruptions to an IT infrastructure. Basic precautions can offer a way to stop SPIT in its tracks.

Lauren Barack's work has appeared in Business 2.0 and Wired.