[VOIPSEC] Voipsec Digest, Vol 15, Issue 18

Joseph Burdick joseph.burdick at gmail.com
Wed Mar 15 01:09:18 CST 2006 

>
> Well said Dan!


So as we embrace enum and other P2P enablers, we're actually opening
ourselves up to trouble.  So if I were a SPITTER  (contemporary spammer), I
might start with that international number pool that will be full of enum
users.  Yikes, I'm in that pool?!?!  No SPIT yet...

2+2=4cents,
-Joseph

------------------------------
>
> Message: 7
> Date: Tue, 14 Mar 2006 15:03:49 -0800
> From: dan_york at Mitel.com
> Subject: Re: [VOIPSEC] Confirmed cases of SPIT
> To: voipsec at voipsa.org
> Cc: jcaldwell at SonicWALL.com
> Message-ID:
>        <
> OF5028C78D.56CF8637-ON85257131.00793777-88257131.007EB194 at mitel.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Jeff,
>
> On 14 Mar 2006, at 10:49 AM, <jcaldwell at SonicWALL.com>
> <jcaldwell at SonicWALL.com> wrote:
>
> > Hello,
> > To date, I have personally confirmed but single case of SPIT (Spam
> > over
> > Internet Telephony).  The report was from one of our customers in the
> > Netherlands's area and was reported as an unsolicited Religious
> > Evangelism call apparently emanating from the US.  There has been a
> > great deal of press and discussion surrounding SPIT.  However, I am
> > interested in hearing if there have actually been other confirmed
> > cases.
>
> I think a number of us have taken the position that SPIT is a sexy topic
> that can generate nice headlines (i.e. "SPIT happens", "When the SPIT hits
>
> the fan", etc.) but *today* is not much of a real threat.  DoS attacks
> and other network-level threats are far more of a real concern.  Also,
> as Irwin Lazar from the Burton Group said in his recent webinar slides,
> the
> PSTN serves as a natural "firebreak" between enterprises.  Today, even
> though enterprises may have large VoIP deployments, calls that go
> *between* enterprises still (usually) have to go through the PSTN.
> Ditto for consumer VoIP services.
>
> So essentially VoIP deployments are still all islands connected together
> through the PSTN. This means that VoIP spammers (i.e. telemarketers) are
> still constrained by the inherent limitations of spam over the PSTN
> (aka telemarketing calls), i.e. you are limited by the number of trunks
> you have, the latency of the call connection process... all of which
> a telemarketer/spammer can deal with today with larger numbers of trunks
> and larger banks of wardialling software and appropriate interfaces.
>
> So because of that, I don't think you'll see many cases of "true" SPIT.
>
> *Today*.
>
> But I think this does change, though, once we all start supporting things
> like SIP trunking *and* calls from random IP endpoints.  SIP trunking
> alone
> doesn't necessarily open things up because you can do a SIP trunk out
> to your ITSP or soft-switch provider which has the same essential
> function as your trunk today to your PSTN access provider.  Only
> difference
> is you are going over a data connection versus an actual T1 or similar
> PSTN connection.
>
> But once you start allowing connections to your SIP trunk from other
> *random* SIP endpoints, now you open yourself up to potential of the
> automated attacks that make good headlines (i.e. script kiddies can
> make a script that goes and floods a SIP server with SIP INVITE messages
> and then starts streaming RTP to whatever endpoints answer) and generally
> automate the PSTN wardialling of today.
>
> Whether or not that potential for automated attacks becomes a reality will
> probably largely depend on how well standards evolve for assuring
> identity... and the success of that is one of those questions that
> will probably divide this group into either optimists ("We will solve it
> before it becomes a major problem") or pessimists ("We're never going to
> be able to fix it and are going to drown in SPIT").
>
> I'm sure others on this list will have some opinions on this.
>
> My 2 cents,
> Dan
>
> P.S. Jonathan and I did a mini-tutorial on SPIT on our podcast #18 at
> http://www.blueboxpodcast.com/2006/03/blue_box_podcas_1.html
>
> --
> Dan York, CISSP
> Dir of IP Technology, Office of the CTO
> Mitel Corp.     http://www.mitel.com
> dan_york at mitel.com +1-613-592-2122
> PGP key (F7E3C3B4) available for
> secure communication
>
>
> ------------------------------

More information about the Voipsec mailing list