[VOIPSEC] Cellphone Botnets, Blackmailing VOIP & a Healthy Cybercrime Economy - Desktop Security News Analysis - Dark Reading (UNCLASSIFIED)

Ari Takanen voipsa at codenomicon.com
Wed Oct 22 01:32:32 CDT 2008 

Hello all,

On Tue, Oct 21, 2008 at 04:39:40PM -0400, Craig wrote:
> As has been discussed before by many, the main reason there haven't
> been more documented attacks is due to the fact that most VoIP
> implementations are not exposed to the raw Internet.  Without that
> exposure, is it possible to launch an effective VoIP specific DoS
> blackmail scheme against a company?

The article probably meant to say DDoS. A distributed DoS can be
launched against any service that receives connections from the
unlucky victims that the attacker is controlling. It is not very
technical attack. Imagine for example 10 bots calling your mum all the
time. It has nothing to do with VoIP. VoIP is used to launch the
attack though.

The above applies to Any Voice Service.  VoIP is actually much more
resistant to DDoS than PSTN.

The other kind of DoS is based on tiny individual packets that just by
themselves crash any Voice infrastructure components. These DoS
situations are based on implementation mistakes by vendors, and remain
in hiding (in enormous numbers) until a lucky researcher somewhere
catches one, and publishes that. These DoS packets will crash (or
execute remote code) on the target systems until someone "patches"
them. These packets can crash anything that processes them, but they
can easily be routed from one network to another through gateways.

Again, a good VoIP system (which are not very many) is much more
resistant to this than any PSTN system (which is not tested for such
packets). I often see that a test actually crashes something
completely unexpected in the Voice infrastructure.

> On a side note, regarding the fact that it seems VoIP is always on
> the lists of emerging threats about to happen, perhaps we, as an
> industry of VoIP security types, need to be wary that we don't push
> the panic button too often.

The entire article seemed to be scaremongering, and looking for fame
(i.e. marketing). Security threats are the marketing tool for security
people. Security resilience is the marketing tool for vendors. Fix
your VoIP equipment finally, and talk about it. I would be happy to
help in the process.

-- 
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
Ari Takanen                       Codenomicon Ltd.
ari.takanen at codenomicon.com       Tutkijantie 4E
tel: +358-40 50 67678             FI-90570 Oulu
http://www.codenomicon.com        Finland
PGP: http://www.codenomicon.com/codenomicon-key.asc
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-

More information about the Voipsec mailing list