[VOIPSEC] Cellphone Botnets (shortened subject)
J. Oquendo
sil at infiltrated.net
Wed Oct 22 06:34:21 CDT 2008
On Wed, 22 Oct 2008, Ari Takanen wrote:
> The article probably meant to say DDoS. A distributed DoS can be
> launched against any service that receives connections from the
> unlucky victims that the attacker is controlling. It is not very
> technical attack. Imagine for example 10 bots calling your mum all the
> time. It has nothing to do with VoIP. VoIP is used to launch the
> attack though.
Ari, I would hope everyone on this list knows what a denial of service
attack is, distributed or not. I've been studying, analyzing, dissecting
them since before Trinoo, Stacheldraht, etc.; in fact I believe David Dittrich
referred to a series (of sorts) I started circa 1997-1999 called Theories
in DoS.
>
> The above applies to Any Voice Service. VoIP is actually much more
> resistant to DDoS than PSTN.
Depends on who's attacking. Period, but that's a different story. With
VoIP and PSTN you're comparing apples and oranges. Let's take a voice
T1 with all its 24 channels... You're comparing that to a data T1 out of
which I can squeeze 36+ lines (won't get into codecs here). So on the
outside view, you'd think "well, more channels, less of the golfball
through the waterhose effect," which is true for DATA. How many script
kiddiots are attacking PSTN lines? Didn't this die down during the
90's (Legion of Doom/Masters of Deception)?
Seriously, they're completely different attack vectors and require a
completely different skillset. I guarantee you if you attended any
"security conference" the ratio of "security professionals" who
understand TDM, POTS, PSTN, etc., to those who understand IP is going
to be so far lopsided you'd think you're driving up Mount Everest.
> The other kind of DoS is based on tiny individual packets that just by
> themselves crash any Voice infrastructure components. These DoS
> situations are based on implementation mistakes by vendors, and remain
> in hiding (in enormous numbers) until a lucky researcher somewhere
> catches one, and publishes that. These DoS packets will crash (or
> execute remote code) on the target systems until someone "patches"
> them. These packets can crash anything that processes them, but they
> can easily be routed from one network to another through gateways.
I don't necessarily agree wholeheartedly with this. When I was tinkering
with Asteroid which affected Asterisk, I didn't target Asterisk at all.
I just needed something at the moment to test with. My tinkering came
via the RFC levels and the structure of SIP itself irrespective of any
particular vendor. In fact I was going back and forth with quite a few
vendors to make sure they weren't prone to some of the research I was
fiddling with.
At this point your statement is a little confusing in the sense that
you're confusing exploitation of a product with a Denial of Service
on a protocol. E.g., Smurf affected IP because of the way it was
designed, whereas PHF exploited Apache and NOT IIS. Make sense to
you? Researchers as far as I'm concerned, be they good or bad, have
different methods and approaches when fiddling with Denial of Service
attacks. I like the "protocol level" view since theoretically it
will affect ALL as opposed to one particular vendor.
> Again, a good VoIP system (which are not very many) is much more
> resistant to this than any PSTN system (which is not tested for such
> packets). I often see that a test actually crashes something
> completely unexpected in the Voice infrastructure.
Sorry to say... I don't know what environments you're playing with.
If I launched an attack on your systems they'd be toast. You have
to keep in mind that many attack vectors and tools are never even
disclosed for whatever reason. I have a tool I sent to Cisco, Foundry,
Juniper, Sun, etc., about 2 years ago and there has been no resolution
to figure out just why oh why it does what it does. Guess what?
It's protocol based; it affects them all. Would I release it? No.
I've been criticized on this before publicly, and after speaking with
the critics - if their credentials held weight in the industry, I
would show and tell without hesitation just to have them hush it
down, and I've done so on many occasions.
So I seriously don't know what kind of lab/research you're involved in,
but I could shatter what you said whenever you'd like me to, be it
VoIP vs. the PSTN or vice versa. Personally, I would never make
that claim just because I've been fortunate enough to meet so many
knowledgeable people in the industry. Hell, I know off the top of
my head at least 20 people that would snicker at that comment
(VoIP being more resilient).
> The entire article seemed to be scaremongering, and looking for fame
> (i.e. marketing). Security threats are the marketing tool for security
> people. Security resilience is the marketing tool for vendors. Fix
> your VoIP equipment finally, and talk about it. I would be happy to
> help in the process.
I don't think I would want to help. I have little time to dabble
with RFC-ground-up rebuilding of broken protocols. I liken myself
to a chef in the sense that I go in the kitchen, cook some form
of what I call a masterpiece, then leave it to the staff to clean
up the mess ;)
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP
"Each player must accept the cards life deals him
or her: but once they are in hand, he or she alone
must decide how to play the cards in order to win
the game." Voltaire
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB