[VOIPSEC] Analysis of a VoIP Attack
Hendrik Scholz
hs at 123.org
Thu Oct 23 08:01:26 CDT 2008
Hi Klaus!
I was closely involved in this case when it happened and we came to the
same conclusions as you.
A few sidenotes:
o Did the attackers target VoIP accounts?
I believe they did simply attack/flood destinations that
most likely have SIP stacks running. Instead of going through
proxies to resolve phone numbers to IPs etc., they would
simply attack the IPs.
o How did the attackers end up with the range of IP addresses
to scan/attack?
The attacked DSL access/VoIP providers have IP ranges easily
accessible via RIPE. An attacker can simply pull a list of
/24's off a website.
o What kind of preparation was needed?
Close to none I guess. Some assumed that the attackers
ran through an information-gathering phase (i.e. 'UDP ping'
all valid IPs) and obtained a short list of valid SIP targets.
With dynamic IP addresses this list won't be valid for long.
The traffic and planning overhead doesn't make sense, since
in the same time an attacker could simply send out more
INVITEs.
o What devices were targeted?
None specific I assume. But it worked well for those
that a) did not check the source IP to filter traffic and
b) failed to properly check the Contact.
o returned calls
What had to happen did as a matter of fact happen.
Some users returned calls, but as the signalled A-party
number did not have leading zeros, some people added national
or international prefixes.
In one interesting case, customers started to call
the number in the German PSTN. Some DTAG customer ended up
getting calls night and day as a result of this.
Cheers,
Hendrik
--
Hendrik Scholz <hs at 123.org>
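The two checks the post says the affected devices skipped, source-IP filtering and Contact validation, as an added example that is not part of the post or of any vendor's firmware. It assumes the phone is configured with the provider's proxy address ranges as its only trusted signalling peers, and it does not resolve host names, so only IP literals inside those ranges pass; the INVITE samples are constructed.

```python
import ipaddress
import re

# Constructed samples (not from the post): one INVITE arriving straight from
# an untrusted host, one arriving from the provider's proxy range.
ROGUE_INVITE = (
    "INVITE sip:4930123456@192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK-1\r\n"
    'From: "491234" <sip:491234@203.0.113.7>;tag=a1\r\n'
    "To: <sip:4930123456@192.0.2.10>\r\n"
    "Contact: <sip:491234@203.0.113.7:5060>\r\n"
    "Call-ID: c1@203.0.113.7\r\nCSeq: 1 INVITE\r\n\r\n"
)
GOOD_INVITE = ROGUE_INVITE.replace("203.0.113.7", "198.51.100.5")

def parse_sip(raw: str):
    """Return (method, headers) for a SIP request; header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return head[0].split(" ", 1)[0], headers

def uri_host(uri: str) -> str:
    """Host part of a SIP URI such as <sip:user@host:port;params>."""
    m = re.search(r"sip:(?:[^@>\s]*@)?([^:;>\s]+)", uri)
    return m.group(1) if m else ""

def in_trusted(host: str, trusted: list[str]) -> bool:
    """True only for an IP literal inside one of the trusted CIDR ranges."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # host names are deliberately not resolved
        return False
    return any(ip in ipaddress.ip_network(n, strict=False) for n in trusted)

def accept_invite(raw: str, src_ip: str, trusted: list[str]) -> tuple[bool, str]:
    """a) the datagram must come from a trusted proxy address, and
    b) the Contact host must also be a trusted proxy address."""
    method, h = parse_sip(raw)
    if method != "INVITE":
        return False, "not an INVITE"
    if not in_trusted(src_ip, trusted):
        return False, f"source {src_ip} is not a trusted proxy"
    host = uri_host(h.get("contact", ""))
    if not in_trusted(host, trusted):
        return False, f"Contact host {host!r} is not a trusted proxy"
    return True, "ok"
```

An INVITE that passes the source check but carries a Contact outside the trusted ranges is still rejected, which is the case the post describes as check b).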