[VOIPSEC] Analysis of a VoIP Attack
Alex Eckelberry
AlexE at sunbelt-software.com
Thu Oct 23 09:27:18 CDT 2008
Klaus, excellent paper. I have been trying to piece together what
happened, but using Google Translation on German publications has made
the task a bit difficult ;-)
I admit I'm a little confused about the motives behind the attack.
HoneyNor traced their attacks with a motive to get free calls to Malaysia
and Jamaica. However, you don't seem to draw the same conclusions,
rather that the attackers were simply trying to find insecure gateways.
One thing I haven't figured out is if they were actually able to get free
calls placed (assuming this was their motive).
Alex
-----Original Message-----
From: voipsec-bounces at voipsa.org [mailto:voipsec-bounces at voipsa.org] On
Behalf Of Hendrik Scholz
Sent: Thursday, October 23, 2008 9:01 AM
To: Klaus Darilion
Cc: Voipsec
Subject: Re: [VOIPSEC] Analysis of a VoIP Attack
Hi Klaus!
I was closely involved in this case when it happened and we came to the
same conclusions as you.
A few sidenotes:
o Did the attackers target VoIP accounts?
I believe they did simply attack/flood destinations that
most likely have SIP stacks running. Instead of going through
proxies to resolve phone numbers to IPs etc they would
simply attack the IPs.
o How did the attackers end up with the range of IP addresses
to scan/attack?
The attacked DSL access/VoIP providers have IP ranges easily
accessible via RIPE. An attacker can simply pull a list of
/24's off a website.
o What kind of preparation was needed?
Close to none I guess. Some assumed that the attackers
ran through an information gathering phase (i.e. 'UDP ping'
all valid IPs) and obtained a short list of valid SIP targets.
With dynamic IP addresses this list won't be valid for long.
The traffic and planning overhead doesn't make sense, as
in the same time an attacker could simply send out more
INVITEs.
o What devices were targeted?
None specific I assume. But it worked well for those
that a) did not check the source IP to filter traffic and
b) failed to properly check the Contact.
o returned calls
What had to happen did as a matter of fact happen.
Some users returned calls but, as the signalled A party
number did not have leading zeros, some people added national
or international prefixes.
In one interesting case customers started to call
the number in the German PSTN. Some DTAG customer ended up
getting calls night and day as a result of this.
Cheers,
Hendrik
--
Hendrik Scholz <hs at 123.org>
_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
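The two conditions Hendrik names under "What devices were targeted?" (no source-IP filtering and no proper check of the Contact) as an endpoint-side check. This is an added example, not code from the thread or from Klaus's paper; it assumes a hypothetical consumer UA that only ever talks to its provider's proxy, with the proxy range, provider domain and the INVITE below all constructed values.

```python
import ipaddress
import re

# Assumed UA configuration (constructed values, not from the incident):
# the provider's proxy range and the SIP domain the UA is registered to.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("198.51.100.0/24")]
PROVIDER_DOMAIN = "sip.example.net"

# Constructed INVITE resembling direct-to-endpoint traffic: it arrives from an
# address outside the proxy range and its Contact points at that same host.
SAMPLE_INVITE = (
    "INVITE sip:4912345@192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.9:5060;branch=z9hG4bK776\r\n"
    "From: \"12345\" <sip:12345@203.0.113.9>;tag=1\r\n"
    "To: <sip:4912345@192.0.2.10>\r\n"
    "Contact: <sip:12345@203.0.113.9:5060>\r\n"
    "Call-ID: abc123@203.0.113.9\r\n"
    "CSeq: 1 INVITE\r\n\r\n"
)


def parse_headers(msg):
    """Map lower-cased header name -> value for the SIP head (first occurrence wins)."""
    head = msg.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), value.strip())
    return headers


def contact_host(contact):
    """Host part of a Contact URI such as <sip:user@host:port;params>, or None."""
    m = re.search(r"sips?:(?:[^@>;]*@)?([^:;>\s]+)", contact)
    return m.group(1) if m else None


def _in_proxy_nets(host):
    """True if host is an IP literal inside the configured proxy range."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXY_NETS)


def check_invite(msg, src_ip):
    """Reasons to reject or flag an INVITE for a proxy-only UA; empty list means it passes."""
    findings = []
    if not _in_proxy_nets(src_ip):                       # check a) source IP filter
        findings.append("source %s is outside the configured proxy range" % src_ip)
    host = contact_host(parse_headers(msg).get("contact", ""))
    if host is None:                                     # check b) Contact sanity
        findings.append("missing or malformed Contact")
    elif host.lower() != PROVIDER_DOMAIN and not _in_proxy_nets(host):
        findings.append("Contact host %s is neither the provider domain nor its proxy" % host)
    return findings
```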