[VOIPSEC] Analysis of a VoIP Attack
klaus.mailinglists at pernau.at
Thu Oct 23 16:18:14 BST 2008
Hendrik Scholz schrieb:
> Hi Klaus!
> I was closely involved in this case when it happened and we came to the
> same conclusions as you.
> A few sidenotes:
> o Did the attackers target VoIP accounts?
> I believe they did simply attack/flood destinations that
> most likely have SIP stacks running. Instead of going through
> proxies to resolve phone numbers to IPs etc they would
> simply attack the IPs.
> o How did the attackers end up with the range of IP addresses
> to scan/attack?
> The attacked DSL access/VoIP providers have IP ranges easily
> accessible via RIPE. An attacker can simply pull a list of
> /24's off a website.
If the attacker explicitly searched for IP addresses of DSL accounts, then
this would mean that the attacker was looking for home users with an
Asterisk installation and an insecure configuration (which can be abused
for PSTN termination), because attacking "normal" SIP phones is IMO not
a business case for the attacker.
> o What kind of preparation was needed?
> Close to none I guess. Some assumed that the attackers
> ran through an information gathering phase (i.e. 'UDP ping')
> all valid IPs and obtain a short list of valid SIP targets.
> With dynamic IP addresses this list won't be valid for long.
> The traffic and planning overhead doesn't make sense as
> in the same time an attacker could simply send out more
If you try sipvicious in random mode, you can easily find your targets
(probably Cisco GWs are a hot attack target).
> o What devices were targeted?
> None specific I assume. But it worked well for those
> that a) did not check the source IP to filter traffic and
> b) failed to properly check the Contact.
> o returned calls
> What had to happen did as a matter of fact happen.
> Some users returned calls but as the signalled A party
> number did not have leading zeros some people added national
> or international prefixes.
> In one interesting case customers started to call
> the number in the German PSTN. Some DTAG customer ended up
> getting calls night and day as a result of this.
Thanks for your comments
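The two weaknesses named above (not filtering on source IP, not checking the Contact) can be turned into a concrete acceptance rule for inbound INVITEs. The following is an added example, not code from this thread or from any of the stacks mentioned; it assumes a hypothetical allowlist of provider proxy ranges and interprets "properly check the Contact" as requiring the Contact host to agree with the packet's source address.

```python
import re
from ipaddress import ip_address, ip_network

# Hypothetical allowlist of the provider's SIP proxies (constructed value).
TRUSTED_PROXIES = [ip_network("203.0.113.0/24")]


def parse_sip_headers(raw):
    """Split a raw SIP request into (request line, {lowercased name: value})."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def contact_host(headers):
    """Return the host part of Contact: <sip:user@host:port;params>, or None."""
    m = re.search(r"sip:(?:[^@>\s]+@)?([^:;>\s]+)", headers.get("contact", ""))
    return m.group(1) if m else None


def should_accept_invite(raw, src_ip):
    """Check (a) the source IP is a known proxy and (b) the Contact host
    matches the source IP.  Returns (accepted, reason)."""
    request_line, headers = parse_sip_headers(raw)
    if not request_line.startswith("INVITE"):
        return True, "not an INVITE; not checked here"
    src = ip_address(src_ip)
    if not any(src in net for net in TRUSTED_PROXIES):
        return False, "source IP not a trusted proxy"
    host = contact_host(headers)
    if host is None:
        return False, "missing or malformed Contact"
    try:
        if ip_address(host) != src:
            return False, "Contact host does not match source IP"
    except ValueError:                # hostname rather than IP literal
        return False, "Contact host is not an IP literal; treat as untrusted"
    return True, "accepted"


# Constructed sample: an unsolicited INVITE sent directly from a scanner.
SCANNER_INVITE = (
    "INVITE sip:1234@192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060\r\n"
    "From: <sip:1234@198.51.100.7>\r\n"
    "To: <sip:1234@192.0.2.10>\r\n"
    "Contact: <sip:1234@198.51.100.7:5060>\r\n"
    "\r\n"
)
```

A phone applying only check (b) would still ring on the scanner's INVITE, since the scanner's Contact is self-consistent; check (a) is what rejects it.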