[VOIPSEC] Analysis of a VoIP Attack
Klaus Darilion
klaus.mailinglists at pernau.at
Thu Oct 23 10:18:14 CDT 2008
Hendrik Scholz wrote:
> Hi Klaus!
>
> I was closely involved in this case when it happened and we came to the
> same conclusions as you.
>
> A few sidenotes:
>
> o Did the attackers target VoIP accounts?
>
> I believe they did simply attack/flood destinations that
> most likely have SIP stacks running. Instead of going through
> proxies to resolve phone numbers to IPs etc they would
> simply attack the IPs.
Yes
> o How did the attackers end up with the range of IP addresses
> to scan/attack?
>
> The attacked DSL access/VoIP providers have IP ranges easily
> accessible via RIPE. An attacker can simply pull a list of
> /24's off a website.
If the attacker explicitly searched for IP addresses of DSL accounts then
this would mean that the attacker was looking for home users with
an Asterisk installation and an insecure configuration (which can be abused
for PSTN termination). Because attacking "normal" SIP phones is IMO not
a business case for the attacker.
> o What kind of preparation was needed?
>
> Close to none I guess. Some assumed that the attackers
> ran through an information gathering phase (i.e. 'UDP ping')
> all valid IPs and obtain a short list of valid SIP targets.
> With dynamic IP addresses this list won't be valid for long.
> The traffic and planning overhead doesn't make sense as
> in the same time an attacker could simply send out more
> INVITEs.
If you try sipvicious in random mode you can easily find your targets
(probably Cisco GWs are a hot attack target)
>
> o What devices were targeted?
>
> None specific I assume. But it worked well for those
> that a) did not check the source IP to filter traffic and
> b) failed to properly check the Contact.
>
> o returned calls
>
> What had to happen did as a matter of fact happen.
> Some users returned calls but as the signalled A party
> number did not have leading zeros some people added national
> or international prefixes.
> In one interesting case customers started to call
> the number in the German PSTN. Some DTAG customer ended up
> getting calls night and day as a result of this.
Funny.
Thanks for your comments
klaus
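
The two device-side checks named under "What devices were targeted?" in the quoted mail, sketched as an added example that is not part of the original thread or of any vendor's code. The proxy range, the registered Contact user and the sample messages are constructed, and reading "check the Contact" as "the INVITE's Request-URI must match the Contact the device registered" is an assumption.

```python
import ipaddress
import re

# Constructed values: the provider's SIP proxy range and the user part this
# device placed in the Contact of its own REGISTER (both are assumptions).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/28")]
REGISTERED_CONTACT_USER = "a8f3k2"

# Request line: METHOD sip:[user@]host[:port][;params] SIP/2.0
REQUEST_LINE = re.compile(
    r"^([A-Z]+) sips?:(?:([^@\s;]+)@)?([^\s;:]+)\S* SIP/2\.0$")


def screen_request(src_ip, raw):
    """Return (accept, reason) for a SIP request received from src_ip."""
    match = REQUEST_LINE.match(raw.split("\r\n", 1)[0])
    if not match:
        return False, "malformed request line"
    method, user, _host = match.groups()
    # Check a): only the provider's proxies may talk SIP to this device.
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in TRUSTED_PROXIES):
        return False, "source is not a provider proxy"
    # Check b): an INVITE must be addressed to the Contact we registered,
    # not merely to our IP address with an arbitrary or missing user part.
    if method == "INVITE" and user != REGISTERED_CONTACT_USER:
        return False, "Request-URI does not match registered Contact"
    return True, "ok"


def invite(request_uri):
    """Build a minimal constructed INVITE (headers trimmed for brevity)."""
    return (f"INVITE {request_uri} SIP/2.0\r\n"
            "From: <sip:100@198.51.100.23>;tag=1\r\n"
            "To: <sip:100@203.0.113.57>\r\n\r\n")


# Constructed samples: (source IP, message)
SAMPLES = [
    ("198.51.100.23", invite("sip:100@203.0.113.57")),        # direct to IP
    ("192.0.2.5", invite("sip:100@203.0.113.57:5060")),       # wrong user
    ("192.0.2.5", invite("sip:a8f3k2@203.0.113.57:5060")),    # legitimate
]

if __name__ == "__main__":
    for src, msg in SAMPLES:
        print(src, screen_request(src, msg))
```

A device that applies only the first check still rings for any INVITE relayed through the provider's proxy, which is why the second check is kept separate.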