[VOIPSEC] Analysis of a VoIP Attack

Klaus Darilion klaus.mailinglists at pernau.at
Thu Oct 23 10:30:13 CDT 2008 


Alex Eckelberry schrieb:
> Klaus, excellent paper. I have been trying to piece together what
> happened, but using Google Translation on German publications has made
> the task a bit difficult ;-)
> 
> I admit I'm a little confused about the motives behind the attack.
> HoneyNor traced their attacks with a motive to get free calls to Malasia
> and Jamaica.  However, you don't seem to draw the same conclusions,

Actually I draw the same conclusions, but in a more general way. PSTN 
termination. I only saw the single INVITE request, thus the final PSTN 
target (Jamaica, Malaysia, .....African destination are also often used) 
was not visible for me. But once the attacker found an "insecure" 
gateway - that means the gateway forwarded the request, the attacker can 
use it for making phone calls into the PSTN.

If you then take a look at typical international charges:
  USA  ~1c/min
  Europe ~2c/min
  some African destination: ~1 EUR/min

This makes clear that once an attacker finds such an "open" gateway the 
prefer to use it for expensive destinations.

Probably I should have stated this more clearly.

> rather that the attackers were simply trying to find insecure gateways.
> One thing I haven't figure out is if they were actually able to get free
> calls placed (assuming this was their motive).

Unfortunately I do not know. That would be interesting - but probably if 
a provider was hacked they rarely admit it as they will loose reputation.

But from personal experience it is really amazing how easily you can 
trick some service providers.

regards
klaus


> 
> Alex
>  
> 
> -----Original Message-----
> From: voipsec-bounces at voipsa.org [mailto:voipsec-bounces at voipsa.org] On
> Behalf Of Hendrik Scholz
> Sent: Thursday, October 23, 2008 9:01 AM
> To: Klaus Darilion
> Cc: Voipsec
> Subject: Re: [VOIPSEC] Analysis of a VoIP Attack
> 
> Hi Klaus!
> 
> I was closely involved in this case when it happend and we came to the
> same conclusions as you.
> 
> A few sidenotes:
> 
> o Did the attackers target VoIP accounts?
> 
>   I believe they did simply attack/flood destinations that
>   most likely have SIP stacks running. Instead of going through
>   proxies to resolve phone numbers to IPs etc they would
>   simply attack the IPs.
> 
> o How did the attackers end up with the range of IP addresses
>   to scan/attack?
> 
>   The attacked DSL access/VoIP providers have IP ranges easily
>   accessible via RIPE. An attacker can simply pull a list of
>   /24's off a website.
> 
> o What kind of preparation was needed?
> 
>   Close to none I guess. Some assumed that the attackers
>   ran through an information gathering phase (i.e. 'UDP ping')
>   all valid IPs and obtain a short list of valid SIP targets.
>   With dynamic IP addresses this list won't be valid for long.
>   The traffic and planning overhead doesn't make sense as
>   in the same time an attacker could simply send out more
>   INVITEs.
> 
> o What devices were targeted?
> 
>   None specific I assume. But it worked well for those
>   that a) did not check the source IP to filter traffic and
>   b) failed to properly check the Contact.
> 
> o returned calls
> 
>   What had to happen did as a matter of fact happen.
>   Some users returned calls but as the signalled A party
>   number did not have leading zeros some people added national
>   or international prefixes.
>   In one interesting case customers started to call
>   the number in the German PSTN. Some DTAG customer ended up
>   getting calls night and day as a result of this.
> 
> Cheers,
>  Hendrik
> 
> --
> Hendrik Scholz <hs at 123.org>
> 
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org

More information about the Voipsec mailing list