[VOIPSEC] Cellphone Botnets, Blackmailing VOIP & a Healthy Cybercrime Economy - Desktop Security News Analysis - Dark Reading (UNCLASSIFIED)

Dustin D. Trammell dtrammell at bpointsys.com
Thu Oct 23 14:41:01 CDT 2008 

On Thu, 2008-10-23 at 21:35 +0300, Ari Takanen wrote:
> Slow rate or not, all this discussion (and the other one regarding the
> recent VoIP attacks) just reminds me of war dialling. 

Odd you should bring that up, as wardialing is currently my primary
research topic in the area of VoIP (:  Stay tuned...

> One could assume that using VoIP protocols, it takes very little
> resources (or time) to make a call to say, several million subscribers
> of any VoIP service, or even a PSTN service provided you do not keep
> calling the same target organization at the same time and DDoS his
> local voice switch or any of the VoIP-PSTN gateways. Well little
> resources at least considering what it used to take to make
> e.g. 10,000 calls in the old times. Annoyance per user is
> minimal. Very few organizations would even detect it. Very few user
> agents would have even time to say "buzz" before you would already
> hang up.

You're right, it's extremely easy to wardial large blocks of numbers
quickly using VoIP given the right provider, and most providers that
I've tested either don't notice, or simply don't care (hey, they're
getting paid, right?).  Unfortunately annoyance to the end-user isn't
quite as minimal as it would seem, because if you're attempting to find
answering modems, you do still have to wait for the destination to ring,
answer, and then connect if it's not a human.  At the point of
determining that the answering party is *not* a machine, you've already
achieved the annoyance of bothering a human.

> Use case? No idea... But that might be what we see people doing,
> although we only see the failed attempts. The real scans go
> undetected.

The use case would be simply much, much faster wardialing than has been
traditionally available, even with large modem banks.

The benefits for wardialing over VoIP are primarily cost (we've heard
that one before right?), scalability (as you've mentioned), a fairly
reliable level of anonymity (you can get VoIP service with a pre-paid
credit card and use it fairly anonymously), you can reliably set your
Caller-ID, and most VoIP providers either don't notice or just don't
care what you do or who you call as long as they're getting paid for the
calls.

The primary detriment is that many providers currently only support
G.711 which is not all that great for getting a modem carrier through
(I've only been able to achieve about a 2400bps carrier in many cases).

-- 
Dustin D. Trammell
Security Researcher
BreakingPoint Systems, Inc.

More information about the Voipsec mailing list