[VOIPSEC] Cellphone Botnets

Geoff Devine Geoff at GeoffDevine.com
Fri Oct 24 06:47:59 CDT 2008 

Dustin D. Trammell writes:
> Consider the scenario where an attacker wants to DoS Bob specifically.
> Rather than attack the endpoint technology, or even the VoIP
infrastructure,
> it's far easier to simply attack the user themselves.
> Send a call once every 2-5 minutes.  This is likely low-rate enough to
avoid
> triggering any (D)DoS protections in place, and fits the rate model of
> perfectly legitimate voice traffic behavior.  When Bob answers, just hang
> up.  After a short while, he'll be really irritated at these calls and
> probably either take the phone off-hook or turn the ringer off, denying
> himself service by his own action.  The beauty of this attack is that it
> also doesn't require any special tech to launch.  With a little
persistence,
> an attacker can manually call Bob every couple of minutes and hang up with
> little effort.

This is why users have access to a malicious call trace feature.  In the
good 'ol days, the network always knew the identity of the caller.  With
VoIP, it's now possible to spoof your identity and the network at the VoIP
to TDM boundary does not enforce any kind of identity checking.  In
particular, 'calling party number' on a Primary Rate ISDN SETUP message
isn't checked by anybody I've ever experimented with and I've been around
Primary Rate for 20 years.  This never used to be a problem since all PRI
interfaces had a contract between a corporation (for their PBX) and a
service provider.  I've never had the opportunity to experiment on a live
SS#7 network but the same problem exists there.  That interface is now being
used to bridge VoIP to the PSTN.  I view this as a public policy issue.  If
you are a VoIP service provider, malicious call trace has to work.  If you
allow your customers to spoof their identity, the FCC should be empowered to
pull the plug on your interface to the PSTN.  If that means that as a VoIP
service provider, you need to give every customer a piece of hardware to
create a digital certificate that validates their identity before making a
phone call, so be it.

Geoff Devine

More information about the Voipsec mailing list