[VOIPSEC] Voipsec Digest, Vol 46, Issue 11

Frank Leonhardt F.Leonhardt at uel.ac.uk
Sat Oct 25 10:03:28 CDT 2008 

>Dustin D. Trammell writes:
>> Consider the scenario where an attacker wants to DoS Bob specifically.
>> Rather than attack the endpoint technology, or even the VoIP
>infrastructure,
>> it's far easier to simply attack the user themselves.
>> Send a call once every 2-5 minutes.
<snip>
>
>Geoff Devine replied:
>This is why users have access to a malicious call trace feature.  In the
>good 'ol days, the network always knew the identity of the caller.  With
>VoIP, it's now possible to spoof your identity and the network at the VoIP
>to TDM boundary does not enforce any kind of identity checking.  In
>particular, 'calling party number' on a Primary Rate ISDN SETUP message
>isn't checked by anybody I've ever experimented with and I've been around
>Primary Rate for 20 years.  This never used to be a problem since all PRI
>interfaces had a contract between a corporation (for their PBX) and a
>service provider.  I've never had the opportunity to experiment on a live
>SS#7 network but the same problem exists there.  That interface is now being
>used to bridge VoIP to the PSTN.  I view this as a public policy issue.  If
>you are a VoIP service provider, malicious call trace has to work.  If you
>allow your customers to spoof their identity, the FCC should be empowered to
>pull the plug on your interface to the PSTN.  If that means that as a VoIP
>service provider, you need to give every customer a piece of hardware to
>create a digital certificate that validates their identity before making a
>phone call, so be it.

The idea that a malicious caller can be traced is attractive, but I'm sad to
say it too far behind the times.

In England it's been illegal to bother someone on the telephone for some
time. You can register your number for 'no cold calling' and anyone doing so
could end up in hot water if they went ahead and called you anyway - fines,
disconnection so on. This is enforced by publishing a Telephone Preference
Service (TPS) block-list which is used by calling equipment to prevent
inadvertent contravention on the rules. Leaving aside the effectiveness of
the watchdog enforcing it, this is a good system.

You can also opt to have any calls blocked where there's no CLI. Although
with spoofing is theoretically ineffective, in practice it works.

Incidentally, European law is much tougher on this kind of thing than
America, where the spammers seem to be protected by the first amendment. Here
it's illegal to spam and the spammers have to prove you might reasonably have
welcomed their approach.

Back to telephones: what have the telemarketers done about the ban? Simple -
they moved off-shore to some lawless state where the local government is
unwilling or unable to do anything about it. Florida appears the current
destination of choice - perhaps because of the weather. The current cost of
wholesale international trunking is next to nothing these days.

Now, even if the USA decided to act on locals breaking foreign laws in
principle, I can see several technical and legal challenges that would
prevent this from working in practice.

So, even if it was technically possible to trace the source of a call, it
wouldn't do you any good at stopping all but the most inept nuisance caller.

Frank Leonhardt.

More information about the Voipsec mailing list