
On Fri, Apr 1, 2011 at 2:27 PM, Jason <iknowjason at pobox.com> wrote:
I interpreted the article to imply that DoS was the motive of the "Cyber Terrorists" but in my experience real attackers (VoIP and otherwise) are motivated by financial gain (service abuse) and I fail to connect the dots of some kind of "cyber ransom" note being held to the ITSP threatening DoS - although this author [1] has mentioned it in the past.
In my experience doing authorized penetration testing of SBCs (not PBX servers) for ITSPs, most vulnerabilities enumerated fall into this category for DoS testing:
1. 10,000 mps legitimate INVITE from onset of INVITE Flood, causing no response to legitimate INVITE
2. 10,000 mps spoofed INVITE triggers SBC anti-DoS rule after 5 seconds, error response sent to attacker and to valid SIP users as well
3. 10,000 mps DDoS INVITE Flood from multiple stations causes SBC to drop valid SIP INVITEs. As soon as attack stops, valid SIP INVITEs are once again processed
4. 10,000 mps INVITE Flood causes software bug/fault condition in SBC, system crashes (up to 30 minutes)
Most ITSPs just don't know they are vulnerable because the network is never tested from the outside. To be fair, the moment you can duplicate the issue to them, they will tune the rules/configuration and be mitigated.
Most SBCs that I've tested are vulnerable to this issue but the perceived threat is very low:
1) We never see or hear it happening until once in a blue moon when a media outlet sensationalizes a "cyber terrorism" based DoS attack
2) This type of vulnerability really isn't getting actively exploited in the wild, although the vulnerability does exist
3) Attackers are less motivated by DoS and more motivated by financial gain, such as toll fraud. DoS was the collateral impact/damage of another motive/attack (as suggested by J. Oquendo)
Would be interested to know the real motive here.
[1] Network World link: "Call Flooding Attack" (Patrick Park) http://www.networkworld.com/community/node/38458
On 4/1/2011 10:00 AM, Frank Bulk wrote:
http://www.channelpartnersonline.com/news/2011/03/telepacific-network-outage-cyber-terrorism.aspx?nck=1
Anyone have more information on this? Didn't seem important enough to make this list, if that's any measure.
Frank
Honestly it sounds like a typical SIPVicious attack on a company that wasn't prepared for it, which then needed to call it a cyber attack to avoid paying out SLAs.
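Jason's items 2 and 3 above describe an SBC whose anti-DoS rule, once tripped by a flood, also answers or drops INVITEs from valid users until the flood stops. The following is an added illustration, not code from anyone in this thread: it replays a constructed, scaled-down INVITE arrival sequence (one legitimate caller, one flooding source; both addresses are documentation-range placeholders) through a single SBC-wide rate threshold and then through a per-source threshold, so the collateral effect on the legitimate caller can be compared.

```python
from collections import defaultdict, deque

# Constructed sample (not captured traffic): INVITE arrivals as
# (timestamp_ms, source_ip). The legitimate caller places one call per
# second for 10 s; the flooder sends 20 INVITEs per second during seconds
# 3..6 (scaled down from the 10,000 mps figure in the post).
LEGIT, FLOODER = "198.51.100.7", "203.0.113.99"

def build_sample():
    records = [(t * 1000, LEGIT) for t in range(10)]
    for t in range(3, 7):
        records += [(t * 1000 + i * 50, FLOODER) for i in range(20)]
    return sorted(records)

class SlidingWindow:
    """Counts INVITEs seen in the trailing `window_ms` milliseconds."""
    def __init__(self, window_ms=1000):
        self.window_ms, self.events = window_ms, deque()

    def add(self, ts):
        self.events.append(ts)
        while self.events and self.events[0] <= ts - self.window_ms:
            self.events.popleft()
        return len(self.events)

def run(records, per_source, limit):
    """Gate each INVITE on a rate threshold and tally the outcome per source.

    per_source=False models one SBC-wide counter: once the flood trips it,
    every INVITE gets the error response, including the legitimate caller's
    (item 2 in the post), and service only recovers when the flood stops
    (item 3). per_source=True keys the counter on the sending address, so
    only the flooder is rejected and the legitimate caller is unaffected.
    """
    windows = defaultdict(SlidingWindow)
    outcome = defaultdict(lambda: {"accepted": 0, "rejected": 0})
    for ts, src in records:
        key = src if per_source else "*"
        verdict = "rejected" if windows[key].add(ts) > limit else "accepted"
        outcome[src][verdict] += 1
    return dict(outcome)

if __name__ == "__main__":
    sample = build_sample()
    print("SBC-wide threshold:", run(sample, per_source=False, limit=10))
    print("per-source threshold:", run(sample, per_source=True, limit=10))
```

With the SBC-wide counter the legitimate caller loses four consecutive calls (seconds 4 through 7, the flood plus one window of tail) and recovers at second 8; with the per-source counter every one of its ten INVITEs is accepted while the flooder is held to ten.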