"TelePacific Network Outage: Cyber-Terrorism?"

http://www.channelpartnersonline.com/news/2011/03/telepacific-network-outage-cyber-terrorism.aspx?nck=1

Anyone have more information on this? Didn't seem important enough to make this list, if that's any measure.

Frank

Read about it. Was wondering too why it didn't make any list. Some sort of malicious attack as per their Twitter page. Never seen attackers take down a switch, they usually like to steal/toll fraud and move on... Would be good for the ITSP industry if someone could share more detail.

-----Original Message-----
From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of Frank Bulk
Sent: Friday, April 01, 2011 9:00 AM
To: voiceops at voiceops.org
Subject: [VoiceOps] "TelePacific Network Outage: Cyber-Terrorism?"

> http://www.channelpartnersonline.com/news/2011/03/telepacific-network-outage-cyber-terrorism.aspx?nck=1
>
> Anyone have more information on this? Didn't seem important enough to make this list, if that's any measure.
>
> Frank

_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops

Sounds like a denial of service attack on SBCs that were not configured properly, or the attacker found a way to hammer them even with a best-practices setup. Maybe using very little traffic too.

Also, one would think that the attacker would spoof his source IP address and never want a response back, so tracking down who did this is a huge pain. Or maybe they flooded the whole pipe going to the SBC the old-fashioned way. Just guessing... normally the old ways of hurting an ISP work the best...

Terrorism to me is putting a bomb in the rack. Cyber-terrorism to me is wanting page hits by a news company.

m

On Fri, 1 Apr 2011, Frank Bulk wrote:
> http://www.channelpartnersonline.com/news/2011/03/telepacific-network-outage-cyber-terrorism.aspx?nck=1
>
> Anyone have more information on this? Didn't seem important enough to make this list, if that's any measure.
>
> Frank

INSERT INTO 'voiceops' SET rant='rambling' WHERE day='friday'

"TelePacific Network Outage: Cyber-Terrorism?" ... translates into nothing more than a typical Denial of Service attack. According to the article description: "cyber attack choked our servers and resulted in a significant loss of service to customers - in most cases an inability to make and receive calls. But the attack did not impact customers' Internet or data services."

Now, according to my experience, this is likely an attacker or attackers simply doing routine SIP account enumeration and registration attempts a la SIPVicious. Recently (three days ago to be exact), I had one of my Internet-facing PBXs experience the same exact symptoms: no calls in, no calls out. The system, you see, was being hammered by an American webhosting company. After firewalling the culprits via the PBX, calls were coming in sporadically when the attacker packet count was on the low side (remember I said Internet-facing, so I could not block all packets as I normally would). This was likely because, although blocked, the attacker was still sending data that needed to be processed (remember the firewall needs to check the incoming data against firewall rules and make a decision: allow, drop or reject).

After blocking them, I then - via LinkedIn - decided to "speed up" the abuse reporting process. Now, because abuse desks are almost as useful as a public lost and found desk in the middle of NYC, after sending the message to the hosting company, I then contacted the or VP of the relevant department at the hosting company (via LinkedIn), who was gracious enough to pass the information along... right back to his abuse department. Six hours after LinkedIn, 18 or so hours into the attack, when abuse desk staff decided to check slash resolve the issue, they asked for the address of the server being attacked, so they could report it to the attacker: "Hey Mr. Attacker, you've been attacking address 2.3.4.5 so we cut you off." No thanks, I replied to the hosting company. If they needed a packet capture for their own analysis, so be it, but there would be no way I would effectively point the finger at my managed PBX and allow the attacker to attack from elsewhere. (Mind you, the address was included in the initial report anyway, but hey, who reads those.)

Anyhow, enough of this. Nothing to see here (terrorism)... Move along. Then again, I guess in the interest of fairness, maybe I should call the FBI as well every time something computer related comes along. Not that they'll respond, but I'm starting to wonder: was that just some organized crime group trying to perform toll fraud, or was it an act of terrorism? Yipes, my servers are to be beheaded via evil packets. Maybe I can get them to respond to some of the "syndicate carriers" who terrorize me with their bills when they promised: "oh sure, we can catch and halt that fraud for you..."

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett

42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF

I'm always amazed at what people will classify as terrorism.

-----Original Message-----
From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of Matt Yaklin
Sent: Friday, April 01, 2011 11:18 AM
To: Frank Bulk
Cc: voiceops at voiceops.org
Subject: Re: [VoiceOps] "TelePacific Network Outage: Cyber-Terrorism?"

> Sounds like a denial of service attack on SBCs that were not configured properly, or the attacker found a way to hammer them even with a best-practices setup. Maybe using very little traffic too.
>
> Also, one would think that the attacker would spoof his source IP address and never want a response back, so tracking down who did this is a huge pain. Or maybe they flooded the whole pipe going to the SBC the old-fashioned way. Just guessing... normally the old ways of hurting an ISP work the best...
>
> Terrorism to me is putting a bomb in the rack. Cyber-terrorism to me is wanting page hits by a news company.
>
> m
>
> On Fri, 1 Apr 2011, Frank Bulk wrote:
> > http://www.channelpartnersonline.com/news/2011/03/telepacific-network-outage-cyber-terrorism.aspx?nck=1
> >
> > Anyone have more information on this? Didn't seem important enough to make this list, if that's any measure.
> >
> > Frank

May want to consider joining: http://www.infragard.net/index.php?mn=0

David Hiers
CCIE (R/S, V), CISSP
ADP Dealer Services
2525 SW 1st Ave. Suite 300W
Portland, OR 97201
o: 503-205-4467
f: 503-402-3277

-----Original Message-----
From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of Frank Bulk
Sent: Friday, April 01, 2011 8:00 AM
To: voiceops at voiceops.org
Subject: [VoiceOps] "TelePacific Network Outage: Cyber-Terrorism?"

> http://www.channelpartnersonline.com/news/2011/03/telepacific-network-outage-cyber-terrorism.aspx?nck=1
>
> Anyone have more information on this? Didn't seem important enough to make this list, if that's any measure.
>
> Frank

This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail and delete the message and any attachments from your system.

Frank,

I've not seen more info... I posted about this issue on Wednesday but haven't seen any other comments appear since (often, I do, after a post):
http://voipsa.org/blog/2011/03/30/is-telepacifics-smartvoice-outage-a-result...

I agree that it would be helpful to ITSPs and the industry in general if they would explain a bit more of how they were attacked. They have said they would be doing so... let's hope that they do.

Regards,
Dan

On Apr 1, 2011, at 11:00 AM, Frank Bulk wrote:
> http://www.channelpartnersonline.com/news/2011/03/telepacific-network-outage-cyber-terrorism.aspx?nck=1
>
> Anyone have more information on this? Didn't seem important enough to make this list, if that's any measure.
>
> Frank
--
Dan York, Director of Conversations
Voxeo Corporation http://www.voxeo.com
dyork at voxeo.com
Phone: +1-407-455-5859
Skype: danyork
Join the Voxeo conversation:
Blogs: http://blogs.voxeo.com
Twitter: http://twitter.com/voxeo http://twitter.com/danyork
Facebook: http://www.facebook.com/voxeo

I interpreted the article to imply that DoS was the motive of the "Cyber Terrorists", but in my experience real attackers (VoIP and otherwise) are motivated by financial gain (service abuse), and I fail to connect the dots of some kind of "cyber ransom" note being held to the ITSP threatening DoS - although this author [1] has mentioned it in the past.

In my experience doing authorized penetration testing of SBCs (not PBX servers) for ITSPs, most vulnerabilities enumerated fall into this category for DoS testing:

1. 10,000 mps legitimate INVITE from onset of INVITE Flood, causing no response to legitimate INVITE
2. 10,000 mps spoofed INVITE triggers SBC anti-DoS rule after 5 seconds, error response sent to attacker and to valid SIP users as well
3. 10,000 mps DDoS INVITE Flood from multiple stations causes SBC to drop valid SIP INVITEs. As soon as attack stops, valid SIP INVITEs are once again processed
4. 10,000 mps INVITE Flood causes software bug/fault condition in SBC, system crashes (up to 30 minutes)

Most ITSPs just don't know they are vulnerable because the network is never tested from the outside. To be fair, the moment you can duplicate the issue to them, they will tune the rules/configuration and be mitigated.

Most SBCs that I've tested are vulnerable to this issue but the perceived threat is very low:

1) We never see or hear it happening until once in a blue moon when a media outlet sensationalizes a "cyber terrorism" based DoS attack
2) This type of vulnerability really isn't getting actively exploited in the wild, although the vulnerability does exist
3) Attackers are less motivated by DoS and more motivated by financial gain, such as toll fraud. DoS was the collateral impact/damage of another motive/attack (as suggested by J. Oquendo)

Would be interested to know the real motive here.

[1] Network World link: "Call Flooding Attack" (Patrick Park) http://www.networkworld.com/community/node/38458

On 4/1/2011 10:00 AM, Frank Bulk wrote:
> http://www.channelpartnersonline.com/news/2011/03/telepacific-network-outage-cyber-terrorism.aspx?nck=1
>
> Anyone have more information on this? Didn't seem important enough to make this list, if that's any measure.
>
> Frank

On Fri, Apr 1, 2011 at 2:27 PM, Jason <iknowjason at pobox.com> wrote:
Honestly, it sounds like a typical SIPVicious attack on a company that wasn't prepared for it, which then needed to call it a cyber attack to avoid paying out SLAs.
Participants (9): David_Hiers@adp.com, dyork@voxeo.com, frnkblk@iname.com, iknowjason@pobox.com, jared@compuwizz.net, jjackson@aninetworks.net, myaklin@g4.net, sil@infiltrated.net, ujjval@simplesignal.com