[VoiceOps] "TelePacific Network Outage: Cyber-Terrorism?"

J. Oquendo sil at infiltrated.net
Fri Apr 1 12:35:17 EDT 2011


INSERT INTO 'voiceops' SET rant='rambling' WHERE day='friday'


"TelePacific Network Outage: Cyber-Terrorism?" ... Translates into
nothing more than a typical Denial of Service attack. According to the
article description: "cyber attack choked our servers and resulted in a
significant loss of service to customers – in most cases an inability to
make and receive calls. But the attack did not impact customers'
Internet or data services." Now, according to my experience, this is
likely an attacker or attackers simply doing routine SIP account
enumeration and registration attempts a-la SIPVicious.

Recently (three days ago to be exact), I had one of my Internet facing
PBXs experience the same exact symptoms: No calls in, no calls out. The
system you see was being hammered by an American webhosting company.
After firewalling the culprits via the PBX, calls coming in were coming
in sporadically when the attacker packet count was on the low side
(remember I said Internet facing, so I could not block all packets as I
normally would.) This was likely because, although blocked, the attacker
was still sending data that needed to be processed (remember the
firewall needs to check the incoming data against firewall rules and
make a decision: allow, drop or reject). After blocking them, I then -
via LinkedIn - decided to "speed up" the abuse reporting process.

Now, because abuse desks are almost as useful as a public lost and found
desk in the middle of NYC, after sending the message to the hosting
company, I then contacted the VP of the relevant department at the
hosting company (via LinkedIn) who was gracious enough to pass the
information along... right back to his abuse department. Six hours after
LinkedIn, 18 or so hours into the attack, when abuse desk staff decided
to check slash resolve the issue, they asked for the address of the
server being attacked, so they could report it to the attacker: "Hey Mr.
Attacker, you've been attacking address 2.3.4.5 so we cut you off", no
thanks I replied to the hosting company. If they needed a packet capture
for their own analysis, so be it, but there would be no way I would
effectively point the finger at my managed PBX and allow the attacker to
attack from elsewhere. (Mind you, the address was included in the
initial report anyway, but hey, who reads those). Anyhow, enough of this.

Nothing to see here (terrorism)... Move along. Then again, I guess in
the interest of fairness, maybe I should call the FBI as well every time
something computer related comes along. Not that they'll respond, but
I'm starting to wonder: was that just some organized crime group trying
to perform toll fraud, or was it an act of terrorism? Yipes, my servers
are to be beheaded via evil packets. Maybe I can get them to respond to
some of the "syndicate carriers" who terrorize me with their bills when
they promised: "oh sure, we can catch and halt that fraud for you..."

;

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
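The post attributes the outage to SIPVicious-style SIP account enumeration and registration attempts. As an added example (not part of the original post, and not code from the author or from TelePacific), the script below runs simple detection logic over a constructed REGISTER log and separates the two patterns a defender would want to tell apart: one source walking many sequential extensions (enumeration) versus one source hammering a single account with bad credentials (password guessing). The log format is hypothetical, chosen for the example; the status code is assumed to be the final response to an authenticated attempt, not the initial 401 challenge of a normal digest exchange. Real PBX logs have their own formats, so the parser would need adapting.

```python
import re
from collections import defaultdict

# Constructed sample log in a hypothetical one-line-per-request format
# (NOT any real PBX's log format):
#   "<timestamp> <src_ip> REGISTER <user> <final_sip_status>"
# 203.0.113.45 walks sequential extensions 100..111 (SIPVicious-style enumeration),
# 198.51.100.7 is a legitimate phone that mistyped its password once,
# 192.0.2.9 hammers a single extension with bad credentials (password guessing).
SAMPLE_LOG = "\n".join(
    [f"2011-03-29T03:12:{i:02d} 203.0.113.45 REGISTER {100 + i} 401" for i in range(12)]
    + [
        "2011-03-29T03:12:30 198.51.100.7 REGISTER alice 401",
        "2011-03-29T03:12:31 198.51.100.7 REGISTER alice 200",
        "this line is garbage and must be skipped by the parser",
    ]
    + [f"2011-03-29T03:13:{i:02d} 192.0.2.9 REGISTER 100 403" for i in range(15)]
)

LINE_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) REGISTER (\S+) (\d{3})$")


def parse_line(line):
    """Return (timestamp, src_ip, user, status) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, user, status = m.groups()
    return ts, ip, user, int(status)


def summarize_sources(log_text):
    """Aggregate REGISTER attempts per source address: total, failures, distinct users."""
    per_src = defaultdict(lambda: {"total": 0, "failures": 0, "users": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than crash the whole pass
        _, ip, user, status = parsed
        s = per_src[ip]
        s["total"] += 1
        s["users"].add(user)
        if status >= 400:  # 401/403/404: bad credentials, forbidden, or no such account
            s["failures"] += 1
    return per_src


def flag_sources(log_text, min_distinct_users=5, min_failures=10):
    """Return {src_ip: report} for sources whose pattern looks like enumeration or guessing.

    Thresholds are assumptions for the example; tune them to the size of your dialplan
    and the number of phones that legitimately sit behind one NAT address.
    """
    reports = {}
    for ip, s in summarize_sources(log_text).items():
        reasons = []
        distinct = len(s["users"])
        if distinct >= min_distinct_users:
            reasons.append("enumeration: %d distinct usernames tried" % distinct)
        elif s["failures"] >= min_failures:
            reasons.append("password guessing: %d failures against %d account(s)"
                           % (s["failures"], distinct))
        if reasons:
            reports[ip] = {
                "total": s["total"],
                "failures": s["failures"],
                "distinct_users": distinct,
                "reasons": reasons,
            }
    return reports


if __name__ == "__main__":
    for ip, report in flag_sources(SAMPLE_LOG).items():
        print(ip, report)
```

Counting distinct usernames per source, rather than failures alone, is what separates the scanner from a phone with a stale password: the legitimate handset above fails once against one account and is never flagged, while the enumerating source is caught after its fifth extension regardless of how many of its attempts happened to return 401.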


