[VoiceOps] "TelePacific Network Outage: Cyber-Terrorism?"

Jason iknowjason at pobox.com
Fri Apr 1 14:27:41 EDT 2011


I interpreted the article to imply that DoS was the motive of the "Cyber
Terrorists" but in my experience real attackers (VoIP and otherwise) are
motivated by financial gain (service abuse) and I fail to connect the
dots of some kind of "cyber ransom" note being held to the ITSP
threatening DoS - although this author [1] has mentioned it in the past.

In my experience doing authorized penetration testing of SBCs (not PBX
servers) for ITSPs, most vulnerabilities enumerated fall into this
category for DoS testing:
1.  10,000 mps legitimate INVITE from onset of INVITE Flood, causing no
response to legitimate INVITE
2.  10,000 mps spoofed INVITE triggers SBC anti-DoS rule after 5
seconds, error response sent to attacker and to valid SIP users as well
3.  10,000 mps DDoS INVITE Flood from multiple stations causes SBC to
drop valid SIP INVITEs.  As soon as attack stops, valid SIP INVITEs are
once again processed
4.  10,000 mps INVITE Flood causes software bug/fault condition in SBC,
system crashes (up to 30 minutes)

Most ITSPs just don't know they are vulnerable because the network is
never tested from the outside.  To be fair, the moment you can duplicate
the issue to them, they will tune the rules/configuration and be mitigated.

Most SBCs that I've tested are vulnerable to this issue but the
perceived threat is very low:

1) We never see or hear it happening until once in a blue moon when a media
outlet sensationalizes a "cyber terrorism" based DoS attack

2) This type of vulnerability really isn't getting actively exploited in
the wild, although the vulnerability does exist

3) Attackers are less motivated by DoS and more motivated by financial
gain, such as toll fraud.  DoS was the collateral impact/damage of
another motive/attack (as suggested by J. Oquendo)

Would be interested to know the real motive here.

[1] Network World link: "Call Flooding Attack" (Patrick Park)
http://www.networkworld.com/community/node/38458

On 4/1/2011 10:00 AM, Frank Bulk wrote:
> http://www.channelpartnersonline.com/news/2011/03/telepacific-network-outage-cyber-terrorism.aspx?nck=1
> 
> Anyone have more information on this?  Didn't seem important enough to make
> this list, if that's any measure.
> 
> Frank
> 
> 
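Failure case 2 from the list in the message above (an anti-DoS rule that ends up rejecting valid SIP users along with the flood), compared with one possible tuning. This is an added example, not part of the original post and not any SBC vendor's rule engine. The traffic window, source names, budgets and function names are all constructed assumptions.

```python
from collections import Counter

def build_window(flood=10_000, users=20, calls_each=2):
    """Constructed one-second window: flood INVITEs from spoofed sources with
    legitimate INVITEs from registered users spread evenly through it."""
    legit = [f"user-{i % users}" for i in range(users * calls_each)]
    step = flood // len(legit)
    window = []
    for i in range(flood):
        if i % step == 0 and i // step < len(legit):
            window.append(legit[i // step])
        window.append(f"spoofed-{i}")
    return window

def global_rule(window, limit):
    """One aggregate threshold: after `limit` INVITEs in the window,
    everything is rejected, whoever sent it."""
    return window[:limit]

def tiered_rule(window, trusted, per_trusted, untrusted_total):
    """Registered sources get their own small budget; all unknown sources
    share one aggregate budget, so a flood can only exhaust that share."""
    used, untrusted_used, accepted = Counter(), 0, []
    for src in window:
        if src in trusted:
            if used[src] < per_trusted:
                used[src] += 1
                accepted.append(src)
        elif untrusted_used < untrusted_total:
            untrusted_used += 1
            accepted.append(src)
    return accepted

def compare():
    """Return (legitimate accepted, flood accepted) for each policy."""
    window = build_window()
    trusted = {f"user-{i}" for i in range(20)}  # assumed: authenticated registrations
    def split(accepted):
        legit = sum(1 for s in accepted if s in trusted)
        return legit, len(accepted) - legit
    return {
        "global": split(global_rule(window, limit=500)),
        "tiered": split(tiered_rule(window, trusted, per_trusted=5, untrusted_total=100)),
    }

if __name__ == "__main__":
    for name, (legit, flood) in compare().items():
        print(f"{name}: {legit}/40 legitimate INVITEs accepted, {flood} flood INVITEs accepted")
```

Under the single threshold almost all valid INVITEs are rejected once the rule trips, while the tiered budget keeps serving registered users and caps what unknown sources can consume.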


