[VoiceOps] "TelePacific Network Outage: Cyber-Terrorism?"

Jared Geiger jared at compuwizz.net
Fri Apr 1 14:53:52 EDT 2011


On Fri, Apr 1, 2011 at 2:27 PM, Jason <iknowjason at pobox.com> wrote:

>
> I interpreted the article to imply that DoS was the motive of the "Cyber
> Terrorists" but in my experience real attackers (VoIP and otherwise) are
> motivated by financial gain (service abuse) and I fail to connect the
> dots of some kind of "cyber ransom" note being held to the ITSP
> threatening DoS - although this author [1] has mentioned it in the past.
>
> In my experience doing authorized penetration testing of SBCs (not PBX
> servers) for ITSPs, most vulnerabilities enumerated fall into this
> category for DoS testing:
> 1.  10,000 mps legitimate INVITE from onset of INVITE Flood, causing no
> response to legitimate INVITE
> 2.  10,000 mps spoofed INVITE triggers SBC anti-DoS rule after 5
> seconds, error response sent to attacker and to valid SIP users as well
> 3.  10,000 mps DDoS INVITE Flood from multiple stations causes SBC to
> drop valid SIP INVITEs.  As soon as attack stops, valid SIP INVITEs are
> once again processed
> 4.  10,000 mps INVITE Flood causes software bug/fault condition in SBC,
> system crashes (up to 30 minutes)
>
> Most ITSPs just don't know they are vulnerable because the network is
> never tested from the outside.  To be fair, the moment you can duplicate
> the issue to them, they will tune the rules/configuration and be mitigated.
>
> Most SBCs that I've tested are vulnerable to this issue but the
> perceived threat is very low:
>
> 1) We never see or hear it happening until once in a blue moon when a media
> outlet sensationalizes a "cyber terrorism" based DoS attack
>
> 2) This type of vulnerability really isn't getting actively exploited in
> the wild, although the vulnerability does exist
>
> 3) Attackers are less motivated by DoS and more motivated by financial
> gain, such as toll fraud.  DoS was the collateral impact/damage of
> another motive/attack (as suggested by J. Oquendo)
>
> Would be interested to know the real motive here.
>
> [1] Network World link: "Call Flooding Attack" (Patrick Park)
> http://www.networkworld.com/community/node/38458
>
> On 4/1/2011 10:00 AM, Frank Bulk wrote:
> >
> > http://www.channelpartnersonline.com/news/2011/03/telepacific-network-outage-cyber-terrorism.aspx?nck=1
> >
> > Anyone have more information on this?  Didn't seem important enough to make
> > this list, if that's any measure.
> >
> > Frank
> >
>

Honestly it sounds like a typical SIPVicious attack on a company that wasn't
prepared for it. Which then needed to call it a cyber attack to avoid paying
out SLAs.
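
Added example, not part of the thread or of any SBC vendor's code: a sliding-window simulation of finding 2 in the quoted list, where an anti-DoS rule keyed on total INVITE rate also rejects valid users, next to the same rule keyed per source. The addresses, the limit of 20 per second and the function names are assumptions, and the traffic is constructed and scaled down from the thread's 10,000 mps.

```python
from collections import defaultdict, deque

FLOOD, LEGIT = "198.51.100.7", "192.0.2.10"   # constructed documentation addresses

# Constructed arrival log (ms, source): one flooding source at 1,000 INVITE/s for
# 2 s (scaled down from the thread's 10,000 mps) plus a legitimate user sending
# one INVITE every 500 ms.
EVENTS = sorted([(t, FLOOD) for t in range(2000)] +
                [(t, LEGIT) for t in (250, 750, 1250, 1750)])

def admit(events, limit, key, window_ms=1000):
    """Sliding-window limiter: count accepted INVITEs per source.

    `key` maps a source to the bucket its arrivals are counted in. Rejected
    arrivals still count toward the window, so a sustained flood stays blocked.
    """
    recent, accepted = defaultdict(deque), defaultdict(int)
    for ts, src in events:
        q = recent[key(src)]
        while q and ts - q[0] >= window_ms:   # drop arrivals older than the window
            q.popleft()
        q.append(ts)
        if len(q) <= limit:
            accepted[src] += 1
    return dict(accepted)

def global_rule(events, limit=20):
    # One shared bucket: once the flood trips it, every sender is rejected.
    return admit(events, limit, key=lambda src: "all")

def per_source_rule(events, limit=20):
    # One bucket per source address: the flood only exhausts its own budget.
    return admit(events, limit, key=lambda src: src)

if __name__ == "__main__":
    for name, rule in (("global", global_rule), ("per-source", per_source_rule)):
        result = rule(EVENTS)
        print(name, "legit accepted:", result.get(LEGIT, 0),
              "flood accepted:", result.get(FLOOD, 0))
```

Keying on source address only separates the single-source case; it does not by itself handle the spoofed or multi-station floods in the list, where the key would have to be something harder to forge or spread across.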