A story: ZZZ Telemarketing (not a real name) is locked in a heated fight with their bitter rival, YYY Telemarketing (also not a real name), to win a very large lead generation contract with Customer X. Customer X has decided to run a test pitting the two companies against each other for a week to see who can generate the most leads. The ZZZ CEO has said to his staff that it is "do or die" for the company. If they fail to win the contract, they will have to shut down — they need to do "whatever it takes" to win over YYY. A ZZZ staffer discovers that part of why YYY has consistently underbid them is because they are using SIP trunks to reduce their PSTN connection costs. But the staffer also discovers that YYY is using very cheap voice service providers who run over the public Internet with no security.
Discreet inquiries are made in the dark corners of the Internet. A large sum of money is exchanged through third parties. The test begins on Monday and both firms are off in their own buildings rapidly calling. But at a designated time on Tuesday, a bot-herder somewhere out on the Internet connects to an IRC chat room and enters a line of text. Moments after the Enter key is pressed, "bots" on tens of thousands of zombie PCs wake up and start slamming the SIP servers at YYY and its providers with enormous numbers of bogus SIP messages, each of which requires processing. Effectively all outbound (and inbound) PSTN connections grind to a halt. YYY IT staff try desperately to stop the attack but don't have any real knowledge of how to defend against these attacks. Because the attacks paralyzed YYY's SIP server but left their Internet connection still usable, their ISP won't help and says it is a problem for their telephony providers. Those providers, of course, are preoccupied trying to fight off the attack themselves. Meanwhile, hidden out on the net, the bot-herder watches the attempts and simply brings more botnets online as some nodes are successfully shut down or blocked.
Late on Wednesday at a designated time, the bot-herder enters the IRC room again and enters another command. All bots immediately cease their attacks. YYY can now make calls, but in their desperate attempts to restore connectivity the YYY IT staff has made such a mess of their network that it takes them until extremely late in the evening to return full service. Thursday morning YYY is back in full operation, but it's too late to overtake ZZZ's head start. ZZZ wins the test and the contract. (And YYY's lawyers desperately search for some way to pin this on ZZZ.)
Is this just a piece of creative fiction? (or a nightmare?)
Today, probably yes… but last week the first steps toward bringing about the reality appeared in the VOIPSEC mailing list when a group of academic researchers announced the availability of a "VoIP bot" for testing automated attacks against VoIP systems that use the SIP protocol. While the researchers indicated they were making it available to aid in the efforts to develop effective tools to prevent attacks, the cold, hard reality is that the same tool and code can be used for attacks by those operating botnets for malicious purposes. Deploy it on hundreds (or thousands) of zombie computers and an attacker potentially has a great way to execute a distributed denial of service (DDOS) against a company with, for example, a SIP trunk across the public Internet, thereby potentially shutting down that company's access to the PSTN. No inbound or outbound phone calls for the duration of the attack.
Welcome to the era of VoIP botnets.
With all the VoIP security tools out there, we knew it was only a matter of time before this occurred, but now the proverbial genie has been let out of the bottle. (or is it "bot-tle"?)
REALITY CHECK #1 - Now, before anyone cues the song "It's the End of the World as We Know It" and starts to rip out their VoIP deployment, let's be clear that this bot only affects systems using the SIP protocol. Given that the vast majority of corporate/enterprise VoIP deployments today occur with proprietary protocols (and this is true of all the main VoIP vendors), this news has little immediate impact on that segment of the market. However, almost all enterprise vendors are now supporting SIP phones and/or SIP trunks - and so this definitely will be a concern in the future. In the PSTN line replacement market, though, there certainly are a good number of service providers offering SIP connections/trunks. If they are doing that across the public Internet (versus their own network where they can better control traffic) then this is definitely something of concern to them.
REALITY CHECK #2 - Let's also be clear that there is no massive botnet out there right now waiting to kill all your SIP trunks or SIP sets (that we know of). What was released was a "proof-of-concept" that showed in a very basic way what could be done. The real threat is that attackers could modify the code, improve/tweak it, and start to deploy it out there in larger botnets. If we don't look at ways to address the issues raised here, it will, though, become a more serious issue.
With those statements out of the way, let's look at what this proof-of-concept bot does. First, as shown on the README page, you connect to an IRC server and create a chat room/channel. You then install the software onto a PC and run it (it's a Java JAR file), providing the name of the IRC server and channel to which you are connected. You then simply start executing SIP attack commands. If you start up several instances of the bot connecting to the same IRC channel, you can issue commands that are implemented by all your bots.
Simple. Easy. (Scared yet?)
So what does it do? Well, here are the commands:
A limited command set today, but the researchers indicate they will be refining it - and the source code is now out there for anyone to obtain and modify. And for something like a DOS (or DDOS) this could be effective. I only installed one bot on my test network, but I did see that it did generate a large number of packets against a SIP server I have running here. You could see the power of multiplying that.
So with the genie out of the bottle, what do we as VoIP security professionals do about it?
I'll offer several suggestions (and certainly welcome more as comments to the post):
Going back to my story at the top, YYY might not have had the problems if their SIP server were set to reject all packets that did not originate from their service providers… or if they had required encryption with mutual authentication so that spoofed IP addresses couldn't affect things… or if…
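The first of those defenses, sketched as an added example that is not part of the original article: an edge check that drops SIP from anything other than the service providers and caps requests per source. The provider ranges, thresholds, sample packets and the `SipEdgeFilter` name are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque

# Assumed provider ranges (constructed, RFC 5737 documentation addresses).
PROVIDER_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "198.51.100.10/32")]

class SipEdgeFilter:
    """Accept/drop decision for inbound SIP at the trunk edge (hypothetical helper)."""
    def __init__(self, allowed, max_requests=20, window=1.0):
        self.allowed, self.max_requests, self.window = allowed, max_requests, window
        self.seen = defaultdict(deque)   # source IP -> recent request timestamps
        self.dropped = defaultdict(int)  # drop reason -> count, for alerting

    def _drop(self, reason):
        self.dropped[reason] += 1
        return "drop:" + reason

    def check(self, src_ip, ts, first_line):
        # 1. Only the service providers may talk SIP to this server.
        addr = ipaddress.ip_address(src_ip)
        if not any(addr in net for net in self.allowed):
            return self._drop("not-provider")
        # 2. Request line is "METHOD uri SIP/2.0"; a response starts with "SIP/2.0".
        parts = first_line.split()
        is_request = len(parts) == 3 and parts[2] == "SIP/2.0"
        if not is_request and not (len(parts) >= 2 and parts[0] == "SIP/2.0"):
            return self._drop("malformed")
        # 3. Sliding-window cap on requests per source, since each one costs processing.
        if is_request:
            q = self.seen[src_ip]
            while q and ts - q[0] >= self.window:
                q.popleft()
            if len(q) >= self.max_requests:
                return self._drop("rate-limit")
            q.append(ts)
        return "accept"

def run_sample():
    f = SipEdgeFilter(PROVIDER_NETS, max_requests=2, window=1.0)
    # Constructed packets: (source IP, arrival time in seconds, first line).
    packets = [
        ("192.0.2.5", 0.00, "INVITE sip:+15550100@pbx.example SIP/2.0"),
        ("203.0.113.77", 0.01, "INVITE sip:+15550100@pbx.example SIP/2.0"),
        ("192.0.2.5", 0.10, "SIP/2.0 200 OK"),
        ("192.0.2.5", 0.20, "OPTIONS sip:pbx.example SIP/2.0"),
        ("192.0.2.5", 0.40, "INVITE sip:+15550101@pbx.example SIP/2.0"),
        ("192.0.2.5", 1.50, "INVITE sip:+15550102@pbx.example SIP/2.0"),
        ("198.51.100.10", 1.60, "GARBAGE"),
    ]
    return [f.check(*p) for p in packets], dict(f.dropped)
```

A source-address check over UDP trusts the address in the packet, which is why the paragraph above also names encryption with mutual authentication for the spoofed-address case.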
The reality is that there are solutions out there today that will go far in blunting the effect of these types of attacks. We just need to be sure that we are using and improving those solutions… if we don't… well… then we will be cueing up that song!
Other comments or suggestions?
This article has been featured here with kind permission from the Voice over IP Security Alliance (VOIPSA).
By Dan York, Author and Speaker on Internet technologies. Dan is employed as a Senior Content Strategist with the Internet Society but opinions posted on CircleID are entirely his own. Visit the blog maintained by Dan York here.