[asterisk-users] lawnmower man "attack" sip tag=Zerogij34 someone else notice this on 20th September or recently?

Marco Mouta marco.mouta at gmail.com
Fri Oct 9 18:12:46 CDT 2009


Dear all,

According to:

http://www.honeynor.no/2009/09/20/citibank-uk-number-was-target-for-a-lawnmower-telephone-attack-today/

Citibank has been under a telephone calling attack on 20th September.

Has anyone in the Asterisk community got any CDRs or logging of similar
attacks to the one mentioned above?

Anyone with logging of it or further information about the case?
Identified more details in this "attack"?

------------

Citibank is or has been under a telephone calling attack in the last 12
hours. Here I will explain the attack and how it was done.


Have you seen the movie "Lawnmower Man", when in the end all the phones
ring in the whole city? This was the aim of today's attack on Citibank
in the UK. The attack was simple, but probably effective while it was
active: send SIP INVITEs to open SIP gateways and PBXs, which then
actually use the traditional phone system (POTS) to call the target.
Suddenly you need DoS protection on your traditional POTS lines...

The SIP INVITE looks like this.

INVITE sip:00442075005000@x SIP/2.0
Via: SIP/2.0/UDP 217.23.7.47:58585;branch=z9hG4bKaergjerugroijrgrg
To: <sip:x>
From: <sip:217.23.7.47:58585>;tag=Zerogij34
Call-ID: 213948958-34384780214-384748@217.23.7.47
CSeq: 1 INVITE
Max-Forwards: 69
Contact: <sip:sip@217.23.7.47:58585;transport=udp>
Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,NOTIFY,REFER,MESSAGE
Content-Type: application/sdp
Content-Length: 520
Session-Expires: 3600;
Allow-Events: refer..

v=0
o=sip 2147483647 1 IN IP4 1.1.1.1
s=sip
c=IN IP4 1.1.1.1
t=0 0
m=audio 29784 RTP/AVP 8 0 4 18 18 18 18 96 3 98
a=rtpmap:96 telephone-event/8000
a=sendrecv
a=ptime:20
a=rtpmap:18 G729AB/8000
a=rtpmap:18 G729B/8000
a=rtpmap:18 G729A/8000
a=rtpmap:18 G729/8000
a=rtpmap:4 G723

Let's walk through the SIP packet and see what info we can get from it:

A quick Google search on the tag Zerogij34 reveals that this attack
has been around since at least the 6th of August.

The IP (217.23.7.47) from this packet should be located in Portugal, but
the other attacks originate from both the UK and the Netherlands.
There is no User-Agent listed, so the packet is very likely crafted
with tools like sipsak or sipp.
The codec list seems real, but they use an obscure address (1.1.1.1)
for the RTP. If they used their own IP address, it could cause a
small DoS with RTP traffic for every successful call. The port 29784
is within the range of Cisco units (26 000-32 000).

The other INVITEs reveal that the attacker is trying to figure out the
extension to get a dial-tone:

   * INVITE sip:00442075005000@67.170.104.216 SIP/2.0
   * INVITE sip:011442075005000@67.170.104.216 SIP/2.0
   * INVITE sip:0442075005000@67.170.104.216 SIP/2.0
   * INVITE sip:0000442075005000@67.170.104.216 SIP/2.0
   * INVITE sip:0011442075005000@67.170.104.216 SIP/2.0
   * INVITE sip:900442075005000@67.170.104.216 SIP/2.0
   * INVITE sip:9011442075005000@67.170.104.216 SIP/2.0
   * INVITE sip:90442075005000@67.170.104.216 SIP/2.0
   * INVITE sip:442075005000@67.170.104.216 SIP/2.0
   * and several more...

But is this a DoS attack on Citibank? I doubt it. Why call
Citibank on a Sunday at 5 a.m.? It is more likely that Citibank has
lots of lines and therefore the SIP INVITEs do not generate an error
(busy or others). The attacker does not hear any ringtone, but he/she
should see the 180 Ringing / 180 Session in Progress. Then he or she
knows that he could actually get through to the PSTN on this SIP
proxy. If it were a ringing attack, why does the attacker only
send one single SIP INVITE through each gateway that actually calls
this destination?

The machines with the attacking IP addresses should be put under
surveillance to see who connects to these. They are probably just some
bots in a larger network, but they need to relay back which gateways
actually responded successfully.

Sad to say, but I believe this is only the small beginning...
----------------------------


Looking forward to hearing from you guys ;)

Cheers,


--
Marco Mouta
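For anyone who wants to check their own SIP logs or captures for the pattern described in the quoted write-up, here is a small detection script. It is an added example and is not code from the post, from honeynor.no or from the Asterisk project. It looks for the indicators the write-up names (the From tag Zerogij34, a missing User-Agent header, an SDP connection address of 1.1.1.1) and reports any source that sends the same destination number with several different dial prefixes, which is the relay-probing behaviour shown in the INVITE list. The INVITE messages it scans are constructed inline for the example (hosts 198.51.100.7, 192.0.2.20 and 203.0.113.10 are documentation addresses, not real parties); the TAIL_DIGITS value assumes a "44" country code plus a 10-digit UK number and would need adjusting for other destinations.

```python
"""Flag SIP INVITEs matching the relay-probing pattern from the quoted write-up.

Indicators checked (all taken from the write-up):
  * From tag "Zerogij34"
  * no User-Agent header
  * SDP connection address 1.1.1.1 (unroutable media address)
  * one source dialling the same number behind many different prefixes
The INVITEs scanned below are constructed sample data, not real captures.
"""
import re
from collections import defaultdict

KNOWN_TAG = "Zerogij34"      # From-tag reported in the write-up
BOGUS_MEDIA = {"1.1.1.1"}    # SDP c= address reported in the write-up
TAIL_DIGITS = 12             # assumption: "44" + 10-digit UK number; adjust per target


def parse_sip(raw):
    """Split a SIP request into request line, lower-cased header dict and body lines."""
    head, _, body = raw.replace("\r\n", "\n").strip("\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"request": lines[0].strip(), "headers": headers,
            "body": body.split("\n") if body else []}


def request_user(msg):
    """Digits dialled: the user part of the Request-URI (INVITE sip:USER@host SIP/2.0)."""
    m = re.match(r"INVITE\s+sips?:([^@\s;]+)@", msg["request"])
    return m.group(1) if m else None


def source_host(msg):
    """Host from the topmost Via header (where the request claims to come from)."""
    parts = msg["headers"].get("via", "").split()
    if len(parts) < 2:
        return None
    return parts[1].split(";")[0].rsplit(":", 1)[0]


def message_indicators(msg):
    """Per-message indicators; an empty list means nothing suspicious in this message alone."""
    found = []
    h = msg["headers"]
    if f"tag={KNOWN_TAG}" in h.get("from", ""):
        found.append("known-from-tag")
    if "user-agent" not in h:
        found.append("no-user-agent")
    for line in msg["body"]:
        if line.strip().startswith("c=") and line.split()[-1] in BOGUS_MEDIA:
            found.append("bogus-media-address")
            break
    return found


def prefix_enumeration(msgs, min_variants=3):
    """Group INVITEs by (source host, trailing digits of the dialled number) and
    return the sources that tried the same number behind >= min_variants prefixes."""
    seen = defaultdict(set)
    for msg in msgs:
        user, src = request_user(msg), source_host(msg)
        if not user or not src or not user.isdigit():
            continue
        seen[(src, user[-TAIL_DIGITS:])].add(user[:-TAIL_DIGITS])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_variants}


def make_invite(user, gateway, src, tag=KNOWN_TAG, user_agent=None, media="1.1.1.1"):
    """Build a constructed INVITE resembling the reported packet (sample data only)."""
    extra = f"User-Agent: {user_agent}\n" if user_agent else ""
    return (
        f"INVITE sip:{user}@{gateway} SIP/2.0\n"
        f"Via: SIP/2.0/UDP {src}:58585;branch=z9hG4bKexample\n"
        f"To: <sip:{gateway}>\n"
        f"From: <sip:{src}:58585>;tag={tag}\n"
        f"Call-ID: example-{user}@{src}\n"
        f"CSeq: 1 INVITE\n{extra}"
        f"Content-Type: application/sdp\n\n"
        f"v=0\no=sip 1 1 IN IP4 {media}\ns=sip\nc=IN IP4 {media}\nt=0 0\n"
        f"m=audio 29784 RTP/AVP 8 0 18\n"
    )


# Constructed sample: one source probing a gateway with seven dial prefixes,
# plus one ordinary call from a PBX with a real User-Agent and media address.
PROBES = [make_invite(p + "442075005000", "203.0.113.10", "198.51.100.7")
          for p in ("00", "011", "0", "0000", "9", "9011", "")]
LEGIT = make_invite("2075005000", "203.0.113.10", "192.0.2.20", tag="abc123",
                    user_agent="Asterisk PBX 1.6", media="192.0.2.20")


def scan(raw_messages):
    """Return (per-message indicator lists, enumeration report) for raw INVITE texts."""
    msgs = [parse_sip(r) for r in raw_messages]
    return [message_indicators(m) for m in msgs], prefix_enumeration(msgs)


if __name__ == "__main__":
    per_msg, enum = scan(PROBES + [LEGIT])
    for raw, ind in zip(PROBES + [LEGIT], per_msg):
        print(raw.split("\n")[0], ind)
    for (src, tail), prefixes in enum.items():
        print(f"{src} tried {tail} with prefixes {prefixes}")
```

Run it against your own SIP traces by replacing PROBES and LEGIT with the raw INVITE texts (one string per request); the enumeration report is the more useful signal, since the tag and media address can change while the prefix-guessing behaviour cannot if the attacker wants to find a working dial-out prefix.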


