Have you seen the movie “The Lawnmower Man“? When, in the end, all phones in the whole world is ringing? This was the scenario for several firms in Norway this week. The phones rang every 20 minutes!
Whose fault is it?
And the guilty one? Several are to blame.
First; the Piradius (again…) network doing SIP and H.323 scans on open phones and gateways.
Second; the phone producer not making a secure enough phone.
Third; the people putting such a solution onto the Internet with no security.
What the attacker did
The Piradius network was scanning the network sequential and sending H.323 Call Connect to each IP address. The phones were open to invites from any IP address. The phones then rang, and when answered by some people there were nobody in the other end.
Information about the packet
In the h.323 packet the claim to use Cisco equipment, but I’ve never heard about a “balhophone”. If you do know, please comment! The version does sound too suspicious (1.666666). I’m guessing on an Asterisk….
t35CountryCode: United States (181)
H.221 Manufacturer: Cisco (0xb5000012)
versionId: v 1.666666
The contact information within the H.323 packet for audio so totally different from where the TCP traffic is originated from. It is an unallocated space.
AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
NA | 126.96.36.199 | NA | | | | NA
The attacker has just used this IP address as a /dev/null for the audio of those that actually answered the phone. This RTP traffic back from mass calling can be a DoS attack in itself. If every packet you send on 1500 bytes generates a continues stream of 0,1Mbit (G711), it could take down the attacker itself….
The called number
Called party number: ’40#5926693444′
I’ve seen that they do include the # in several attacks previously, but this is not used in any part of Scandinavia to make an outbound call. If you know why an attacker is using the #, please let me know.