Sjur Usken

Views on new technologies and business opportunities from Sjur Usken

Citibank UK number was target for a "lawnmower" telephone attack today!


Citibank is, or has been, under a telephone calling attack for the last 12 hours. Here I will explain the attack and how it was done.

Have you seen the movie "The Lawnmower Man", where at the end all the phones in the whole city ring? That was the aim of today's attack on Citibank in the UK. The attack was simple, but probably effective while it was active: send a SIP INVITE to open SIP gateways and PBXs, which then use the traditional phone system (POTS) to call the target. Suddenly you need DoS protection on your traditional POTS lines…

The SIP INVITE looks like this:

INVITE sip:00442075005000@x SIP/2.0
Via: SIP/2.0/UDP 217.23.7.47:58585;branch=z9hG4bKaergjerugroijrgrg
To: <sip:x>
From: <sip:217.23.7.47:58585>;tag=Zerogij34
Call-ID: 213948958-34384780214-384748@217.23.7.47
CSeq: 1 INVITE
Max-Forwards: 69
Contact: <sip:sip@217.23.7.47:58585;transport=udp>
Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,NOTIFY,REFER,MESSAGE
Content-Type: application/sdp
Content-Length: 520
Session-Expires: 3600;
Allow-Events: refer

v=0
o=sip 2147483647 1 IN IP4 1.1.1.1
s=sip
c=IN IP4 1.1.1.1
t=0 0
m=audio 29784 RTP/AVP 8 0 4 18 18 18 18 96 3 98
a=rtpmap:96 telephone-event/8000
a=sendrecv
a=ptime:20
a=rtpmap:18 G729AB/8000
a=rtpmap:18 G729B/8000
a=rtpmap:18 G729A/8000
a=rtpmap:18 G729/8000
a=rtpmap:4 G723

Let's walk through the SIP packet and see what information we can get from it:

A quick Google search on the From tag (Zerogij34) reveals that this attack has been around since at least the 6th of August.

The IP address in this packet (217.23.7.47) should be located in Portugal, but the other attacks originate from both the UK and the Netherlands.
There is no User-Agent header, so the packet was very likely crafted with a tool like sipsak or SIPp.
The codec list looks real, but they use an obscure address (1.1.1.1) for the RTP media. If they had used their own IP address, the RTP traffic from every successful call would have caused a small DoS against themselves. The port 29784 is within the range used by Cisco units (26 000-32 000).

The other INVITEs reveal that the attacker is trying to figure out which prefix (extension) gives a dial tone, i.e. an outside line:

  • INVITE sip:00442075005000@67.170.104.216 SIP/2.0
  • INVITE sip:011442075005000@67.170.104.216 SIP/2.0
  • INVITE sip:0442075005000@67.170.104.216 SIP/2.0
  • INVITE sip:0000442075005000@67.170.104.216 SIP/2.0
  • INVITE sip:0011442075005000@67.170.104.216 SIP/2.0
  • INVITE sip:900442075005000@67.170.104.216 SIP/2.0
  • INVITE sip:9011442075005000@67.170.104.216 SIP/2.0
  • INVITE sip:90442075005000@67.170.104.216 SIP/2.0
  • INVITE sip:442075005000@67.170.104.216 SIP/2.0
  • and several more…
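The indicators walked through above (no User-Agent, an SDP media address that does not match the signalling source, one From tag reused everywhere, and one source dialling the same number with a dozen different prefixes) can be checked mechanically on a SIP capture. The following is an added example written for this page, not code from the original post: it parses SIP INVITEs, reports the per-message indicators, finds From tags shared across source IPs, and groups INVITEs by (source, normalized callee) to catch the prefix walk. The prefix list is taken from the INVITE list above; the sample messages are constructed from the post's packet, with 192.0.2.10 (a documentation address) standing in for a second scanning source and a made-up desk phone as the benign control. The threshold of three distinct prefixes is an assumption.

```python
# Added example (not from the original post): detect the scan described above
# from captured SIP INVITEs. Sample messages are constructed from the post's packet.
import re
from collections import defaultdict

# Outside-line / international access prefixes from the post's INVITE list, longest
# first so "0011" is stripped before "00" (assumption: at most one prefix per call).
DIAL_PREFIXES = sorted(["0", "00", "011", "0000", "0011", "9", "90", "900", "9011"],
                       key=len, reverse=True)

def normalize_number(user):
    """Strip one dial prefix so 00442075..., 9011442075... and 442075... compare equal."""
    for p in DIAL_PREFIXES:
        if user.startswith(p) and len(user) > len(p):
            return user[len(p):]
    return user

def parse_invite(raw):
    """Split one SIP request into Request-URI user/host, headers and the SDP fields we need."""
    head, _, body = raw.replace("\r\n", "\n").strip().partition("\n\n")
    lines = head.splitlines()
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    uri_m = re.match(r"sips?:([^@;]+)@([^;>]+)", uri)
    via_m = re.match(r"SIP/2\.0/\w+\s+([\d.]+)", headers.get("via", ""))
    tag_m = re.search(r"tag=([^;>\s]+)", headers.get("from", ""))
    sdp_m = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    return {"method": method, "user": uri_m.group(1), "host": uri_m.group(2),
            "src": via_m.group(1) if via_m else None,       # signalling source (top Via)
            "tag": tag_m.group(1) if tag_m else None,       # From tag (Zerogij34 in the post)
            "media_ip": sdp_m.group(1) if sdp_m else None,  # where RTP would be sent
            "headers": headers}

def per_message_indicators(msg):
    """Indicators visible in a single INVITE."""
    hits = []
    if "user-agent" not in msg["headers"]:
        hits.append("no User-Agent header (likely hand-crafted with sipsak/SIPp)")
    # NAT can legitimately cause this mismatch, so on its own it is only a weak signal.
    if msg["media_ip"] and msg["media_ip"] != msg["src"]:
        hits.append("SDP media address %s != signalling source %s" % (msg["media_ip"], msg["src"]))
    return hits

def shared_tags(msgs):
    """From tags seen from more than one source IP: a tool's hard-coded tag."""
    by_tag = defaultdict(set)
    for m in msgs:
        by_tag[m["tag"]].add(m["src"])
    return {t: sorted(s) for t, s in by_tag.items() if t and len(s) > 1}

def prefix_scans(msgs, threshold=3):
    """(source, normalized callee) pairs dialled with >= threshold distinct prefixes."""
    dialled = defaultdict(set)
    for m in msgs:
        dialled[(m["src"], normalize_number(m["user"]))].add(m["user"])
    return {k: sorted(v) for k, v in dialled.items() if len(v) >= threshold}

def analyse(raw_messages):
    msgs = [parse_invite(r) for r in raw_messages]
    return {"per_message": {m["headers"]["call-id"]: per_message_indicators(m) for m in msgs},
            "shared_tags": shared_tags(msgs), "prefix_scans": prefix_scans(msgs)}

# Constructed samples: the post's packet with the dialled string and source varied as in
# the post's INVITE list. 192.0.2.10 (documentation range) stands in for a second source.
TEMPLATE = ("INVITE sip:{user}@67.170.104.216 SIP/2.0\r\n"
            "Via: SIP/2.0/UDP {src}:58585;branch=z9hG4bKaergjerugroijrgrg\r\n"
            "To: <sip:67.170.104.216>\r\nFrom: <sip:{src}:58585>;tag=Zerogij34\r\n"
            "Call-ID: 213948958-{n}@{src}\r\nCSeq: 1 INVITE\r\nMax-Forwards: 69\r\n"
            "Content-Type: application/sdp\r\n\r\n"
            "v=0\r\no=sip 2147483647 1 IN IP4 1.1.1.1\r\ns=sip\r\nc=IN IP4 1.1.1.1\r\n"
            "t=0 0\r\nm=audio 29784 RTP/AVP 8 0 18\r\n")
SCAN_USERS = ["00442075005000", "011442075005000", "0442075005000",
              "0000442075005000", "9011442075005000", "442075005000"]
SAMPLES = [TEMPLATE.format(user=u, src="217.23.7.47", n=i) for i, u in enumerate(SCAN_USERS)]
SAMPLES.append(TEMPLATE.format(user="00442075005000", src="192.0.2.10", n=99))
# A constructed benign call from a registered phone: User-Agent present, media address matches.
SAMPLES.append("INVITE sip:2001@67.170.104.216 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK1\r\n"
               "To: <sip:2001@67.170.104.216>\r\nFrom: <sip:2007@67.170.104.216>;tag=abc1\r\n"
               "Call-ID: benign-1@10.0.0.5\r\nCSeq: 1 INVITE\r\nUser-Agent: DeskPhone/1.0\r\n"
               "Content-Type: application/sdp\r\n\r\nv=0\r\nc=IN IP4 10.0.0.5\r\nm=audio 4000 RTP/AVP 0\r\n")

if __name__ == "__main__":
    result = analyse(SAMPLES)
    for (src, callee), users in result["prefix_scans"].items():
        print("prefix walk from %s toward %s: %s" % (src, callee, ", ".join(users)))
    print("From tags shared across sources:", result["shared_tags"])
```

On the constructed samples the prefix walk from 217.23.7.47 toward 442075005000 is reported with six distinct dialled strings, the Zerogij34 tag is flagged as shared by both sources, and the desk-phone call produces no indicators. The media-address check is deliberately a weak signal on its own, because phones behind NAT also put a private address in their SDP; the combination with a missing User-Agent and a prefix walk is what makes it convincing.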

But is this a DoS attack on Citibank? I doubt it. Why call Citibank at 5 a.m. on a Sunday? More likely, Citibank was chosen because it has lots of lines, so the SIP INVITEs do not generate an error (busy or otherwise). The attacker does not hear any ringtone, but he or she will see the 180 Ringing / 180 Session in Progress response, and then knows that this SIP proxy can actually reach the PSTN. If it were a ringing attack, why would the attacker send just one single SIP INVITE through each gateway that actually calls this destination?
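The point above is that the provisional response is the information leak: an open gateway that answers an unknown source's INVITE with 100 Trying and 180 Ringing has told the scanner it can reach the PSTN. The following is an added example, not code from the post or from any particular PBX: a routing policy a gateway should apply before it sends anything provisional, answering unknown sources and unauthenticated peers with a final error and rate-limiting sources that keep walking prefixes. The trusted peer list, the internal extensions and the per-source budget are assumptions chosen for the example.

```python
# Added example (not from the original post): gateway-side routing policy that
# never sends a provisional response to a source that may not use the PSTN.
from collections import defaultdict

# Assumed configuration for this example.
TRUSTED_PEERS = {"10.0.0.5", "10.0.0.6"}   # registered phones / authenticated trunk peers
INTERNAL_EXTENSIONS = {"2001", "2007"}     # local extensions; no PSTN leg involved
MAX_INVITES_PER_SOURCE = 5                 # per-source INVITE budget for the observation window

class GatewayPolicy:
    def __init__(self):
        self.invites = defaultdict(int)    # INVITE count per source IP

    def decide(self, src_ip, user, has_credentials):
        """Return the SIP responses the gateway sends for one INVITE.

        Final errors come back without a 100 Trying or 180 Ringing, so a scanner
        learns nothing from provisional responses about whether a PSTN leg exists."""
        self.invites[src_ip] += 1
        if self.invites[src_ip] > MAX_INVITES_PER_SOURCE:
            return ["503 Service Unavailable"]            # source exceeded its budget
        if user in INTERNAL_EXTENSIONS:
            return ["100 Trying", "180 Ringing"]          # local call, nothing to leak
        if src_ip not in TRUSTED_PEERS:
            return ["403 Forbidden"]                      # unknown source asking for an outside line
        if not has_credentials:
            return ["407 Proxy Authentication Required"]  # known peer must still authenticate
        return ["100 Trying", "180 Ringing"]              # authenticated peer: PSTN leg proceeds

def scan_outcome(policy, src_ip, users):
    """What a prefix-walking scanner at src_ip sees for each dialled string."""
    return {u: policy.decide(src_ip, u, has_credentials=False) for u in users}

if __name__ == "__main__":
    walk = ["00442075005000", "011442075005000", "0442075005000", "0000442075005000",
            "0011442075005000", "900442075005000", "9011442075005000"]
    for user, responses in scan_outcome(GatewayPolicy(), "217.23.7.47", walk).items():
        print(user, "->", ", ".join(responses))
```

Run against the prefix list from the post, every dialled string from the scanning address gets 403 Forbidden until the budget is spent and 503 Service Unavailable afterwards; a 180 Ringing is only ever produced for a local extension or for an authenticated peer. Whether to challenge with 407 or refuse with 403 is a policy choice: 407 is right for peers you expect to authenticate, 403 for everyone else, because even a challenge confirms that a gateway is listening.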

The machines at the attacking IP addresses should be put under surveillance to see who connects to them. They are probably just bots in a larger network, but they need to relay back which gateways actually responded successfully.

Sad to say, but I believe this is only the beginning…

2 responses to “Citibank UK number was target for a "lawnmower" telephone attack today!”

  1. MTA October 21, 2009 at 1:59 pm

    Great Blog

    The same thing happened to our network in Asia where a lot of calls were made on the Citibank number.

    I am a VoIP noob, so I noticed that IPs from one of our entire IP pools made calls on the Citibank number. Do you think the hacker misused them for making calls (most of these IPs were not even live)?

    • sjur October 21, 2009 at 6:57 pm

      Hi,

      There were several customers hit that used to call that number. I still have not understood what the real purpose behind the attack was. I have no knowledge of your IP network, so I cannot answer how they actually routed the calls. You should do a thorough security check of your network.

      regards
      sjur
