Dear all, According to: w w w .honeynor.no/2009/09/20/citibank-uk-number-was-target-for-a-lawnmower-telephone-attack-today/ Citibankhas been under a telephone calling attack in 20th september. Does anyone in asterisk community got any CDRs or logging of similar attacks as the one above mentioned ? Any one ?with logging of it or future information about the case ? Identified more detaills in this "attack" ? ------------ Citibank is or has been under a telephone calling attack latest 12 hours. Here I will explain the attack and how it was done. Have you seen the movie ?lawnmower man?, when in the end, all phones rings in the who city? This was the aim for todays attack on Citibank in UK. The attack was simple, but probably effective when it was active. Send SIP INVITE to open SIP gateways and PBXs, who then will actually use the traditional phonesystem (POTS) to call the target. Suddenly you need DoS protection on your traditional POTS lines?. The SIP INVITE looks like this. INVITE sip:00442075005000 at x SIP/2.0 Via: SIP/2.0/UDP 217.23.7.47:58585;branch=z9hG4bKaergjerugroijrgrg To: <sip:x> From: <sip:217.23.7.47:58585>;tag=Zerogij34 Call-ID: 213948958-34384780214-384748 at 217.23.7.47 CSeq: 1 INVITE Max-Forwards: 69 Contact: <sip:sip at 217.23.7.47:58585;transport=udp> Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,NOTIFY,REFER,MESSAGE Content-Type: application/sdp Content-Length: 520 Session-Expires: 3600; Allow-Events: refer.. ? ? ? v=0 ? ? ? o=sip 2147483647 1 IN IP4 1.1.1.1 ? ? ? s=sip ? ? ? c=IN IP4 1.1.1.1 ? ? ? t=0 0 ? ? ? m=audio 29784 RTP/AVP 8 0 4 18 18 18 18 96 3 98 ? ? ? a=rtpmap:96 telephone-event/8000 ? ? ? a=sendrecva=ptime:20 ? ? ? a=rtpmap:18 G729AB/8000 ? ? ? a=rtpmap:18 G729B/8000 ? ? ? a=rtpmap:18 G729A/8000 ? ? ? a=rtpmap:18 G729/8000 ? ? ? a=rtpmap:4 G723 Lets walk through the SIP packet and see what info we can get from it: A quick google search on the tag: Zerogij34 reveals that this attack has been around since at least 6th of August. The IP (217.23.7.47)from this packet should be located in Portugal but the other attacks originate from both UK and Netherlands. There is no User-Agent listed, so the packet is very likely crafted from toosl like sipsak or sipp. The codec list seems real, but they use an obscure address (1.1.1.1) for the RTP. If they would use their own IP address, it could case a small DoS with RTP traffic for every successful call.)The port 29784 is within the range of Cisco units (26 000-32 000) The other INVITES reveals that the attacker is trying to figure the extension to get a dial-tone: ? ?* INVITE sip:00442075005000 at 67.170.104.216 SIP/2.0 ? ?* INVITE sip:011442075005000 at 67.170.104.216 SIP/2.0 ? ?* INVITE sip:0442075005000 at 67.170.104.216 SIP/2.0 ? ?* INVITE sip:0000442075005000 at 67.170.104.216 SIP/2.0 ? ?* INVITE sip:0011442075005000 at 67.170.104.216 SIP/2.0 ? ?* INVITE sip:900442075005000 at 67.170.104.216 SIP/2.0 ? ?* INVITE sip:9011442075005000 at 67.170.104.216 SIP/2.0 ? ?* INVITE sip:90442075005000 at 67.170.104.216 SIP/2.0 ? ?* INVITE sip:442075005000 at 67.170.104.216 SIP/2.0 ? ?* and several more? But is this a DoS attack on Citibank? I doubt it. Why call the Citibank on a Sunday 5 a.m.? This is more likely that Citibank has lots of lines and therefore the SIP INVITES does not generate an error (busy or others). The attacker does not hear any ringtone, but he/she should see the 180 Ringing / 180 Session in Progress. Then he or she knows that he could actually get through to the PSTN on this SIP proxy. If it would be a ringing attack, why does the attacker just send one single SIP INVITE through each gateway that actually calls this destination? The machines with the attacking IP addresses should be put under surveillance to see who connects to these. They are probably just some bots in a larger network, but they need to relay back which gateways actually responded successfully. Sad to say, but I believe this is only the small beginning?. ---------------------------- Looking forward to hearing from you guys ;) Cheers, -- Marco Mouta