Citibank is, or has been, under a telephone calling attack for the last 12 hours. Here I will explain the attack and how it was done.
Have you seen the movie "Lawnmower Man", where at the end every phone in the whole city rings? That was the aim of today's attack on Citibank in the UK. The attack was simple, but probably effective while it was active: send a SIP INVITE to open SIP gateways and PBXs, which then use the traditional phone system (POTS) to call the target. Suddenly you need DoS protection on your traditional POTS lines....
The SIP INVITE looks like this.
INVITE sip:00442075005000@x SIP/2.0
Via: SIP/2.0/UDP 217.23.7.47:58585;branch=z9hG4bKaergjerugroijrgrg
To: <sip:x>
From: <sip:217.23.7.47:58585>;tag=Zerogij34
Call-ID: 213948958-34384780214-384748@217.23.7.47
CSeq: 1 INVITE
Max-Forwards: 69
Contact: <sip:sip@217.23.7.47:58585;transport=udp>
Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,NOTIFY,REFER,MESSAGE
Content-Type: application/sdp
Content-Length: 520
Session-Expires: 3600;
Allow-Events: refer

v=0
o=sip 2147483647 1 IN IP4 1.1.1.1
s=sip
c=IN IP4 1.1.1.1
t=0 0
m=audio 29784 RTP/AVP 8 0 4 18 18 18 18 96 3 98
a=rtpmap:96 telephone-event/8000
a=sendrecv
a=ptime:20
a=rtpmap:18 G729AB/8000
a=rtpmap:18 G729B/8000
a=rtpmap:18 G729A/8000
a=rtpmap:18 G729/8000
a=rtpmap:4 G723

Let's walk through the SIP packet and see what information we can get from it:
A quick Google search on the tag Zerogij34 reveals that this attack has been around since at least the 6th of August.
The IP (217.23.7.47) in this packet geolocates to Portugal, but the other attacks originate from both the UK and the Netherlands.
There is no User-Agent header, so the packet is very likely crafted with tools like sipsak or SIPp.
The codec list looks genuine, but they use an address that is not their own (1.1.1.1) as the RTP endpoint. If they used their own IP address, every successful call would send RTP traffic back to them, which could amount to a small DoS against themselves. The port 29784 is within the range used by Cisco units (26000-32000).
The other INVITEs reveal that the attacker is trying to figure out which extension gives a dial tone:
But is this a DoS attack on Citibank? I doubt it. Why call Citibank at 5 a.m. on a Sunday? More likely Citibank simply has lots of lines, so the SIP INVITEs do not come back with an error (busy or otherwise). The attacker does not hear any ringtone, but he or she sees the 180 Ringing / 183 Session Progress, and then knows that this SIP proxy can actually reach the PSTN. If this were a ringing attack, why would the attacker send only a single SIP INVITE through each gateway that actually reaches this destination?
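To make the walk-through concrete, here is an added example (my own code, not from the original post) that parses a reconstruction of the INVITE above and extracts the same indicators the analysis relies on: the dialled number, the source address in the Via, the From tag, the missing User-Agent, and the RTP address and port from the SDP. It then turns them into flags a gateway operator could log or alert on, and classifies the gateway's response the way the attacker would (a 180/183/200 means the call reached the PSTN). The sample message is constructed from the packet shown, not a live capture, and the flag names and the "00 + digits" threshold are my own choices.

```python
import re
from typing import Optional

# Constructed sample: a reconstruction of the INVITE shown on the page. The SDP
# body here is shorter than the advertised Content-Length (520), so the parser
# splits on the blank line instead of trusting that header.
SAMPLE_INVITE = (
    "INVITE sip:00442075005000@x SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 217.23.7.47:58585;branch=z9hG4bKaergjerugroijrgrg\r\n"
    "To: <sip:x>\r\n"
    "From: <sip:217.23.7.47:58585>;tag=Zerogij34\r\n"
    "Call-ID: 213948958-34384780214-384748@217.23.7.47\r\n"
    "CSeq: 1 INVITE\r\n"
    "Max-Forwards: 69\r\n"
    "Contact: <sip:sip@217.23.7.47:58585;transport=udp>\r\n"
    "Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,NOTIFY,REFER,MESSAGE\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 520\r\n"
    "Session-Expires: 3600;\r\n"
    "Allow-Events: refer\r\n"
    "\r\n"
    "v=0\r\n"
    "o=sip 2147483647 1 IN IP4 1.1.1.1\r\n"
    "s=sip\r\n"
    "c=IN IP4 1.1.1.1\r\n"
    "t=0 0\r\n"
    "m=audio 29784 RTP/AVP 8 0 4 18 18 18 18 96 3 98\r\n"
    "a=rtpmap:96 telephone-event/8000\r\n"
    "a=sendrecv\r\n"
    "a=ptime:20\r\n"
)


def parse_sip(raw: str) -> dict:
    """Split a SIP request into request line, headers (lower-cased names,
    repeated headers kept in order) and SDP lines keyed by their type letter."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: dict = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    sdp: dict = {}
    for line in body.splitlines():
        if len(line) > 2 and line[1] == "=":
            sdp.setdefault(line[0], []).append(line[2:])
    return {"request_line": lines[0], "headers": headers, "sdp": sdp}


def first(headers: dict, name: str) -> Optional[str]:
    values = headers.get(name.lower())
    return values[0] if values else None


def indicators(msg: dict) -> dict:
    """Pull out the fields the write-up above reasons about."""
    method, uri, _version = msg["request_line"].split(" ", 2)
    user = uri.split(":", 1)[1].split("@", 1)[0]   # sip:NUMBER@host -> NUMBER
    via = first(msg["headers"], "Via") or ""
    m_via = re.search(r"/(?:UDP|TCP)\s+([\d.]+):?(\d+)?", via)
    m_tag = re.search(r"tag=([^;\s]+)", first(msg["headers"], "From") or "")
    rtp_ip = None
    for c in msg["sdp"].get("c", []):            # "IN IP4 1.1.1.1"
        parts = c.split()
        if len(parts) == 3:
            rtp_ip = parts[2]
    m_line = (msg["sdp"].get("m") or [""])[0].split()
    rtp_port = int(m_line[1]) if len(m_line) > 1 and m_line[1].isdigit() else None
    return {
        "method": method,
        "dialled": user,
        "via_ip": m_via.group(1) if m_via else None,
        "via_port": int(m_via.group(2)) if m_via and m_via.group(2) else None,
        "from_tag": m_tag.group(1) if m_tag else None,
        "user_agent": first(msg["headers"], "User-Agent"),
        "rtp_ip": rtp_ip,
        "rtp_port": rtp_port,
    }


def flags(ind: dict) -> set:
    """Heuristics taken from the analysis above; names and threshold are mine."""
    out = set()
    if ind["method"] == "INVITE" and re.fullmatch(r"00\d{8,}", ind["dialled"] or ""):
        out.add("pstn_destination")   # international number with a 00 prefix
    if ind["user_agent"] is None:
        out.add("no_user_agent")      # crafted with a tool, not sent by a phone
    if ind["rtp_ip"] and ind["via_ip"] and ind["rtp_ip"] != ind["via_ip"]:
        out.add("rtp_mismatch")       # media pointed away from the sender
    if ind["from_tag"] == "Zerogij34":
        out.add("known_tag")          # the tag the page ties to this campaign
    return out


def pstn_reached(status_line: str) -> bool:
    """What the sender is really after: 180 Ringing, 183 Session Progress or
    200 OK from the gateway means the call was forwarded to the PSTN."""
    code = int(status_line.split()[1])
    return code in (180, 183, 200)


if __name__ == "__main__":
    ind = indicators(parse_sip(SAMPLE_INVITE))
    print(ind)
    print(sorted(flags(ind)))
    print(pstn_reached("SIP/2.0 183 Session Progress"))
```

Run against real traffic, the same parser can be fed from a SIP trace on the gateway; a single INVITE per gateway with these flags and a 180/183 coming back is exactly the "which gateways reach the PSTN" probe the post describes.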
The machines with the attacking IP addresses should be put under surveillance to see who connects to them. They are probably just bots in a larger network, but they need to relay back which gateways actually responded successfully.
Sad to say, but I believe this is only a small beginning....
Even though Norway is not a member of the EU, many directives still apply to us, and those that don't can still provide useful insight. For instance, Article 5 of Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) [1] states:
"Member States shall [..] prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users [..]"
On a general basis one may emphasize that the end user (the receiving or sending party of the electronic communication) can always do whatever he/she wants with the data being received (or sent). That includes logging the traffic data or recording the contents. The privacy regulation only limits these actions when they are performed by third parties.
The EU directive mentioned above may be interpreted to mean that the right to record one's own traffic (and to participate in electronic communications) is assumed to be such a basic right that it does not even need to be explicitly granted. One should be much more concerned about unauthorized third parties tapping the communications.
A reader pointed out to us that the Finnish legislation 516/2004, section 8 [2], is much more explicit in this regard:
"The sender and intended recipient of a message are entitled to handle their own messages and the identification data associated with these messages [..]"
If you are running a honeypot, that makes you the second party of a ("unicast") electronic communication, giving you all the rights of a participant. One could also argue that you are in fact the intended recipient of that communication. It was the attacker who initiated the conversation; you didn't fool him into doing anything, nor did you lure him into initiating the traffic under false pretences. The honeypot passively waits for someone to probe any of its services and only then starts recording, when it is being attacked, most likely by a person wanting illegitimate access to the machine.
1. http://europa.eu/eur-lex/pri/en/oj/dat/2002/l_201/l_20120020731en00370047.pdf
2. http://www.finlex.fi/en/laki/kaannokset/2004/en20040516.pdf