Chapter 14: SPAM over Internet Telephony (SPIT)

I don't know what is worse. Digging through my voicemail and deleting all the SPAM or getting 25 calls a day trying to sell me Viagra. I think I am going to just turn this stupid phone off.
User reaction to SPIT

Overview

Anyone using a PC is familiar with email SPAM. Anyone with an email address is familiar with the constant barrage of irritating messages, trying to sell you mortgages, sexual enhancement products, replica watches, gambling opportunities, and so on. Those of us who do not use SPAM filters often receive well over 100 SPAM messages a day. Even when using SPAM filters, some SPAM still gets through, or worse yet, some number of valid messages are identified as SPAM and deleted or sent to a junk mailbox. Plus, as SPAM filters improve, the spammers find new ways to sneak messages through.

Voice SPAM or SPAM over Internet Telephony (SPIT) is a similar problem that will affect VoIP. SPIT, in this context, refers to bulk, automatically generated, unsolicited calls. We don't consider traditional telemarketing to be SPIT. Telemarketing is certainly annoying and is often at least partially automated. Telemarketers employ "auto-dialers," which dial numbers trying to find a human who will answer the phone. When a human answers and is identified, the call is transferred to another human, who begins the sales pitch. These auto-dialers are pretty good about differentiating a human voice from an answering machine or voicemail system. Some telemarketers use automated messages, but considering the cost of making calls, most will use humans to do the talking.

SPIT is like telemarketing on steroids. You can expect SPIT to occur with a frequency similar to email SPAM. Telemarketing is annoying, but the rate of calls, at least compared to email SPAM, is very low. Compare the number of telemarketing calls you get on an average day, to the number of email SPAM messages you get. Consider getting calls all day for the "products" illustrated in Figure 14-1.

Figure 14-1: SPIT call product examples

Also, at least for now, it still costs money to make calls. Telemarketers can't afford to make enormous numbers of calls. This is in contrast to sending email messages, which costs virtually nothing. Making large numbers of calls is expensive for the following reasons:

  • You need a PBX, sized to the number of concurrent calls you want to make. You need the PBX itself, some number of T1 access cards, and auto-dialing software (it really isn't practical to have humans making the calls). You will also need some number of phones for the humans taking the calls when a human answers them. If the telemarketer wants to make 100 concurrent calls and have 10 phones available, an estimate for the equipment is $25,000.

  • You need expensive circuit-switched infrastructure to make a lot of concurrent calls. For example, if you want to generate 100 concurrent calls, you need at least five T1s (which have 23 or 24 channels each). The cost of the T1 varies, but averages around $500 per month.

  • Long distance calls average around 2 cents a minute. Assuming the telemarketer is making 100 concurrent long-distance calls, the cost per minute is $2.00.

    Assuming the telemarketer operates 8 hours a day (a very conservative estimate), that is 480 minutes or about $1,000 (assuming again 100 percent utilization). Actual utilization will be lower, because many calls are not answered.

  • The other cost to consider is that of the humans who make the calls or pick them up when auto-dialing software determines that a human answers the call. In traditional telemarketing, humans are considered essential, considering the cost of calls, and the desire to have an acceptable "hit" rate.

Keep in mind that a small percentage of the calls made are actually answered by a human (many go to voicemail). Assuming a 10 percent hit ratio and 10 available telemarketers, only 10 total concurrent telemarketing calls can be handled. This is arguably inefficient, considering the investment in equipment, T1 access lines, long distance charges, and personnel.

With VoIP, these costs are greatly reduced, which is why SPIT will resemble email SPAM more than telemarketing. Due to the possible volume, the hit rate percentage can be a lot lower, eliminating the need for humans to make the calls. The attacker still needs humans to answer calls for the people who respond to the SPIT calls, but these are more likely than a "cold" initial telemarketing call to result in a sale.

With VoIP, the cost of setting up a PBX is also lower. A commercial PBX could be used or the attacker could use a freeware system, such as Asterisk, and be up and running for about the cost of a decent PC. Because the network access is VoIP (most likely SIP), expensive circuit-switched T1 access cards are not required. The attacker will still need some number of phones, but fewer than would be needed for a traditional telemarketer. Softphones are also an option, but they only make sense if the telemarketers are already using PCs.

With broadband access and a VoIP/SIP connection to the network, the attacker can generate many simultaneous calls. For example, an attacker with a T1 and 1.5MB of bandwidth, and assuming a SIP INVITE message requiring only 1K, could generate approximately 150 call attempts per second. A successful call would require a few more SIP messages and the audio rate depends on the codec used. With G.711 and depending on the quality of service (QoS) provided, about 20 simultaneous calls can be generated. With a lower bandwidth codec, such as G.729 or G.723, over 100 simultaneous calls can be generated. This assumes that the VoIP access provider does not throttle the number of simultaneous calls.
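
The provider-side throttling that this estimate assumes is absent can be sketched as follows. This is an added example, not code from the book: it applies a per-source INVITE rate limit (token bucket) and a concurrent-call cap, then replays 150 INVITEs in one second against it. The class name, limits, addresses and Call-IDs are all constructed for illustration.

```python
from collections import defaultdict


class CallThrottle:
    """Per-source INVITE rate limit (token bucket) plus concurrent-call cap."""

    def __init__(self, invites_per_sec, burst, max_concurrent):
        self.rate = invites_per_sec
        self.burst = burst
        self.max_concurrent = max_concurrent
        self.tokens = defaultdict(lambda: float(burst))
        self.last_seen = {}
        self.active = defaultdict(set)  # source -> open Call-IDs

    def on_invite(self, src, call_id, now):
        # Refill for the time elapsed since this source's previous INVITE.
        elapsed = now - self.last_seen.get(src, now)
        self.last_seen[src] = now
        self.tokens[src] = min(self.burst, self.tokens[src] + elapsed * self.rate)
        if self.tokens[src] < 1:
            return "reject-rate"
        self.tokens[src] -= 1  # every admitted attempt costs a token
        if len(self.active[src]) >= self.max_concurrent:
            return "reject-concurrent"
        self.active[src].add(call_id)
        return "accept"

    def on_bye(self, src, call_id):
        self.active[src].discard(call_id)


def simulate():
    # Constructed limits: 1 INVITE/s sustained, burst of 5, 4 calls at once.
    throttle = CallThrottle(invites_per_sec=1, burst=5, max_concurrent=4)
    results = defaultdict(lambda: defaultdict(int))
    # Bulk source: 150 INVITEs spread over one second, calls never released.
    for i in range(150):
        verdict = throttle.on_invite("198.51.100.7", f"bulk-{i}", now=i / 150)
        results["bulk"][verdict] += 1
    # Ordinary user: three calls, 10 s apart, each hung up before the next.
    for i in range(3):
        verdict = throttle.on_invite("192.0.2.10", f"user-{i}", now=10.0 * i)
        results["user"][verdict] += 1
        throttle.on_bye("192.0.2.10", f"user-{i}")
    return {name: dict(counts) for name, counts in results.items()}


if __name__ == "__main__":
    print(simulate())
```

With these limits, only the first four of the bulk source's 150 attempts become calls, while the ordinary user's three calls are all accepted.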

VoIP is also expected to reduce the cost of making calls. At the current time, most VoIP calls terminate onto the Public Switched Telephone Network (PSTN), meaning the calls cost about the same as straight circuit-switched calls. More and more VoIP calls do not terminate on the PSTN. Over time, these end-to-end VoIP calls are expected to cost less and less, eventually perhaps being free. This, more than anything, will make SPIT very attractive, especially for international calls that are prohibitively expensive to make now. With VoIP, this will change, making it economical to generate international SPIT.

Even now, there are quite a few "free VoIP" services that advertise free VoIP or even VoIP-PSTN calls. Just type free voip calls into Google and you will find a long list of companies providing this service. Certainly some of these services could be used as a basis to transport SPIT. Even better, there are services that "anonymize" sources, making it difficult to trace back to the person generating the SPIT.



Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions
ISBN: 0072263644
EAN: 2147483647
Year: 2004
Pages: 158
