When Will SPIT be a Problem?

SPIT is not a problem right now because, while there is a fair amount of VoIP deployed and the amount is certainly growing, most of it is present in disconnected internal VoIP deployments. While enterprises have a fair amount of VoIP, it is very uncommon to connect these deployments to others. Circuit-switched access and the PSTN continue to be the primary interconnect between enterprises. For the reasons discussed in the previous section, the PSTN doesn't allow for cost-effective transmission of SPIT.

Over time, more and more enterprises will interconnect themselves via VoIP, most likely through SIP trunks to service providers and/or the Internet. More and more calls will be VoIP end-to-end. More and more users (and attackers) will have access to VoIP and the cost of making calls will decrease, perhaps to the point where VoIP calls are all-but-free, just like email messages. During this transition, unless the VoIP community takes steps to address it, expect SPIT to grow and grow as an issue.

Caution 

Keep in mind that as this transition takes place, you don't have to use VoIP to receive SPIT. SPIT becomes an issue as attackers have access to VoIP and can easily generate many, inexpensive calls. As long as they can generate many inexpensive calls, it may not matter whether the target is VoIP or TDM. Whether the destination is a SIP URI or a traditional phone number, it is easy for the attacker to generate lists of addresses or numbers and generate SPIT calls.

Attack: Generating SPIT

Popularity: 6
Simplicity: 7
Impact: 5
Risk Rating: 6

We developed a SPIT-generation tool called spitter that uses the open-source Asterisk IP PBX as the SPIT-generation platform. There are other tools that could be used for this function, but we found Asterisk to be both easy and flexible to use. The spitter tool is run on the same platform as Asterisk, reads an ASCII file containing information about the calls to be created, and produces separate "call files" that it temporarily places in the /tmp directory, and then moves into Asterisk's outgoing spool folder, /var/spool/asterisk/outgoing/. Asterisk monitors this directory for files and creates calls almost immediately after the call file is created. The file input to the spitter tool must contain at least one call record, but the upper limit is only a function of the capacity of your storage media. The name of the file really does not matter, but it is good form to provide a meaningful name and append a .call extension. Each file created by the spitter tool has a name of this form:

 spitter_call_<random number>.call 

We set up a second Asterisk IP PBX using IP address 10.1.101.2 to be the SPIT-generation platform and installed the spitter tool on that platform. The primary Asterisk IP PBX remained, using the IP address of 10.1.101.1 and serving four target IP phones. Voicemail was set up on this platform. Figure 14-2 illustrates the configuration we used for our tests.

Figure 14-2: SPIT test bed

The first step in using the spitter tool is to understand how Asterisk uses the call files to create calls. Each call file contains several attributes that define the call. There are more attributes available than are needed to generate SPIT; we just describe the ones you need.

First, define the destination address:

 Channel: <channel> 

Next, set the caller ID of the outgoing call:

 CallerID: Asterisk <800-555-1212> 

Next, if the call is answered, specify where to connect it. The Context field refers to an entry in the Asterisk dialplan.

 Context: <context-name>
 Extension: <ext>
 Priority: <priority>

Finally, set channel variables, which are used to specify the audio file to be played:

 SetVar: SPIT=<audio filename> 

When Asterisk processes a call file, it first dials the destination in accordance with the value of the channel attribute in the call file. The call is identified to the destination in accordance with the value of the CallerID attribute. The easiest way to describe the remaining lines is with an example. The following file is used to target each phone in Domain 1 with the same SPIT message. The audio message (called spam in this case and identified by a channel variable named SPIT) happened to be included in an Asterisk sounds add-on distribution.

 Channel: IAX2/to-10.1.101.1/6000
 CallerID: Your Spouse
 Context: test_call_spool_spit_outbound
 Extension: 6000
 SetVar: SPIT=spam
 Priority: 1

 Channel: IAX2/to-10.1.101.1/6500
 CallerID: Your Best Friend
 Context: test_call_spool_spit_outbound
 Extension: 6500
 SetVar: SPIT=spam
 Priority: 1

 Channel: IAX2/to-10.1.101.1/7000
 CallerID: Your Birth Mother
 Context: test_call_spool_spit_outbound
 Extension: 7500
 SetVar: SPIT=spam
 Priority: 1

 Channel: IAX2/to-10.1.101.1/7500
 CallerID: your girlfriend
 Context: test_call_spool_spit_outbound
 Extension: 7500
 SetVar: SPIT=spam
 Priority: 1

The order of the records isn't relevant, because Asterisk will simultaneously schedule a call for each file. The files target different extensions, but could also target one extension with multiple calls. This example uses a single SPIT message, but it could be different for each call. Each call record could have specified a different sound file in its channel variable assignment:

 SetVar: SPIT=<sound file name> 

In our scenario, each call record requires that its targets be dialed over an IAX channel named:

 to-10.1.101.1 

Because it's an IAX channel, its channel attributes are defined in the Asterisk IP PBX iax.conf configuration file. The channel definition from that configuration file is:

 [to-10.1.101.1]
 type=peer
 host=10.1.101.1
 qualify=yes
 timezone=America/Chicago

Here, you see the address of the Asterisk IP PBX in the destination domain (in other words, 10.1.101.1). However, the name of the channel and the destination host could have been assigned symbolic names, and Asterisk would have attempted a DNS operation to resolve the host's name into an IP address. The type, peer, means this channel is used to make outbound calls. For an explanation of the other attributes, refer to Asterisk: The Future of Telephony by Jim Van Meggelen, Jared Smith, and Leif Madsen (O'Reilly 2005).

Note 

Even though we set up an IAX channel for interdomain calls, we could have just as easily set up a SIP channel. SIP channel attributes are found in the Asterisk sip.conf configuration file.

After Asterisk dials the call in accordance with the call file attributes, call control then proceeds in accordance with the dialplan context stipulated in the call file:

 test_call_spool_spit_outbound 

Control starts at the step stipulated by the value of the call file's Priority attribute (in other words, step 1). The context name is not required to be meaningful, but it is usually good form. The dialplan context needs to be defined before the spitter tool is executed. The dialplan is contained within Asterisk's extensions.conf configuration file. Here is that context definition:

 [test_call_spool_spit_outbound]
 ; extensions to 10.1.101.1 domain
 exten => _[67]XXX,1,Answer()
 exten => _[67]XXX,2,Wait(2)
 exten => _[67]XXX,3,Playback(${SPIT})
 exten => _[67]XXX,4,Hangup()

We have a dialplan script that executes in sequential steps beginning with step (in other words, Priority) 1. The priority of each step (the second parameter in each extension line) defines the order of execution when the dialed extension (from the call file) matches the extension pattern defined in the first parameter of each extension line. In this instance, each extension match pattern is identical within the context. For a match to exist, the extension dialed must be exactly four digits in length beginning with a 6 or a 7. The pattern defines a range of phone extensions from 6000 through 7999. When matched, the script begins with the step whose priority is equal to 1.
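To check which extensions a dialplan pattern such as _[67]XXX actually accepts, the following added example (not code from the book or from Asterisk) translates an Asterisk extension pattern into a regular expression and enumerates the matching four-digit extensions. The function names are hypothetical, and only the uppercase X, Z, N classes, bracket sets, and the . and ! wildcards are handled.

```python
import re

# Single-character classes in Asterisk extension patterns (uppercase forms).
CLASSES = {"X": "[0-9]", "Z": "[1-9]", "N": "[2-9]"}

def pattern_to_regex(pattern):
    """Translate an Asterisk extension pattern into an anchored regex."""
    if not pattern.startswith("_"):
        return re.compile(re.escape(pattern) + r"\Z")  # no '_': literal extension
    body, out, i = pattern[1:], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "[":                                   # explicit set, e.g. [67] or [2-5]
            end = body.index("]", i)
            out.append("[" + re.escape(body[i + 1:end]).replace(r"\-", "-") + "]")
            i = end
        elif ch in CLASSES:
            out.append(CLASSES[ch])
        elif ch == ".":                                 # one or more of anything
            out.append(".+")
        elif ch == "!":                                 # zero or more of anything
            out.append(".*")
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("".join(out) + r"\Z")

def accepted_extensions(pattern, digits=4):
    """Every fixed-length numeric extension the pattern accepts."""
    rx = pattern_to_regex(pattern)
    return [f"{n:0{digits}d}" for n in range(10 ** digits) if rx.match(f"{n:0{digits}d}")]
```

For _[67]XXX the list runs from 6000 through 7999, which is the range described above.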

Step 1 executes the Answer() application. While this seems out of place, the Asterisk documentation suggests it is good form to employ the Answer() application. Answer() is a NOP (no operation) when it's not needed. As it turns out, the Answer() application is required for the SPIT calls to execute successfully. When the destination answers, Asterisk performs a two-second wait, and then audio in the sound file identified by the channel variable, SPIT, is played. Recall that, in the call record, the SPIT variable was set equal to the name of the sound file, spam. The default location for sound files is

 /var/lib/asterisk/sounds/ 

If there happened to be multiple files named spam in the sounds folder (for example, spam.gsm, spam.wav), Asterisk selects the file whose codec poses the smallest computational burden automatically. The GSM codec is the preferred Asterisk codec. All of the sound files supplied with Asterisk are .gsm files.

Is a two-second wait sufficient? If voicemail answers, two seconds is probably insufficient for the voicemail to annunciate its greeting and obligatory beep. We'd expect the beginning of the spam audio to be lost. There are Asterisk dialplan applications (for example, WaitForSilence() and BackgroundDetect()) and strategies for using them that can be applied to attempt to discriminate between a typically short human greeting (Hello?) and the typically longer voicemail greeting, although human greetings might also be lengthy (for example, business receptionists and service/call centers). Note that you can also "work around" this by building a short delay into the audio file that you specify.

The final step in the dialplan script instructs the Asterisk IP PBX to hang up the call after the sound file is played (in other words, unless the destination disconnects earlier). The spam audio provided in the Asterisk sounds add-on distribution actually requests the callee to press keypad buttons if they're interested in a particular aspect of the message. The dialplan context could have been written to accept keypad button presses and route the call appropriately.

There are several options to the spitter tool invocation. One allows the tool to operate in a test mode that doesn't require an Asterisk installation. One permits the output of the tool (dropping call files into Asterisk's outgoing folder) to be throttled (limited). Here is the actual command-line usage:

 Usage: ./spitter call_file -l -t -v -h
 Usage Example: ./spitter SPIT_calls
 Mandatory:
   call_file - file of spit call records
 Optional:
   -l limit on max # spitter's calls in asterisk's outgoing folder.
      spitter can be throttled by this optional parm. (e.g. -l 10 means 10
      concurrent spit calls) [default = 0 = unlimited] Note: this is the limit on
      spitter's contribution, not a limit on the total # of outgoing calls!
   -t test mode (e.g. skips check that asterisk is running and presumes you
      have a tmp folder and an outgoing folder in your current directory).
   -v verbose output mode (from -v up to -vvv)
   -h help & explanation

Before each call record is processed, if the limit option was entered on the command line, Asterisk's outgoing spool folder is searched for the number of files matching the filter: spitter_call*. If the number of files found is greater than or equal to the limit option, the spitter tool stalls. It checks the number of files every ten seconds. It occasionally warns the user of the stalled condition. Please note that the design of the spitter tool does not take into account other concurrently executing instances of the tool. However, it does take into account the fact that call files produced by a prior invocation of the spitter tool may still exist in Asterisk's outgoing spool folder. When the number of call files in the outgoing folder drops below the optional limit, the spitter tool resumes dropping call files until call records in the input file are exhausted or the outgoing folder is saturated with call files once again. Use of the limit option is highly recommended.

To the spitter tool, each call record is simply a series of nonblank lines. Records are separated by a line beginning with the new line character (in other words, \n = 0x0a). The spitter tool simply creates a separate file for each record, but it does not parse the lines in a record to confirm that it is complete or makes sense.
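For an operator checking whether an Asterisk host is being used this way, the record format just described can be parsed and audited. The following is an added example, not code from the book or the spitter tool: it splits call-record text into records, reports attributes a record lacks, and groups complete records that send the same context and channel variables to many different channels. The function names and the threshold of three targets are assumptions.

```python
import re
from collections import defaultdict

REQUIRED = ("channel", "context", "extension", "priority")  # needed for a complete call
# First three records of the example call-record file shown on this page.
SAMPLE = """\
Channel: IAX2/to-10.1.101.1/6000
CallerID: Your Spouse
Context: test_call_spool_spit_outbound
Extension: 6000
SetVar: SPIT=spam
Priority: 1

Channel: IAX2/to-10.1.101.1/6500
CallerID: Your Best Friend
Context: test_call_spool_spit_outbound
Extension: 6500
SetVar: SPIT=spam
Priority: 1

Channel: IAX2/to-10.1.101.1/7000
CallerID: Your Birth Mother
Context: test_call_spool_spit_outbound
Extension: 7500
SetVar: SPIT=spam
Priority: 1
"""

def parse_call_records(text):
    """Records are runs of nonblank 'Key: value' lines separated by blank lines."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"setvar": {}}
        for line in block.splitlines():
            key, _, value = (part.strip() for part in line.partition(":"))
            if key.lower() == "setvar":          # SetVar: NAME=value
                name, _, val = value.partition("=")
                rec["setvar"][name.strip()] = val.strip()
            else:
                rec[key.lower()] = value
        records.append(rec)
    return records

def missing_fields(rec):
    return [k for k in REQUIRED if not rec.get(k)]

def bulk_groups(records, min_targets=3):
    """Complete records sharing context and variables, fanned out to many channels."""
    groups = defaultdict(set)
    for rec in records:
        if not missing_fields(rec):
            key = (rec["context"], tuple(sorted(rec["setvar"].items())))
            groups[key].add(rec["channel"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_targets}
```

Calling bulk_groups(parse_call_records(SAMPLE)) returns one group, keyed by the test_call_spool_spit_outbound context and the SPIT=spam variable, listing the three channels it targets.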

You can use the optional test mode to play with the spitter tool in the absence of an Asterisk installation or simply to test changes you might make to the program. In test mode, you must create a tmp directory and an outgoing directory within your current directory. The spitter tool creates call files in your personal /tmp directory and moves them, contingent on the optional limit, into your personal /outgoing directory. Naturally, if a limit is specified on the command line, you may need to remove call files previously dropped into your personal outgoing directory or the spitter tool may stall.

Here is the invocation of spitter using the test call file provided previously in test mode:

 [root@hacker spitter]# ./spitter test_call_file_domain1_phones -t
 spitter - Version 1.0           August 7, 2006
 File of Call Records:           test_call_file_domain1_phones
 Number of Lines in File:        27
 Number of Call Records Found:   4
 Limit of concurrent SPIT calls: UNLIMITED
 Test Mode! This is simulated SPIT!
 In test mode you must have a /tmp folder and a /outgoing folder
 present in your current directory. There is no check to confirm
 Asterisk is running. No call files are sent to Asterisk's actual
 outgoing folder. Instead, call files are temporarily created in
 your personal /tmp folder and moved from here to your personal
 /outgoing folder.
 The reported % complete relates to the number of call records in
 the input file for which call files have been produced and dropped
 into Asterisk's outgoing folder. It is not the % of SPIT calls that
 the asterisk platform has successfully dialed or completed. This
 program is done when a call file for each call record in the input
 file has been dropped into Asterisk's outgoing folder.
 100% Complete
 [root@hacker spitter]#

At this point there are four call files in your pseudo outgoing folder as a result of running the spitter tool with the test mode option. Naturally, Asterisk won't process and remove files from this folder. So, suppose the spitter tool is executed again in test mode with a limit of six spitter files that may be present in the outgoing folder:

 [root@hacker spitter]# ./spitter test_call_file_domain1_phones -t -l 6
 spitter - Version 1.0           August 7, 2006
 File of Call Records:           test_call_file_domain1_phones
 Number of Lines in File:        27
 Number of Call Records Found:   4
 Limit of concurrent SPIT calls: 6
 Test Mode! This is simulated SPIT!
 In test mode you must have a /tmp folder and a /outgoing folder
 present in your current directory. There is no check to confirm
 Asterisk is running. No call files are sent to Asterisk's actual
 outgoing folder. Instead, call files are temporarily created in
 your personal /tmp folder and moved from here to your personal
 /outgoing folder.
 The reported % complete relates to the number of call records in
 the input file for which call files have been produced and dropped
 into Asterisk's outgoing folder. It is not the % of SPIT calls that
 the asterisk platform has successfully dialed or completed. This
 program is done when a call file for each call record in the input
 file has been dropped into Asterisk's outgoing folder.
 50% Complete
 Warning: production of SPIT calls stalled for 1 minutes
 Warning: production of SPIT calls stalled for 2 minutes
 Warning: production of SPIT calls stalled for 3 minutes
 100% Complete
 [root@localhost spitter]#

The spitter tool stalls when 50 percent complete. Based on the number of call records the tool reported were found in the input file (4), this means the spitter tool was only able to process the first two call records from the input file before the number of call files in the outgoing folder reached the limit. The spitter tool then reported a stall warning every minute. After the third warning, we manually deleted two spitter call files from our personal outgoing folder and the tool quickly completed processing the remaining two call records.

Finally, here is the nontest mode, unlimited execution of spitter:

 [root@hacker spitter]# ./spitter test_call_file_domain1_phones
 spitter - Version 1.0           August 7, 2006
 File of Call Records:           test_call_file_domain1_phones
 Number of Lines in File:        27
 Number of Call Records Found:   4
 Limit of concurrent SPIT calls: UNLIMITED
 The reported % complete relates to the number of call records in
 the input file for which call files have been produced and dropped
 into Asterisk's outgoing folder. It is not the % of SPIT calls that
 the Asterisk platform has successfully dialed or completed. This
 program is done when a call file for each call record in the input
 file has been dropped into Asterisk's outgoing folder.
 100% Complete
 [root@hacker spitter]#

Attack: Other Tools to Produce SPIT

We found what is reportedly a nice free application that could be abused to produce SPIT: TeleYapper. This tool works in conjunction with trixbox (used to be called Asterisk@Home edition).

It is integrated with a SQL database where call groups can be defined and audio messages can be stored. It recognizes when a call is not answered and can reschedule the call for later attempts. It has many other nice features. At the time of this writing, you could find information about TeleYapper at the following website, but you should also be able to Google TeleYapper for the latest information: http://nerdvittles.com/index.php?p=95.



Hacking Exposed VoIP. Voice Over IP Security Secrets & Solutions
ISBN: 0072263644
EAN: 2147483647
Year: 2004
Pages: 158
