Denial of Service attacks are nothing new to people in the IT and computer security world. DoS attacks are a very simplistic form of attack which aim to flood the target (whether it be a computer, mobile device, or phone line) with traffic so that it cannot process legitimate traffic. While being simple simple to perform, DoS attacks are often difficult to defend against without significant downtime.
Today I’m going to show you how to perform a DoS attack on a phone line. This process is simple, quick to perform, and very illegal. Before we get started, I’d just like to remind you that this article is for educational purposes only! All the code I’m putting into this article is python, and should work on any system with python 2.4+.
Now, in order to follow along you will need 3 main things:
- An Asterisk PBX system (our favorite open source PBX) set up and running,
- A lot of phone lines. We’ll need a lot of phone lines because we’ll need to place a lot of simultaneous calls. If you don’t have hard lines, get a VoIP line (I prefer this method) as they are really cheap and quick to setup.
- The last thing you’ll need is my pycall python library. This is a library I wrote which allows us to create Asterisk call files quickly and easily in python.
For those of you unfamiliar with Asterisk, I’d highly recommend reading the PDF book Asterisk: The Future of Telephony, which is a great guide to getting started with Asterisk.
The pycall python library mentioned above is a project I created a month or so ago which makes placing calls through Asterisk a simple task for python developers. Call files are specially formatted text files which Asterisk processes and performs actions on. pycall simplifies and abstracts a great deal of the call file creation process as call files have many small quirks which make them difficult to work with. Using pycall greatly reduces the amount of code we’ll need to write and ensures that all call files are created in a secure, efficient manner. For this article, we’ll be using my pycall library as a medium for quickly making calls through Asterisk without digging into the details. If you want to know more about pycall check out the Why pycall? document on the project’s wiki page.
The good news is that pycall installs simply (it’s a portable python module) and will work out of the box with no modifications to your system what-so-ever (as long as you are running some form of linux).
To make things even easier, I’ve created a small shell script which you can run that will download and install pycall, then delete itself:
You can download the script above and run it to install the library on any linux system quickly.
Next, we’ll write a simple application which will call your cell phone in order to make sure everything is working. Here is the source.
NOTE: You will need to modify this code and fill in the appropriate details for your system. The user field (which seems a little ambiguous) refers to the user account that Asterisk is running under. If you want to create the call file as whatever user you are currently logged in as, you can remove that field all together.
If you can’t get that working, you may be messing something up, so feel free to comment on this post and I’d be happy to help out (or send me an email, whatever works). If you did get this working, then you’re good to go and it is time to move on to bigger, and better things.
A quick note to non-telephony people. The above code generates a text file (call file) which is then moved to the Asterisk spooling directory: /var/spool/asterisk/outgoing. Asterisk aggressively monitors the spooling directory for call files (like the ones we are creating), parses them, and performs the actions specified by the call file. In this case, we are telling Asterisk call our cell phone, and once we pick up, play a sound file that says “hello world” and then hang up. In case you are wondering, Asterisk contains the “hello world” sound file by default, which is why we don’t need anything else to make this work.
Now that we have our tools ready to go, let’s discuss our strategy for disabling the target phone line.
The goal of the attack is to prevent the target phone number from placing and receiving calls. As you can probably imagine, this is completely devastating to businesses and other communication-dependent organizations, as it completely breaks down communications. Many companies in particular rely on telephone service (think pizza places and call centers) for their primary revenue stream. Imagine the effect a 24-hour DoS attack can have on a business who relies on phone service… It can be very impacting.
Our strategy is simple, to call the target phone number more times than they have phone lines.
You might be thinking: This is really easy, all I have to do is pick up my phone, and keep dialing the target number over and over again to keep their phone line tied up. In reality, this does sometimes work. A great example is the 2002 New Hampshire Senate election phone jamming scandal. You can read the article here. Basically, “the NHGOP hired GOP Marketplace, based in Northern Virginia, to jam another phone bank being used by the state Democratic Party and the firefighters’ union for efforts to turn out voters on behalf of then-governor Jeanne Shaheen on Election Day.” And just in case you are wondering, yes, he went to jail 🙂
In reality, most businesses and other places have more than a single phone line that is connected to their phone number. PRIs, T1s, and VoIP are all common now, which means that in order to completely prevent one of those phone lines from placing calls, you will need to be generating an upwards of 23 simultaneous calls to completely disable the target.
If you know anything about your target phone line, then you probably know how many calls you will need to place at any given time to keep them busy. But don’t worry if you don’t know anything about your target! This will be covered later in this article.
Your First DoS
The program below contains the source of a simple flooding application. You will still have to make your original adjustments like you did to the hello-world.py application earlier, but that’s all, I promise!
This small programs (only a few lines!) is able to completely paralyze a target number (considering you have enough lines). It is fairly flexible, and allows you to specify the amount of calls-per-minute that you’d like to place. This works just like described: If you tell it to run with 60 calls per minute, then you’ll immediately place 60 calls. These calls will ring to the target number, and once they pick up the phone, will immediately hang up.
To run this program see the usage:
./simple-flood.py [number] [calls-per-minute] ./simple-flood.py 18002223333 5
The first parameter is the number you want to flood, and the second is the amount of calls per minute that you’d like to place to that number.
Here’s what it should look like running if everything goes smoothly:
[root@blackbox randall]# ./simple-flood.py 18182223333 5 Starting call flood on target: 18182179229. Placing 5 calls per minute. Placing call 1... Placing call 2... Placing call 3... Placing call 4... Placing call 5... Placing call 6... Placing call 7... Placing call 8... Placing call 9... Placing call 10...
A More Advanced DoS Technique
To make it harder for the victim to defend against our simple DoS attack, let’s add caller ID spoofing to the calls as well (will only work if your provider allows it) so that the target can’t blacklist a single number because you are calling them from random numbers!
Not only is doing this simple, it is also highly effective. Imagine being a business owner, and instantly getting 100 calls from 100 different numbers. You’d be confused, unable to do anything except unplug your phone lines (which doesn’t accomplish anything), and unable to receive business.
So here is our program with caller ID spoofing included. It is still used the same way, except MUCH harder to defend against.
Here’s an example of what this program should look like running. Note that it generates a different caller ID for each call >:)
[root@blackbox randall]# ./advanced-flood.py 18182223333 7 Starting call flood on target: 18182223333. Placing 7 calls per minute. Placing call 1 using caller ID 7110992417... Placing call 2 using caller ID 3689407130... Placing call 3 using caller ID 4139439982... Placing call 4 using caller ID 9795095964... Placing call 5 using caller ID 5278670787... Placing call 6 using caller ID 6684773360... Placing call 7 using caller ID 2716775282...
The first tip is for those of you who don’t know how many calls you have to place to disable your target. USE VOIP!
VoIP providers are great for DoS attacks because they:
- Can be purchased online using a fake name / credit card.
- Are cheap (much less expensive than analog lines) and don’t require additional hardware.
- Can place a ton of calls quickly. With hard lines you are limited to very few channels. With most VoIP lines, you are only limited by your bandwidth.
Of the 3 reasons above, reason 3 is particularly important. VoIP calls use either the IAX or SIP protocols to initiate calls. When VoIP calls are made, SIP packets are sent back and fourth from your server to your VoIP provider, who then relays the call to the target. What is special about this is that it uses almost no bandwidth. The only thing being transmitted are IAX or SIP packets (which are small). The actual bulk of bandwidth usage typically associated with VoIP calls comes into play once a call has been answered. Once a call is answered, an RTP stream is opened which then sends large voice packets across your connection, thereby increasing your bandwidth usage immensely.
Why does this matter?
It matters because it gives you a killer advantage that your target does not have. It gives you an easier way to scale your attack. Let’s say a target phone number has 5 lines. Let’s also assume that you are running this DoS from a home computer with an extremely limited internet connection that restricts you to 10KB/s up. That typically wouldn’t be enough for a single VoIP call, so you would never be able to make 5 calls and flood your target. WRONG. Since you call the target and immediately hang up, there are no RTP packets! This means that you can place as many simultaneous calls as you can send SIP invites (a LOT).
With the information and source code provided, you should be able to easily DoS yourself or stress test other phone numbers in no time.
I’ve started development on what will soon be a fully completed Asterisk DoS client with lots of juicy command line options, statistics, and other cool items. If you’re interested in following my progress, feel free to check out the project page for it here: asteriskDoS.
Leave a comment and I’ll get back to you. Or send me an email.