Phil Wolff

Using Skype for a POTS Denial of Service Attack

April 25, 2005 03:21 AM

Topics: Developer Zone | Security | counterpoints | software

Andrew Ferguson is a disturbed young man. Brilliant, but disturbed. Funny and innovative. But disturbed.

You know the email spam you get that says, please call this bloke in Africa to send him money to (fill in the appeal here) in the wake of (insert natural or national disaster)? Well Andrew decided to call. Using SkypeOut. Interminably. At odd hours. Tying up the con-man's phone line.

Aside from the dark pleasure of petty revenge, what's going on here?

Skype's design favors offensive tactics

First, there's an imbalance in our cost of calling. As a Westerner, he can afford 10 Euros for 10 hours of calls. If he buys more, the rate falls even further. As a percent of disposable income, this is small potatoes to Andrew.

Second, there's an asymmetry in the opportunity cost of tying up the spammer's phone line. Others aren't getting through to the spammer, so every hour the line is tied up is a sucker missed and money forgone.

Third, Skype calls can be automated. So you can program a thorough barrage of short calls scattered throughout the day. And night. This optimizes your use of your SkypeOut minutes, since there is no per-call charge, just a charge for the time. It also exploits the spammer's need to answer each time the phone rings or never talk to another sucker. So every call increases the effort needed to capture a sucker, since for each sucker there are dozens or hundreds or thousands of fake calls. With little effort (one programmer coded this in 20 minutes) you can make it pointless for a spammer to keep a given number.

Take this a step further: decentralize. Create a spam filter that looks for, say, new Nigerian phone numbers in your email spam bin. Automatically grab them, and post to a listserv, sharing targets. Then have your Skype run the attacks against multiple targets, randomly selected by you and others. This decentralizes the work and aggregates your SkypeOut minutes, buying power, and exposure (if someone tries to find out who you are) among many Skypers. Putting the Power of Many to use.

This is a hoot.

Until the number being attacked is a fire department, or a hospital, or your home. Or air traffic control, or a credit card processing center. Or your mobile phone, where you have to pay high rates for every call, even one lasting just a few seconds.

What can you do about a telephonic denial of service attack?

Other than changing your number?

Maybe we can adapt defenses against flooding attacks in other media, like email and DNS. Maybe not; much of the information used on the Internet isn't available with POTS.

Can you detect an attack building up?

How about a distributed DoS attack?

Who would you call for help?

After the fact, which laws would apply? When would Skype cooperate with law enforcement or civil litigators to provide SkypeOut logs connecting calls to SkypeOut user accounts? Would Skype provide billing data?

And could we blame it on Andrew? Or his Doctor from Nigeria?
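One way to approach the "can you detect an attack building up?" question, as an added example that is not part of the original post: a sliding-window check over the call records of a single called number, flagging the barrage-of-short-calls pattern described above and noting whether it comes from many callers. The record layout, thresholds and sample records are constructed assumptions.

```python
from collections import deque

# Assumed thresholds; tune against the line's normal traffic.
WINDOW = 3600             # seconds of history to keep
SHORT_CALL = 15           # a call this short (seconds) counts as "short"
MIN_CALLS = 20            # calls in the window before a flood is considered
MIN_SHORT_RATIO = 0.8     # share of short calls that marks a barrage
DISTRIBUTED_CALLERS = 5   # distinct caller IDs that suggest many sources


def detect_call_flood(records):
    """records: (start_seconds, caller_id_or_None, duration_seconds) for one number.
    Returns (time, kind, calls_in_window, distinct_callers) when a flood state begins."""
    window, alerts, state = deque(), [], None
    for start, caller, duration in sorted(records, key=lambda r: r[0]):
        window.append((start, caller, duration))
        while window[0][0] <= start - WINDOW:   # drop calls older than the window
            window.popleft()
        calls = len(window)
        short = sum(1 for _, _, d in window if d <= SHORT_CALL)
        # Caller ID can be withheld or spoofed, so it only labels the alert;
        # the volume and duration signal decides whether there is one.
        callers = len({c for _, c, _ in window if c is not None})
        kind = None
        if calls >= MIN_CALLS and short / calls >= MIN_SHORT_RATIO:
            kind = "distributed flood" if callers >= DISTRIBUTED_CALLERS else "flood"
        if kind != state:
            if kind is not None:
                alerts.append((start, kind, calls, callers))
            state = kind
    return alerts


def sample_records():
    """Constructed records: normal traffic, then two barrages of 5-second calls."""
    normal = [(t, "caller-%d" % i, 300) for i, t in enumerate(range(0, 18000, 3000))]
    single = [(20000 + 60 * i, "caller-X", 5) for i in range(25)]
    spread = [(40000 + 60 * i, "bot-%d" % (i % 6), 5) for i in range(30)]
    return normal + single + spread


if __name__ == "__main__":
    for alert in detect_call_flood(sample_records()):
        print(alert)
```

The check needs only call start times and durations, which a phone bill or PBX log carries even when no caller ID is presented.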




Trackback Pings

Posts linking to Using Skype for a POTS Denial of Service Attack:

» Revenge via Skype - Phone Spam Against Mail Spam from Banedon's - Cyber-Junk
The Skype Journal reports, under the title Using Skype for a POTS Denial of Service Attack, on a young man who came up with the idea of stealing the phone numbers from spam mails and calling them by script via SkypeOut...... [Read More]

Tracked on April 26, 2005 4:34 PM

» The Spam Fight Continues from Moore's Lore
A few weeks ago we were bombarded with news items claiming spam isn't all that bad, that we don't care about it anymore. Not everyone has given up the fight. In fact some have escalated it. One such is Andrew... [Read More]

Tracked on April 27, 2005 9:12 AM

» Using Skype for a POTS Denial of Service Attack from Phones
This will be a new phenomenon in the VoIP world: phone denial-of-service attacks. Presumably they could be automated.... [Read More]

Tracked on May 1, 2005 4:37 PM

» AFdN Continues to Get More Publicity from Andrew Ferguson dot NET
... [Read More]

Tracked on May 22, 2005 5:45 PM

Comments

Posted by: Steve Smith at April 25, 2005 4:29 AM

Of course, this can also be done in the SIP/RTP world with any variety of soft phones or Asterisk, combined with a low-cost residential VoIP carrier such as Broadvoice (12 US cents per minute to Nigeria, vs. 9.5 euro cent for Skype). Voice DOS is a feature of edge software telephony, not just Skype.

Posted by: razorshine at April 27, 2005 12:32 AM

Of course - just like you can spoof IP addresses, you can spoof phone numbers, so unless you confirm that the number is actually that of the con man you could be terrifying some random individual...

Posted by: Wartex at July 26, 2005 10:36 AM

...Can't the spammer just block the people who are sending him automated calls?
