or "Spam over Internet Telephony" a few times
in the past. Well, now I have a story to share that Dan York shared with me
about SPIT leveraging DDoS (Distributed Denial of Service) attacks to bring down a competitor.
The story begins...
ZZZ Telemarketing (not a real name) is locked in a heated fight with their bitter rival, YYY Telemarketing (also not a real name), to win a very large lead generation contract with Customer X. Customer X has decided to run a test pitting the two companies against each other for a week to see who can generate the most leads. The ZZZ CEO has said to his staff that it is “do or die” for the company. If they fail to win the contract, they will have to shut down - they need to do “whatever it takes” to win over YYY. A ZZZ staffer discovers that part of why YYY has consistently underbid them is because they are using SIP trunks to reduce their PSTN connection costs.
But the staffer also discovers that YYY is using very cheap voice service providers who run over the public Internet with no security. continued...
Let me give you the Cliff Notes on the rest of the story.
- Bots on tens of thousands of zombie PCs are instructed to start slamming the SIP servers at YYY and its providers with enormous numbers of bogus SIP messages
- This "VoIP botnet" attacks and paralyzes YYY’s SIP server preventing calls from going though.
- Company ZZZ wins the contract since Company YYY was unable to make calls.
Fact or fiction?
According to Dan York, an expert on VoIP security, it's FACT
. I didn't include the full story
that appears on Dan's website, since I didn't want to steal his thunder, but go read it
. It's an excellent and thought-provoking read.
Just as scary, Dan told me, "The sample code actually works well... I ran it on a Windows PC connected out to an IRC chat room and then issued commands."
Welcome to the era of "SPIT and Spam DDoS" to bring down your competitors!