scaredkys

VoIP Connection DoS PoC

Nov 15th, 2019
[Research & Proof of Concept]
[SmallDoink#0666]
[FuckBinary]
[ScaredKYS]
[VoIP DDoS Attack PoC]
--
VoIP AMP & NonAMP (D)DoS Attack
--
1.1.1.1 = Target IP
Abusing the many public APIs and servers for free VoIP services (easily patchable [not for VPNs])
-- START PROCESS --
(Data)
Attacker --- 1.1.1.1 ---> VoIP API/Server
VoIP API/Server --- 1.1.1.1 ---> 1.1.1.1 (Target Server)
1.1.1.1 --- NO ---> VoIP API/Server
-- END PROCESS --
Above is an example of a basic DoS using the VoIP protocol and public servers.
Below is an example of a mass attack using the VoIP protocol and many servers.
By creating a temporary (AnyCast) network in which a manager server broadcasts the same request to a list of VoIP servers, the attack becomes easier and faster to use.
-- START PROCESS --
Attacker --- BROADCAST 1.1.1.1 ---> Broadcast Server
Broadcast Server --- CONN 1.1.1.1 ---> VoIP Server(s)/API(s)
VoIP Server(s)/API(s) --- CONN ---> 1.1.1.1 [On a mass scale, handling 100x VoIP connections will kill a server]
[VPNs cannot block VoIP, or customers will have to not use the VPN]
1.1.1.1 --- NO NO NO ---> VoIP Server(s)/API(s) [Forcing a return with NO or DENY will increase bandwidth; if a malicious VoIP server is used, we can decline the deny or no requests and spam connections without any cost on our server]
-- END PROCESS --

I will NOT be posting a list of VoIP servers anywhere, as this attack method will be replicated and abused by (D)DoS-for-hire services, such as web stressers. Upon testing, I could instantly kill a Google Cloud, OVH SAS, NFO, and Hydra that all had the default firewall.
This being said, nobody has this attack method patched. If you wish to patch the attack, find me on Discord or Twitter.
Discord: SmallDoink#0666 | Twitter: FuckBinary
---
---
75% of the time, there is application data or normal data inside of a VoIP packet. If you see null VoIP packets, it's either an attack or a normal connection. The difficulty with patching this attack comes from there being no hex characters to patch, as it is legitimate connection requests being sent to the server.
[Research & Proof of Concept]
[SmallDoink#0666]
[FuckBinary]
[ScaredKYS]
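The paste's own defensive observation is that each request is a legitimate-looking connection attempt, so there is no payload signature to block; what does stand out is the pattern it describes: one destination receiving connection requests from many distinct public VoIP hosts in a short window, often with empty payloads. The following is an added example for the defending side, not code from the paste's author. It assumes a sensor in front of the protected host exports inbound VoIP connection-request records as (timestamp, source IP, destination IP, payload bytes) tuples; the sample records, the window size, the source-count threshold and the `detect_reflection_flood` / `Alert` names are all constructed for this illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed sample (not from the paste): inbound VoIP connection-request
# records as a sensor in front of the protected host might export them.
# Assumed fields: (timestamp_seconds, source_ip, destination_ip, payload_bytes).
# Addresses use RFC 5737 documentation ranges.
SAMPLE_EVENTS = (
    # Two ordinary calls to 203.0.113.20 carrying application data.
    [(0.0, "198.51.100.1", "203.0.113.20", 412),
     (3.5, "198.51.100.2", "203.0.113.20", 388)]
    # Twenty-five different public VoIP hosts all opening empty (null payload)
    # connections to 203.0.113.10 within five seconds: the reflected pattern.
    + [(i * 0.2, f"198.51.100.{50 + i}", "203.0.113.10", 0) for i in range(25)]
)


@dataclass
class Alert:
    dst: str
    at: float              # timestamp of the event that tripped the threshold
    distinct_sources: int  # VoIP hosts seen in the window at that moment
    empty_ratio: float     # share of zero-payload requests in the window


def detect_reflection_flood(events, window_s=10.0, min_sources=20):
    """Flag destinations that receive connection requests from at least
    `min_sources` distinct VoIP hosts inside a sliding window of `window_s`
    seconds. Emits one alert per destination, with the empty-payload ratio
    at the moment the threshold was crossed, so the analyst can see whether
    the flood consisted of null packets as the paste describes."""
    windows = defaultdict(deque)   # dst -> deque of (ts, src, payload)
    alerts = []
    alerted = set()
    for ts, src, dst, payload in sorted(events):
        q = windows[dst]
        q.append((ts, src, payload))
        # Drop records that have aged out of the window.
        while ts - q[0][0] > window_s:
            q.popleft()
        if dst in alerted:
            continue
        sources = {s for _, s, _ in q}
        if len(sources) >= min_sources:
            empty = sum(1 for _, _, p in q if p == 0)
            alerts.append(Alert(dst, ts, len(sources), empty / len(q)))
            alerted.add(dst)
    return alerts


if __name__ == "__main__":
    for a in detect_reflection_flood(SAMPLE_EVENTS):
        print(f"{a.dst}: {a.distinct_sources} distinct VoIP sources within "
              f"10s at t={a.at}s, {a.empty_ratio:.0%} empty payloads")
```

The thresholds are deliberately per-destination rather than per-source: the sources in this pattern are ordinary public VoIP servers each sending a modest number of requests, so per-source rate limiting sees nothing unusual, while the aggregate distinct-source count at the victim is the signal the paste itself points at ("handling 100x VoIP connections will kill a server"). In practice the window, threshold and the list of known-legitimate peers should be tuned to the host's normal call volume.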