« Blue Box "Podcasts by Phone" is back up with a new phone number | Main | Blue Box #50: Grand Central anti-SPIT initiative, Cisco and Ironport, Skype and business, VoIP security news and more »

January 29, 2007


Hi Dan and Jonathan,

First of all thanks a lot for the great podcast, I learned a lot around VoIP security since I started listening to your shows whilst commuting into London.

I would like to comment on what you said concerning SPIT and the fact that PSTN lines are SPIT-safe.
If you consider the fact that lots of SIP operators offer free calls to most countries on landlines without even any need to pay a one-off fee(like internetcalls which by the way can be used as a SIP trunk as the details of their SIP proxy is made available) and if you also consider all the SIP call generators on the market allowing to generate thousands of calls through SIP trunks to lists of consecutive numbers you realise that it does not take much to bring a PSTN concentrator down !
The need to pay is not even a problem as you can generate calls with a duration shorter than a second and repeat it forever......for free.....to thousands of number simultaneously....

I have not heard of such attacks but I have myself tried the concept in my company (late in the evening ;) and been amazed to see how easy it was to make 40 telephones ring at the same time !

I don't want to give any bad ideas to anyone but I would be surprised if there had not been problems already (especially when you see cracks for easy to use commercial call generators on all the cracks websites....).

The question is how to solve that?? I suppose PSTN operators can't do anything as these calls come into their network from the media gateways of these SIP trunks operators. I am not sure if there are policies in place allowing SIP operators to track fraudulous use of SIP trunks like limitation of concurrent sessions or call attempts per seconds or any SPIT pattern but I am sure there are things to do in that field.

Thanks again for the great work podcast.

The comments to this entry are closed.

The Obligatory Photo

Contact Information

Full Disclosure

  • Dan York, CISSP, is the Chair of the VOIP Security Alliance (VOIPSA) and Senior Content Strategist for the Internet Society.

    Jonathan Zar is affiliated with Pingalo and is the Secretary of VOIPSA and member of the Board of Directors.

    This is a personal project and neither the Internet Society, Pingalo nor VOIPSA have any formal connection to this podcast. In the interest of transparency we just thought you should know our affiliations.

Why "Blue Box"?

  • We chose the name "Blue Box" primarily as a nod to the era of phone phreaking in part to illustrate that threats to telephony are not new - they just continue to change and evolve. That and admittedly the name just sounded cool.

Promote Blue Box!

  • Add this graphic to your site!