I DOS'd My Cell Phone

Yesterday I accidentally conducted a denial of service attack on my iPhone, using VOIP call flooding. I failed to turn off the 'call workers' on one instance of a Scalr server farm, and then proceeded to load test it with valid POSTs to queue calls in the database. 50 call worker processes then began to pull call information from the queue - which contained 39,000 records - to make 50 calls simultaneously, to my cell phone.

It began to ring. Each time I pushed end call another was there. AT&T managed to deliver 37 simultaneous voicemails. In a couple minutes I managed to shut down the call workers and the flood ceased. Sort of. I kept getting voicemails in blocks of 90 at a time for the rest of the day. The voice was me as 'Vinnie' threatening my life. It was kinda creepy. For a while my service turned off.

Checking the logs, it seems that out of 350 or so calls that were made, about 300 got through and were able to leave messages. I find this somewhat impressive, but part of me regrets not spawning 500 call workers instead of 50 to see what the network could really handle.

I don't know if this has security implications beyond being humorous, but it is worth noting that every major VoiceXML/VOIP software provider provides developer accounts without much in the way of credentials. These accounts provide free outbound calling minutes for development purposes. It is also trivial to buy minutes in blocks from these same providers. Probably you could use this as a real DOS attack on someone's phone, or on an entire company or government agency's telephone system, if you had enough accounts distributed across providers.