Sunday, November 18, 2007

AT&T Allows Denial of Service

I've been using AT&T for 4 months. What I saw is that you must pay if you're phoning but also if you receive calls. You must pay also if you 'try' to phone, and you must pay if you decide to not answer. Well, you must pay every time !
Is it right ? Maybe Yes, if your mind thinks to "communications" or it seems wrong if your mind thinks to "services". So, what I know is that AT&T is a "communication oriented" provider instead others European networks providers are "service oriented".  But what about security ?  If I'm using a "service oriented" network provider, like EU architecture, I'll pay only if some one answers to me. So the following scenario could be assumed as safe:

A call V
network does...... TU...TU...TU...TU
V doesn't answer.
network does....... TU.TU.TU.TU 
A has spent nothing
V has spent nothing

If I'm using a "communication oriented" network provider, I take up the network so I'll spend even though no one answer to me. At the same time also who doesn't answer to me takes up the network and so he will spend money like me. In this way if an attacker wants to make a denial of service on the victim's phone, he could follow this procedure.

for(;;){
Attacker (A) calls Victim(V) (with hidden cell-id)
network does........ TU. (A stops the call)

A has spent $0.x
V has spent $0.x
}

If we assume that Attacker has more money than Victim, at the end of the day Victim is not able to phone. Both A and V will spend the same amount of money. So if Attacker really wants to make a DoS attack on one or more phones he can.
Maybe "services oriented provider" are more secure under this point of view. 

No comments: