[AusNOG] VoIP Hack Attempts

Rob Wise rob at wonk.org
Tue Sep 28 01:48:04 EST 2010


Hi Skeeve,

I'm getting a ton of these on my asterisk server at home. Most commonly they
are trying extension numbers 1-9999 although occasionally they are using
dictionary based or more rarely random [a-z] character scans.  Typically a
single IP will conduct the entire number range scan which should make it
easier to set up filtering based on triggers.  Having a good password policy
on the accounts would also help.

So far this month I have logged 760493 failed SIP logins from 63 IPs.

Cheers,

Rob


On Tue, Sep 28, 2010 at 12:13 AM, Skeeve Stevens <Skeeve at eintellego.net> wrote:

>  Hey all,
>
>
>
> I’ve got a few customers who have noticed a large recent jump in SIP scans
> against their networks.
>
>
>
> Null routing helps the response but doesn’t stop the registration
> initiation – loading up servers with registrations.
>
>
>
> This is easy to stop on closed VoIP systems, but not on hosted Voice
> platforms where users come from other ISPs/networks; this seems to be very
> difficult.
>
>
>
> Does anyone have any ideas – we are fresh out at the moment, apart from
> beefing up security on the VoIP servers themselves using fail2ban or other
> things that detect rapid registrations and then firewall them.
>
>
>
> Having a normal server hacked is one thing but VoIP hacking has taken on a
> new intensity as the hackers can make a LARGE amount of money by compromising
> a VoIP system.
>
>
>
> Recently, we’ve been brought in to clean up the mess in several incidents
> where a couple of VoIP systems have been compromised in incidents totalling
> over AU$100,000.
>
>
>
> And the carriers are rarely sympathetic.
>
>
>
> If it isn’t obvious as to how/why they’re doing this – the hackers get in,
> open a SIP account so their VoIP system can register, and then they channel
> certain calls via the compromised system.  This has the effect of them
> charging the end user and making money, while not paying for the calls to be
> delivered to the destination.
>
>
>
> Advice:
>
> - Block destinations to obscure places that your customers are unlikely to
>   call, and only unblock them if they request
> - Watch billing to certain locations and if there is a massive jump, do
>   something
> - Watch your customers and if their billing jumps by a massive amount, alert
>   them as fast as you can – or you just might be liable
>
>
>
> ...Skeeve
>
>
>
> --
>
> Skeeve Stevens, CEO
>
> eintellego Pty Ltd - The Networking Specialists
>
> skeeve at eintellego.net / www.eintellego.net
>
> Phone: 1300 753 383, Fax: (+612) 8572 9954
>
> Cell +61 (0)414 753 383 / skype://skeeve
>
> www.linkedin.com/in/skeeve ; facebook.com/eintellego
>
> --
>
> eintellego - The Experts that the Experts call
>
> - Juniper - HP Networking - Cisco - Arista -
>
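
Added example, not part of the original thread: one way to build the per-IP trigger discussed above, run over constructed Asterisk `chan_sip` log lines. The log line format (IPv4 source with optional port), the `min_distinct` threshold and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# chan_sip failed-registration notice; IPv4 source, optional :port (assumed format).
FAILED = re.compile(
    r"Registration from '(?:\"[^\"]*\"\s*)?<sip:(?P<ext>[^@>]+)@[^>]*>' "
    r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+)$"
)

def find_scanners(lines, min_distinct=5):
    """Return {ip: summary} for sources that failed against many different extensions.

    Counting distinct extensions, not raw failures, keeps a phone that retries
    one account with a stale password from being treated as a scanner.
    """
    tried = defaultdict(set)
    failures = defaultdict(int)
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        tried[m["ip"]].add(m["ext"])
        failures[m["ip"]] += 1
    report = {}
    for ip, exts in tried.items():
        if len(exts) >= min_distinct:
            kind = "numeric" if all(e.isdigit() for e in exts) else "dictionary"
            report[ip] = {"failures": failures[ip], "distinct": len(exts), "kind": kind}
    return report

def sample_log():
    """Constructed log lines (documentation IP ranges), not real capture data."""
    tpl = ("[Sep 28 01:40:{s:02d}] NOTICE[2211] chan_sip.c: Registration from "
           "'\"{e}\" <sip:{e}@203.0.113.10>' failed for '{ip}' - {why}")
    log = [tpl.format(s=i, e=100 + i, ip="198.51.100.7", why="No matching peer found")
           for i in range(8)]                      # one IP walking 100..107
    log += [tpl.format(s=i, e=name, ip="192.0.2.44", why="No matching peer found")
            for i, name in enumerate(["admin", "test", "sales", "office", "fax"])]
    log += [tpl.format(s=i, e="2001", ip="192.0.2.99", why="Wrong password")
            for i in range(20)]                    # one phone, one account, stale password
    log.append("[Sep 28 01:41:00] NOTICE[2211] chan_sip.c: Peer '2002' is now Reachable")
    return log

if __name__ == "__main__":
    for ip, info in find_scanners(sample_log()).items():
        print(ip, info)
```

The flagged addresses can then be fed to whatever firewall or fail2ban-style blocking is already in place.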