[AusNOG] VoIP Hack Attempts

craig at askings.com.au craig at askings.com.au
Tue Sep 28 09:18:12 EST 2010


> On 28/09/10 12:13 AM, "Skeeve Stevens" <Skeeve at eintellego.net> wrote:
>
>>I've got a few customers who have noticed a large recent jump in SIP
>>scans against their networks.
>>
>>Null routing helps the response but doesn't stop the registration
>>initiation - loading up servers with registrations.

It does if you do the following to your upstream transit ports, if you are
running Cisco. I don't think the Juniper equivalent command can be made
quite so specific.

ip verify unicast source reachable-via any allow-default allow-self-ping

> I've seen a lot of it recently as well. A few weeks ago I was seeing ~10k
> registration attempts per second directed towards a single server which
> had to be stopped using an ACL - like you said, null routing doesn't help.
>
> I also know of two parties running CCME who have had their systems
> 'hijacked' in recent times all because the person who set it up didn't put
> in the appropriate dial peer to block unauthenticated calls.
>

Where I work we have some measures in place to catch abnormal traffic from
our clients.

We had one incident where a client's pbx (not managed by us) was hacked
and it started making calls to random overseas destinations (globstar sat
phones etc). Our systems picked it up within twenty minutes and shut them
down while we attempted to get in contact with them.

Despite all that, and us offering to have them cover only our wholesale
out-of-pocket costs, they took us to the TIO complaining that we cut off
their access and they lost revenue etc...

I would hate to think the physical size of the itemized bill at the end of
the month if they were on a Telstra/Optus/Primus/etc ISDN 30.

Craig.
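
Added example, not part of the original post: a simplified Python model of why a null route on its own only drops the replies, while the same null route combined with loose uRPF ("reachable-via any") on the transit port also drops the inbound REGISTERs. The FIB entries and addresses are constructed from documentation ranges, the function names are hypothetical, and allow-self-ping is not modelled.

```python
import ipaddress

# Constructed FIB for illustration: (prefix, next hop). "Null0" marks a null route.
FIB = [
    ("0.0.0.0/0", "transit"),        # default route via the upstream
    ("192.0.2.0/24", "customer"),    # SIP servers (documentation range)
    ("203.0.113.45/32", "Null0"),    # scanning source, null routed
]

def lookup(fib, addr):
    """Longest-prefix match; returns (network, next_hop) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, next_hop in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best

def forward_without_urpf(fib, src, dst):
    """Destination-only forwarding: the source address is never examined."""
    hit = lookup(fib, dst)
    return hit is not None and hit[1] != "Null0"

def forward_with_loose_urpf(fib, src, dst, allow_default=True):
    """Loose uRPF check on ingress, then normal destination forwarding."""
    hit = lookup(fib, src)
    if hit is None or hit[1] == "Null0":
        return False                 # no route back, or source is null routed
    if hit[0].prefixlen == 0 and not allow_default:
        return False                 # default route alone does not satisfy the check
    return forward_without_urpf(fib, src, dst)

if __name__ == "__main__":
    scanner, server, other = "203.0.113.45", "192.0.2.10", "198.51.100.7"
    print("REGISTER in, null route only:", forward_without_urpf(FIB, scanner, server))
    print("reply out, null route only:  ", forward_without_urpf(FIB, server, scanner))
    print("REGISTER in, loose uRPF:     ", forward_with_loose_urpf(FIB, scanner, server))
    print("other source, allow-default: ", forward_with_loose_urpf(FIB, other, server))
```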



