[AusNOG] VoIP Hack Attempts

Peter Childs PChilds at internode.com.au
Tue Sep 28 10:25:01 EST 2010


We use ACME Packet SBCs at the edge, and everything else is in a private network, with some edge security devices for command/control/admin.

The ACMEs have some excellent features in terms of a 'trust' model. So a successfully registered device moves into a higher trust level, which can do more transactions per second etc. Non-registered devices have a limited set of transactions. If you 'break' your limit you get demoted, and if you fall beyond 'untrusted' you get blocked for a configurable period of time.

This prevents brute forcing of passwords etc.

We also limit voice traffic to particular known bad locations, alarm on qtys of calls to suspect locations, alarm on cost thresholds to locations etc., limit qtys of concurrent redirections per subscriber etc.

ACMEs are amazing bits of kit. The ACMEs handle a lot of the load, remove most of the crap, do registration caching (removing load on your register servers), and do beautiful things like hosted NAT traversal.

YMMV.
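The trust tiering described above, sketched as an added Python example (not ACME Packet's code or configuration): each source address sits in a tier with its own request budget per window, a successful registration promotes it one tier, exceeding the budget demotes it, and falling below 'untrusted' blocks it for a configurable period. The tier names, budgets, window and the sample addresses are constructed assumptions.

```python
from collections import defaultdict

# Tiers ordered low -> high: (name, max requests per WINDOW seconds).
# Budgets here are constructed sample values, not ACME defaults.
TIERS = [("blocked", 0), ("untrusted", 5), ("medium", 20), ("trusted", 100)]
WINDOW = 1.0            # seconds
BLOCK_SECONDS = 300.0   # configurable block period after falling below untrusted


class TrustGate:
    """Per-source trust tiering in front of a SIP registrar."""

    def __init__(self):
        self.tier = defaultdict(lambda: 1)   # new sources start 'untrusted'
        self.count = defaultdict(int)        # requests seen in current window
        self.window_start = {}
        self.blocked_until = {}

    def admit(self, src, now):
        """Return True if a request from src may be passed to the registrar."""
        if now < self.blocked_until.get(src, 0.0):
            return False                      # still serving a block
        if self.tier[src] == 0:               # block expired: back to untrusted
            self.tier[src] = 1
        if now - self.window_start.get(src, -WINDOW) >= WINDOW:
            self.window_start[src] = now      # start a fresh counting window
            self.count[src] = 0
        self.count[src] += 1
        if self.count[src] > TIERS[self.tier[src]][1]:
            self.tier[src] -= 1               # over budget: demote one tier
            self.count[src] = 0
            self.window_start[src] = now
            if self.tier[src] == 0:           # fell below untrusted: block
                self.blocked_until[src] = now + BLOCK_SECONDS
            return False
        return True

    def registered(self, src):
        """Authenticated REGISTER succeeded: promote the source one tier."""
        self.tier[src] = min(self.tier[src] + 1, len(TIERS) - 1)

    def tier_name(self, src):
        return TIERS[self.tier[src]][0]


if __name__ == "__main__":
    gate = TrustGate()
    scanner = "203.0.113.9"                   # constructed sample source
    verdicts = [gate.admit(scanner, 0.1 * i) for i in range(6)]
    print(scanner, verdicts, gate.tier_name(scanner))
```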


On 27/09/2010, at 11:43 PM, Skeeve Stevens wrote:

Hey all,

I’ve got a few customers who have noticed a large recent jump in SIP scans against their networks.

Null routing helps the response but doesn’t stop the registration initiation – loading up servers with registrations.

This is easy to stop on closed VoIP systems, but on hosted voice platforms, where users come from other ISPs/networks, it seems to be very difficult.

Does anyone have any ideas – we are fresh out at the moment, apart from beefing up security on the VoIP servers themselves using fail2ban or other things that detect rapid registrations and then firewall them.

Having a normal server hacked is one thing but VoIP hacking has taken on a new intensity as the hackers can make a LARGE amount of money by compromising a VoIP system.

Recently, we’ve been brought in to clean up the mess in several incidents where a couple of VoIP systems have been compromised in incidents totalling over AU$100,000.

And the carriers are rarely sympathetic.

If it isn’t obvious as to how/why they’re doing this – the hackers get in, open a SIP account so their VoIP system can register, and then they channel certain calls via the compromised system. This has the effect of them charging the end user and making money, while not paying for the calls to be delivered to the destination.

Advice:
- Block destinations to obscure places that your customers are unlikely to call, and only unblock them if they request
- Watch billing to certain locations and if there is a massive jump, do something
- Watch your customers and if their billing jumps by a massive amount, alert them as fast as you can – or you just might be liable

...Skeeve

--
Skeeve Stevens, CEO
eintellego Pty Ltd - The Networking Specialists
skeeve at eintellego.net / www.eintellego.net
Phone: 1300 753 383, Fax: (+612) 8572 9954
Cell +61 (0)414 753 383 / skype://skeeve
www.linkedin.com/in/skeeve ; facebook.com/eintellego
--
eintellego - The Experts that the Experts call
- Juniper - HP Networking - Cisco - Arista -
