[AusNOG] VoIP Hack Attempts

Dom Fitzgibbon dom.fitzgibbon at matrium.com.au
Tue Sep 28 17:28:16 EST 2010


Skeeve,

 

Whilst I can't recommend a solution to stop these VoIP Hack Attempts I
can recommend a way of understanding what may be happening.

 

Without blatantly plugging our solutions or services there are a number
of robustness testing solutions which can not only do positive testing
but negative testing as well highlighting any potential security holes
or flaws. With SIP there are many many known exploits around and by
applying them each one-by-one with an automated test environment the
robustness or problems in the VoIP system under test can be understood.
Furthermore 'fuzzing' these exploits can give tens of thousands of
possibilities for the unknown type of exploit. Additionally there are
test suites that also implement Torture Tests based on RFC4475 and
RFC5118.

 

Happy to help point you in a testing direction if need be......

 

Regards,

 

Dom Fitzgibbon

Executive Vice President - Sales & Technical Services

Network Testing | Security Solutions | Workforce Management Solutions

 

Matrium Technologies Pty Ltd

a: Unit 26 / 5 Inglewood Place | PO Box 7025 | Baulkham Hills, NSW 2153

d: +61 2 8818 3217 | p: +61 2 8818 3200 | f: +61 2 8818 3211 | m: +61
418 673 947

e: dom.fitzgibbon at matrium.com.au | w: www.matrium.com.au
<http://www.matrium.com.au/> 

 

From: ausnog-bounces at lists.ausnog.net
[mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Skeeve Stevens
Sent: Tuesday, 28 September 2010 12:14 AM
To: ausnog at ausnog.net List
Subject: [AusNOG] VoIP Hack Attempts

 

Hey all,

 

I've got a few customers who have noticed a large recent jump in SIP
scans against their networks.

 

Null routing helps the response but doesn't stop the registration
initiation - loading up servers with registrations.

 

This is easy to stop on closed VoIP systems, but not on hosted Voice
platforms where users come from other ISPs/networks, this seems to be
very difficult.

 

Does anyone have any ideas - we are fresh out at the moment, apart from
beefing up security on the VoIP servers themselves using fail2ban or
other things that detect rapid registrations and then firewall them.

 

Having a normal server hacked is one thing but VoIP hacking has taken on
a new intensity as the hackers can make a LARGE amount of money by
compromising a VoIP system.

 

Recently, we've been brought in to clean up the mess in several
incidents where a couple of VoIP systems have been compromised in
incidents totalling over AU$100,000.

 

And the carriers are rarely sympathetic.

 

If it isn't obvious as to how/why they're doing this - the hackers get
in, open a SIP account so their VoIP system can register, and then they
channel certain calls via the compromised system.  This has the effect of
them charging the end user and making money, while not paying for the
calls to be delivered to the destination.

 

Advice:

-          Block destinations to obscure places that your customers are
unlikely to call, and only unblock them if they request

-          Watch billing to certain locations and if there is a massive
jump, do something

-          Watch your customers and if their billing jumps by a massive
amount, alert them as fast as you can - or you just might be liable

 

...Skeeve

 

--

Skeeve Stevens, CEO

eintellego Pty Ltd - The Networking Specialists

skeeve at eintellego.net / www.eintellego.net

Phone: 1300 753 383, Fax: (+612) 8572 9954

Cell +61 (0)414 753 383 / skype://skeeve

www.linkedin.com/in/skeeve ; facebook.com/eintellego

--

eintellego - The Experts that the Experts call

- Juniper - HP Networking - Cisco - Arista -

 


 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20100928/f282703b/attachment.html>
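
Added example (not part of the original e-mails): a sliding-window check of the kind the thread describes as "detect rapid registrations and then firewall them", which separates a source trying many extensions from one account retrying its password. The log format, thresholds, addresses and function name are constructed for illustration and are not the output of any particular VoIP server.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption, not a real product's output):
#   <date> <time> REGISTER src=<ip> user=<extension> result=<accepted|rejected>
LINE_RE = re.compile(
    r"^(\S+ \S+) REGISTER src=(\S+) user=(\S+) result=(accepted|rejected)$")

def find_register_scanners(lines, window_s=60, max_failures=5, max_users=3):
    """Return {src_ip: reason} for sources whose rejected REGISTERs inside a
    sliding window exceed either threshold."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)          # src -> (time, user) of recent rejects
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group(4) != "rejected":
            continue                     # skip noise and successful logins
        ts, src, user, _ = m.groups()
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        q = recent[src]
        q.append((now, user))
        while now - q[0][0] > window:
            q.popleft()                  # forget rejects older than the window
        if src in flagged:
            continue
        if len({u for _, u in q}) > max_users:
            flagged[src] = "extension enumeration"   # many accounts, one source
        elif len(q) > max_failures:
            flagged[src] = "repeated failures"       # one account hammered
    return flagged

# Constructed sample input using documentation address ranges.
SAMPLE_LOG = [
    "2010-09-28 00:14:01 REGISTER src=203.0.113.7 user=100 result=rejected",
    "2010-09-28 00:14:01 REGISTER src=203.0.113.7 user=101 result=rejected",
    "2010-09-28 00:14:02 REGISTER src=203.0.113.7 user=102 result=rejected",
    "2010-09-28 00:14:02 REGISTER src=203.0.113.7 user=103 result=rejected",
    # A customer on another ISP mistyping a password, then succeeding.
    "2010-09-28 00:14:05 REGISTER src=198.51.100.20 user=2001 result=rejected",
    "2010-09-28 00:14:20 REGISTER src=198.51.100.20 user=2001 result=rejected",
    "2010-09-28 00:14:40 REGISTER src=198.51.100.20 user=2001 result=accepted",
] + [f"2010-09-28 00:15:{s:02d} REGISTER src=192.0.2.55 user=300 result=rejected"
     for s in range(0, 30, 5)]

if __name__ == "__main__":
    for ip, reason in find_register_scanners(SAMPLE_LOG).items():
        print(ip, reason)                # candidates for a firewall block
```

Counting distinct extensions per source lets the enumeration threshold stay low without banning a remote customer who mistypes one account's password a couple of times.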

