<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#002060;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.Section1
{page:Section1;}
/* List Definitions */
@list l0
{mso-list-id:2125267376;
mso-list-type:hybrid;
mso-list-template-ids:322179846 -204548590 201916419 201916421 201916417 201916419 201916421 201916417 201916419 201916421;}
@list l0:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-font-family:Calibri;
mso-bidi-font-family:"Times New Roman";}
@list l0:level2
{mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level3
{mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level4
{mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level5
{mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level6
{mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level7
{mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level8
{mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level9
{mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
-->
</style>
</head>
<body lang=EN-AU link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='color:#1F497D'>Skeeve,<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>Whilst I can’t recommend a
solution to stop these VoIP Hack Attempts I can recommend a way of understanding
what may be happening.<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>Without blatantly plugging our solutions
or services, there are a number of robustness testing solutions which can not
only do positive testing but negative testing as well, highlighting any
potential security holes or flaws. With SIP there are many, many known exploits
around, and by applying them one by one with an automated test environment, the
robustness or problems in the VoIP system under test can be understood.
Furthermore, ‘fuzzing’ these exploits can give tens of thousands of
possibilities for the unknown type of exploit. Additionally, there are </span><span
style='color:#1F497D'>test suites that also implement Torture Tests based on
RFC4475 and RFC5118.<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>Happy to help point you in a testing
direction if need be……<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>Regards,</span><span
style='color:#1F497D'><o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<div>
<p class=MsoNormal><b><span lang=EN-US style='font-size:8.0pt;font-family:"Verdana","sans-serif";
color:#333399'>Dom Fitzgibbon<o:p></o:p></span></b></p>
<p class=MsoNormal><b><span lang=EN-US style='font-size:8.0pt;font-family:"Verdana","sans-serif";
color:#333399'>Executive Vice President – Sales & Technical Services<o:p></o:p></span></b></p>
<p class=MsoNormal><span lang=EN-US style='font-size:7.5pt;font-family:"Verdana","sans-serif";
color:#333399;background:white'>Network Testing | Security Solutions |
Workforce Management Solutions<o:p></o:p></span></p>
<p class=MsoNormal><b><span lang=EN-US style='font-size:7.5pt;font-family:"Verdana","sans-serif";
color:#333399'><o:p> </o:p></span></b></p>
<p class=MsoNormal><b><span lang=EN-US style='font-size:7.5pt;font-family:"Verdana","sans-serif";
color:gray'>Matrium Technologies Pty Ltd<o:p></o:p></span></b></p>
<p class=MsoNormal><span lang=EN-US style='font-size:7.5pt;font-family:"Verdana","sans-serif";
color:gray'>a: Unit 26 / 5 Inglewood Place | PO Box 7025 | Baulkham Hills, NSW
2153<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:7.5pt;font-family:"Verdana","sans-serif";
color:gray'>d: +61 2 8818 3217 | p: +61 2 8818 3200 | f: +61 2 8818 3211 | m:
+61 418 673 947<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:7.5pt;font-family:"Verdana","sans-serif";
color:gray'>e: <a href="mailto:dom.fitzgibbon@matrium.com.au">dom.fitzgibbon@matrium.com.au</a>
| w: <a href="http://www.matrium.com.au/">www.matrium.com.au</a><o:p></o:p></span></p>
</div>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'>
<p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:
"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;
font-family:"Tahoma","sans-serif"'> ausnog-bounces@lists.ausnog.net
[mailto:ausnog-bounces@lists.ausnog.net] <b>On Behalf Of </b>Skeeve Stevens<br>
<b>Sent:</b> Tuesday, 28 September 2010 12:14 AM<br>
<b>To:</b> ausnog@ausnog.net List<br>
<b>Subject:</b> [AusNOG] VoIP Hack Attempts<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><span style='color:#002060'>Hey all,<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#002060'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#002060'>I’ve got a few customers
who have noticed a large recent jump in SIP scans against their networks.<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#002060'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#002060'>Null routing helps the response
but doesn’t stop the registration initiation – loading up servers
with registrations.<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#002060'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#002060'>This is easy to stop on closed
VoIP systems, but not on hosted Voice platforms where users come from other
ISPs/networks; this seems to be very difficult.<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#002060'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#002060'>Does anyone have any ideas
– we are fresh out at the moment, apart from beefing up security on the
VoIP servers themselves using fail2ban or other things that detect rapid registrations
and then firewall them.<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#002060'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#002060'>Having a normal server hacked is
one thing but VoIP hacking has taken on a new intensity as the hackers can make
a LARGE amount of money by compromising a VoIP system.<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#002060'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#002060'>Recently, we’ve been
brought in to clean up the mess in several incidents where a couple of VoIP
systems have been compromised in incidents totalling over AU$100,000.<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#002060'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#002060'>And the carriers are rarely
sympathetic.<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#002060'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#002060'>If it isn’t obvious as to
how/why they’re doing this – the hackers get in, open a SIP account
so their VoIP system can register, and then they channel certain calls via the
compromised system.  This has the effect of them charging the end user and
making money, while not paying for the calls to be delivered to the
destination.<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#002060'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#002060'>Advice:<o:p></o:p></span></p>
<p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo2'><![if !supportLists]><span
style='color:#002060'><span style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'>
</span></span></span><![endif]><span style='color:#002060'>Block destinations
to obscure places that your customers are unlikely to call, and only unblock
them if they request<o:p></o:p></span></p>
<p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo2'><![if !supportLists]><span
style='color:#002060'><span style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'>
</span></span></span><![endif]><span style='color:#002060'>Watch billing to
certain locations and if there is a massive jump, do something<o:p></o:p></span></p>
<p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo2'><![if !supportLists]><span
style='color:#002060'><span style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'>
</span></span></span><![endif]><span style='color:#002060'>Watch your customers
and if their billing jumps by a massive amount, alert them as fast as you can
– or you just might be liable<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt;color:#002060'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>...Skeeve<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt;color:#002060'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;color:#002060'>--<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;color:#002060'>Skeeve Stevens,
CEO<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;color:#002060'>eintellego Pty
Ltd - The Networking Specialists<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;color:#002060'>skeeve@eintellego.net
/ www.eintellego.net<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;color:#002060'>Phone: 1300 753
383, Fax: (+612) 8572 9954<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;color:#002060'>Cell +61 (0)414
753 383 / skype://skeeve<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;color:#002060'>www.linkedin.com/in/skeeve
; facebook.com/eintellego<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;color:#002060'>--<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;color:#002060'>eintellego -
The Experts that the Experts call<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;color:#002060'>- Juniper - HP
Networking - Cisco - Arista -<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#002060'><o:p> </o:p></span></p>
<p class=MsoNormal><o:p> </o:p></p>
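<p class=MsoNormal>The three advice items in the original post (block unlikely destinations until requested, watch billing per location, watch billing per customer), sketched as a check over call detail records. This is an added example, not part of either message or of any product named in the thread; the CDR tuple layout, the prefixes, the thresholds and all function names are assumptions made for illustration.</p>

```python
from collections import defaultdict

# Constructed placeholder prefixes standing in for rarely called destinations.
BLOCKED_PREFIXES = ("+9990", "+9991")

# Constructed CDRs: (customer, day, dialled number, cost in AUD).
CDRS = [
    ("acme", 1, "+61290000001", 4.0),
    ("acme", 2, "+61290000002", 6.0),
    ("acme", 3, "+61290000003", 5.0),
    ("acme", 4, "+99901234567", 180.0),
    ("acme", 4, "+99907654321", 240.0),
    ("bolt", 1, "+61390000001", 10.0),
    ("bolt", 2, "+61390000002", 12.0),
    ("bolt", 3, "+61390000003", 11.0),
    ("bolt", 4, "+61390000004", 13.0),
    ("bolt", 4, "+99911112222", 2.0),
]

def by_customer(cdr):
    return cdr[0]

def by_destination(cdr):
    # Crude destination bucket: first three characters of the number (assumption).
    return cdr[2][:3]

def blocked_calls(cdrs, unblocked=frozenset()):
    """CDRs to a blocked prefix that the customer has not asked to unblock."""
    hits = []
    for cdr in cdrs:
        customer, _day, number, _cost = cdr
        for prefix in BLOCKED_PREFIXES:
            if number.startswith(prefix) and (customer, prefix) not in unblocked:
                hits.append(cdr)
    return hits

def spend_alerts(cdrs, today, key, factor=5.0, floor=20.0):
    """Groups whose spend today exceeds factor x their mean daily spend.

    The floor suppresses alerts on tiny amounts; a group with no history has
    a baseline of 0, so any spend above the floor is flagged.
    """
    daily = defaultdict(lambda: defaultdict(float))
    for cdr in cdrs:
        daily[key(cdr)][cdr[1]] += cdr[3]
    alerts = {}
    for group, days in daily.items():
        history = [cost for day, cost in days.items() if day != today]
        baseline = sum(history) / len(history) if history else 0.0
        spent = days.get(today, 0.0)
        if spent > max(floor, factor * baseline):
            alerts[group] = (spent, baseline)
    return alerts
```

<p class=MsoNormal>Run per billing interval with <code>key=by_customer</code> to decide whom to alert and with <code>key=by_destination</code> to spot a location that has suddenly become expensive.</p>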
</div>
</body>
</html>