<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style>
<!--
@font-face
{font-family:Wingdings}
@font-face
{font-family:Wingdings}
@font-face
{font-family:Calibri}
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif"}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif"}
span.EmailStyle17
{font-family:"Calibri","sans-serif";
color:#002060}
@page WordSection1
{margin:72.0pt 72.0pt 72.0pt 72.0pt}
ol
{margin-bottom:0cm}
ul
{margin-bottom:0cm}
-->
</style><style type="text/css" id="owaParaStyle"></style>
</head>
<body lang="EN-AU" link="blue" vlink="purple" fpstyle="1" ocsi="0">
<div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 13px;">
<div style=""><br>
</div>
<div style="">As far as blocking destinations goes - the attackers seem to have cottoned on to this as of late - the last two attacks we've seen that got as far as pushing calls through were pushing them to France and the UK.</div>
<div style=""><br>
</div>
<div style="">We've found that all the successful attacks we've had to deal with have fallen into one of two categories</div>
<div style=""><br>
</div>
<div style="">1. Client-set stupid passwords (password blank or same as extension number)</div>
<div style="">or</div>
<div style="">2. Calls coming from a legitimate source such as a wholesale client who has had their VOIP system compromised.</div>
<div style=""><br>
</div>
<div style="">1 is fairly straightforward to deal with - our web interface now enforces strong passwords. 2 is a bit harder but is best dealt with by monitoring at the billing level - setting say a minimum-spend-per-hour for a client, and create alerts or
block international calls completely if it goes above an appropriate level for a certain client.</div>
<div style=""><br>
</div>
<div style="">We've also found that blocking all non-Australian IP's virtually eliminates 1.</div>
<div style=""><br>
</div>
<div>
<div class="BodyFragment"><font size="2">
<div class="PlainText">Regards,<br>
Richard Stephens<br>
<br>
Neural Networks<br>
The way information moves.<br>
ACN 124 535 075<br>
<br>
Phone: (07) 3123 - 5311<br>
Fax: (07) 3319 - 6095<br>
Mobile: 0410 - 111 - 570<br>
E-Mail: richard.stephens@neural.com.au</div>
</font></div>
</div>
<div style="font-family: Times New Roman; color: #000000; font-size: 16px">
<hr tabindex="-1">
<div id="divRpF590081" style="direction: ltr; "><font face="Tahoma" size="2" color="#000000"><b>From:</b> ausnog-bounces@lists.ausnog.net [ausnog-bounces@lists.ausnog.net] on behalf of Skeeve Stevens [Skeeve@eintellego.net]<br>
<b>Sent:</b> Tuesday, 28 September 2010 12:13 AM<br>
<b>To:</b> ausnog@ausnog.net List<br>
<b>Subject:</b> [AusNOG] VoIP Hack Attempts<br>
</font><br>
</div>
<div></div>
<div>
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#002060">Hey all,</span></p>
<p class="MsoNormal"><span style="color:#002060"> </span></p>
<p class="MsoNormal"><span style="color:#002060">I’ve got a few customers who have noticed a large recent jump in SIP scans against their networks.</span></p>
<p class="MsoNormal"><span style="color:#002060"> </span></p>
<p class="MsoNormal"><span style="color:#002060">Null routing helps the response but doesn’t stop the registration initiation – loading up servers with registrations.</span></p>
<p class="MsoNormal"><span style="color:#002060"> </span></p>
<p class="MsoNormal"><span style="color:#002060">This is easy to stop on closed VoIP systems, but not on hosted Voice platforms which users come from other ISP’s/networks, this seems to be very difficult.</span></p>
<p class="MsoNormal"><span style="color:#002060"> </span></p>
<p class="MsoNormal"><span style="color:#002060">Does anyone have any ideas – we are fresh out at the moment, apart from beefing up security on the VoIP servers themselves using fail2ban or other things that detect rapid registrations and then firewalls them.</span></p>
<p class="MsoNormal"><span style="color:#002060"> </span></p>
<p class="MsoNormal"><span style="color:#002060">Having a normal server hacked is one thing but VoIP hacking has taken on a new intensity as the hackers can make a LARGE amount of money by comprising a VoIP system.</span></p>
<p class="MsoNormal"><span style="color:#002060"> </span></p>
<p class="MsoNormal"><span style="color:#002060">Recently, we’ve been brought in to clean up the mess in several incidents where a couple of VoIP systems have been compromised in incidents totalling over AU$100,000.</span></p>
<p class="MsoNormal"><span style="color:#002060"> </span></p>
<p class="MsoNormal"><span style="color:#002060">And the carriers are rarely sympathetic.</span></p>
<p class="MsoNormal"><span style="color:#002060"> </span></p>
<p class="MsoNormal"><span style="color:#002060">If it isn’t obvious as to how/why they’re doing this – the hackers get in, open a SIP account so their VoIP system can register, and then they channel certain calls via the comprised system. This has the effect
of them charging the end user and making money, while not paying for the calls to be delivered to the destination.</span></p>
<p class="MsoNormal"><span style="color:#002060"> </span></p>
<p class="MsoNormal"><span style="color:#002060">Advice:</span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt"><span style="color:#002060"><span style="">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><span style="color:#002060">Block destinations to obscure places that your customers are unlikely to call, and only unblock them if they request</span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt"><span style="color:#002060"><span style="">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><span style="color:#002060">Watch billing to certain locations and if there is a massive jump, do something</span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt"><span style="color:#002060"><span style="">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><span style="color:#002060">Watch your customers and if their billing jumps by a massive amount, alert them as fast as you can – or you just might be liable</span></p>
<p class="MsoNormal"><span style="font-size:12.0pt; color:#002060"> </span></p>
<p class="MsoNormal"><span style="color:#1F497D">...Skeeve</span></p>
<p class="MsoNormal"><span style="font-size:12.0pt; color:#002060"> </span></p>
<p class="MsoNormal"><span style="font-size:10.0pt; color:#002060">--</span></p>
<p class="MsoNormal"><span style="font-size:10.0pt; color:#002060">Skeeve Stevens, CEO</span></p>
<p class="MsoNormal"><span style="font-size:10.0pt; color:#002060">eintellego Pty Ltd - The Networking Specialists</span></p>
<p class="MsoNormal"><span style="font-size:10.0pt; color:#002060">skeeve@eintellego.net / www.eintellego.net</span></p>
<p class="MsoNormal"><span style="font-size:10.0pt; color:#002060">Phone: 1300 753 383, Fax: (+612) 8572 9954</span></p>
<p class="MsoNormal"><span style="font-size:10.0pt; color:#002060">Cell +61 (0)414 753 383 / skype://skeeve</span></p>
<p class="MsoNormal"><span style="font-size:10.0pt; color:#002060">www.linkedin.com/in/skeeve ; facebook.com/eintellego</span></p>
<p class="MsoNormal"><span style="font-size:10.0pt; color:#002060">--</span></p>
<p class="MsoNormal"><span style="font-size:10.0pt; color:#002060">eintellego - The Experts that the Experts call</span></p>
<p class="MsoNormal"><span style="font-size:10.0pt; color:#002060">- Juniper - HP Networking - Cisco - Arista -</span></p>
<p class="MsoNormal"><span style="color:#002060"> </span></p>
<p class="MsoNormal"><span style="font-size:8.0pt; color:#002060">Disclaimer: Limits of Liability and Disclaimer: This message is for the named person's use only. It may contain sensitive and private proprietary or legally privileged information. You must not,
directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. eintellego Pty Ltd and each legal entity in the Tefilah Pty Ltd group of companies reserve the right to monitor all e-mail communications
through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of any such entity. Any reference to costs, fee quotations,
contractual transactions and variations to contract terms is subject to separate confirmation in writing signed by an authorised representative of eintellego. Whilst all efforts are made to safeguard inbound and outbound e-mails, we cannot guarantee that attachments
are virus-free or compatible with your systems and do not accept any liability in respect of viruses or computer problems experienced.</span></p>
<p class="MsoNormal"> </p>
</div>
</div>
</div>
</div>
</body>
</html>