[AusNOG] VoIP Hack Attempts

Scott Howard scott at doc.net.au
Tue Sep 28 02:26:45 EST 2010


fail2ban or similar programs are a great solution to this, although the
configuration will depend a bit on the use case.

The only catch with fail2ban is that entering an incorrect username/password
even once can cause you to be locked out with a default configuration, as
many SIP clients will repeatedly try and register within a very short period
of time, which can be enough to trigger a temporary lockout.

Presuming the clients are pre-configured in some way (and/or initially
configured when they are on a whitelisted network) then this problem goes
away - it's really only when you have users that can't follow instructions
out in the field trying to configure their phones that this becomes a
problem.

If you don't do something, you will at least get attacked.  This is from my
personal Asterisk box, running on an 800MHz VIA processor at a time I didn't
have fail2ban running on it (or more correctly, running but not working):

$ grep 'May 22 23:0' m | grep 'Registration from'|wc
  32389  615391 5085073

That's over 50 registration requests PER SECOND!  And the only reason it was
so low was that the CPU on the box was at 100% and it was throwing away
packets.  Based on a network dump I suspect the real rate was at least
double that, probably higher.

  Scott


On Mon, Sep 27, 2010 at 7:13 AM, Skeeve Stevens <Skeeve at eintellego.net> wrote:

> Hey all,
>
> I’ve got a few customers who have noticed a large recent jump in SIP scans
> against their networks.
>
> Null routing helps the response but doesn’t stop the registration
> initiation – loading up servers with registrations.
>
> This is easy to stop on closed VoIP systems, but not on hosted voice
> platforms where users come from other ISPs/networks; this seems to be very
> difficult.
>
> Does anyone have any ideas – we are fresh out at the moment, apart from
> beefing up security on the VoIP servers themselves using fail2ban or other
> things that detect rapid registrations and then firewall them.
>
> Having a normal server hacked is one thing but VoIP hacking has taken on a
> new intensity as the hackers can make a LARGE amount of money by compromising
> a VoIP system.
>
> Recently, we’ve been brought in to clean up the mess in several incidents
> where a couple of VoIP systems have been compromised in incidents totalling
> over AU$100,000.
>
> And the carriers are rarely sympathetic.
>
> If it isn’t obvious as to how/why they’re doing this – the hackers get in,
> open a SIP account so their VoIP system can register, and then they channel
> certain calls via the compromised system.  This has the effect of them
> charging the end user and making money, while not paying for the calls to be
> delivered to the destination.
>
> Advice:
>
> - Block destinations to obscure places that your customers are unlikely to
>   call, and only unblock them if they request
>
> - Watch billing to certain locations and if there is a massive jump, do
>   something
>
> - Watch your customers and if their billing jumps by a massive amount, alert
>   them as fast as you can – or you just might be liable
>
> ...Skeeve
>
> --
> Skeeve Stevens, CEO
> eintellego Pty Ltd - The Networking Specialists
> skeeve at eintellego.net / www.eintellego.net
> Phone: 1300 753 383, Fax: (+612) 8572 9954
> Cell +61 (0)414 753 383 / skype://skeeve
> www.linkedin.com/in/skeeve ; facebook.com/eintellego
> --
> eintellego - The Experts that the Experts call
> - Juniper - HP Networking - Cisco - Arista -
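An added example, not code from this thread: a small Python sketch of the fail2ban-style logic Scott describes, run over constructed Asterisk chan_sip log lines in the 1.x "Registration from '...' failed for '<ip>'" format (assumed; newer releases also print a port). It counts failed registrations per source inside a sliding window, exempts a whitelisted network so a desk phone retrying a mistyped password does not lock itself out, and reports the peak per-second rate the way the grep | wc above does.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Asterisk 1.x chan_sip NOTICE line (format assumed; no port after the IP).
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>[\d.]+)'"
)

def parse_line(line, year=2010):
    """Return (timestamp, source_ip) for a failed-registration line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} " + m.group("ts"), "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")

def find_offenders(lines, window=60, maxretry=5, whitelist=()):
    """Sources with >= maxretry failures inside `window` seconds, except
    those in a whitelisted network.  Returns {ip: time threshold was hit}."""
    nets = [ip_network(n) for n in whitelist]
    recent, banned = defaultdict(deque), {}
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, ip = parsed
        if ip in banned or any(ip_address(ip) in n for n in nets):
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # drop stale entries
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned

def peak_per_second(lines):
    """Largest number of failed registrations seen in any single second."""
    per_sec = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            per_sec[parsed[0]] += 1
    return max(per_sec.values(), default=0)

def _line(ts, user, ip):   # build one constructed sample log line
    return (f"[May 22 {ts}] NOTICE[2001] chan_sip.c: Registration from "
            f"'\"{user}\" <sip:{user}@203.0.113.5>' failed for '{ip}' - Wrong password")

# Constructed sample: a scanner walking extensions, a whitelisted phone
# retrying a bad password (Scott's false-positive case) and one stray miss.
SAMPLE_LOG = ([_line(f"23:00:0{i // 2 + 1}", str(100 + i), "198.51.100.7") for i in range(6)]
              + [_line("23:00:02", "201", "192.0.2.10") for _ in range(6)]
              + [_line("23:00:03", "300", "203.0.113.20") for _ in range(3)])
```

With the whitelist applied only the scanner is reported; without it the retrying phone would be locked out as well, which is exactly the default-configuration catch Scott mentions.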