[AusNOG] VoIP Hack Attempts

Bradley Falzon brad at teambrad.net
Thu Sep 30 10:50:18 EST 2010


The following notes are based upon my limited experience, assuming the
attackers already have the username and password and did not perform
brute force / dictionary attacks on the VoIP system (fail2ban is
ineffective).

The two most effective protections simply limit the damage to
your customers, in turn limiting the gain from each attack.

1) Limit monthly bills to something reasonable; for example, if your
customers' normal bills are $20/month, perhaps $50 is the limit.
2) Limit the number of calls (perhaps daily)

Of course, combining these preventions with notifying the support team
/ customer for a reasonable response is also suggested, leaving the
account 'suspended' to prevent further attacks the next day / billing
period.

Blocking non-Australian IP addresses will simply change the attacker's
location from some other country to Australian compromised/zombie
hosts.

Limiting the monthly call bill may change the attacks from calling
International Numbers to Australian land lines. Limiting the number of
calls reduces the effectiveness of this attack vector.

The idea of these two limits is simply to encourage the attacker to move
on (or conversely, compromise more accounts - but that has diminishing
returns in itself).

These limits also protect against other attackers and bad
configurations; they ensure customers' bills do not get excessive from
daughter Jane calling mobile numbers for too long, or son Jack playing
with SIP or firmware updates causing a bug in signalling.

Of course, the other secondary defences are as already stated:
. Enforcing strong passwords (doesn't protect against reuse / key
loggers / increased service desk load)
. Blocking non-Australian IP addresses (limits iPhone applications
such as Fring, customers overseas and the obvious - Australia's IP
addresses aren't exactly role models)
. Blocking International Calls by default (highly effective combined
with protection 2 - but fails if the customer requires International
Calls - conversely, perhaps permitting US / UK but blocking expensive
countries like Estonia and the like)
. Some statistical engine monitoring trends in usage on the billing
platform (I would argue the other protections are simpler to deploy
and support - but it is a viable option).

On Wed, Sep 29, 2010 at 10:23 PM, Richard Stephens
<richard.stephens at neural.com.au> wrote:
>
> As far as blocking destinations goes - the attackers seem to have cottoned
> on to this as of late - the last two attacks we've seen that got as far as
> pushing calls through were pushing them to France and the UK.
> We've found that all the successful attacks we've had to deal with have
> fallen into one of two categories
> 1. Client-set stupid passwords (password blank or same as extension number)
> or
> 2. Calls coming from a legitimate source such as a wholesale client who has
> had their VOIP system compromised.
> 1 is fairly straightforward to deal with - our web interface now enforces
> strong passwords.  2 is a bit harder but is best dealt with by monitoring at
> the billing level - setting say a minimum-spend-per-hour for a client, and
> create alerts or block international calls completely if it goes above an
> appropriate level for a certain client.
> We've also found that blocking all non-Australian IPs virtually eliminates
> 1.
> Regards,
> Richard Stephens
>
> Neural Networks
> The way information moves.
> ACN 124 535 075
>
> Phone: (07) 3123 - 5311
> Fax: (07) 3319 - 6095
> Mobile:  0410 - 111 - 570
> E-Mail: richard.stephens at neural.com.au
> ________________________________
> From: ausnog-bounces at lists.ausnog.net [ausnog-bounces at lists.ausnog.net] on
> behalf of Skeeve Stevens [Skeeve at eintellego.net]
> Sent: Tuesday, 28 September 2010 12:13 AM
> To: ausnog at ausnog.net List
> Subject: [AusNOG] VoIP Hack Attempts
>
> Hey all,
>
> I’ve got a few customers who have noticed a large recent jump in SIP scans
> against their networks.
>
> Null routing helps the response but doesn’t stop the registration initiation
> – loading up servers with registrations.
>
> This is easy to stop on closed VoIP systems, but on hosted voice
> platforms, where users come from other ISPs/networks, this seems to be very
> difficult.
>
> Does anyone have any ideas – we are fresh out at the moment, apart from
> beefing up security on the VoIP servers themselves using fail2ban or other
> things that detect rapid registrations and then firewall them.
>
> Having a normal server hacked is one thing, but VoIP hacking has taken on a
> new intensity as the hackers can make a LARGE amount of money by compromising
> a VoIP system.
>
> Recently, we’ve been brought in to clean up the mess in several incidents
> where a couple of VoIP systems have been compromised in incidents totalling
> over AU$100,000.
>
> And the carriers are rarely sympathetic.
>
> If it isn’t obvious as to how/why they’re doing this – the hackers get in,
> open a SIP account so their VoIP system can register, and then they channel
> certain calls via the compromised system.  This has the effect of them
> charging the end user and making money, while not paying for the calls to be
> delivered to the destination.
>
> Advice:
>
> - Block destinations to obscure places that your customers are
>   unlikely to call, and only unblock them if they request
>
> - Watch billing to certain locations and if there is a massive
>   jump, do something
>
> - Watch your customers and if their billing jumps by a massive
>   amount, alert them as fast as you can – or you just might be liable
>
> ...Skeeve
>
> --
> Skeeve Stevens, CEO
> eintellego Pty Ltd - The Networking Specialists
> skeeve at eintellego.net / www.eintellego.net
> Phone: 1300 753 383, Fax: (+612) 8572 9954
> Cell +61 (0)414 753 383 / skype://skeeve
> www.linkedin.com/in/skeeve ; facebook.com/eintellego
> --
> eintellego - The Experts that the Experts call
> - Juniper - HP Networking - Cisco - Arista -
>
> Disclaimer: Limits of Liability and Disclaimer: This message is for the
> named person's use only. It may contain sensitive and private proprietary or
> legally privileged information. You must not, directly or indirectly, use,
> disclose, distribute, print, or copy any part of this message if you are not
> the intended recipient. eintellego Pty Ltd and each legal entity in the
> Tefilah Pty Ltd group of companies reserve the right to monitor all e-mail
> communications through its networks.  Any views expressed in this message
> are those of the individual sender, except where the message states
> otherwise and the sender is authorised to state them to be the views of any
> such entity. Any reference to costs, fee quotations, contractual
> transactions and variations to contract terms is subject to separate
> confirmation in writing signed by an authorised representative of
> eintellego. Whilst all efforts are made to safeguard inbound and outbound
> e-mails, we cannot guarantee that attachments are virus-free or compatible
> with your systems and do not accept any liability in respect of viruses or
> computer problems experienced.
>



-- 
Bradley Falzon
brad at teambrad.net
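The billing-level caps discussed in this thread (Bradley's monthly spend ceiling and daily call count, Richard's per-hour spend trigger, and leaving the account suspended once a cap trips until support or the customer responds), worked through as an added example. This is not code from any of the posters or from a real billing platform: the CDR line format, the account names, the destination numbers, the policy values and the sample traffic are all constructed for the example. The third sample account shows Bradley's point that a dollar cap on its own is dodged by pushing cheap domestic calls in volume, which is what the daily call count is for.

```python
"""Toll-fraud caps applied to call detail records (CDRs).

Added example for the AusNOG thread; not code from the posters or from any
billing platform. Constructed CDR line format:
    timestamp,account,destination,seconds,cost_aud
"""
from collections import defaultdict
from datetime import datetime

# Policy values are assumptions chosen to mirror the thread's numbers.
MONTHLY_CAP_AUD = 50.0          # "$20/month customer, perhaps $50 is the limit"
DAILY_CALL_LIMIT = 50           # "limit the number of calls (perhaps daily)"
HOURLY_SPEND_LIMIT_AUD = 10.0   # Richard's spend-per-hour trigger


def parse_cdr(line):
    """Parse one constructed CDR line into a dict (ValueError on junk)."""
    ts, account, dest, seconds, cost = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "dest": dest, "seconds": int(seconds), "cost": float(cost)}


class SpendLimiter:
    """Admit or block each call against monthly, daily and hourly caps.

    Once a cap trips the account stays suspended until a human clears it,
    as the thread recommends, rather than silently resetting next day.
    """

    def __init__(self, monthly_cap=MONTHLY_CAP_AUD,
                 daily_calls=DAILY_CALL_LIMIT,
                 hourly_spend=HOURLY_SPEND_LIMIT_AUD):
        self.monthly_cap, self.daily_calls, self.hourly_spend = (
            monthly_cap, daily_calls, hourly_spend)
        self.month_spend = defaultdict(float)   # (account, YYYY-MM) -> AUD
        self.day_calls = defaultdict(int)       # (account, YYYY-MM-DD) -> calls
        self.hour_spend = defaultdict(float)    # (account, YYYY-MM-DDTHH) -> AUD
        self.suspended = {}                     # account -> reason it tripped
        self.alerts = []                        # (account, reason, timestamp)

    def admit(self, cdr):
        """Return (allowed, reason). Counters advance only for allowed calls."""
        acct, ts, cost = cdr["account"], cdr["ts"], cdr["cost"]
        if acct in self.suspended:
            return False, "suspended: " + self.suspended[acct]
        month = (acct, ts.strftime("%Y-%m"))
        day = (acct, ts.strftime("%Y-%m-%d"))
        hour = (acct, ts.strftime("%Y-%m-%dT%H"))
        reason = None
        if self.month_spend[month] + cost > self.monthly_cap:
            reason = "monthly spend cap"
        elif self.day_calls[day] + 1 > self.daily_calls:
            reason = "daily call limit"
        elif self.hour_spend[hour] + cost > self.hourly_spend:
            reason = "hourly spend limit"
        if reason:
            self.suspended[acct] = reason
            self.alerts.append((acct, reason, ts.isoformat()))
            return False, reason
        self.month_spend[month] += cost
        self.day_calls[day] += 1
        self.hour_spend[hour] += cost
        return True, "ok"


# Constructed sample traffic. acct-1001 is a normal customer; acct-1002 is a
# stolen account pushing calls to an expensive international route overnight;
# acct-1003 is a stolen account making many cheap domestic calls instead.
SAMPLE_CDRS = [
    "2010-09-29T08:15:00,acct-1001,+61299990000,120,0.10",
    "2010-09-29T17:40:00,acct-1001,+61400000000,300,0.45",
] + [
    f"2010-09-30T02:{m:02d}:00,acct-1002,+37260000000,600,2.50"
    for m in range(0, 30, 5)            # six $2.50 calls in one hour
] + [
    f"2010-09-30T{9 + i // 30:02d}:{i % 30:02d}:00,acct-1003,+61300000000,45,0.05"
    for i in range(60)                  # sixty 5-cent calls over two hours
]


def run(lines):
    """Feed CDR lines through a fresh limiter; return it and per-account decisions."""
    limiter = SpendLimiter()
    decisions = defaultdict(list)
    for line in lines:
        cdr = parse_cdr(line)
        decisions[cdr["account"]].append(limiter.admit(cdr))
    return limiter, dict(decisions)


if __name__ == "__main__":
    limiter, decisions = run(SAMPLE_CDRS)
    for acct, reason, when in limiter.alerts:
        print(f"ALERT {acct}: {reason} at {when}")
    for acct, outcomes in decisions.items():
        blocked = sum(1 for ok, _ in outcomes if not ok)
        print(f"{acct}: {len(outcomes) - blocked} allowed, {blocked} blocked")
```

Checks run in the order cheapest to reason about for a support desk: the monthly ceiling first, then the daily count, then the hourly spend, and the reason recorded is the first one that trips. The counters only advance for admitted calls, so a rejected burst does not itself push the account over a second threshold. In a real deployment the CDR feed would arrive from the switch or billing platform and `suspended` would be persisted; here it lives in memory so the example runs offline.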


