[AusNOG] VoIP Hack Attempts [SEC=UNCLASSIFIED]

Tilley, Alex Alex.Tilley at afp.gov.au
Thu Sep 30 12:59:14 EST 2010


 The Australian Honeynet project has posted some information about SIP scanning.
http://honeynet.org.au/



ALEX TILLEY
TECHNICAL SPECIALIST
HIGH TECH CRIME OPERATIONS
AUSTRALIAN FEDERAL POLICE

Tel +61(0) 3 96077500 Mob +61(0) 411068284
www.afp.gov.au

-----Original Message-----
From: ausnog-bounces at lists.ausnog.net [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Bradley Falzon
Sent: Thursday, 30 September 2010 10:50 AM
To: ausnog at ausnog.net List
Subject: Re: [AusNOG] VoIP Hack Attempts

The following notes are based upon my limited experience, assuming the attackers already have the username and password - did not perform brute force / dictionary attacks on VoIP System (fail2ban is ineffective).

The two protections most effective are simply limiting the damage to your customers - in turn limiting the gain of each attack.

1) Limit monthly bills to something reasonable, for example, if your customers' normal bills are $20/month, perhaps $50 is the limit.
2) Limit the number of calls (perhaps daily)

Of course, these preventions combined with notifying the support team / customer for a reasonable response is also suggested - leaving the account 'suspended' to prevent further attacks the next day / billing period.

Blocking Non Australian IP Addresses will simply change the attacker's location from some other country to Australian compromised/zombie hosts.

Limiting the monthly call bill may change the attacks from calling International Numbers to Australian land lines. Limiting the number of calls reduces the effectiveness of this attack vector.

The idea of these two limits simply encourages the attacker to move on (or conversely, compromise more accounts - but that has diminishing returns in itself).

These limits also protect against other attackers and bad configurations; they ensure customers' bills do not get excessive from daughter Jane calling mobile numbers for too long, or son Jack playing with SIP or firmware updates causing a bug in signalling.

Of course, the other secondary defences are as already stated:
- Enforcing strong passwords (doesn't protect against reuse / key loggers / increased service desk load)
- Blocking Non Australian IP Addresses (limits iPhone applications such as Fring, customers overseas and the obvious - Australia's IP Addresses aren't exactly role models)
- Blocking International Calls by default (highly effective combined with protection 2 - but fails if the customer requires International Calls - conversely, perhaps permitting US / UK but blocking expensive countries like Estonia and the like)
- Some statistical engine monitoring trends in usage on the billing platform (I would argue the other protections are simpler to deploy and support - but it is a viable option).

On Wed, Sep 29, 2010 at 10:23 PM, Richard Stephens <richard.stephens at neural.com.au> wrote:
>
> As far as blocking destinations goes - the attackers seem to have 
> cottoned on to this as of late - the last two attacks we've seen that 
> got as far as pushing calls through were pushing them to France and the UK.
> We've found that all the successful attacks we've had to deal with 
> have fallen into one of two categories 1. Client-set stupid passwords 
> (password blank or same as extension number) or 2. Calls coming from a 
> legitimate source such as a wholesale client who has had their VOIP 
> system compromised.
> 1 is fairly straightforward to deal with - our web interface now 
> enforces strong passwords.  2 is a bit harder but is best dealt with 
> by monitoring at the billing level - setting say a 
> minimum-spend-per-hour for a client, and create alerts or block 
> international calls completely if it goes above an appropriate level for a certain client.
> We've also found that blocking all non-Australian IP's virtually 
> eliminates 1.
> Regards,
> Richard Stephens
>
> Neural Networks
> The way information moves.
> ACN 124 535 075
>
> Phone: (07) 3123 - 5311
> Fax: (07) 3319 - 6095
> Mobile:  0410 - 111 - 570
> E-Mail: richard.stephens at neural.com.au 
> ________________________________
> From: ausnog-bounces at lists.ausnog.net 
> [ausnog-bounces at lists.ausnog.net] on behalf of Skeeve Stevens 
> [Skeeve at eintellego.net]
> Sent: Tuesday, 28 September 2010 12:13 AM
> To: ausnog at ausnog.net List
> Subject: [AusNOG] VoIP Hack Attempts
>
> Hey all,
>
>
>
> I've got a few customers who have noticed a large recent jump in SIP 
> scans against their networks.
>
>
>
> Null routing helps the response but doesn't stop the registration 
> initiation - loading up servers with registrations.
>
>
>
> This is easy to stop on closed VoIP systems, but not on hosted Voice 
> platforms which users come from other ISP's/networks, this seems to be 
> very difficult.
>
>
>
> Does anyone have any ideas - we are fresh out at the moment, apart 
> from beefing up security on the VoIP servers themselves using fail2ban 
> or other things that detect rapid registrations and then firewall them.
>
>
>
> Having a normal server hacked is one thing but VoIP hacking has taken 
> on a new intensity as the hackers can make a LARGE amount of money by 
> compromising a VoIP system.
>
>
>
> Recently, we've been brought in to clean up the mess in several 
> incidents where a couple of VoIP systems have been compromised in 
> incidents totalling over AU$100,000.
>
>
>
> And the carriers are rarely sympathetic.
>
>
>
> If it isn't obvious as to how/why they're doing this - the hackers get 
> in, open a SIP account so their VoIP system can register, and then 
> they channel certain calls via the compromised system.  This has the 
> effect of them charging the end user and making money, while not 
> paying for the calls to be delivered to the destination.
>
>
>
> Advice:
>
> -          Block destinations to obscure places that your customers 
> are unlikely to call, and only unblock them if they request
>
> -          Watch billing to certain locations and if there is a 
> massive jump, do something
>
> -          Watch your customers and if their billing jumps by a 
> massive amount, alert them as fast as you can - or you just might be 
> liable
>
>
>
> ...Skeeve
>
>
>
> --
>
> Skeeve Stevens, CEO
>
> eintellego Pty Ltd - The Networking Specialists
>
> skeeve at eintellego.net / www.eintellego.net
>
> Phone: 1300 753 383, Fax: (+612) 8572 9954
>
> Cell +61 (0)414 753 383 / skype://skeeve
>
> www.linkedin.com/in/skeeve ; facebook.com/eintellego
>
> --
>
> eintellego - The Experts that the Experts call
>
> - Juniper - HP Networking - Cisco - Arista -
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
>



--
Bradley Falzon
brad at teambrad.net
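
A sketch of the two limits described in the message above (monthly spend cap and daily call count, with the account left suspended until support clears it), as an added example that is not from any poster in this thread. The class names, the 30-calls-per-day default and the sample call records are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from decimal import Decimal

@dataclass
class Limits:
    monthly_spend: Decimal = Decimal("50.00")  # the $50 cap from the message's example
    daily_calls: int = 30                      # assumed value; the thread gives no number

@dataclass
class Account:
    limits: Limits
    suspended: bool = False  # stays set across days and billing periods
    spend: dict = field(default_factory=lambda: defaultdict(Decimal))  # (year, month) -> total
    calls: dict = field(default_factory=lambda: defaultdict(int))      # date -> call count

def authorize(acct, when, est_cost):
    """Decide at call setup, before any cost is incurred. Returns (allowed, reason)."""
    if acct.suspended:
        return False, "suspended"  # only the support team clears this flag
    month, day = (when.year, when.month), when.date()
    if acct.calls[day] + 1 > acct.limits.daily_calls:
        acct.suspended = True
        return False, "daily call limit"
    if acct.spend[month] + est_cost > acct.limits.monthly_spend:
        acct.suspended = True
        return False, "monthly spend limit"
    acct.calls[day] += 1
    acct.spend[month] += est_cost
    return True, "ok"

def replay(acct, cdrs):
    """Feed call records through authorize(); return one alert per limit trip."""
    alerts = []
    for when, dest, cost in cdrs:
        ok, reason = authorize(acct, when, Decimal(cost))
        if not ok and reason != "suspended":  # alert support/customer once, not per retry
            alerts.append((when.isoformat(), dest, reason))
    return alerts

# Constructed call records: (start time, destination country, estimated cost in dollars)
SAMPLE_CDRS = [
    (datetime(2010, 9, 29, 3, 0), "FR", "1.20"),
    (datetime(2010, 9, 29, 3, 1), "FR", "1.20"),
    (datetime(2010, 9, 29, 3, 2), "UK", "0.90"),
    (datetime(2010, 9, 29, 3, 3), "FR", "1.20"),  # 4th call that day
    (datetime(2010, 9, 30, 3, 0), "FR", "1.20"),  # next day
    (datetime(2010, 10, 1, 3, 0), "UK", "0.90"),  # next billing period
]
```

With `daily_calls=3`, replaying `SAMPLE_CDRS` raises a single alert on the fourth call, and the calls on the following day and in the next billing period are refused because the account is still suspended.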