
Good Morning Voice OPS

Is anyone else experiencing anything like this? If so please share what you have done / or will to make it stop

We have a series of smaller SIP trunk customers using Broadsoft trunk groups. By design the trunk groups have a concurrent call limitation based off the customer's order. These smaller SIP trunks groups when compromised are able to run up HUGE fraud bills even tho they only have 5 or 6 SIP trunks. Needing to know if anyone else is seeing this that has Broadsoft and what was done to protect yourselves?

Otherwise Happy NYE :)

Zak Rupas
VoIP Engineer
*SimpleSignal*
3600 S Yosemite Suite 150
Denver, CO 80237
One Number Rings All My Phones: 303-242-8606
SimpleSignal.com <http://www.simplesignal.com/> | Blog <http://www.simplesignal.com/blog> | Facebook <http://www.facebook.com/SimpleSignal?ref=ts> | Twitter <http://twitter.com/simplesignal>

*From:* PE [mailto:peeip989 at gmail.com] *Sent:* Friday, December 30, 2011 10:07 AM *To:* Zak Rupas *Cc:* voiceops at voiceops.org *Subject:* Re: [VoiceOps] Broadsoft SIP Trunks and ILD Fraud

Zak, this occurs because their PBX (to which the trunks are connected) gets hacked?

The first step is to block International unless the customer requires it. You can set maximum call duration, but that is only an inconvenience to the hackers to make them dial again. You can try to get the customers to use account codes for International. You can set time schedules (this might be tricky and may need to do in the NS). And you need a fraud detection system to alert you when it happens so that you can minimize the damage. Last but not least, you can try and make the customer pay for the usage (that never works).

My question still lingers tho. Thanks for the insight! But the million dollar question is how are they getting around Broadsoft's Concurrent model for SIP trunks? For example I have a 5 user SIP trunk group in Broadsoft. It limits them to only 5 calls domestically, however when the fraud starts they move up to 20 or more concurrent calls for ILD. How is that happening? :) Broadsoft should be able to limit the concurrent calls per design

I am starting testing on a 1 Concurrent SIP trunk call group and will pass ILD calls to see if it gets around the limitation. I'll let you know what I located

Zak Rupas
VoIP Engineer

*From:* PE [mailto:peeip989 at gmail.com] *Sent:* Friday, December 30, 2011 10:39 AM *To:* Zak Rupas *Cc:* voiceops at voiceops.org *Subject:* Re: [VoiceOps] Broadsoft SIP Trunks and ILD Fraud

Do you have bursting allowed? I've never seen it allow more than what is configured.

I just looked at my latest victim's profile and Bursting is disabled. What version Broadworks do you run?

Zak Rupas
VoIP Engineer

We have 16.0 in production and 16.0 and 17sp4 in lab.

*From:* Mark Holloway [mailto:mh at markholloway.com] *Sent:* Friday, December 30, 2011 10:38 AM *To:* Zak Rupas *Cc:* voiceops at voiceops.org *Subject:* Re: [VoiceOps] Broadsoft SIP Trunks and ILD Fraud

The IP PBX (or on-prem SBC) should be registering to Broadworks using the Pilot number. The SBC in your core will only allow SIP Invites from the registered device. If you have non-registered SIP Trunks in Broadworks this is very dangerous.

Mark

All SIP trunk customers have to register on the network. It's a requirement we adopted some time ago. I also just checked and Bursting is disabled on my latest account that had the issue. They had 5 SIP trunks but were averaging 20 CC ILD calls. So we may have encountered a Broadsoft bug. I am working on trying to come up with a plan for testing?

Zak Rupas
VoIP Engineer

From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of Mark Holloway Sent: Friday, December 30, 2011 1:09 PM To: Zak Rupas Cc: voiceops at voiceops.org Subject: Re: [VoiceOps] Broadsoft SIP Trunks and ILD Fraud

Some items to check:

1) Do you have the voice portal enabled? If yes, are you allowing users to dial into the voice portal and enable call forwarding to a PSTN number?
2) Do you provide open access to the web portal? How is your username/password strength? Once a user account is hacked through the web portal call forwarding is typically enabled for fraud purposes.
3) If you have the voice portal enabled, are you allowing users to obtain outside dial tone to place calls from the voice portal?

A best-practice I always observed was to modify the outgoing dial plan for every Group or Enterprise and disable international call forwarding/transfers. It is very rare customers in the U.S. require this and you are better off disabling by default but having your Sales team ask up front when gathering customer requirements if they really need this enabled.

We block international transfers on ALL accounts and simply do not allow it. As Mark said, it is rarely needed. When a customer says they need it, we require special dispensation from the Pope to make it happen. That and they have to sign a waiver saying they understand the risks and that they will assume all costs if they do get hacked. You could also try limiting it in the IAD (assuming it is yours). I'd be inclined to open a ticket with Broadsoft and have them explain why their "maximum active call" limit isn't working.

Broadsoft had a fraud prevention best practices document that detailed disabling call forwarding and voice portal dialing through the voice portal. It addressed password hardening as well. You should be able to find it on Xchange.

Voice portal calling is dangerous, it can be used to place calls directly but I have also seen it used as a social engineering tool. There are some devious people out there with a lot of time on their hands, if something can be exploited, eventually it will.

At my prior employer we did the same thing as Mark suggests - disabling international forwarding/transfers across the board by default and requiring the customer to sign a waiver if the capability was required.

Rob

It all depends on the set-up on the client's end. Most PBXs have the capabilities to drop certain calling patterns (dialplans) but you can also implement PIN based international calling dialplans, block known bad blocks or outright block everyone in and allow ONLY trusted sources (usually your best bet) to register and/or place calls through the trunked PBX.

I have implemented a wide array of counters to this ranging from blocking country-codes based on pricing, PIN based international calling, "creative firewalling" to full blown reactive honeypot based systems to detect and counter this type of fraud as it occurs. The metrics behind the honeypots are based on a variety of pre-defined variables (who is making the call (what IP), when the call is being made (time of day), the destination party, country code rates) which is the reason for the initial statement: "all depends on the set-up."

I noticed that under the managed SIP trunking umbrella, clients had no problem using PINs once they understood "why" and "how much" it would cost them otherwise. You have to spell it out though: "We will implement an as-you-go-based opt-*out* international calling mechanism to deter against toll-fraud. To counter fraud we are implementing X change." Once clients become aware of the need for something like a PIN or time based calling, they're likely to go ahead with the changes as they understand they will be held liable for NOT abiding by the TOS you put forth.

Most of the times, this whole issue is sketchy. E.g., you get a new customer, they get "owned" and they owe you say $1000 where you owe YOUR upstream say $800, if they leave, you're still hit with the bill. By creating something that states "YOU WILL ABIDE BY" gives you better legal footing IMHO. But IANAL so double check that ;)

Summary: Configure the trunked PBXs properly. If you KNOW international calling is a necessity, then create say a PIN and time based dial plan. You can also restrict the amount of calls placed BY any device registering as well as solely allowing N amount of account registrations. You could also firewall down the PBX. There are plenty of options, hope my rambling helps.

--
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett

42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF

5 simultaneous calls to Cuba or some African country is still a lot of money.
-- *blap*
On Fri, Dec 30, 2011 at 17:36, Zak Rupas <zak at simplesignal.com> wrote:
Good Morning Voice OPS
Is anyone else experiencing anything like this? If so please share what you have done / or will to make it stop
We have a series of smaller SIP trunk customers using Broadsoft trunk groups. By design the trunk groups have a concurrent call limitation based off the customer's order. These smaller SIP trunks groups when compromised are able to run up HUGE fraud bills even tho they only have 5 or 6 SIP trunks. Needing to know if anyone else is seeing this that has Broadsoft and what was done to protect yourselves?
_______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org https://puck.nether.net/mailman/listinfo/voiceops

Or Globalstar or Inmarsat. :-)
-- This message was painstakingly thumbed out on my mobile, so apologies for brevity, errors, and general sloppiness.
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW Suite 2200 Atlanta, GA 30303
Tel: +1-678-954-0670 Fax: +1-404-961-1892 Web: http://www.evaristesys.com/
On Jan 2, 2012, at 5:17 AM, Danijel <theghost101 at gmail.com> wrote:
5 simultaneous calls to Cuba or some African country is still a lot of money.
-- *blap*

That's unblocked only on a per-customer basis if the customer complains that he can't reach those numbers ;-)
-- *blap*
On Mon, Jan 2, 2012 at 15:49, Alex Balashov <abalashov at evaristesys.com> wrote:
Or Globalstar or Inmarsat. :-)

What actually is happening in the case outlined below by Zak Rupas is probably something that everyone should be aware of. It is not about somehow finding a way to exceed the capacity configured for the given BroadWorks trunk group, it's ultimately about originating a call via a BW trunk group and then immediately transferring that call such that it is no longer on the BW trunk group.

Scenario goes like this, with four parties involved: Customer PBX with BW trunk, Bad Guy, Expensive International number, and US number. In this scenario, the Bad Guy wants to allow the US Number and Expensive International number to talk on PBX owner's dime.

1. Service Provider provides an authenticated BW SIP trunk to their customer's PBX, with let's say 5 sim calls.
2. Customer's PBX gets compromised somehow, and the Bad Guy now has control of some number of phones/endpoints behind that PBX.
3. ILD originations are allowed by the Service Provider from the PBX, so Bad Guy places a call to Expensive International number.
4. Bad Guy then immediately blind transfers the call to the US number, such that the call is no longer associated with the trunk group and the trunk group's sim call limitations.
5. US number and ILD destination are connected, they talk, with billing going to the PBX owner (as that's who the CDR will show as placing the original call and making the transfer).
6. Bad Guy repeats this many times, getting many calls going simultaneously, fundamentally unrestricted by the capacity of the trunk group.

With existing functionality, there are ways to mitigate this situation.

1. Ensure that PBX doesn't get compromised in the first place, but this is hard, and is bound to happen, so this is not sufficient to prevent fraud.
2. In BroadWorks, turn off ILD for all users altogether, and if some users actually do need ILD, only enable it for them explicitly using Comm Barring.
3. In BroadWorks, enforce an Authorization Code when dialing ILD destinations. This can be all ILD, or can be a subset of ILD destinations, using the Comm Barring feature with Auth Code as the action.
4. In BroadWorks, use Call Processing Policies to limit the number of redirected calls allowed by a given trunking user to some small number like 1 or 2. This does not solve the problem entirely, but will reduce the total number of calls that the Bad Guy can get pinned up to one or two times the number of compromised DIDs on the trunk. BroadSoft recommends that all users have such Call Processing Policies enabled and configured.
5. Use some fraud detection system (like Equinox IS Protector or whatever) that alerts you when a strange calling pattern occurs. If this is in place, then even if the system is compromised, you'll be alerted to it soon after it starts and then you can turn off that trunk.

For those of you with access to Xchange, there is a document that outlines all the layers of security that should be enabled to harden your networks against fraud. URL below:
http://xchange.broadsoft.com/php/xchange/support/broadworks/tac/technical-su...

Dag Peak
Senior Systems Engineer
dpeak at broadsoft.com
Twitter @dagpeak

TransNexus offers Fraud Detection software that analyzes CDRs to identify traffic pumping by source IP address and called dial code. When suspected fraud is detected an alert can be sent via e-mail or SNMP. Blocking calls from the source device to the dial code in question is also possible. http://www.transnexus.com/index.php/fraud-detection

This solution works well with SBCs like Acme Packet that stream RADIUS accounting records in real time.

Jim Dalton
TransNexus
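
Added example (not part of the thread, and not BroadSoft or TransNexus code): a CDR check for the pattern Dag Peak describes, where transferred ILD calls billed to a trunk add up to more simultaneous calls than the trunk's call limit, plus a count of redirected ILD calls per source IP and dial code of the kind Jim Dalton mentions. The CDR field names, trunk names, limits, thresholds and sample records are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

T0 = datetime(2012, 1, 1, 2, 0)  # constructed start time for the sample data

def cdr(trunk, src_ip, dialed, start_min, dur_min, redirected):
    start = T0 + timedelta(minutes=start_min)
    return {"trunk": trunk, "src_ip": src_ip, "dialed": dialed, "start": start,
            "end": start + timedelta(minutes=dur_min), "redirected": redirected}

# Constructed sample CDRs: eight redirected calls to one dial code billed to a
# 5-call trunk, plus one ordinary domestic call on another trunk.
SAMPLE_CDRS = [cdr("trunk-a", "203.0.113.7", "5355500%02d" % i, i, 30, True)
               for i in range(8)]
SAMPLE_CDRS.append(cdr("trunk-b", "198.51.100.4", "13035550100", 0, 5, False))

TRUNK_CALL_LIMIT = {"trunk-a": 5, "trunk-b": 5}  # hypothetical provisioning data
HOME_PREFIX = "1"  # assumption: provider treats +1 numbers as non-ILD

def is_ild(dialed):
    return not dialed.startswith(HOME_PREFIX)

def peak_concurrent_ild(cdrs):
    """Peak simultaneous ILD calls billed to each trunk, redirected legs included."""
    events = defaultdict(list)
    for c in cdrs:
        if is_ild(c["dialed"]):
            events[c["trunk"]] += [(c["start"], 1), (c["end"], -1)]
    peaks = {}
    for trunk, evs in events.items():
        live = peak = 0
        for _, delta in sorted(evs):  # at equal times, ends sort before starts
            live += delta
            peak = max(peak, live)
        peaks[trunk] = peak
    return peaks

def detect(cdrs, limits, redirect_threshold=2):
    alerts = []
    # Billed concurrency above the trunk limit means calls left the trunk group.
    for trunk, peak in peak_concurrent_ild(cdrs).items():
        if peak > limits.get(trunk, 0):
            alerts.append(("over_trunk_limit", trunk, peak))
    # Redirected ILD calls per (source IP, first two digits as a rough dial code).
    bursts = Counter((c["src_ip"], c["dialed"][:2]) for c in cdrs
                     if c["redirected"] and is_ild(c["dialed"]))
    for (ip, code), n in bursts.items():
        if n > redirect_threshold:
            alerts.append(("redirect_burst", ip, code, n))
    return alerts
```
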