VoIP Abuse Project Followups

Hey all, thanks to everyone who's mailed me both on and off-list in regards to the VoIP Abuse Project. Before things spiral out of control, I decided to make things a bit more detailed and easier to access as well as adding all addresses of attackers, not only ARIN addressing.

There are seven sections in which I will try to keep as current as possible:

Addresses: These are the IP addresses of bruteforcing hosts
Netblocks: These are the netblocks of attacking hosts
Numbers Called: These are the numbers called by attackers from my honeypots
E-mails Sent: These are the e-mails sent to abuse desks
Responses Received: These are the responses (if any) received in response to my e-mails
Attack logs: These are the logs of attacks
Defensive suggestions: IPF/IPTables/PF based script for Asterisk PBX's
Submissions Removals: Information on submissions and removals

Any recommendations and/or feedback is greatly appreciated. I believe the "Numbers called" section would interest investigators in determining the potential identification of an attacker. This is based upon one and a half years of monitoring, correlating and studying attack patterns. The page is self explanatory on my theories. For admins and engineers under attack, the defensive suggestions may assist in minimizing attacks.

And finally, "A Simple Asterisk Based Toll Fraud Prevention Script" (http://www.infiltrated.net/asterisk-ips.html). This document led to the framework of a honeypot I created and maintain across numerous managed, public-facing, Asterisk PBX servers. For admins, owners and engineers on the list, see removals.

Lest I forget to give thanks to those in the industry who've given me ideas and inspiration to pursue this hobby/project: Mark Collier, David Endler (they wrote the book on Hacking VoIP which is a definite must read not only for pentesters, but for admins and engineers), Sandro Gauci for always taking the time to respond to some of my ramblings. David Hiers and the rest of the Voice-Ops list for tolerating me. Shawn Merdinger, Dan York and the rest of the VoIPSA list for tolerating my ramblings.

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E

I applaud the idea of protecting against attacks, and I feel the draw for this kind of function. However, I do have a couple of thoughts to circulate to the group.

1. CPNI. There are all sorts of regulations, laws, and policies that tightly constrain what telephone-related information I can disclose to anyone about anything.

2. Criticality. If a 911 call fails because someone intentionally took an action, bad things can happen.

Like every business from banks to hotdog carts, we are all expected to act to ensure that our actual losses do not exceed budgeted losses, and that the cost of the controls does not exceed the cost of the loss. My main point is that whatever controls we erect must comport to the (ever-changing) regulatory and societal landscape for phone calls, which can be very different than that of email or other services.

In summary, I see this as a very worthwhile effort, even if the rules and expectations that surround it make it different than similar efforts in other fields.

Thanks,

David Hiers
CCIE (R/S, V), CISSP
ADP Dealer Services
2525 SW 1st Ave.
Suite 300W
Portland, OR 97201
o: 503-205-4467
f: 503-402-3277

-----Original Message-----
From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of J. Oquendo
Sent: Sunday, September 26, 2010 11:58 AM
To: voiceops at voiceops.org
Subject: [VoiceOps] VoIP Abuse Project Followups

Hey all, thanks to everyone who's mailed me both on and off-list in regards to the VoIP Abuse Project. Before things spiral out of control, I decided to make things a bit more detailed and easier to access as well as adding all addresses of attackers, not only ARIN addressing.

Hiers, David wrote:
I applaud the idea of protecting against attacks, and I feel the draw for this kind of function. However, I do have a couple of thoughts to circulate to the group.
1. CPNI. There are all sorts of regulations, laws, and policies that tightly constrain what telephone-related information I can disclose to anyone about anything.
2. Criticality. If a 911 call fails because someone intentionally took an action, bad things can happen.
Like every business from banks to hotdog carts, we are all expected to act to ensure that our actual losses do not exceed budgeted losses, and that the cost of the controls does not exceed the cost of the loss. My main point is that whatever controls we erect must comport to the (ever-changing) regulatory and societal landscape for phone calls, which can be very different than that of email or other services.
In summary, I see this as a very worthwhile effort, even if the rules and expectations that surround it make it different than similar efforts in other fields.
I will try to find a definitive legal answer to these questions and post when I find one. In the interim, I'd like to explain my posture on why CPNI is not relevant.

1) Logfiles that are posted contain solely the information of an attacking IP address. Any visible IP addressing, naming conventions, etc., are sanitized from the logs. This is done for two reasons: one, to protect the identity of my PBX servers, and secondly, to avoid having attackers "fire away" at the addresses. There is no visible information for my infrastructure nor clients being posted at any time.

2) Criticality - the only instance I can see this being an issue is if the following occurs: Being an ITSP provider, I manage PBX's and maintain hundreds of trunks for clients who manage their own PBX's. If a client's PBX was compromised, their IP space would be listed in "the blacklist", which could leave them in a bind if they weren't able to place emergency calls.

Emergency calls are a tricky subject as is when it comes to VoIP in the following scenario: As a provider you have a client who does not pay their bill and gets a temporary disconnect. Do you as a VoIP provider STILL place emergency calls for them? There is no visible law relevant to this; I know, as I've scoured high and low for something to this tune. Maybe if someone at Dash is here, they can correct me on this. As it stands, we as a VoIP carrier have to do nothing when someone doesn't pay their bill.

a) AUP's, TOS', SLA's dictate what can or can't happen during the course of a client's use. Therefore if my AUP directs me to disconnect "dirty hosts", the onus is on the client to clean up their act. In today's day and age, just about everyone except me has a cellular. So a 911 argument isn't as strong as it would be, say, 10 years ago.

b) Abuse desks for companies attacking PBX's when located in North America are ALWAYS notified. I give them the opportunity to "right their wrongs" and have been doing so aimlessly for some time.

A situation like this would be a true test for a "dirty network", not me as a provider. The legalities fall on them:

Offense: "You blocked an emergency call!"
Defense: "No, we blocked your network from disrupting other networks, which has the potential to disrupt hundreds of other networks and PBX's."
Defense: "You were warned prior to being blacklisted. Your systems autogenerated a response; months later we were attacked again. Obviously you didn't take the situation seriously."
Offense: "I object, security costs time and money. Money we don't have..."

True, it is a touchy subject; however, I don't believe there could be legal recourse towards me for posting it, or anyone submitting data - provided that whoever submits data removes identifiable information. With that said, my approach is to weed out erroneous reports and continue to send a courtesy email to offending netblocks. If they don't respond within a 72 hour period, they will be listed. 3 days is enough to take a look at what is leaving a network and nipping it at the bud. Should companies not see fit to clean up their act, obviously they not only don't care about what leaves their network, they care less about their clients as well.

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
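What the sanitization in point 1 amounts to in practice, as an added example that is not the VoIP Abuse Project's own code: the reporting PBX's addresses and hostnames are replaced with placeholders before a log excerpt leaves the operator, while the attacking host's address is kept so an abuse desk can act on it. The log line layout is modelled on Asterisk chan_sip "Registration from ... failed for ..." notices and is an assumption; the 203.0.113.0/24 range, pbx1.example.net, and the sample lines themselves are constructed stand-ins. It goes one step past the post by also dropping lines whose source is the operator's own space (internal tests, not something to report) and counting attempts per attacking host for the courtesy e-mail.

```python
"""Sanitize Asterisk-style registration-failure log lines before publishing them.

Added example, not code from the VoIP Abuse Project.  It keeps only the
attacking host's address and replaces addresses and hostnames that belong to
the reporting PBX with fixed placeholders.  The line layout is modelled on
chan_sip "Registration from ... failed for ..." NOTICE lines; the exact
format is an assumption here, not a documented guarantee.
"""
import ipaddress
import re
from collections import Counter

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# The address after "failed for" is the source of the rejected request, i.e. the attacker.
FAILED_FOR_RE = re.compile(r"failed for '(?P<ip>(?:\d{1,3}\.){3}\d{1,3})")

# Constructed sample: two probes from one outside host plus one line whose source
# is the PBX's own network.  RFC 5737 documentation ranges, no real hosts.
SAMPLE_LOG = [
    "[Sep 26 11:58:01] NOTICE[1234] chan_sip.c: Registration from "
    "'\"100\" <sip:100@203.0.113.5>' failed for '198.51.100.23:5060' - Wrong password",
    "[Sep 26 11:58:02] NOTICE[1234] chan_sip.c: Registration from "
    "'\"101\" <sip:101@pbx1.example.net>' failed for '198.51.100.23:5060' - No matching peer found",
    "[Sep 26 11:58:03] NOTICE[1234] chan_sip.c: Registration from "
    "'\"102\" <sip:102@203.0.113.5>' failed for '203.0.113.9:5060' - Wrong password",
]
LOCAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed: the operator's own space
LOCAL_NAMES = ["pbx1.example.net"]                       # assumed: the PBX's own hostname


def is_local(ip, local_nets):
    """True when ip falls inside one of the operator's own networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in local_nets)


def attacker_ip(line):
    """Return the source address of a failed registration, or None for other lines."""
    m = FAILED_FOR_RE.search(line)
    return m.group("ip") if m else None


def sanitize_line(line, local_nets, local_names):
    """Replace the operator's hostnames and addresses; leave foreign addresses intact."""
    # Longest names first so a short name never clobbers part of a longer one.
    for name in sorted(local_names, key=len, reverse=True):
        line = line.replace(name, "[pbx-host]")

    def redact(m):
        return "[pbx-ip]" if is_local(m.group(0), local_nets) else m.group(0)

    return IPV4_RE.sub(redact, line)


def sanitize_log(lines, local_nets, local_names):
    """Return (attacker_ip, sanitized_line) pairs for lines about outside hosts.

    Lines whose source sits in the operator's own space are dropped: they are
    internal tests or misconfigured phones, not something to report.
    """
    report = []
    for line in lines:
        src = attacker_ip(line)
        if src is None or is_local(src, local_nets):
            continue
        report.append((src, sanitize_line(line, local_nets, local_names)))
    return report


def attempts_by_host(report):
    """Count sanitized lines per attacking address, for the abuse-desk e-mail."""
    return dict(Counter(src for src, _ in report))


if __name__ == "__main__":
    cleaned = sanitize_log(SAMPLE_LOG, LOCAL_NETS, LOCAL_NAMES)
    for src, line in cleaned:
        print(src, "|", line)
    print(attempts_by_host(cleaned))
```

Run against the sample, the two lines from 198.51.100.23 survive with the PBX's address and hostname replaced, and the line sourced from 203.0.113.9 is discarded rather than reported; the placeholders are deliberately constant so that a published excerpt cannot be correlated back to a specific server.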