
I'm not sure what your requirements are but we recently blocked all non-ARIN IP space from reaching our registrars. We had something similar happen and this has essentially eliminated the fraudulent calls we saw.

Thanks,
Spencer

________________________________
Message: 1
Date: Tue, 17 May 2011 15:53:15 -0700
From: Darren Schreiber <d at d-man.org>
To: "VoiceOps at voiceops.org" <VoiceOps at voiceops.org>
Subject: [VoiceOps] Fraud fun
Message-ID: <C9F84A6B.2097A%d at d-man.org>
Content-Type: text/plain; charset="us-ascii"

Hi folks,

We have been hit twice in the past two days with calls to 011-252-XXXXXXXX (calls to Somalia I believe, and the originating IP is from Pakistan)

It's the same user each time, I think he had a weak password, but it cost us over $100, which isn't too bad (we catch it quick) but I'd like to get it closer to $0. :-)

Any good recommendations for IP ranges to block from incoming connections?

Thanks,

Darren Schreiber
CEO / Co-Founder
2600hz | www.2600hz.com <http://www.2600hz.com/>
sip:darren at 2600hz.com
tel:415-886-7901

Ghetto, but goes a long way in helping harden individual Asterisk servers on which one has no choice but to leave the SIP call agent open to the public Internet:

iptables -A INPUT -p udp --dport 5060 -m string --algo bm --string 'friendly-scanner' -j DROP

On 05/18/2011 12:42 PM, Spencer wrote:
I'm not sure what your requirements are but we recently blocked all non-ARIN IP space from reaching our registrars. We had something similar happen and this has essentially eliminated the fraudulent calls we saw.
Thanks, Spencer

Cool use of iptables. There's definitely short-term tactical value in taking advantage of the signature "friendly-scanner"

-- But we also know that the SIPvicious user population is getting more sophisticated.

-- At our clients, they've slowed their scanning rate so they're no longer causing overload attacks.

-- It's just a matter of time before they remove the string "friendly-scanner" from their SIP messages.

mark at ecg.co | +1-229-316-0013 | http://ecg.co/lindsey

On May 18, 2011, at 12:46 PM, Alex Balashov wrote:
Ghetto, but goes a long way in helping harden individual Asterisk servers on which one has no choice but to leave the SIP call agent open to the public Internet:
iptables -A INPUT -p udp --dport 5060 -m string --algo bm --string 'friendly-scanner' -j DROP

On 05/18/2011 01:34 PM, Mark R Lindsey wrote:
Cool use of iptables. There's definitely short-term tactical value in taking advantage of the signature "friendly-scanner"
It really is limited. Packet payload inspection is orders of magnitude slower than the evaluation of most firewall rules, which operate solely on network and transport layer headers, and utilise the hash & tree structures with which the netfilter is extensively optimised. That is why constraining that check to the SIP service port--as opposed to all inbound packets, or all inbound UDP--is quite important. Still, for a lonely PBX it's a decent short-term way to deal with SIPvicious.
-- It's just a matter of time before they remove the string "friendly-scanner" from their SIP messages.
Absolutely true.

--
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/

-- It's just a matter of time before they remove the string "friendly-scanner" from their SIP messages.

They already have - I saw it at my previous employer. They changed the UA string to "suny" or "sunny", maybe "happy" something or other, don't remember the exact string and have no access to the systems any more. I am surprised no one else has seen it?

Robert Dawson
-----Original Message-----
From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of Mark R Lindsey
Sent: Wednesday, May 18, 2011 1:35 PM
To: Alex Balashov
Cc: voiceops at voiceops.org
Subject: Re: [VoiceOps] Fraud fun

Cool use of iptables. There's definitely short-term tactical value in taking advantage of the signature "friendly-scanner" --
But we also know that the SIPvicious user population is getting more sophisticated.
-- At our clients, they've slowed their scanning rate so they're no longer causing overload attacks.
-- It's just a matter of time before they remove the string "friendly-scanner" from their SIP messages.
mark at ecg.co | +1-229-316-0013 | http://ecg.co/lindsey

On 05/19/2011 02:41 PM, Robert Dawson wrote:
-- It's just a matter of time before they remove the string "friendly-scanner" from their SIP messages.
They already have
Well, yeah. In the long run, there are other high-speed SIP scanners besides SIPvicious, and trying to fingerprint the UA is not a good DoS or intrusion prevention strategy.

--
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/

Someone (sorry, don't have the email handy) previously mentioned that they monitor the output from their acme and then blacklist IP's. Very interesting idea -- how are you determining who the "bad guys" are? From the "friendly-scanner" agent field? In what field is this? Are you doing this from the RADIUS CDRs?

Thanks,
Pete

Automated way to block IP via ACLs using Acme CDRs/syslogs, sure would be good. We get DDOS SNMP Traps identifying IPs that are running REGISTER scans... But as someone said, these abusers are getting smarter and scaling back their register scan rates so as not to show up on the radar. It's an ever-evolving battle. I know they are on this list as well... :)

-----Original Message-----
From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of Peter Eisengrein
Sent: Thursday, May 19, 2011 1:59 PM
To: voiceops at voiceops.org
Subject: Re: [VoiceOps] Fraud fun

Someone (sorry, don't have the email handy) previously mentioned that they monitor the output from their acme and then blacklist IP's. Very interesting idea -- how are you determining who the "bad guys" are? From the "friendly-scanner" agent field? In what field is this? Are you doing this from the RADIUS CDRs?

Thanks,
Pete

_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops

Was probably me you're referring to. I do this primarily off of syslog data since my process is based off of the acme trust demotion messages. Every time the SD demotes an endpoint to the deny trust level it produces a syslog message, which I write into SQL. I then have a process that parses these messages, extracts the IP addresses and generates counts of the number of times an address has been blacklisted in given timeframes.

So while at this level the SD is actually protecting the network from the "bad" traffic, it still needs to see X messages before the demotion policy takes effect, and the demotion is relatively short term. This short-term blacklist is where my process picks up: it looks for larger trends, scoring bad behavior across wider time ranges and across different SDs, and uses that data to determine if a given address needs a heavier-handed response at the router, so we can preserve SD CPU cycles.

-anorexicpoodle

On Thu, 2011-05-19 at 15:59 -0400, Peter Eisengrein wrote:
Someone (sorry, don't have the email handy) previously mentioned that they monitor the output from their acme and then blacklist IP's. Very interesting idea -- how are you determining who the "bad guys" are? From the "friendly-scanner" agent field? In what field is this? Are you doing this from the RADIUS CDRs?
Thanks, Pete
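The pipeline anorexicpoodle describes above (parse the SD's trust-demotion syslog lines, count demotions per source address over a wider time window and across several SDs, and only escalate the repeat offenders to a router ACL) is shown below as an added example. It is not the poster's code and not the Acme Packet syslog format: the log line layout, the hostnames sbc1/sbc2, the addresses (documentation ranges), the thresholds and the IOS-style ACL syntax are all assumptions constructed for this example.

```python
"""Score source IPs from SBC trust-demotion syslog lines and pick the ones
that deserve a block at the edge router rather than only on the SD.
Added example for the VoiceOps thread; log format and thresholds are
assumptions, not the real Acme Packet message format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines. The message text is an assumption made
# for this example; the last line is unrelated noise the parser must skip.
SAMPLE_LOG = """\
May 18 09:00:00 sbc1 acmesystem: endpoint 198.51.100.77:5060 demoted to trust level deny
May 18 10:30:00 sbc2 acmesystem: endpoint 198.51.100.77:5060 demoted to trust level deny
May 18 11:15:00 sbc2 acmesystem: endpoint 198.51.100.77:5060 demoted to trust level deny
May 19 13:01:02 sbc1 acmesystem: endpoint 203.0.113.5:5060 demoted to trust level deny
May 19 13:04:15 sbc1 acmesystem: endpoint 203.0.113.5:5060 demoted to trust level deny
May 19 13:09:40 sbc2 acmesystem: endpoint 203.0.113.5:5060 demoted to trust level deny
May 19 14:22:07 sbc1 acmesystem: endpoint 198.51.100.77:5060 demoted to trust level deny
May 19 15:45:11 sbc2 acmesystem: endpoint 203.0.113.5:5060 demoted to trust level deny
May 19 15:50:00 sbc1 acmesystem: endpoint 192.0.2.200:5060 demoted to trust level deny
May 19 15:51:00 sbc1 acmesystem: registration cache updated
"""

DEMOTION_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<sd>\S+) \S+: endpoint (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ "
    r"demoted to trust level deny$"
)


def parse_demotions(text, year=2011):
    """Return (timestamp, sd_hostname, ip) for every demotion line.
    Non-matching lines are ignored. Classic syslog timestamps carry no
    year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = DEMOTION_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["sd"], m["ip"]))
    return events


def _as_datetime(value):
    """Accept either a datetime or an ISO-8601 string for 'now'."""
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def score_sources(events, now, window_hours=24):
    """Count demotions per source IP inside (now - window, now] and record
    which SDs issued them. Returns {ip: (count, {sd, ...})}."""
    now = _as_datetime(now)
    start = now - timedelta(hours=window_hours)
    counts = defaultdict(int)
    sds = defaultdict(set)
    for ts, sd, ip in events:
        if start < ts <= now:
            counts[ip] += 1
            sds[ip].add(sd)
    return {ip: (counts[ip], sds[ip]) for ip in counts}


def router_block_candidates(events, now, window_hours=24,
                            min_demotions=3, min_sds=2):
    """Addresses demoted repeatedly, by more than one SD, within the window.
    The SD already drops their traffic for a short time; these are the ones
    worth a longer-lived ACL upstream. Thresholds are illustrative."""
    scored = score_sources(events, now, window_hours)
    return sorted(ip for ip, (n, sds) in scored.items()
                  if n >= min_demotions and len(sds) >= min_sds)


def render_acl_lines(ips):
    """One deny line per address in a generic IOS-style syntax (assumed);
    adapt to whatever the edge router actually speaks."""
    return [f"deny ip host {ip} any" for ip in ips]


if __name__ == "__main__":
    events = parse_demotions(SAMPLE_LOG)
    now = "2011-05-19T16:00:00"  # constructed evaluation time
    for ip, (n, sds) in sorted(score_sources(events, now).items()):
        print(f"{ip}: {n} demotions in 24h on {sorted(sds)}")
    for line in render_acl_lines(router_block_candidates(events, now)):
        print(line)
```

Evaluated at 16:00 on May 19, only 203.0.113.5 clears both thresholds (four demotions, seen by both SDs); 198.51.100.77 had three demotions the day before but they have aged out of the 24-hour window, which is the point of keeping the escalation window separate from the SD's own short demotion period. Shrinking the window to one hour drops everyone below the threshold, so the window length and the per-SD requirement are the knobs that decide how aggressive the router-level response is.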

Along those lines, since most of these SIPvicious REGISTER scans originate from compromised servers out there, it makes sense to look at REGISTER scans and then actual Traffic (INVITEs) and then correlate data to make ACL Deny decisions. I have been told Palladion has something like this and it's flexible enough to change detection parameters. However, implementing the automated Blocking piece is what needs to be figured out in conjunction with product.

From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of anorexicpoodle
Sent: Thursday, May 19, 2011 2:34 PM
To: Peter Eisengrein
Cc: voiceops at voiceops.org
Subject: Re: [VoiceOps] Fraud fun

Was probably me you're referring to. I do this primarily off of syslog data since my process is based off of the acme trust demotion messages. Every time the SD demotes an endpoint to the deny trust level it produces a syslog message, which I write into SQL. I then have a process that parses these messages, extracts the IP addresses and generates counts of the number of times an address has been blacklisted in given timeframes. So while at this level the SD is actually protecting the network from the "bad" traffic, it still needs to see X messages before the demotion policy takes effect, and the demotion is relatively short term. This short-term blacklist is where my process picks up: it looks for larger trends, scoring bad behavior across wider time ranges and across different SDs, and uses that data to determine if a given address needs a heavier-handed response at the router, so we can preserve SD CPU cycles.

-anorexicpoodle
participants (7)
- abalashov@evaristesys.com
- anorexicpoodle@gmail.com
- l_mysterioso@yahoo.com
- lindsey@e-c-group.com
- peisengrein@evolveip.net
- RDawson@alliedtelecom.net
- ujjval@simplesignal.com