looking for advice on international fraud that took place via an Edgemarc 200EW with FXO line installed

Hi all,

I had some toll fraud to Grenada last night which we stopped as soon as we became aware of it. Example numbers being dialed were:

1-473-405-0085
1-473-405-0084
1-473-405-0088

Normally I can track down how it happened to figure out who was at fault. But this time I am having a hard time.

The customer has two types of service from us. Yealink phones connected to our Broadsoft system with an Edgemarc 200EW installed at the customer premises. They also have some POTS lines with us for faxing. One of those POTS lines is connected to the Edgemarc 200EW via the built-in FXO port for "survivability", meaning if the WAN ethernet port on the Edgemarc has a failure they at least have one line to dial out on in case of an emergency. That is about the only time it would ever be used, except for faxing.

The toll fraud CPN just happens to be that POTS line connected to the Edgemarc. That POTS line is also connected to a very basic fax machine.

In the Edgemarc, for that FXO port, two-stage dialing is disabled in both directions. We had incoming calls on the FXO line being forwarded to a Yealink phone, but that would never function properly due to the customer having a fax line picking up first. Just leftover config from the install, where we made an assumption the customer might want it.

The Yealink phones are behind the Edgemarc (NAT) and not reachable via the internet. The Edgemarc is using RADIUS for user auth and has strong passwords set. I cannot find any config in Broadsoft where a user had call forwarding set up or whatever that would cause this. I cannot find any settings in the Edgemarc that would allow this to take place, as in a config mistake.

The Edgemarc is running code version 11.6.19. The Yealink phones are also up to date with the newest code from the vendor's website.

I do not think this fraud was done on site via physical means. It is a school and I just cannot picture a student or faculty having a need to call Grenada.

The Edgemarc does have port 5060 open to the world, but it is just a "proxy". I was under the impression that one cannot brute force an account on a proxy device that has no config as such, like an Asterisk box would. You would basically be brute forcing against Broadsoft in that case?

Either way I am still digging into things, but I thought by sending this email someone might have some advice to clue me in to something I am missing when it comes to Edgemarc and FXO security.

Thanks,
matt at g4.net

Do you have the 'read only' user password changed on the Edgemarc? I've seen interesting problems occur when the 'read only' account is vulnerable.

Keith

On Fri, Nov 1, 2013 at 9:30 AM, Matt Yaklin <myaklin at g4.net> wrote:
_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops

Keith,

Since RADIUS server authentication is enabled, any attempt to log in as rouser would go via that method. My RADIUS server does not have a rouser. Only when the Edgemarc cannot reach the RADIUS server, or when the RADIUS secret password is incorrect, would it fall back to local auth.

But yes, we changed it during the initial config. It is not a very strong password though, since we are limited to 6-8 characters by the software. I just think the attacker never had a chance to use it since the device has been online and reachable via our network.

matt at g4.net

On Fri, 1 Nov 2013, Keith Croxford wrote:
> Do you have the 'read only' user password changed on the Edgemarc? I've seen interesting problems occur when the 'read only' account is vulnerable.
>
> Keith

Hi Matt,

Assuming that the accounts associated with the POTS lines are registering users, have you already considered the fact that the attack could've originated somewhere other than the Edgemarc? Have you checked the auth/pass for the users associated with the POTS lines? Is international calling enabled for these users? Do they have a voice portal?

Brad Anouar

Sent from my Verizon Wireless 4G LTE Smartphone

----- Reply message -----
From: "Matt Yaklin" <myaklin at g4.net>
To: "voiceops at voiceops.org" <voiceops at voiceops.org>
Subject: [VoiceOps] looking for advice on international fraud that took place via an Edgemarc 200EW with FXO line installed
Date: Fri, Nov 1, 2013 9:31 AM

Hi Brad,

On Fri, 1 Nov 2013, Brad Anouar wrote:
> Hi Matt,
>
> Assuming that the accounts associated with the POTS lines are registering users, have you already considered the fact that the attack could've originated somewhere other than the Edgemarc? Have you checked the auth/pass for the users associated with the POTS lines?
If I understood you correctly, I think this will answer your question. The POTS line is not SIP at all. It is a POTS line provided out of our legacy Coppercom voice switch. It travels via GR303 to a central office and from there to the customer premises via Pairgain SHDSL gear. That gear muxes up to 6 POTS lines down a single copper pair to the customer premises. A little CPE unmuxes them.

My CDR records on my border T7000 switch clearly show the call coming from the Coppercom switch via SS7 trunks and then going out to Level3. All of this is TDM-based POTS lines. No SIP at all when discussing the POTS line.

So based on that, the call had to be generated at the customer premises in some fashion. The Edgemarc is the most likely culprit unless physical access was used to make the calls.
> Is international calling enabled for these users?
It was on the Broadsoft system. It is not anymore. Any call the Broadsoft group generates goes out as their main number unless they call 911. The main number is not the POTS line number. Plus, I would have seen any Broadsoft-generated call come in via a different path to our border switch.

It was allowed via the dialing rules on the Edgemarc. I have not modified that yet to only allow certain calls. Grenada, sadly, is part of the North American Dialing Plan. No 011 needed in front of the number, just 1+xxx-xxx-xxxx. Modifying the dialing plan on the Edgemarc may be painful unless I just allow New Hampshire's area code to start, 911, and 7-digit dialing.
> Do they have a voice portal?
Yes they do. It is on Broadsoft. But once again, any Broadsoft call would come into my border switch via a different path. I would know if it came from that system.

matt at g4.net
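The dial-plan restriction Matt sketches (allow 911, seven-digit local dialing and New Hampshire's area code on the FXO line, deny everything else) as an added worked example. This is not code from the thread and has nothing to do with the Edgemarc's own dial-rule syntax; it is a plain Python allow-list that shows why a "block 011" rule is not enough: 1-473 (Grenada) looks like domestic long distance. Assumptions: 603 is the New Hampshire area code meant, the NON_US_NANP table is a short illustrative subset an operator would replace with their own, and the test numbers other than the three from the thread are constructed.

```python
"""Allow-list dial plan check for an FXO survivability line (added example)."""
import re

# Constructed policy modelled on the thread: the FXO line may reach 911,
# seven-digit local numbers and New Hampshire's 603 area code, nothing else.
# (Assumption: 603 is the "New Hampshire area code" referred to.)
ALLOWED_NPAS = {"603"}
EMERGENCY = {"911"}

# NANP area codes outside the US that are dialed like domestic long distance
# (1+NPA, no 011). Partial, illustrative list; 473 is the one in the thread.
NON_US_NANP = {
    "473": "Grenada",
    "876": "Jamaica",
    "284": "British Virgin Islands",
    "268": "Antigua and Barbuda",
    "809": "Dominican Republic",
    "829": "Dominican Republic",
    "849": "Dominican Republic",
}

NON_DIGIT = re.compile(r"\D")


def normalize(dialed):
    """Keep digits only: '1-473-405-0085' -> '14734050085'."""
    return NON_DIGIT.sub("", dialed)


def classify(dialed):
    """Return (verdict, reason) for one dialed string under the allow-list."""
    d = normalize(dialed)
    if d in EMERGENCY:
        return "allow", "emergency"
    if d.startswith("011"):
        return "deny", "011 international not permitted on the FXO line"
    if len(d) == 7:
        return "allow", "7-digit local"
    if len(d) == 11 and d[0] == "1":
        npa = d[1:4]
    elif len(d) == 10:
        npa = d[:3]
    else:
        return "deny", "unrecognized dial string"
    if npa in ALLOWED_NPAS:
        return "allow", f"NPA {npa} on allow-list"
    if npa in NON_US_NANP:
        # The case an "011-only" block misses: the number looks domestic
        # but terminates in another country.
        return "deny", f"NPA {npa} is {NON_US_NANP[npa]} (NANP, no 011 needed)"
    return "deny", f"NPA {npa} not on allow-list"


def audit(numbers):
    """Classify a batch of dialed numbers; return only the denied ones with reasons."""
    return [(n, classify(n)[1]) for n in numbers if classify(n)[0] == "deny"]


if __name__ == "__main__":
    # The three numbers from the thread plus a few constructed controls.
    for n in ["1-473-405-0085", "1-473-405-0084", "1-473-405-0088",
              "911", "603-555-0100", "555-0100", "011 44 20 7946 0000"]:
        print(n, *classify(n))
```

The allow-list is deliberately the inverse of a block-list: anything not explicitly permitted is denied, so a new fraud destination in some other NANP country is denied by default rather than needing its own rule.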

How many calls are we talking about here?

David Thompson
Network Services Support Technician
(O) 858.357.8794 (F) 858-225-1882 (E) dthompson at esi-estech.com (W) www.esi-estech.com

-----Original Message-----
From: VoiceOps [mailto:voiceops-bounces at voiceops.org] On Behalf Of Matt Yaklin
Sent: Friday, November 01, 2013 10:20 AM
To: Brad Anouar
Cc: voiceops at voiceops.org
Subject: Re: [VoiceOps] looking for advice on international fraud that took place via an Edgemarc 200EW with FXO line installed

Approx 60-70 calls.

matt at g4.net

On Fri, 1 Nov 2013, David Thompson wrote:
> How many calls are we talking about here?

On 11/1/13 12:04 PM, Matt Yaklin wrote:
> Approx 60-70 calls.
If more than one is overlapping, you can rule out the physical FXO port.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
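Jay's test, turned into a check you can run over the border-switch CDRs: one FXO port carries one call at a time, so if the peak number of simultaneous calls from that CPN is ever 2 or more, the calls could not all have gone through the port. This is an added example, not from the thread; the CDR rows and their column layout (start time, duration in seconds, called number) are constructed for illustration, and Matt's real T7000 records are not on the page.

```python
"""Peak concurrency from CDRs: can one FXO port explain all the calls? (added example)"""
from datetime import datetime, timedelta


def parse_cdrs(lines):
    """Parse 'YYYY-MM-DD HH:MM:SS,duration_s,called' rows into (start, end, called)."""
    calls = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start_s, dur_s, called = [f.strip() for f in line.split(",")]
        start = datetime.strptime(start_s, "%Y-%m-%d %H:%M:%S")
        calls.append((start, start + timedelta(seconds=int(dur_s)), called))
    return calls


def max_concurrency(calls):
    """Sweep-line over call starts/ends; returns the highest number in progress at once."""
    events = []
    for start, end, _ in calls:
        events.append((start, 1))
        events.append((end, -1))
    # Ends sort before starts at the same instant, so a call placed the
    # moment the previous one hung up still counts as sequential.
    events.sort(key=lambda e: (e[0], e[1]))
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


# Constructed sample rows (assumed column layout), not real CDR data.
SAMPLE_CDRS = """
# start,duration_s,called
2013-10-31 23:02:10,184,14734050085
2013-10-31 23:05:30,201,14734050084
2013-10-31 23:09:05,176,14734050088
"""


def fxo_port_possible(text=SAMPLE_CDRS):
    """True if every call could have gone out a single FXO port one after another."""
    return max_concurrency(parse_cdrs(text.splitlines())) <= 1


if __name__ == "__main__":
    calls = parse_cdrs(SAMPLE_CDRS.splitlines())
    print("calls:", len(calls), "peak concurrency:", max_concurrency(calls),
          "single FXO port possible:", fxo_port_possible())
```

A peak of 1 does not prove the port was used, only that it could have been; a peak of 2 or more rules it out, which is the direction of inference Jay is pointing at.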

They are not overlapping.

The attacker finally bit just a bit ago. I was only running tcpdump on port 5060 on the Edgemarc, but I captured the SIP traffic for what the attacker is doing. I wish I had set up more. I blocked international via an auth code right now...

x.x.139.225 = WAN ethernet port of the Edgemarc.

I am going through this now and if anyone can help I would greatly appreciate it. I need to find out why this is happening.

-----------------------
-----------------------
-----------------------
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
User-Agent: eyeBeam release 3007n stamp 17816
Cont
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<

19:18:48.788559 176.58.68.20.10181 > x.x.139.225.5060:
>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
REGISTER sip:x.x.139.225 SIP/2.0
To: <sip:1001@x.x.139.225>
From: <sip:1001@x.x.139.225>;tag=e26e273f
Via: SIP/2.0/UDP 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
Call-ID: b161d8122d506908
CSeq: 1 REGISTER
Contact: <sip:1001@176.58.68.20:10181>
Expires: 3600
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
User-Agent: eyeBeam release 3007n stamp 17816
Cont
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<

19:18:52.786472 176.58.68.20.10181 > x.x.139.225.5060:
>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
REGISTER sip:x.x.139.225 SIP/2.0
To: <sip:1001@x.x.139.225>
From: <sip:1001@x.x.139.225>;tag=e26e273f
Via: SIP/2.0/UDP 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
Call-ID: b161d8122d506908
CSeq: 1 REGISTER
Contact: <sip:1001@176.58.68.20:10181>
Expires: 3600
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
User-Agent: eyeBeam release 3007n stamp 17816
Cont
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<

19:18:56.794955 176.58.68.20.10181 > x.x.139.225.5060:
>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
REGISTER sip:x.x.139.225 SIP/2.0
To: <sip:1001@x.x.139.225>
From: <sip:1001@x.x.139.225>;tag=e26e273f
Via: SIP/2.0/UDP 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
Call-ID: b161d8122d506908
CSeq: 1 REGISTER
Contact: <sip:1001@176.58.68.20:10181>
Expires: 3600
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
User-Agent: eyeBeam release 3007n stamp 17816
Cont
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<

19:19:00.899198 176.58.68.20.10181 > x.x.139.225.5060:
>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
REGISTER sip:x.x.139.225 SIP/2.0
To: <sip:1001@x.x.139.225>
From: <sip:1001@x.x.139.225>;tag=e26e273f
Via: SIP/2.0/UDP 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
Call-ID: b161d8122d506908
CSeq: 1 REGISTER
Contact: <sip:1001@176.58.68.20:10181>
Expires: 3600
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
User-Agent: eyeBeam release 3007n stamp 17816
Cont
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<

19:19:04.809371 176.58.68.20.10181 > x.x.139.225.5060:
>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
REGISTER sip:x.x.139.225 SIP/2.0
To: <sip:1001@x.x.139.225>
From: <sip:1001@x.x.139.225>;tag=e26e273f
Via: SIP/2.0/UDP 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
Call-ID: b161d8122d506908
CSeq: 1 REGISTER
Contact: <sip:1001@176.58.68.20:10181>
Expires: 3600
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
User-Agent: eyeBeam release 3007n stamp 17816
Cont
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<

19:19:08.831073 176.58.68.20.10181 > x.x.139.225.5060:
>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
REGISTER sip:x.x.139.225 SIP/2.0
To: <sip:1001@x.x.139.225>
From: <sip:1001@x.x.139.225>;tag=e26e273f
Via: SIP/2.0/UDP 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
Call-ID: b161d8122d506908
CSeq: 1 REGISTER
Contact: <sip:1001@176.58.68.20:10181>
Expires: 3600
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
User-Agent: eyeBeam release 3007n stamp 17816
Cont
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<

19:19:12.827515 176.58.68.20.10181 > x.x.139.225.5060:
>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
REGISTER sip:x.x.139.225 SIP/2.0
To: <sip:1001@x.x.139.225>
From: <sip:1001@x.x.139.225>;tag=e26e273f
Via: SIP/2.0/UDP 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
Call-ID: b161d8122d506908
CSeq: 1 REGISTER
Contact: <sip:1001@176.58.68.20:10181>
Expires: 3600
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
User-Agent: eyeBeam release 3007n stamp 17816
Cont
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<

19:19:16.827669 176.58.68.20.10181 > x.x.139.225.5060:
>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
REGISTER sip:x.x.139.225 SIP/2.0
To: <sip:1001@x.x.139.225>
From: <sip:1001@x.x.139.225>;tag=e26e273f
Via: SIP/2.0/UDP 176.58.68.20:10181;branch=z9hG4bK-d87543-161690352-1--d87543-;rport
Call-ID: b161d8122d506908
CSeq: 1 REGISTER
Contact: <sip:1001@176.58.68.20:10181>
Expires: 3600
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
User-Agent: eyeBeam release 3007n stamp 17816
Cont
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<

19:23:19.307756 176.58.68.20.10189 > x.x.139.225.5060:
>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>>
BYE sip:14734050085@x.x.139.225:5060 SIP/2.0
To: <sip:14734050085@x.x.139.225>;tag=6516fea2
From: <sip:1001@x.x.139.225>;tag=214bbc47
Via: SIP/2.0/UDP 176.58.68.20:10189;branch=z9hG4bK-d87543-1012476641-1--d87543-;rport
Call-ID: 346c8a3823657575
CSeq: 2 BYE
Route: <sip:14734050085@x.x.139.225;lr>
Contact: <sip:1001@176.58.68.20:10189>
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE,
<<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
19:23:19.370269 x.x.139.225.5060 > 176.58.68.20.10189:
>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>> SIP/2.0 200 OK Via: SIP/2.0/UDP 176.58.68.20:10189;branch=z9hG4bK-d87543-1012476641-1--d87543-;rport=5060 Record-Route: <sip:14734050085 at x.x.139.225;lr> From: <sip:1001 at x.x.139.225>;tag=214bbc47 To: <sip:14734050085 at x.x.139.225>;tag=6516fea2 Call-ID: 346c8a3823657575 CSeq: 2 BYE Contact: <sip:14734050085 at x.x.139.225:5060> User-agent: fxo/1.0 Content-Length: 0 <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<< [tos 0xb8]
19:23:31.365141 176.58.68.20.10189 > x.x.139.225.5060:
>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>> INVITE sip:14734050088 at x.x.139.225 SIP/2.0 To: <sip:14734050088 at x.x.139.225> From: <sip:1001 at x.x.139.225>;tag=d909f80a Via: SIP/2.0/UDP 176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport Call-ID: 2b6a574f323db602 CSeq: 1 INVITE Contact: <sip:1001 at 176.58.68.20:10189> Max-Forwards: 70 Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO Content-Type: application/sdp User-Agent: eyeBeam <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
19:23:31.417251 x.x.139.225.5060 > 176.58.68.20.10189:
>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>> SIP/2.0 100 Trying Via: SIP/2.0/UDP 176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport=5060 From: <sip:1001 at x.x.139.225>;tag=d909f80a To: <sip:14734050088 at x.x.139.225>;tag=51a346d4 Call-ID: 2b6a574f323db602 CSeq: 1 INVITE User-agent: fxo/1.0 Content-Length: 0 <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<< [tos 0xb8]
19:23:36.793012 x.x.139.225.5060 > 176.58.68.20.10189:
>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>> SIP/2.0 180 Ringing Via: SIP/2.0/UDP 176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport=5060 Record-Route: <sip:14734050088 at x.x.139.225;lr> From: <sip:1001 at x.x.139.225>;tag=d909f80a To: <sip:14734050088 at x.x.139.225>;tag=51a346d4 Call-ID: 2b6a574f323db602 CSeq: 1 INVITE Contact: <sip:14734050088 at x.x.139.225:5060> User-agent: fxo/1.0 Content-Length: 0 <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<< [tos 0xb8]
19:23:36.833967 x.x.139.225.5060 > 176.58.68.20.10189:
>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>> SIP/2.0 200 OK Via: SIP/2.0/UDP 176.58.68.20:10189;branch=z9hG4bK-d87543-292959825-1--d87543-;rport=5060 Record-Route: <sip:14734050088 at x.x.139.225;lr> From: <sip:1001 at x.x.139.225>;tag=d909f80a To: <sip:14734050088 at x.x.139.225>;tag=51a346d4 Call-ID: 2b6a574f323db602 CSeq: 1 INVITE Contact: <sip:14734050088 at x.x.139.225:5060> User-agent: fxo/1.0 Allow: INVITE, ACK, CANCEL, OPTIONS, BYE Content-Type: application/sdp Content-Leng <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<< [tos 0xb8]
19:23:37.060875 176.58.68.20.10189 > x.x.139.225.5060:
>>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>> ACK sip:14734050088 at x.x.139.225:5060 SIP/2.0 To: <sip:14734050088 at x.x.139.225>;tag=51a346d4 From: <sip:1001 at x.x.139.225>;tag=d909f80a Via: SIP/2.0/UDP 176.58.68.20:10189;branch=z9hG4bK-d87543-154025872-1--d87543-;rport Call-ID: 2b6a574f323db602 CSeq: 1 ACK Route: <sip:14734050088 at x.x.139.225;lr> Contact: <sip:1001 at 176.58.68.20:10189> Max-Forwards: 70 User-Agent: eyeBeam release 3007n stamp 17816 Content-Length: 0 <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<
--------------- -------------- ------------
On Fri, 1 Nov 2013, Jay Hennigan wrote:
On 11/1/13 12:04 PM, Matt Yaklin wrote:
Approx 60-70 calls.
If more than one overlapping you can rule out the physical FXO port.
--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops


I think you are on the right track.

I was reading the manual just now trying to figure out how or where 1001 comes from. Perhaps that does not even matter. You could make up anything.

I am just not seeing how I tell this edgemarc box to stop allowing it yet short of using a firewall feature that this box does not have like the newest 13.x firmware does. Maybe it is hidden or people used the pass through rule set.

matt

On Fri, 1 Nov 2013, Paul Timmins wrote:

Have you tried tossing an unauthenticated call at the edgemarc from outside using a from address of 1001 at edgemarcip? Looks like that's what this guy is doing. You're ignoring his registers but you may be allowing invites from an unregistered device.

On Fri, 11/01/2013 03:33 PM, Matt Yaklin <myaklin at g4.net> wrote:

They are not overlapping.

The attacker finally bit just a bit ago. I only was running tcpdump on port 5060 on the edgemarc but I captured the SIP traffic for what the attacker is doing. I wish I had setup more.
I blocked international via an auth code right now...
x.x.139.225 = WAN ethernet port of the Edgemarc.
I am going through this now and if anyone can help I would greatly appreciate it. I need to find out why this is happening.

List,

The problem was I was missing a check box labeled "Limit Inbound to listed Proxies / SIP Servers" under the SIP settings page. This was my first Edgemarc that had the survivability license with it so it took some playing around to get everything to work. I must have unchecked it while trying to fix an issue during setup and never came back to it. No problem found. Operator error that probably cost G4 $300 bucks easy on toll charges.

Thank you all for responding. Now I just need a way to get revenge on the hacker. Anyone have any contacts in the Gaza Strip? :-(

I know this has been discussed here before but why in the world would a Palestinian be calling Grenada? How does one make money off that situation? Sigh...

matt at g4.net

On Fri, 1 Nov 2013, Matt Yaklin wrote:
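As an added illustration (not code from the thread, from Edgewater or from Broadsoft), the script below parses a trace in the same flattened tcpdump format as the capture posted above and applies the two checks the thread reasons with: Paul's point that inbound INVITEs may be accepted from a source that is not a listed SIP proxy, which is the "Limit Inbound to listed Proxies / SIP Servers" rule that turned out to be unchecked, and Jay's test that overlapping calls rule out the single physical FXO line. Addresses, dialled numbers, tags and Call-IDs in the sample trace are constructed (documentation ranges), `@` is written literally rather than as the archive's " at ", and the header extraction is a best-effort regex over the space-flattened message rather than a full SIP parser.

```python
import re
from datetime import datetime
from itertools import accumulate

# Constructed sample in the page's tcpdump format (one SIP message per line, its own
# line breaks collapsed to spaces).  Documentation-range addresses: 192.0.2.225 is the
# edge device's WAN port, 198.51.100.10 the carrier's listed SIP proxy, 203.0.113.7 an
# unknown Internet host.  Dialled numbers, tags and Call-IDs are made up.
EDGE_IP = "192.0.2.225"
LISTED_PROXIES = {"198.51.100.10"}

def _msg(ts, src, dst, start_line, headers):
    """Build one flattened trace line (used only to construct the sample)."""
    return (f"{ts} {src} > {dst}: >>>>>>>>>sip header start>>>>>>>>>>>>>>>>>>> "
            f"{start_line} {headers} <<<<<<<<<<<<<<<sip header stop<<<<<<<<<<<<<<<<<<<<")

SAMPLE_TRACE = "\n".join([
    # Unknown host tries to REGISTER as extension 1001; the edge never answers it.
    _msg("19:18:48.788559", "203.0.113.7.10181", "192.0.2.225.5060", "REGISTER sip:192.0.2.225 SIP/2.0",
         "From: <sip:1001@192.0.2.225>;tag=e26e Call-ID: reg-1 CSeq: 1 REGISTER Expires: 3600"),
    # Legitimate inbound call from the listed carrier proxy.
    _msg("19:20:01.000000", "198.51.100.10.5060", "192.0.2.225.5060", "INVITE sip:2005@192.0.2.225 SIP/2.0",
         "From: <sip:16035550100@198.51.100.10>;tag=aa11 Call-ID: carrier-1 CSeq: 1 INVITE"),
    _msg("19:20:01.200000", "192.0.2.225.5060", "198.51.100.10.5060", "SIP/2.0 200 OK",
         "From: <sip:16035550100@198.51.100.10>;tag=aa11 Call-ID: carrier-1 CSeq: 1 INVITE"),
    _msg("19:20:40.000000", "198.51.100.10.5060", "192.0.2.225.5060", "BYE sip:2005@192.0.2.225 SIP/2.0",
         "From: <sip:16035550100@198.51.100.10>;tag=aa11 Call-ID: carrier-1 CSeq: 2 BYE"),
    # The same unregistered host sends INVITEs claiming From: 1001; the FXO port answers.
    _msg("19:23:05.100000", "203.0.113.7.10189", "192.0.2.225.5060", "INVITE sip:14735550085@192.0.2.225 SIP/2.0",
         "From: <sip:1001@192.0.2.225>;tag=214b Call-ID: call-a CSeq: 1 INVITE Content-Type: application/sdp"),
    _msg("19:23:05.150000", "192.0.2.225.5060", "203.0.113.7.10189", "SIP/2.0 200 OK",
         "From: <sip:1001@192.0.2.225>;tag=214b Call-ID: call-a CSeq: 1 INVITE User-agent: fxo/1.0"),
    _msg("19:23:19.307756", "203.0.113.7.10189", "192.0.2.225.5060", "BYE sip:14735550085@192.0.2.225:5060 SIP/2.0",
         "From: <sip:1001@192.0.2.225>;tag=214b Call-ID: call-a CSeq: 2 BYE"),
    _msg("19:23:31.365141", "203.0.113.7.10189", "192.0.2.225.5060", "INVITE sip:14735550088@192.0.2.225 SIP/2.0",
         "From: <sip:1001@192.0.2.225>;tag=d909 Call-ID: call-b CSeq: 1 INVITE Content-Type: application/sdp"),
    _msg("19:23:36.833967", "192.0.2.225.5060", "203.0.113.7.10189", "SIP/2.0 200 OK",
         "From: <sip:1001@192.0.2.225>;tag=d909 Call-ID: call-b CSeq: 1 INVITE User-agent: fxo/1.0"),
])

LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.\d+: "
                     r">+sip header start>+ (?P<body>.*?) <+sip header stop<+$")
REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+) sip:(?:(?P<user>[^@\s;]+)@)?")  # REGISTER has no user part
RESPONSE_RE = re.compile(r"^SIP/2\.0 (?P<code>\d{3})")

def _header(body, name):
    """Value of one header inside the space-flattened message, or None if absent."""
    m = re.search(rf"(?<![\w-]){name}: (\S+)", body, re.IGNORECASE)
    return m.group(1) if m else None

def parse_trace(text):
    """One dict per SIP message in the trace; lines that are not SIP are skipped."""
    msgs = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        body = m["body"]
        req, resp = REQUEST_RE.match(body), RESPONSE_RE.match(body)
        cseq = re.search(r"CSeq: \d+ ([A-Z]+)", body)
        frm = re.search(r"From: <sip:([^@>]+)@", body)
        msgs.append({
            "time": datetime.strptime(m["ts"], "%H:%M:%S.%f"), "src": m["src"], "dst": m["dst"],
            "method": req["method"] if req else None, "ruri_user": req["user"] if req else None,
            "status": int(resp["code"]) if resp else None, "cseq_method": cseq.group(1) if cseq else None,
            "from_user": frm.group(1) if frm else None, "call_id": _header(body, "Call-ID"),
            "user_agent": _header(body, "User-Agent")})
    return msgs

def requests_from_unlisted(msgs, edge_ip, listed_proxies):
    """Inbound requests that a 'limit inbound to listed proxies / SIP servers' rule would drop."""
    return [m for m in msgs if m["method"] and m["dst"] == edge_ip and m["src"] not in listed_proxies]

def accepted_calls(msgs):
    """Calls the edge answered (2xx to INVITE), with start, end and the answering agent."""
    calls = {}
    for m in msgs:
        cid = m["call_id"]
        if m["method"] == "INVITE":
            calls[cid] = {"src": m["src"], "from": m["from_user"], "to": m["ruri_user"],
                          "start": m["time"], "end": None, "answered": False, "agent": None}
        elif cid in calls and m["status"] and 200 <= m["status"] < 300 and m["cseq_method"] == "INVITE":
            calls[cid].update(answered=True, agent=m["user_agent"])
        elif cid in calls and m["method"] == "BYE":
            calls[cid]["end"] = m["time"]
    return [c for c in calls.values() if c["answered"]]

def max_concurrent(intervals):
    """Peak number of simultaneous calls; anything above 1 rules out a single physical FXO line."""
    # No BYE seen means the call was still up; at equal times -1 sorts before +1, so back-to-back
    # calls are not counted as overlapping.
    events = sorted([(s, 1) for s, _ in intervals] + [(e or datetime.max, -1) for _, e in intervals])
    return max(accumulate(delta for _, delta in events), default=0)

def triage(trace, edge_ip, listed_proxies):
    msgs = parse_trace(trace)
    calls = accepted_calls(msgs)
    return {
        "unlisted_requests": [(m["src"], m["method"], m["ruri_user"])
                              for m in requests_from_unlisted(msgs, edge_ip, listed_proxies)],
        "rogue_calls": [(c["from"], c["to"], c["agent"]) for c in calls if c["src"] not in listed_proxies],
        "max_concurrent": max_concurrent([(c["start"], c["end"]) for c in calls]),
    }
```

On the sample, `triage` reports every request from the unknown host (the rule would have dropped them all), two calls answered by `fxo/1.0` whose caller is not a listed proxy, and a peak of one concurrent call, which is consistent with a single FXO line being used serially.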


Hi, interesting puzzle!

Just trying to figure out your scenario. Have you checked in the CDRs if the originating IP address matches the private IP of the Yealink? If not, the hacker could be guessing wisely the Broadsoft authentication password of the Yealink devices to register its own device from Internet, then making calls to Grenada or wherever destination is allowed.

-----Original Message-----
From: VoiceOps [mailto:voiceops-bounces at voiceops.org] On Behalf Of Matt Yaklin
Sent: Friday, 01 November 2013 10:31 a.m.
To: voiceops at voiceops.org
Subject: [VoiceOps] looking for advice on international fraud that took place via an Edgemarc 200EW with FXO line installed

Hi all,

I had some toll fraud to Grenada last night which we stopped as soon as we became aware of it. Example numbers being dialed were:

1-473-405-0085
1-473-405-0084
1-473-405-0088

Normally I can track down how it happened to figure out who was at fault. But this time I am having a hard time.

The customer has two types of service from us. Yealink phones connected to our Broadsoft system with an Edgemarc 200EW installed at the customer premise. They also have some POTS lines with us for faxing. One of those POTS lines is connected to the Edgemarc 200EW via the built-in FXO port for "Survivability". Meaning if the WAN ethernet port on the Edgemarc has a failure they can at least have one line to dial out on in case of an emergency. That is about the only time it would ever be used except for faxing.

The toll fraud CPN just happens to be that POTS line connected to the Edgemarc. That POTS line is also connected to a very basic fax machine. In the Edgemarc for that FXO port two stage dialing is disabled in both directions. We had incoming calls on the FXO line being forwarded to a Yealink phone but that would never function properly due to the customer having a fax line picking up first. Just leftover config during the install where we made an assumption the customer might want it.

The Yealink phones are behind the Edgemarc (NAT) and not reachable via the internet. The Edgemarc is using radius for user auth and has strong passwords set. I cannot find any config in Broadsoft where a user had call forwarding setup or whatever that would cause this. I cannot find any settings in the Edgemarc that would allow this to take place. As in a config mistake. The Edgemarc is running code Version 11.6.19. The Yealink phones are also up2date with the newest code from the vendor's website.

I do not think this fraud was done on site via physical means. It is a school and I just cannot picture a student or faculty having a need to call Grenada.

The Edgemarc does have port 5060 open to the world but it is just a "proxy". I was under the impression that one cannot brute force an account on a proxy device that has no config as such like an asterisk box would. You would be basically brute forcing against Broadsoft in that case?

Either way I am still digging into things but I thought by sending this email someone might have some advice to clue me into something I am missing when it comes to Edgemarc and FXO security.

Thanks,
matt at g4.net

On Fri, 1 Nov 2013, Monterrosa Santiago wrote:
Hi, interesting puzzle!
Just trying to figure out your scenario.
Have you checked in the CDRs if the originating IP address matches the private IP of the Yealink? If not, the hacker could be guessing wisely the Broadsoft authentication password of the Yealink devices to register its own device from Internet, then making calls to Grenada or wherever destination is allowed.
I know that scenario is not the case because the POTS line is on a legacy voice switch which is TDM based. No SIP. I clearly see the calls coming into my border switch from the legacy switch. That means the calls came from the POTS line for sure. I just put an 8 digit authorization PIN on the POTS for international dialing to stop the problem for now and buy me some time. It really does appear that I am either making a config mistake, the customer has a physical security issue, or the Edgemarc has a problem with its software to allow an attacker to use the FXO port in some way...
matt at G4.net
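The two CDR checks this exchange turns on, whether a SIP call's originating IP is the Yealink's private IP and whether a domestic-only POTS line placed calls to the +1-473 Grenada numbers, written up as an added Python example that is not part of the thread. The CDR format, calling numbers, IP addresses, line policies and after-hours window are constructed sample data; the only value taken from the thread is the 473 area code.

```python
"""Added example (not from the thread): sweep CDR lines for the toll-fraud
pattern discussed above. The CDR format, the CPNs and the IPs are constructed
sample data; the +1-473 (Grenada) area code is the one in the thread."""
import csv
import io
from datetime import datetime

# NANP area codes that are international from a US/Canada billing point of view.
# Only the one from the thread is listed; a real deployment loads the full set.
OFFSHORE_NANP = {"473"}

# Policy per calling number (constructed): the fax/survivability POTS line
# should never dial international, and Yealink registrations should only come
# from the customer's private LAN behind the Edgemarc.
LINE_POLICY = {"6035550100": {"intl": False, "sip_src": set()},
               "6035550101": {"intl": True, "sip_src": {"192.168.10.21"}}}

CDRS = """start,cpn,called,origin,secs
2013-10-31T23:41:02,6035550100,14734050085,TDM:legacy-switch,612
2013-10-31T23:52:17,6035550100,14734050084,TDM:legacy-switch,598
2013-11-01T00:03:44,6035550100,14734050088,TDM:legacy-switch,640
2013-11-01T09:15:10,6035550101,16035550199,SIP:192.168.10.21,45
2013-11-01T09:20:31,6035550101,14734050085,SIP:203.0.113.7,120
"""

def is_international(called: str) -> bool:
    """Treat 011-prefixed dialing and offshore NANP area codes as international."""
    d = called.lstrip("+")
    if d.startswith("011"):
        return True
    return len(d) == 11 and d[0] == "1" and d[1:4] in OFFSHORE_NANP

def flag_cdrs(text: str, after_hours=(22, 6)):
    """Return (line_no, reason) for each CDR that violates the line policy."""
    hits = []
    for n, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        pol = LINE_POLICY.get(row["cpn"], {"intl": False, "sip_src": set()})
        intl = is_international(row["called"])
        if intl and not pol["intl"]:
            hits.append((n, "international call from domestic-only line"))
        kind, _, src = row["origin"].partition(":")
        if kind == "SIP" and src not in pol["sip_src"]:
            hits.append((n, f"SIP origin {src} not an expected device IP"))
        hour = datetime.fromisoformat(row["start"]).hour
        if intl and (hour >= after_hours[0] or hour < after_hours[1]):
            hits.append((n, "international call after hours"))
    return hits
```

Note that a "starts with 1 means domestic" rule would pass every Grenada call here, which is why the offshore NANP set is checked explicitly.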