[VOIPSEC] Tackling VoIP fraud, new idea

On Fri, 21 Feb 2014, D'Arcy J.M. Cain wrote:
>> Second field, one can set up a triggering mechanism. (Pseudo code)
>>
>>     if [ "$number" = "2125551212" ]; then
>>         # do something
>>         send_email || generate_phonecall
>>     fi
>
> Not sure what you mean here. If the IP is already blocked then what are we checking?
Blocking an IP will ONLY block the attacker from doing malice from that host. If by chance someone made it onto one of your machines, you could set a trigger that says: Hey if you see an account trying to dial this KNOWN_TO_BE_BAD number that is listed, send me an e-mail, or lookup what OTHER IP is now trying to call that number and block them too.
> Not sure about this. What if I want to weight the reports based on who submitted them. There may be members that I completely trust and would block based on their report. For others I may want to see multiple reports before I block.
I don't disagree however, I am taking my malware analysis and DFIR experience here. The reason (IMHO) companies still get compromised six ways from Sunday is, many don't share data for various reasons: 1) they don't want the public/others to know "they've been had," 2) data submitted may be relevant to an ongoing law enforcement related investigation 3) good old fashioned chest thumping. Chest thumping. I have seen many companies take the approach that attacker data is some holy grail. "We were the first and only to see this!" All the while others could have been given a green light on an attack source.
> What about non-free email? It seems to me that a tighter vetting process is needed. I wouldn't accept any email that was not attached to an actual VoIP provider. I realize that that takes more work though.
There are VoIP providers, ITSPs, Carriers, but you're leaving out the small businesses, and smaller non carrier like shops who can also disclose attack sources.
> I am not totally opposed to the idea. Not sure how useful it might be. What sort of attacks are you thinking about? I already block IPs based on failures to register and no one can dial without being registered. It's all automatic.
I am thinking the whole gamut of attacks. Registrations, actual calls, anything related to VoIP. Web based exploit of a PBX. Anything that is relevant to IP PBX telephony systems.

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of real peace"
- Dalai Lama

42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
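The two mechanisms discussed in this exchange, a trigger that fires when any account dials a known-bad number (and surfaces the other source IPs calling it), and a shared block list whose reports are weighted by how much each submitter is trusted, worked through as a small added example. This is not code from the list or from either poster; the call-log format, the trust weights and the threshold of 1.0 are assumptions made for the illustration.

```python
"""Known-bad-number trigger plus trust-weighted block decisions.

Added example for the VOIPSEC thread; not code from the list or its posters.
Log format, IPs, trust weights and threshold are constructed assumptions.
"""
from collections import defaultdict

# Constructed sample of call attempts as a PBX might log them:
# timestamp, source IP, account, dialed number, result
SAMPLE_CALL_LOG = """\
2014-02-21T10:01:02 203.0.113.5 ext101 2125551212 ATTEMPT
2014-02-21T10:01:09 203.0.113.5 ext101 2125551212 ATTEMPT
2014-02-21T10:02:30 198.51.100.9 ext207 2125550100 ATTEMPT
2014-02-21T10:03:11 192.0.2.77 ext101 2125551212 ATTEMPT
"""

# The number from the pseudo code in the thread, used as the only list entry.
KNOWN_BAD_NUMBERS = {"2125551212"}

# Constructed block reports from members of a hypothetical sharing group:
# (submitter, reported source IP). One submitter reports the same IP twice.
REPORTS = [
    ("carrier_a", "203.0.113.5"),
    ("small_shop_b", "192.0.2.77"),
    ("shop_d", "192.0.2.77"),
    ("shop_d", "192.0.2.77"),
    ("unknown_c", "198.51.100.9"),
]

# Assumed trust per submitter in [0, 1]: a fully trusted carrier blocks on
# its own, smaller shops must agree with each other, unknowns count for nothing.
TRUST = {"carrier_a": 1.0, "small_shop_b": 0.5, "shop_d": 0.5, "unknown_c": 0.0}


def parse_call_log(text):
    """Parse whitespace-separated call log lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, number, result = line.split()
        records.append({"ts": ts, "ip": ip, "account": account,
                        "number": number, "result": result})
    return records


def find_bad_number_callers(records, bad_numbers):
    """Map each known-bad number that was dialed to the sorted list of
    source IPs that tried it. This is the 'trigger' from the thread."""
    callers = defaultdict(set)
    for r in records:
        if r["number"] in bad_numbers:
            callers[r["number"]].add(r["ip"])
    return {n: sorted(ips) for n, ips in callers.items()}


def new_callers_to_block(records, bad_numbers, already_blocked):
    """Given IPs already blocked, return the OTHER IPs now dialing each
    bad number, i.e. the candidates the trigger should add to the block."""
    result = {}
    for number, ips in find_bad_number_callers(records, bad_numbers).items():
        fresh = [ip for ip in ips if ip not in already_blocked]
        if fresh:
            result[number] = fresh
    return result


def block_decisions(reports, trust, threshold=1.0):
    """Sum submitter trust per reported IP, counting each submitter once per
    IP, and block when the sum reaches the threshold."""
    score = defaultdict(float)
    seen = set()
    for submitter, ip in reports:
        if (submitter, ip) in seen:
            continue  # a repeated report from the same member is not a second vote
        seen.add((submitter, ip))
        score[ip] += trust.get(submitter, 0.0)
    return {ip: total >= threshold for ip, total in score.items()}


if __name__ == "__main__":
    recs = parse_call_log(SAMPLE_CALL_LOG)
    print("bad-number callers:", find_bad_number_callers(recs, KNOWN_BAD_NUMBERS))
    print("also block:", new_callers_to_block(recs, KNOWN_BAD_NUMBERS, {"203.0.113.5"}))
    print("block decisions:", block_decisions(REPORTS, TRUST))
```

With the constructed data, the trigger reports both 203.0.113.5 and 192.0.2.77 dialing the listed number; if the first is already blocked, 192.0.2.77 is the one to act on. On the report side, the carrier's single report is enough, the two small shops together just reach the threshold, and the unknown submitter's report is recorded but does not block anything on its own.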