
On 05/18/2011 12:59 PM, J. Oquendo wrote:
On 5/18/2011 12:46 PM, Alex Balashov wrote:
Ghetto, but goes a long way in helping harden individual Asterisk servers on which one has no choice but to leave the SIP call agent open to the public Internet:
http://www.infiltrated.net/scripts/moreghetto.txt
You could also use the VABL to block known idiots:
wget -qO - www.infiltrated.net/vabl.txt | awk '{print "iptables -A INPUT -s "$1" -j DROP" |"sort"}' | uniq | sh
Indeed.

I'm a huge fan of http://countries.nerd.dk as a place to get a list of all non-ARIN net block assignments and firewalling those off.

--
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
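
The wget|awk|sh one-liner quoted above executes whatever text the feed happens to serve. The following is an added example, written for this page and not taken from the thread or from the infiltrated.net scripts, that does the same job (load a feed, de-duplicate it, emit DROP rules) but parses every line as an IPv4 address or CIDR first, skips entries that overlap a local whitelist, and calls iptables without a shell. The feed contents, the chain name VABL and every address in it are constructed placeholders.

```python
"""Added example (not from the thread): load an IP blocklist feed into
iptables without piping the feed text straight into sh.

Assumptions that are ours, not the original posts': the feed is plain text
with one IPv4 address or CIDR per line and optional '#' comments; the chain
name VABL and all addresses below are placeholders.
"""
import ipaddress
import subprocess

# Constructed stand-in for a fetched feed (e.g. the body of vabl.txt).
# It deliberately contains a duplicate, a comment, RFC1918 space and a
# line that would run as a command if the feed were piped into sh.
SAMPLE_FEED = """\
# constructed feed contents
203.0.113.7
203.0.113.7
198.51.100.0/24
not-an-address; rm -rf /
192.0.2.44   # trailing comment
10.0.0.0/8
"""

# Networks a feed must never make us drop: RFC1918 and loopback (which a
# public feed has no business listing), our own space, upstream peers.
# Placeholder values.
WHITELIST = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "198.51.100.0/25",   # pretend this is our own /25 or an upstream SIP peer
)]


def parse_feed(text):
    """Return sorted, de-duplicated IPv4 networks parsed from feed text.

    Each line goes through ipaddress.ip_network(); anything that does not
    parse is discarded, so a malformed or tampered feed line can never be
    executed the way `... | sh` would execute it.
    """
    nets = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue
        if net.version == 4:
            nets.add(net)
    return sorted(nets)


def filter_whitelist(nets, whitelist):
    """Drop every feed entry that overlaps a whitelisted network.

    Overlap (rather than exact match) is the conservative choice: a /24 in
    the feed that contains our own /25 is skipped entirely rather than
    partially applied.
    """
    return [n for n in nets if not any(n.overlaps(w) for w in whitelist)]


def build_rules(nets, chain="VABL"):
    """Return iptables invocations as argv lists; no shell is involved."""
    rules = [["iptables", "-N", chain], ["iptables", "-F", chain]]
    for n in nets:
        rules.append(["iptables", "-A", chain, "-s", str(n), "-j", "DROP"])
    return rules


def apply_rules(rules, dry_run=True):
    """Print the rules, or run them (-N fails harmlessly if the chain exists)."""
    for argv in rules:
        if dry_run:
            print(" ".join(argv))
        else:
            subprocess.run(argv, check=False)


if __name__ == "__main__":
    kept = filter_whitelist(parse_feed(SAMPLE_FEED), WHITELIST)
    apply_rules(build_rules(kept))
```

Each reload flushes and refills the dedicated chain, so hook it into INPUT once with `iptables -I INPUT -j VABL`; to use a real feed, replace SAMPLE_FEED with the fetched body. For feeds of thousands of entries an ipset hash:net set matched by a single rule scales far better than a linear chain.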

On Wed, 2011-05-18 at 13:03 -0400, Alex Balashov wrote:
I'm a huge fan of http://countries.nerd.dk as a place to get a list of all non-ARIN net block assignments and firewalling those off.

It's funny, I have used this approach on several personal servers that got an undeserved amount of attention from APNIC. Originally I followed a similar methodology of simply blocking, but after a while I began having fun and using the script to have iptables NAT all of the attackers back at one of them randomly. Admittedly these were mostly attacks against TCP-based services. It was a lot like having an ant farm full of scammers and software pirates.

Sorry for getting sorta off-topic....

-anorexicpoodle

On 5/18/2011 3:55 PM, anorexicpoodle wrote:
After a while I began having fun and using the script to have iptables NAT all of the attackers back at one of them randomly. Admittedly these were mostly attacks against TCP-based services. It was a lot like having an ant farm full of scammers and software pirates.

There is the phorensix dialplan/context/honeypot slash Incident Response ;) (http://www.infiltrated.net/scripts/phorensix). I once swapped a compromised account over into that context and out of boreDumb did some interesting things: "In order to place this call please enter a callback" (wish at the time I had that in Egyptian). Nevertheless, you'd be surprised at how many "scamsters" dial their own numbers trying to test whether or not an account they compromised works. I also did some not so interesting and outright juvenile things: made a dialplan that had them converse with Les Grossman (http://www.google.com/search?q=les+grossman) to play back the captured sound :D Hey, I get bored!

Anyhow, I noticed while doing all of this that there was A LOT of potential to do some interesting things. The biggest gripe I have with Asterisk and other open source based PBXs is the symmetry in logs. It's not fluid. One of the reasons I never built an "all out" honeypot: I have to modify so much across different versions. However, this is also the beauty of Asterisk and similar open source type PBXs; there is so much you can do, but it almost always needs to be custom.

I also have an insane expect to .bashrc script back to expect + ssh key script which runs on an SBC, parses some of the SBC logs, pushes the output to a Linux machine, gets re-parsed on the Linux box, triggers an alert (right now to my SIP Blackberry client & Snom) based on predefined params (volume of calls, destination of calls) and has the capability of doing trigger-based blocking (expect). Right now though, it's only running on our nCite SBCs, and once I become more comfortable with our Acme's logging capabilities, I may do the same type of scripting: from a syslog-based machine, parse elsewhere, sort out, pick out a trigger, create a rule, send it via expect to some defense mechanism. Depends on how REALLY bored I get and whether or not I actually even start looking at our Acmes.

(Personally, I'd rather leave this to my colleague ;))

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett

42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF

J. Oquendo wrote:
I also have an insane expect to .bashrc script back to expect + ssh key script which runs on an SBC, parses some of the SBC logs, pushes the output to a Linux machine, gets re-parsed on the Linux box, triggers an alert based on predefined params (volume of calls, destination of calls) and has the capability of doing trigger-based blocking (expect).

Interesting you should bring this up, as it is something I have been fiddling with now for a little while. I have all our Acmes feeding a syslog server in SQL, and I parse those logs to generate lists of particularly bad offenders, then use that process to seed a blacklist BGP feed that all my edge routers draw from and then null route those offenders at the edge of my network, or for particularly bad attacks use BGP communities to signal our bandwidth provider to null them.

This has the benefit of providing a measure of intelligent protection network-wide, even when the attack is focused on a single element, and can guard against both SIP-based attacks and more traditional DDoS attacks as well.

On 5/18/2011 4:42 PM, anorexicpoodle wrote:
I have all our Acmes feeding a syslog server in SQL, and I parse those logs to generate lists of particularly bad offenders, then use that process to seed a blacklist BGP feed that all my edge routers draw from and then null route those offenders at the edge of my network, or for particularly bad attacks use BGP communities to signal our bandwidth provider to null them.

Un-cc'd you guys to stop the dupes ;)

The logic you have sounds cool; however, I would have to be cautious blacklisting entire ASNs as we do have some clients abroad with interconnected trunks to their offices here. I like running phorensix since it gives me an indication of "which country is hot" for fraud right now. I called "Romania" back in Sept of 2010 and lo and behold arrests hit that country for fraud. In Oct I called "Egypt", which is a hotspot (ASN 8452). Soon I'll tinker around with Acme via syslog and maybe I'll revise something for phorensix soon and make it public.

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett

42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF

On Wed, 2011-05-18 at 16:52 -0400, J. Oquendo wrote:
The logic you have sounds cool; however, I would have to be cautious blacklisting entire ASNs as we do have some clients abroad with interconnected trunks to their offices here.

Not blacklisting entire ASNs, feeding specific /32s into a BGP feed (usually hosted on Vyatta or Quagga in a VM), though it does kinda bring up some interesting ideas about correlating the blacklisted /32s to specific ASNs and countries for alert grouping and reporting. I'll have to have a play with that.

Here is where I got the original idea: http://www.team-cymru.org/Services/Bogons/bgp.html

And I just extended it to feed from other sources via scripted input and hosted the feed myself.

----- Original Message -----
From: "anorexicpoodle" <anorexicpoodle at gmail.com>
To: "J. Oquendo" <sil at infiltrated.net>
Cc: VoiceOps at voiceops.org
Sent: Wednesday, May 18, 2011 5:01:39 PM
Subject: Re: [VoiceOps] Fraud fun

Not blacklisting entire ASNs, feeding specific /32s into a BGP feed (usually hosted on Vyatta or Quagga in a VM), though it does kinda bring up some interesting ideas about correlating the blacklisted /32s to specific ASNs and countries for alert grouping and reporting. I'll have to have a play with that.

BGP communities & null route black holes sure are fun for that sort of thing. Make sure you whitelist core services. Things can go sideways when your attacker realizes they can send bogus SIP from your upstream SIP peer IPs and have you auto-block your providers. Auto-blocking root DNS servers is a joy too! There are a couple of scripts that eat up snort logs to generate quagga BGP announcements; shouldn't be too hard to mess with the SIP rules in snort and have it running on a span port.

-Matt

--
Matthew S. Crocker
President
Crocker Communications, Inc.
PO BOX 710
Greenfield, MA 01302-0710
http://www.crocker.com
P: 413-746-2760
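
J. Oquendo's SBC-log triggers (volume of calls, destination of calls), anorexicpoodle's syslog-to-BGP blackhole feed and Matt's warning about whitelisting core services describe one pipeline. The following is an added example, written for this page and not code from any of the posters, their SBCs or their feeds, that runs that pipeline over a handful of constructed log lines: count rejected requests per source, flag any accepted call to a watched destination prefix, drop anything that falls inside a trusted-peer list (so a forged source address of the upstream trunk never becomes a blackhole route), and render the rest as /32 network statements for Quagga bgpd. The log format is made up and is not the Acme Packet or nCite format; the thresholds, the watched prefix, the peer addresses, the ASN and the route-map name BLACKHOLE are all placeholders.

```python
"""Added example (not from the thread): turn SBC/PBX syslog into a list of
offending /32s and render them as a Quagga bgpd blackhole fragment, with
trusted peers exempted.

Assumptions that are ours: the log line format below is constructed and is
not the Acme Packet or nCite format; the thresholds, watched prefix, peer
addresses and ASN are placeholders; a route-map named BLACKHOLE that sets
the community your upstream expects (65535:666 is the RFC 7999 BLACKHOLE
community) is assumed to already exist on the feed router.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log lines: a brute-forcer, a legitimate customer, the
# upstream trunk apparently failing auth (what a spoofed source address would
# look like), and an accepted call to a watched destination.
SAMPLE_LOG = """\
May 18 16:40:01 sbc1 sipd: method=REGISTER src=203.0.113.9 dst=- result=REJECT reason=auth
May 18 16:40:02 sbc1 sipd: method=REGISTER src=203.0.113.9 dst=- result=REJECT reason=auth
May 18 16:40:02 sbc1 sipd: method=REGISTER src=203.0.113.9 dst=- result=REJECT reason=auth
May 18 16:40:03 sbc1 sipd: method=INVITE src=203.0.113.9 dst=+20123456789 result=REJECT reason=auth
May 18 16:40:05 sbc1 sipd: method=INVITE src=198.51.100.20 dst=+14135551212 result=OK reason=-
May 18 16:40:06 sbc1 sipd: method=INVITE src=198.51.100.20 dst=+14135551213 result=OK reason=-
May 18 16:40:07 sbc1 sipd: method=REGISTER src=192.0.2.10 dst=- result=REJECT reason=auth
May 18 16:40:07 sbc1 sipd: method=REGISTER src=192.0.2.10 dst=- result=REJECT reason=auth
May 18 16:40:08 sbc1 sipd: method=REGISTER src=192.0.2.10 dst=- result=REJECT reason=auth
May 18 16:40:08 sbc1 sipd: method=REGISTER src=192.0.2.10 dst=- result=REJECT reason=auth
May 18 16:40:09 sbc1 sipd: method=INVITE src=203.0.113.55 dst=+20155550000 result=OK reason=-
"""

LINE_RE = re.compile(
    r"method=(?P<method>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) result=(?P<result>\S+)")

# Never blackhole these, whatever the log says: SIP over UDP lets an attacker
# forge the upstream trunk's source address and get it auto-blocked.
TRUSTED = [ipaddress.ip_network(n) for n in (
    "192.0.2.10/32",      # upstream SIP trunk (placeholder)
    "198.51.100.0/25",    # our own customer-facing range (placeholder)
)]

REJECT_THRESHOLD = 3        # rejected requests from one source in the window
WATCH_PREFIXES = ("+20",)   # destinations where one accepted call is enough (placeholder)


def parse(log_text):
    """Extract method/src/dst/result from each line that matches the format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED)


def find_offenders(events):
    """Return {src_ip: reason} for untrusted sources that trip a trigger."""
    offenders = {}
    rejects = Counter(e["src"] for e in events if e["result"] == "REJECT")
    for src, count in rejects.items():          # volume trigger
        if count >= REJECT_THRESHOLD:
            offenders[src] = f"{count} rejected requests"
    for e in events:                             # destination trigger
        if e["result"] == "OK" and e["dst"].startswith(WATCH_PREFIXES):
            offenders.setdefault(e["src"], f"accepted call to watched destination {e['dst']}")
    return {src: why for src, why in offenders.items() if not is_trusted(src)}


def render_quagga(offenders, asn=65000):
    """Render the offenders as /32 networks under router bgp, one per line."""
    lines = [f"router bgp {asn}"]
    for ip in sorted(offenders, key=ipaddress.ip_address):
        lines.append(f" ! {ip}: {offenders[ip]}")
        lines.append(f" network {ip}/32 route-map BLACKHOLE")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_quagga(find_offenders(parse(SAMPLE_LOG))), end="")
```

On the sample input the trunk at 192.0.2.10 fails auth four times, which would trip the threshold, and is still left out because it is trusted; only 203.0.113.9 and 203.0.113.55 are rendered. For bgpd to actually announce each /32 there must be a matching route in the RIB (a static `ip route x.x.x.x/32 Null0` in zebra) or `no bgp network import-check` must be set; whether the provider honours 65535:666 or wants its own community is something to confirm with them before the first real attack.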
participants (4)
- abalashov@evaristesys.com
- anorexicpoodle@gmail.com
- matthew@corp.crocker.com
- sil@infiltrated.net