Download presentation
Presentation is loading. Please wait.
1
The #1 Issue on VoIP, Fraud!
“Know your enemy” Sun Tzu's The Art of War The #1 Issue on VoIP, Fraud! Hello, Good afternoon to all participants. The presentation today is about the #1 issue in ITSPs called VoIP Fraud. There are several types of attacks to the VoIP infrastructure, but we are going to concentrate here only on the ones that costs money directly in the end of the month. The objective is to learn how to prevent and reduce damages caused by VoIP Frud. How to identify, prevent and reduce damages caused by fraud Flavio E. Goncalves
2
About me Author of the book
“Building Telephony Systems with OpenSIPS” CEO of sippulse.com a turnkey OpenSIPS solution for Telcos and Hosted PBX. Member of the OpenSIPS foundation.
3
Agenda How big is the problem? Anatomy of an attack. Types of attacks Mitigation techniques How to reduce damage if all previous measures failed This our extensive agenda, Warning: This presentation is about VoIP fraud, there are many security issues, such as DOS and Eavesdropping not covered here !
4
How big is the problem? June, 2009 – announced it had broken up a $55 million toll fraud ring that was operating internationally and targeting enterprise PBXs Source: Network World December, 2010 – 11 million Euros on VoIP Fraud, calling to premium numbers in Somalia, Sierra Leone…. In the first place, let me ask you here. Please raise your hand if you or some customer has had economic losses in the last six months caused by a VoIP vulnerability or misconfiguration? Source: SipVicious Blog
5
Anatomy of a simple attack.
Step 1 – Buy a Premium Rate Number Step 2 – Find a vulnerable VoIP device And call the premium rate number Anatomy of a simple attack. What attackers are doing lately is to buy a premium rate number, find vulnerable system, and here it can be a PBX or even a phone and finally they cash-out in the premium rate number, usually in a country where is very difficult to prosecute the offenders such as Somalia and North Korea. Step 3 – Cash-out in the premium number
7
Common ways to get a password
SIP Scan and Bruteforce TFTP attacks Phone vulnerabilities Signaling Attacks PBX web interface vulnerabilities
8
Under Heavy Attack! Basic Scan – sipvicious, friendly-scanner
Distributed SCAM by W32.Sality virus (discovered by Symantec/2010) Thousands of Corporate PBXs In the last year we faced a new challenge presented by distributed SIP scanning. The botnet created by the sality virus ran a possible variant of the sipvicious scan using Asterisk PBX as the user agent. The number of scans multiplied by ten and some servers started to have problems with flooding by the excessive number of requests. SIP Scan. Thousands of Register Attempts. Sality Peer-to-Peer Botnet Source: Symantec
9
SIP Scan Mitigation Mandatory strong passwords
8 digits minimum, special chars… Detect multiple authentication failures Block IP with Fail2Ban Block IP with Event Interface (OpenSIPS 1.7) Early detection and discard Detect specific signatures and patterns The main recommendations for SIP SCAN mitigation are: Early Detection and Discard Obligate users to use strng passwords Using fail2ban do ban multiple failed authentication attempts Using the brand new OpenSIPS 1.7 you can use the event interface to generate security events. Using an external software you can correlate this events and generate actions such as to ban a user in IPTABLES or any other firewall.
10
Signaling Attacks Malformed BYEs. Radius Server
Generate incorrect duration on CDR SIP Proxy Bye with wrong Cseq/Routing Set Signaling attack is another form of stealth attack. You will only see the results when doing the mediation between you and your wholesale provider. The attack is capable to stop your billing before the actual end of the call. Using a malformed BYE one attacker can simply drop the billing and keep the call active. In small scale it is very hard to detect. Bye with wrong Cseq: BYE DETECTED STOP BILLING!! WRONG CSEQ DISCARD!!
11
Mitigation for Signaling Attacks
Dialog Aware Proxy if (has_totag()) /*sequential requests*/ if (!validate_dialog()) fix_route_dialog(); To mitigate the malformed BYE attack you need to check the BYE request against a DIALOG. This is possible using OpenSIPS version 1.6 or superior.
12
With credentials in plain text
TFTP Attack Trivial Attack against VoIP Infrastructure 1st Option bruteforce tftp server 2nd Option sniff tftp files using MitM techniques Get file A5B6C.cfg TFTP Server Get file A5B6D.cfg … Plaintext Configuration File With credentials in plain text XML or not Another form of attack is the TFTP attack. Some ITSPs use TFTP to provision SIP ATAs or Phones. Even internally this is very dangerous. It is very easy for an attacker to brute force a TFTP server trying download each possible configuration file name. Even worse, a hacker can sniff the TFTP files being sent over the wire simply using a UDP dump utility Solution Use HTTPS or Encrypted config files
13
Attacks on SIP Phones How many of you change the default password for IP phones? How many of you update the IP Phone’s firmware regularly? After several months scanning servers, now most server already have strong passwords and a good percentage use fail2ban. Attackers are now using a different approach, trying to find vulnerabilities on phones and SIP phones open in the wild internet. Let me ask you a question. Please, raise your hand if you constantly update the firmware of the phones. Raise your hand now if you have changed the password for all default phone password on phones. Soory to say that even if you changed all the passwords there are still some hardcoded in some phones. Video #2 Video #1
14
More sophisticated attacks
SIP Digest Leak (1) INVITE in Mute (2) 200OK, User Answered (3) BYE, No Audio? (4) 401, WWW-Authenticate? (5) BYE, With Phone Credentials SIP digest leak. The first time I heard about it was in the sipvicious blog. It is an effective way to steal the credentials from a phone. Current estimated time needed to break all 8 chars length passwords [a-zA-Z0-9]{1,8} days [a-z0-9]{1,8} days Credits to Sandro Gaudio: blog.sipvicious.org
15
Mitigation for phone attacks
Don’t allow http/ssh access to the phones Disable the web interface when possible. Prefer secure automatic provisioning Standardize phones, update regularly. For SIP Digest Leak, drop 401 or 407 originated by subscribers.
16
Malformed Packets Attack Mitigation
Malformed packets can be used to exploit buffer overflows on phones. Tools: Protos TEST suite Mitigation Detect malformed packets using OpenSIPS Use Error_route to generate alerts Handle exceptions Use the event interface or fail2ban to ban the ofenders failregex= Auth Error for .* from <HOST> cause -[0-9] Malformed SIP request from user .* from <HOST>
17
TLS and SRTP Not very effective against fraud
TLS is not used for authentication in most cases TLS can help to avoid MitM attacks SRTP and ZRTP protect you against eavesdropping, but do not prevent a fraudulent call to a premium rate number
18
What OpenSIPS can offer to help you?
Subscribers Security and Admission Box VoIP Infrastructure Event and Alerting System Firewall Layer
19
What OpenSIPS can offer?
TLS and protocol translation Nonce re-usage prevention PIKE to detect spikes in req/s Rate-Limit to throttle SIP traffic Access any SIP header for sanity checks Signature detection Use the new event interface Predefined events E_PIKE_BLOCKED raise_event(event_name[, attrs] [, vals]) Connect the event interface to a firewall and/or alerting system Global Blacklists for premium rate numbers
20
Tips to prevent attacks
Use strong passwords Detect and drop specific signatures Ban IPs with authentication or malformed failures Drop 401 and 407 from subscribers Validate sequential requests, mainly BYEs Use secure provisioning for phones Do not allow unsecure external access to your system Update phones regularly Use TLS when possible to avoid MitM attacks Use a secure network ARP Inspection Secure voice VLAN
21
Damage Control Face a simple fact, sooner or later, a system open to the Internet will be compromised. The hacker’s advantage Administrators have to defend against all attacks, while one vulnerability is enough for the attacker! The administrator is one, attackers are many!
22
Tips to reduce possible damages?
Do not allow all routes to all users. Block premium-rate numbers (1-900) Do not route numbers without a defined rate Limit the number of simultaneous calls Drop calls after a certain period of time. Prefer prepaid, for postpaid use quotas Consider geo-ip restrictions for customers 8. Build an alert system for unusual patterns 9. Use two-way authentication for high-risk routes
23
Visit www.sippulse.com, a turnkey solution based
Thank You! Next OpenSIPS eBootcamp September 19th Learn OpenSIPS! Visit a turnkey solution based on OpenSIPS Questions and contact, please send an to or
Similar presentations
© 2025 SlidePlayer.com Inc.
All rights reserved.