Sjur Usken

Views on new technologies and business opportunities from Sjur Usken

Category Archives: VoIP

Open letter to the people behind the SIP scans….


I have written a letter to the people in charge of the SIP scanning and the owner of the network. I have now sent it to several of the parties responsible for those IP addresses.

——-

Dear support personnel

We have repeatedly been scanned for open SIP (VoIP) access from IP
addresses: 113.105.152.101, 113.105.152.102 and 113.105.152.104.
The last time was February 27th 2010, but this scanning has been going
on for a long time, first reported back in December 2009.

http://www.usken.no/2010/02/and-the-scanning-just-keeps-on-coming/

http://pbxinaflash.com/forum/showthread.php?t=6223

http://www.freepbx.org/forum/freepbx/users/call-log-with-asterisk-in-both-source-and-clid-columns

We believe this is fraudulent activity to scan for open SIP gateways to
route traffic towards the telephony network.

Please inform the owners of these servers that this activity is not
tolerated and seen as an attack on our servers.

regards

sjur

And the scanning just keeps on coming


A China-based server has been very active in the last few days, and googling the IP addresses (113.105.152.102 and 113.105.152.104) shows that they have been scanning for a long time.

One Asterisk owner was hit in December 2009 and others back in November. Others start debugging and ask in public support forums what it is. There will be even more of this scanning in the coming months!

Some have added firewall rules like:

deny 113.105.152.102/255.255.255.255
deny 66.117.50.225/255.255.255.255
deny 204.57.122.6/255.255.255.255

But this will not hold for long before new IP addresses show up.

What to do about it?

  • Secure your IP PBX and don’t leave port 5060 open to everybody.
  • If you must, use very long and strong passwords on all extensions (or use port knocking).
  • Make sure that callers into your PBX are not allowed into any outbound context that makes you pay for their calls.

VoIP hackers getting their sentence….


Old news for those of us in VoIP, but a reminder for anyone who thinks they can abuse VoIP systems and get away with it.

Dan York has a good overview of it on his blog:

Updating a story we have literally been following for years ever since it broke back in July 2006, the FBI recently issued a news release indicating that Edwin Pena pled guilty in what we have been calling the “Pena/Moore VoIP fraud case”. From the news release:

Edwin Pena, 27, a Venezuelan citizen, pleaded guilty before U.S. District Judge Susan D. Wigenton to one count of conspiracy to commit computer hacking and wire fraud and one count of wire fraud. Judge Wigenton continued Pena’s detention without bond pending his sentencing, which is scheduled for May 14.

SIP scanning causes DDoS on IP 1.1.1.1


RIPE said a long time ago that IPv4 is running out of addresses. Now they are also allocating the 1.x.x.x network for production traffic. This is a bit problematic, since people have been using addresses like 1.1.1.1 and 1.2.3.4 as examples in scripts, tools and manuals, and people who don’t know any better try to contact them. When routes to these networks went live, a LOT of traffic started coming in.

What made it interesting for Sandro at EnableSecurity was that most of the traffic was UDP (60 %) and almost 90 % of it went to IP address 1.1.1.1. This is the text from RIPE’s article about it:

We found that almost 60% of the UDP packets are sent towards the IP address 1.1.1.1 on port 15206 which makes up the largest amount of packets seen by our RRC. Most of these packets start their data section with 0x80, continue with seemingly random data and are padded to 172 bytes with an (again seemingly random) 2 byte value.

This can actually be RTP traffic (VoIP audio) generated by hosts that are vulnerable to SIP INVITE attacks, as Sandro points out in his comment and on his blog.

This is also alarming! This scanning, with the RTP audio defaulted to IP 1.1.1.1 and port 15206, seems to be doing REALLY well on the Internet. There are a lot of insecure VoIP platforms accepting and answering ANY SIP INVITE they get. The software doing it is NOT SIPVicious but something else; it normally sends the SIP INVITEs from port 3058. If anybody knows anything about this software, please contact me.

I have had a slide in my VoIP presentations about this scenario. If you do a SIP INVITE sweep, you should NOT have a valid IP address for the audio. Every successful INVITE would then generate at least 20 seconds of a 0.1 Mbit per second stream (G.711 audio) to your IP address. A SIP INVITE sweep with your own IP as the receiver for the RTP traffic will not take long to backfire, and you end up with a DDoS on yourself (well earned, though, IMHO).
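As an added example (not code from this post, RIPE or EnableSecurity), the following Python recognises datagrams of the shape RIPE described (first byte 0x80, 172 bytes) as G.711 RTP and sizes what one answered INVITE costs the receiving host, which is where the 20 seconds of roughly 0.1 Mbit/s comes from. The sample packet and its SSRC are constructed.

```python
import struct

RTP_VERSION = 2
G711_PAYLOAD_TYPES = {0: "PCMU", 8: "PCMA"}  # static RTP payload types for G.711 u-law / A-law
G711_PTIME_MS = 20                            # usual G.711 packetisation interval
G711_PAYLOAD_BYTES = 160                      # 8000 samples/s * 1 byte * 0.020 s
IPV4_UDP_OVERHEAD = 20 + 8                    # header bytes added per packet on the wire

def parse_rtp(packet):
    """Decode the fixed RTP header (RFC 3550); return None if it is not RTP version 2."""
    if len(packet) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != RTP_VERSION:
        return None
    header_len = 12 + 4 * (b0 & 0x0F)   # CSRC count extends the header
    if len(packet) < header_len:
        return None
    return {"padding": bool(b0 & 0x20), "extension": bool(b0 & 0x10),
            "marker": bool(b1 & 0x80), "payload_type": b1 & 0x7F,
            "sequence": seq, "timestamp": ts, "ssrc": ssrc,
            "payload": packet[header_len:]}

def classify_rtp(packet):
    """Name the codec when the datagram matches what RIPE saw: first byte 0x80,
    172 bytes in total, and a G.711 payload type; otherwise return None."""
    hdr = parse_rtp(packet)
    if hdr is None or hdr["padding"] or hdr["extension"]:
        return None
    if hdr["payload_type"] not in G711_PAYLOAD_TYPES:
        return None
    if len(hdr["payload"]) != G711_PAYLOAD_BYTES:
        return None
    return G711_PAYLOAD_TYPES[hdr["payload_type"]]

def wire_bits_per_second(udp_payload_len, ptime_ms=G711_PTIME_MS):
    """Bandwidth one stream costs the receiving host, IPv4 and UDP headers included."""
    packets_per_second = 1000 // ptime_ms
    return (udp_payload_len + IPV4_UDP_OVERHEAD) * 8 * packets_per_second

def burst_volume_bytes(seconds, udp_payload_len=172, ptime_ms=G711_PTIME_MS):
    """Bytes the target receives per answered INVITE that streams for `seconds` seconds."""
    return wire_bits_per_second(udp_payload_len, ptime_ms) // 8 * seconds

# Constructed sample: one PCMU packet, sequence 1, timestamp 160, made-up SSRC,
# 160 bytes of filler "audio" (real packets carry seemingly random codec output).
SAMPLE_PACKET = struct.pack("!BBHII", 0x80, 0x00, 1, 160, 0x1234ABCD) + bytes(range(160))

if __name__ == "__main__":
    print(classify_rtp(SAMPLE_PACKET), len(SAMPLE_PACKET), wire_bits_per_second(172))
```

With 172-byte datagrams every 20 ms the wire rate is 80 kbit/s per stream, so one answered INVITE that streams for 20 seconds delivers about 200 kB to the address in the SDP.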

So what is next?

I would love to have a honeypot or get access to the traffic going to IP 1.1.1.1. All hosts that send RTP traffic to this address should be contacted and asked to secure their servers!

Status now from RIPE:

Since the traffic patterns seemed to be stable we decided to withdraw the announcement of 1.1.1.0/24 and 1.2.3.0/24 on 2 February 2010.

Vulnerability in FreePBX 2.5 and 2.6


The Exploit Database reports that FreePBX versions 2.5 and 2.6 are vulnerable to Cross-Site Scripting (XSS).

An affected user may unintentionally execute scripts or actions written by
an attacker. In addition, an attacker may obtain authorization cookies
that would allow him to gain unauthorized access to the application.

This is just the beginning of vulnerabilities in VoIP applications. Up until now there has been no need for vulnerabilities to exploit VoIP services: too many IP PBXes have been configured insecurely and are easy to abuse.

The next wave will see more exploits being used against IP PBXes. They are often built on the same protocols and applications as any other server.


And the VoIP scanning just keeps on coming


Mark Waters had his Asterisk scanned for extensions without passwords or easy passwords. Mark writes: “I have now set allowguest=no in /etc/asterisk/sip.conf and will monitor how this affects regular incoming calls and also the next ‘attack’”

If he really needs his Asterisk reachable on port 5060, he could use SSH tunnelling for the SIP signalling, or a port-knocking scheme that opens port 5060 only from his current IP when needed.

I will check what he does on the next attack.

Have you checked your logs lately?


More automatic VoIP attacks – 10 000 hits in minutes…


Over 10 000 hits on one single VoIP honeypot within minutes. This is becoming the norm.

How they do it:

  1. They use SIPVicious to scan with SIP OPTIONS messages.
  2. If they get a response, the scan is followed up with SIP REGISTER on all extensions from 100 to 9999.
  3. Then they pick an extension and brute-force its password (another load of REGISTERs).
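A defender-side detector for the three steps above, written as an added example (not code from this blog, from Asterisk or from SIPVicious): it parses failed-REGISTER NOTICE lines in the shape Asterisk's chan_sip logs them and flags a source that sweeps many extensions in a short window or hammers a single one. The log lines and IPs are constructed, and the window and thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Shape of the chan_sip NOTICE line Asterisk logs for a failed REGISTER (no year is logged).
LOG_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.+)$")
EXT_RE = re.compile(r"sip:(\w+)@")

def parse_line(line):
    """Return {ts, ip, ext, reason} for a failed-REGISTER line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ext = EXT_RE.search(m.group("from"))
    return {"ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),  # year defaults to 1900
            "ip": m.group("ip"), "ext": ext.group(1) if ext else None,
            "reason": m.group("reason")}

def classify_sources(lines, window_s=60, sweep_threshold=20, brute_threshold=10):
    """Per source IP: failed REGISTERs, distinct extensions tried, and which scan phase the
    pattern matches (sweep across many extensions, or many tries on one). Thresholds are assumptions."""
    by_ip = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_ip[ev["ip"]].append(ev)
    report = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        per_ext = Counter(e["ext"] for e in evs if e["ext"])
        labels = []
        if span <= window_s and len(per_ext) >= sweep_threshold:
            labels.append("extension-sweep")
        if per_ext and per_ext.most_common(1)[0][1] >= brute_threshold:
            labels.append("brute-force:" + per_ext.most_common(1)[0][0])
        report[ip] = {"attempts": len(evs), "extensions": len(per_ext), "labels": labels}
    return report

def _line(sec, ext, ip, reason):
    return ("[Feb 27 03:14:%02d] NOTICE[2468] chan_sip.c: Registration from "
            "'\"%s\"<sip:%s@198.51.100.7>' failed for '%s' - %s") % (sec, ext, ext, ip, reason)

# Constructed sample log (documentation-range IPs): one host sweeps 100-124, then hammers 100; a user mistypes twice.
SAMPLE_LOG = ([_line(s, str(100 + s), "203.0.113.5", "No matching peer found") for s in range(25)]
              + [_line(30 + s, "100", "203.0.113.5", "Wrong password") for s in range(12)]
              + [_line(40, "201", "192.0.2.10", "Wrong password"),
                 _line(45, "201", "192.0.2.10", "Wrong password")])
REPORT = classify_sources(SAMPLE_LOG)   # 203.0.113.5 gets both labels; 192.0.2.10 gets none
```

The scanner host ends up with 37 failed attempts over 25 extensions and the labels "extension-sweep" and "brute-force:100", while the mistyping user stays unlabelled; feeding the report into a firewall deny list gives you the rules above without writing them by hand.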

What does this mean for you?

If you have a VoIP platform that handles REGISTERs or INVITEs on a public IP, you had BETTER have good passwords! And you need to be able to handle large loads if you have no other protection!

If you can lock it down based on access lists or with VPN, do so now!


Filter away those SIP attacks


Finally, an open-source solution to filter away those SIPVicious and other SIP attacks. SecSIP is a stateful SIP protection system which analyses the SIP signalling on the fly and decides whether to forward it or not. It can throttle the number of SIP messages (useful, since one of my VoIP honeypots was hit with 16 000 INVITEs within 8 minutes).

Great work, and I’m looking forward to testing it out live!

The number of VoIP scans has exploded


If you have an IP PBX on a public IP, and you are not quite sure if it is secure enough, you should get to it now!

Scans on port 5060 have exploded in the last few days. Previously it was a couple of hits a week; now it is up to 100 a day. This means that if your VoIP setup is not 100% secure, others will find it and abuse it! And you will get the telephony bill!

Get to it, secure your VoIP communication platform right now!

Check the following:

  • All users have strong passwords
  • Access lists are updated, preferably both ways (both incoming and outgoing traffic on the server)
  • No unused services are enabled
  • Latest patches are on the server OS
  • Latest patches are on the application
  • Latest SECURE firmware is on the hardware endpoints (phones etc.)
  • Other services on the platform like web servers, TFTP, FTP and SSH are locked down or have VERY strong passwords
  • Traffic from the user into the server is encrypted (to make eavesdropping harder)
  • The PCs accessing your platform are secure. Any keyloggers or sniffers installed there?
  • Forgotten something? Please comment


Why are there VoIP attacks from port 3058?


I have been picking up more and more hits in the VoIP honeypots lately. What puzzles me is that several of them originate from different IPs but the same source port. IANA has assigned port 3058 to the following:

videobeans 3058/tcp videobeans
videobeans 3058/udp videobeans

IPs that have hit one or more of our honeypots in the last few days:

From port 3058
64.62.243.6
67.23.3.128
69.64.38.111

Other ports
174.129.70.133
207.239.216.52
207.239.216.53
208.38.164.48

Notice the two consecutive IPs, 207.239.216.52 and .53.

But why port 3058? The reason is probably simple, but for now my guess is the same software running on PCs with a public IP.