Okay, we'll get started. This is Craig talking about defending VoIP.

Hi everyone, I'm Craig Askings. I work for a couple of companies. One of them is NetSIP, who's a VoIP provider, so we have a bit of practical experience in this particular arena. Yes, they really are out to get you, all day, all the time. Why are they after you? Money. Pure and simple. It's either they're selling Globalstar satellite or mobile phone access in various African countries, or more commonly these days it's some kind of premium number overseas where they actually get a kickback of the revenue. It is large amounts of money now. There was a group late last year in Eastern Europe that was caught who'd done about 11 million euro worth of premium number calling, of which they were getting about a 10% kickback. They were going so well they actually set up a franchise system where they were leasing out access to these numbers to people who had hacked your system. More profitable than McDonald's, I guess.

Okay, here are some of the things, basically the logged attacks against some of our systems. As you can see there's a distinct spike on Mondays. It's actually early Monday, which is the weekend, Sunday, in the US. The reason they do this is they want to do these attacks when you're not there. They want to get a good couple of hours in where they can smash your systems. Go hard: 30 channels, 60 channels, 100 channels, simultaneous calls all up, going to these premium numbers. Some of them can be dollars per minute. All going to your phone bill.

Okay, do you really need to be on the internet for your SIP? Is it just a couple of phones in your office? If so, get behind the firewall. Don't let 5060 UDP through. Don't let 5060 TCP through. If you do have roaming people, put them behind a VPN. VPN access only. There are some hard phones these days that can connect to OpenVPN. Back to your call. Most mobile devices that do SIP can also do SIP tunnels.
Seriously, don't get on the internet unless you really need to be there. And if you are there, try and whitelist certain IPs and block everything else. So if you can do that, problem solved. If you can't, this is the rest of the story.

First thing, defence in depth. Use strong passwords. Don't use 1, 2, 3, 4, 5, 6. Don't use extension 100 with a password of 100. That will be attempt number 2 in the SIP attacks. Generally we see attack rates of about 1 to 2 megabits a second. That's anywhere between 500 to 1,000 registration attempts a second against your system. They'll start at Anthony and work their way down to Z, and extension 100 all the way through to 999. They'll just keep going.

Use fail2ban or something like that. fail2ban will watch your Asterisk logs for these attempts, and once someone's tried 3 or 4 or 5 times, whatever you configure, it will do an action of your choice. Generally the default ones that they've got, which are quite good, will add an iptables rule to firewall it and then send you off an email saying the following IP address has been banned. Make sure you whitelist your office network. I've seen it done. I've done it to myself. It will stop the attacks against your Asterisk box. It'll also free up the resources. While you're under a heavy attack, you will actually have your fellow staff members complaining that they can't make calls because the Asterisk box is down trying to do MD5 sums for all the authentication requests. This will stop the attack from actually penetrating your system. You'll still be using several megabits a second of your traffic. So it'll protect your box; you'll still be consuming data.

There's also an iptables rate limiting script. Go to the URL. I won't explain it in too much depth. What it actually does is it uses what's called hashlimit, where it keys on a combination of source and destination IP address.
So even if you've got one person actually hammering you, everyone else won't be directly affected by the rate limit. If you're really good at iptables set-up, just grab the relevant bits out of the script at that URL and just insert them in. It works quite well for anything really. You can use it for SSH. Just change the port numbers.

Limit the number of simultaneous calls on your trunks. Once you're compromised, if you've got an office of five people, do you really need 30 simultaneous calls to your upstream supplier? Do you need 100? I've seen a two person office get owned and they were doing 60 calls simultaneous. If you don't really need it, dial it back. You've already been owned. This gives you more time, as far as your wallet's concerned, while you're dealing with the situation.

Ask your telco to block international calls. Also get it in writing or an email, so when they forget you've got that to fall back on when you go to the Telecommunications Ombudsman about the size of your bill. This actually happened to a client two shops down from me. So we had a wholesale customer, and one of their clients asked our wholesale customer to block international calls. They said, yeah, we've done it. They hadn't. They got smashed. Thankfully for the wholesale customer we had our own systems in place, so they were limited to $600 in about 20 minutes.

Which of course comes to the next step. Choose a paranoid supplier. That there is an itemised bill for 60 channels used day in, day out. That's actually a legitimate bill. Our accounts department had a slight heart attack when it turned up. For some reason our supplier thought it was a good idea to give us a paper itemised bill, but yes, if you have a whole month of SIP traffic going, that's what your accounts department will get from Telstra or whoever your supplier is.

That's the basic part of the talk. I will cover something else that's not official.
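The fail2ban-style logic described above, as an added example (not the speaker's code and not fail2ban's own filter): it counts failed REGISTER attempts per source IP from constructed chan_sip-style NOTICE lines, skips a whitelisted office network, and shows the kind of iptables rule the default ban action inserts. The office network range, the sample addresses and the exact action shape are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the style of chan_sip NOTICE messages for failed REGISTERs.
SAMPLE_LOG = """\
[Mar 12 02:14:07] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@203.0.113.10>' failed for '198.51.100.7:5060' - Wrong password
[Mar 12 02:14:07] NOTICE[2231] chan_sip.c: Registration from '"101" <sip:101@203.0.113.10>' failed for '198.51.100.7:5060' - No matching peer found
[Mar 12 02:14:08] NOTICE[2231] chan_sip.c: Registration from '"102" <sip:102@203.0.113.10>' failed for '198.51.100.7:5060' - No matching peer found
[Mar 12 02:14:09] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@203.0.113.10>' failed for '192.168.1.40:5060' - Wrong password
[Mar 12 02:14:09] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@203.0.113.10>' failed for '192.168.1.40:5060' - Wrong password
[Mar 12 02:14:10] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@203.0.113.10>' failed for '192.168.1.40:5060' - Wrong password
[Mar 12 02:14:10] NOTICE[2231] chan_sip.c: Registration from '"103" <sip:103@203.0.113.10>' failed for '198.51.100.7:5060' - Wrong password
[Mar 12 02:14:11] NOTICE[2231] chan_sip.c: Registration from '"300" <sip:300@203.0.113.10>' failed for '203.0.113.77:5060' - Wrong password
"""

# Simplified version of the pattern a fail2ban filter would use (fail2ban's own uses <HOST>).
FAILED_REG = re.compile(r"Registration from '.*?' failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.+)$")


def parse_failures(log_text):
    """Yield (source_ip, reason) for each failed registration line; other lines are skipped."""
    for line in log_text.splitlines():
        m = FAILED_REG.search(line)
        if m:
            yield m.group("ip"), m.group("reason")


def find_offenders(log_text, maxretry=3, ignore_nets=("192.168.1.0/24",)):
    """Count failures per source IP and return those at or over the maxretry threshold.
    ignore_nets is the whitelist (here an assumed office LAN) so staff never get banned."""
    whitelist = [ipaddress.ip_network(n) for n in ignore_nets]
    counts = defaultdict(int)
    for ip, _reason in parse_failures(log_text):
        if any(ipaddress.ip_address(ip) in net for net in whitelist):
            continue
        counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= maxretry}


def ban_command(ip):
    """Rule of the shape fail2ban's default iptables action inserts (assumed, not copied)."""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    for ip, n in find_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed registrations -> {ban_command(ip)}")
```

Note that the 192.168.1.40 host fails three times but is never listed, which is the whitelist doing its job; without it the office would ban itself exactly as the speaker warns.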
When you get hit by these systems, they're all generally a variant of a tool called SIPVicious, written by a bloke. It doesn't maintain state in the application. It inserts the state of the request in the UDP packet that's sent to you, and then it comes back. That means it can go fast. It can go hard and doesn't particularly care if it doesn't get a response back. So once you've firewalled it or you've blocked it further up your network stream, it'll quite happily sit there for several hours still going, and most of the people attacking you will have more bandwidth than you. Amazon EC2 isn't unusual. Rackspace cloud servers are not unusual. They will be having at you for days at a time.

Now this particular tool was actually written as a load testing tool. It wasn't designed to be a cracking tool. It just got turned into that. So he wrote an updated version of the software. The newer version, if it doesn't get a response for about 15 minutes or so, will just shut down. The older version that's still in the wild actually has a processing bug in the unpacking of the information that comes back. So he wrote a tool called svcrash. This is why it's not in the talk. It will send a packet back, specially crafted, that will crash the software. I don't recommend you use it. I have, at least once, from somewhere else on the internet, just on the off chance that they decided they really didn't like me for doing that. But yes, if you're sitting there on a 1.5 meg ADSL it will be flat-lined. Day in, day out you will get shaped because you went over your quota. So there is that as well.

Any questions? Implementation details. Excellent.

One other thing, as the gentleman mentioned, Asterisk is the common particular target, and if they find you, you will get hammered again and again. It's no longer just that. Other tools, systems like FreeSWITCH, which generally used to be ignored, are becoming more popular, so they are actually attacking other systems.
Don't just limit your trunks. If you are a 50-100 person office and you might need 30 calls, limit your individual users. One user does not need to be making 5 calls at once, usually.

Very good point. It's not just VoIP systems. I've had a client with a commercial voicemail package that got an $80,000 bill last month off their voicemail service, which had no dial-out capability, that had been hacked and used to dial numbers in Afghanistan that were allocated to satellite phones. And that server disappeared out of the data centre at 6am with a couple of guys in ray jackets to be assessed.

Aside to the paranoid supplier issue, that's the group that I work with. We actually have separate limits for international calls. We have separate systems. We've actually blocked certain international destinations like satellite phones from Afghanistan. MyNetFone is another company that does that. I'm sure most online ITSPs probably do something similar, for the very reason that if someone's on a $14 home plan you don't really want to be sending them a $6,000 bill, because even though it was their endpoint that got owned, the Telecommunications Ombudsman generally takes a dim view of these things; most people can't generally afford a $6,000 bill.

No, it doesn't. On that exact point, you have systems related straight to the customer's bill, along the lines of: you've had a $100 bill for seven months running, we're not going to give you a $10,000 bill, or at least not without talking to the accounts people of the company. It depends on the size of the attack and how badly they've been owned. We try and hold the line and keep the calls up for a few minutes so we can get on to the customers: hey look, we're getting this unusual pattern. Mostly because most people have more than one upstream supplier, if they're smart. They'll have their SIP-based system and they'll go, well, I've got ISDN on site as well. I'll use that as a backup. So great. We've shut them off.
It starts dialing out the more expensive link. We actually, and I'm assuming others are like that as well, get real-time alerts. It'll start SMSing people and we'll try and contact the customer for that reason.