Explaining Sip Brute Force Attacks to Non-Techs

Posted on March 11, 2011 by Fred Posner

Today we received a call from a federal employee investigating a “hack” on a client’s system. Basically, the client suffered a SIP Brute Force attack on their elastix system. Besides the shock of a call from the feds (why did they ignore those Amazon attacks?), the realization of explaining a sip attack to someone not familiar with SIP, telephony, networking, or servers posed a little challenge.

So, how do we start?

First step: We will no longer use the words SIP, Brute, Force, and Attack. =)

What we’re talking about is a scheme to make expensive calls through your phone system. Of course, this isn’t true for all scenarios, but the vast majority simply want to make expensive calls on your dime.

How does it work?

The bad guys trick your phone system into thinking they are a valid user.

How can they do that?

When phones connect to your phone system, the system replies with different messages. Based on those messages, the bad guys can figure out phone names. Think of your phone system as the receptionist. An attempt might be similar to…

Bad Guy: “Hi, is Alice there?”
Receptionist: “No, there is no Alice here. You have the wrong number.”
Bad Guy: “Hi, is Bob there?”
Receptionist: “Yes, who may I say is calling?”

Basically, there’s a different response based on if that person exists in the company. Same thing with the phones. Once the Bad Guys find out phone names, they then use their computers to crack the phone password.

Once the password is detected, they connect their phone to your system and begin making calls.

What can I do to stop this?

If the person in charge of your phone system doesn’t understand what this attack is, you need to hire a consultant to help you and/or train your administrator. If you or your administrator understand this attack, then you need to make sure you are following the best practices for SIP security (here’s a good link for asterisk best practices).

If you’re running asterisk, you might wish to install a script that checks for attacks and blocks those connections.

Even better… consider Kamailio.

Kamailio (pronounced KAMA-ILLY-OH) is an open-source SIP proxy, registrar, application that is extremely robust and powerful. The software includes anti-flood features that really help protect your system and truly helps to minimize these annoying attacks.

Remember, the Internet is like a big city. Sure there’s great museums and entertainment, but there’s also bad, bad places filled with bad, bad people. If you’re going to leave your BMW unlocked in Hell’s Kitchen, don’t be surprised when it’s been taken around the block a few times.

Team Forrest assists Dream Day Cakes

Posted on October 5, 2010 by Fred Posner

GAINESVILLE, FL — Team Forrest recently assisted Dream Day Cakes with phone and intranet services. The Gainesville, Florida bakery specializes in wedding cakes, event cakes, and other bakery items benefited from a hybrid VoIP / Analog phone system.

Continue reading →

Use ENUM to Save Real MONey

Posted on May 27, 2010 by Fred Posner

Ok — it almost rhymed.

ENUM (read the wiki) refers to the mapping of telephone numbers to internet addresses. Think of it almost as reverse DNS for your phone number. Although there are many methods of integrating ENUM into your system, our current “favorite” is ENUMPlus.org.

From their website:

ENUM sources are very segregated and there was no global repository – until now. ENUMPlus queries all of the top ENUM lookup sources and returns the most accurate result with minimal overhead; meaning you only need to specify one source. ENUMPlus allows you to offload all of the query processing to our powerful servers so you don’t have to waste time and precious resources.

Integrating ENUMplus into Asterisk can be very quick and there’s a few choices/methods of going about it. You can choose to use their php scripts, go direct from the dialplan, or run your own lookup script. Here, we’ve chosen to write our own lookup script that basically does the following:

Checks ENUMplus.org for a result (with a 2 second timeout)
Sets a variable of ENUMRESULT and returns to dialplan
The dialplan then evaluates that variable, and if a sip value is provided calls the number directly via SIP.

Here’s an example dialplan:

exten => _X.,1,Set(CALLTO=${EXTEN})
exten => _X.,n,Goto(out,1)
exten => out,1,AGI(enumcheck.pl,${CALLTO})
exten => out,n,GotoIf($["${ENUMRESULT}" = "FAIL"]?pstn)
exten => out,n,GotoIf($[${ISNULL(${ENUMRESULT})}]?pstn)
exten => out,n,Dial(${ENUMRESULT},55)
exten => out,n,GotoIf($["${DIALSTATUS}" = "CHANUNAVAIL" ]?pstn)
exten => out,n,GotoIf($["${DIALSTATUS}" = "CONGESTION" ]?pstn)
exten => out,n,GotoIf($["${DIALSTATUS}" = "BUSY" ]?busy)
exten => out,n,Hangup()
exten => out,n(pstn),Dial(SIP/${CALLTO}@yourprovider); or DAHDI, etc.
exten => out,n,GotoIf($["${DIALSTATUS}" = "CHANUNAVAIL" ]?busy)
exten => out,n,GotoIf($["${DIALSTATUS}" = "CONGESTION" ]?busy)
exten => out,n,GotoIf($["${DIALSTATUS}" = "BUSY" ]?busy)
exten => out,n,Hangup()
exten => out,n(busy),Busy(5)
exten => out,n,Hangup()

And here’s the script:

#!/usr/bin/perl -w
use strict;
$|=1;
my ($phone, $url, $apikey, $result, @sip);

while(<STDIN>) {
	chomp;
	last unless length($_);
}

if ($ARGV[0]) {
	$phone = &URLEncode($ARGV[0]);
} else {
	&setvar("ENUMRESULT", "FAIL");
	&printverbose("enumlookup: No CALLTO received.",2);
	exit(0);
}

#Get via WEB
$apikey = "REPLACE WITH YOUR KEY";
$url = "http://enumplus.org/api";

$result = qx(curl -m 2 -s -d 'key=$apikey' $url/$phone);

if ($result) {
	if ($result =~ /SIP/i) {
		@sip = split(/\|/, $result);
		&setvar("ENUMRESULT", $sip[0]);
		&printverbose("enumlookup: $sip[0]",2);
	} else {
		&setvar("ENUMRESULT", "FAIL");
		&printverbose("enumlookup: No sip address found.",2);
	}
} else {
	&setvar("ENUMRESULT", "FAIL");
	&printverbose("enumlookup: Timeout or error",2);
}

sub URLEncode {
   my $theURL = $_[0];
   $theURL =~ s/([\W])/"%" . uc(sprintf("%2.2x",ord($1)))/eg;
   return $theURL;
}

sub setvar {
	my ($var, $val) = @_;
	print STDOUT "SET VARIABLE $var \"$val\" \n";
	while(<STDIN>) {
		m/200 result=1/ && last;
	}
	return;
}

sub printverbose {
	my ($var, $val) = @_;
	print STDOUT "VERBOSE \"$var\" $val\n";
	while(<STDIN>) {
		m/200 result=1/ && last;
	}
	return;
}

Happy Coding!

Automatically Block Failed SIP Peer Registrations

Posted on April 13, 2010 by Fred Posner

Previously we posted a little script for quickly checking your asterisk log for failed peer registrations. Building on that script, and with the use of iptables and cron, you can easily (and automatically) block flooding traffic from your system. Iptables, a linux command line program to filter IP traffic, provides high level packet filtering before the traffic can be used to corrupt a program. Cron, the linux time scheduler, enables you to automatically run commands at scheduled time periods.

Set up IP Tables

We will not be discussing the intricacies of iptables in this post. There are excellent tutorials on iptables, and with most things linux, help is only a google away. To help identify the traffic blocked as asterisk related, a new chain will be created appropriately called… asterisk.

Here’s how to add the new chain:

iptables -N asterisk
iptables -A INPUT -j asterisk
iptables -A FORWARD -j asterisk

This will help identify hosts blocked for failed registrations.

Asterisk’s Log for Failed Registrations

In most cases of a sip flood attack, the host attempts registration to Asterisk. These hosts are identified in the Asterisk log (/var/log/messages) as “No matching peer found.” The following perl script scans /var/log/messages for these patterns, strips the IP address, and puts the IP address into an array.

After the file has been read, the IP addresses are counted (each count is a failed attempt), compared against the existing blocked hosts, and new occurrences are blocked. With this script we are blocking any host after the 4th failed attempt.

Here’s the script (last updated 05 SEP 2010):

#!/usr/bin/perl -w
use strict;
use warnings;
my (@failhost);
my %currblocked;
my %addblocked;
my $action;

open (MYINPUTFILE, "/var/log/asterisk/messages") or die "\n", $!, "Does log file file exist\?\n\n";

while (<MYINPUTFILE>) {
	my ($line) = $_;
	chomp($line);
	if ($line =~ m/\' failed for \'(.*?)\' - No matching peer found/) {
		push(@failhost,$1);
	}
	if ($line =~ m/\' failed for \'(.*?)\' – Wrong password/) {
		push(@failhost,$1);
	}
}

my $blockedhosts = `/sbin/iptables -n -L asterisk`;

while ($blockedhosts =~ /(.*)/g) {
	my ($line2) = $1;
	chomp($line2);
	if ($line2 =~ m/(\d+\.\d+\.\d+\.\d+)(\s+)/) {
		$currblocked{ $1 } = 'blocked';
	}
}

while (my ($key, $value) = each(%currblocked)){
	print $key . "\n";
}

if (@failhost) {
	&count_unique(@failhost);
	while (my ($ip, $count) = each(%addblocked)) {
		if (exists $currblocked{ $ip }) {
			print "$ip already blocked\n";
		} else {
			$action = `/sbin/iptables -I asterisk -s $ip -j DROP`;
			print "$ip blocked. $count attempts.\n";
		}
	}
} else {
	print "no failed registrations.\n";
}

sub count_unique {
    my @array = @_;
    my %count;
    map { $count{$_}++ } @array;
    map {($addblocked{ $_ } = ${count{$_}})} sort keys(%count);
}

Schedule the script with cron

The final step is to schedule your script to run every X minutes in cron. We’ve chosen to run our script every 2 minutes, but you can change this to 1 minute or any other time period you choose. Just remember… you can receive thousands of attempts within 2 minutes.

If you have named your script check-failed-regs.pl and placed it in your /usr/local/bin directory, your cron statement would look like this:

*/2 * * * * perl /usr/local/bin/check-failed-regs.pl &> /dev/null

Questions? Comments? We love feedback. Or, contact us for more information.

Perl Script for Asterisk Failed Peer Registrations

Posted on April 12, 2010 by Fred Posner

I guess this might be better titled as the ~~Quick and~~ Dirty Perl Script… but here we go:

#!/usr/bin/perl -w
use strict;
use warnings;
my (@failhost);

open (MYINPUTFILE, "/var/log/asterisk/$ARGV[0]") or die "\n", $!, "Does log file file exist\?\n\n";

while (<MYINPUTFILE>) {
	my ($line) = $_;
	chomp($line);
	if ($line =~ m/\' failed for \'(.*?)\' - No matching peer found/) {
		push(@failhost,$1);
	}
}

if (@failhost) {
	&count_unique(@failhost);
} else {
	print "no failed registrations.\n";
}

sub count_unique {
    my @array = @_;
    my %count;
    map { $count{$_}++ } @array;

	#print them out:

    map {print "$_ = ${count{$_}}\n"} sort keys(%count);

}

And while we duck from @Merlyn’s criticisms (although we love his criticism), the basic usage is:

perl [Whatever you named it].pl messages
or perl [Whatever you named it].pl messages.1

Results look like:

184.73.53.22 = 13586
64.76.45.100 = 9895
78.46.87.14 = 9960

Or “no failed registrations.” if you have no failed attempts.

SIP Response Codes

Posted on January 26, 2010 by Fred Posner

The Session Initiation Protocol (SIP) is widely used to control VoIP, Video Calls, and other multimedia communication over a newtork. SIP uses design elements similar to HTTP requests/responses (although they are not 1 to 1).

Following is a list of SIP Response Codes: Continue reading →

Integrating Fax for Asterisk

Posted on November 16, 2009 by Fred Posner

Asterisk provides an open-source solution for IP Telephony (aka VoIP). Customizing your telephone system to increase productivity remains one of Asterisk’s greatest features. Today, we will look at using Asterisk to replace your need for a fax machine.

Benefits

Store faxes electronically
Reduce printing costs
Share faxes via email

Requirements

Server running Asterisk (32 bit compatibility needed)
Fax for Asterisk Software Add-on

Step One: Get the Fax for Asterisk Software License

First, choose the licensing based on your needs. If you will only need to support 1 simultaneous fax Continue reading →

New! Human Resources Consulting

Posted on September 25, 2009 by Fred Posner

Team Forrest proudly announces the launch of our Human Resources Consulting Services. Team Forrest now provides HR Consulting Services to both existing and new businesses. Whether you’re looking to streamline your existing needs or need a complete HR package, Team Forrest is here to help.

Human Resources Consulting

Strong Human resources policies and procedures provides a great defense against expensive lawsuits and complaints. Our professional HR Consultants use their experience and knowledge to evaluate your existing procedures and correct potential liability. From training to policy development, strong Human Resources policies provide a level of protection for both your employees and company.

We look forward to working with you and helping your business.

For more information about our new services, please visit the Human Resources page or contact us.

Skype for Asterisk Public Beta

Posted on July 30, 2009 by Fred Posner

VoIP Tech Chat posted an article about Digium’s public Beta launch of Skype for Asterisk.

They wrote the article in a Billy Mays style:

Limited Time Offer – Skype for Asterisk Public Beta

Residential VoIP

Posted on June 19, 2009 by Fred Posner

VoIP Tech Chat posted a new article discussing residential VoIP (and the savings you can get from switching). It’s an interesting read, especially the data with wireless only usage and some of the savings breakdown.

For a typical household, VoIP remains a very cost-effective telephone solution; although you must remember that without good (and we mean good), high-speed Internet, your VoIP will be unusable. Many local phone companies offer a “dial tone only” line for less than $15.00 monthly. With the use of VoIP and a dial-tone only landline, you can still save more than $150.00 yearly while providing your family a reliable method of calling during emergencies and power outages.

TEAM FORREST Blog

Kamailio, Asterisk, VoIP, and IT Consulting

Category Archives: VoIP