2. About me
Flavio E. Goncalves
CTO of SipPulse (www.sippulse.com)
Turnkey solutions for VoIP providers and Telcos.
Anti-Fraud Solutions
3. Why should you care?
Exposure for a single T1 line
43200 min/month, US$5/min, 23 lines
US$ 4.968.000
4. Why are they doing it?
#1 Allocate a number and a recording at a PRN provider
#2 Find a vulnerable device using Shodan
#3 Make calls and cash your money
16. How hackers are getting into your PBX
• #1 – SIP Brute Force (Fail2ban is effective)
• #2 – HTTP Exploitation
• #3 – Attacks on phones
• #4 – Caller ID Spoofing
• #5 – Billing/Credit card frauds
17. Part III – How to defend
#1 Patch everything and upgrade frequently
#2 Use a Firewall
#3 Use a Session Border Controller
#4 Use Encryption
#5 Use an Anti-Fraud System
18. #1 Patch Everything, update frequently
• Effectiveness: Low
• Risk: High
• Cost: High
19. #2 Use a Firewall or properly configure iptables
• Effectiveness: High
• Risk: Medium
• Cost: Low
• Absolutely a must-do. At least: no Internet access to SSH, no Internet access to HTTP/HTTPS.
• No prevention for phone attacks
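One way to check the "no Internet access to SSH, HTTP/HTTPS" rule against a saved ruleset. This is an added example, not code from the presentation. It assumes IPv4 `iptables-save` output, looks only at the INPUT chain, treats any rule with a `-s` restriction as trusted-source only, and does not follow user-defined chains or negated matches. Both rulesets are constructed samples.

```python
# Ports the slide says must not be reachable from the Internet.
SENSITIVE = {22: "SSH", 80: "HTTP", 443: "HTTPS"}
# Constructed iptables-save excerpts: a weak ruleset and a corrected one.
WEAK = """\
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
"""
HARDENED = """\
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp -m multiport --dports 22,443 -j ACCEPT
"""

def opt(tok, *names):
    """Value that follows the first of `names` found in the rule, else None."""
    return next((tok[i + 1] for i, t in enumerate(tok[:-1]) if t in names), None)

def in_ports(port, spec):
    """True if port is covered by a spec such as '22', '80,443' or '8000:8100'."""
    ranges = (p.partition(":") for p in spec.split(","))
    return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)

def matches_internet(tok, port):
    """Would this rule match a NEW TCP connection to `port` from any source?"""
    state = opt(tok, "--state", "--ctstate")
    dports = opt(tok, "--dport", "--dports")
    return (opt(tok, "-p") in (None, "tcp", "all")
            and opt(tok, "-s") in (None, "0.0.0.0/0")
            and opt(tok, "-i") != "lo"
            and (state is None or "NEW" in state.split(","))
            and (dports is None or in_ports(port, dports)))

def verdict(ruleset, port):
    """First-match verdict on the INPUT chain, else the chain policy."""
    policy = "ACCEPT"
    for tok in map(str.split, ruleset.splitlines()):
        if tok[:1] == [":INPUT"]:
            policy = tok[1]
        elif tok[:2] == ["-A", "INPUT"] and matches_internet(tok, port):
            if opt(tok, "-j") in ("ACCEPT", "DROP", "REJECT"):
                return opt(tok, "-j")
    return policy

def exposed_services(ruleset):
    # Names of the sensitive services that an arbitrary Internet host can reach.
    return [n for p, n in SENSITIVE.items() if verdict(ruleset, p) == "ACCEPT"]
```

Feed it the text printed by `iptables-save` on the PBX; an empty list means none of the three services is open to arbitrary sources on the INPUT chain.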
20. #3 Use a Session Border Controller
• Effectiveness: Medium
• Risk: Medium
• Cost: Very High
21. #4 Use encryption
• Effectiveness: Medium
• Risk: Medium
• Cost: High if you intend to do mutual authentication
22. #5 Use an AntiFraud System
• Effectiveness: High
• Risk: Very Low
• Cost: Medium
• Comments: Can detect 99.999% of the attacks. It protects against caller ID spoofing, social engineering and phone attacks.
• Limitations: Firewall restrictions are required to avoid tampering with the anti-fraud rules.
23. Working Together in 2 steps
1. Make sure your customer’s firewall and fail2ban are configured correctly (You)
2. Partner with us to use TFPS on your customers (Us)
25. How effective is an Anti-Fraud Solution?
• 99.989% just by protocol signature.
• Number obtained by comparing the attacks registered on the honeypot against the rules.
[Chart: Anti-Fraud Effectiveness, detected vs. undetected]
26. www.tfps.co || tfps.sippulse.com
1. 99.89% of the attacks prevented by signature detection
2. Collaborative protection. One hacked PBX automatically blocks the IP for the others
3. Mechanism: SIP Redirect
• No additional hardware required.
• Available for OpenSIPS/FreeSWITCH/Asterisk
27. Asterisk Code
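[from-internal] ; Set the context for your users here
; FPS for international calls
exten=_011[1-9].,1,set(ip=${CHANNEL(recvip)})
same=>n,SIPAddHeader(P-Received: ${ip}) ; IP address the request was received from
same=>n,set(ua=${CHANNEL(useragent)})
same=>n,SIPAddHeader(P-UA: ${ua}) ; user agent of the calling device
same=>n,set(GROUP()=fps)
same=>n,set(ncalls=${GROUP_COUNT(fps)})
same=>n,SIPAddHeader(P-Calls: ${ncalls}) ; number of channels currently in group fps
same=>n,set(_original=${EXTEN}) ; leading underscore: inherited by the channel Dial creates
same=>n,dial(SIP/fps/${EXTEN:2}) ; send the call to the fps peer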
28. Asterisk Code
[fps]
; For calls not approved
exten=_R.,1,Answer()
same=>n,playback(unauthorized) ; Customize here to generate an error message
same=>n,hangup(21)
; For calls approved
exten=_A.,1,Answer()
same=>n,Dial(SIP/provider/${original}) ; Customize here to send the call ahead
same=>n,hangup(16)
30. Comparing to other anti-fraud solutions!
• Pluggable
• No Additional Hardware
• Small traffic to be analyzed
• Small risk, only a few calls can be affected.
• Easy handling of outages
38. #6 FreeSWITCH Attacks
GET /freeswitch/app/provision/index.php?mac=df-df-df-df-df-df&template=linksys
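Detection for the provisioning request shown on this slide, run over web server access logs. This is an added example, not code from the presentation. It assumes combined-format log lines and a hypothetical phone network (`PHONE_NETS`) from which provisioning requests are legitimate; the log lines are constructed samples.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

PROVISION_PATH = "/app/provision/index.php"          # path suffix from the slide
PHONE_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumption: where phones live
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

# Constructed sample in combined log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:01:02 +0000] "GET /freeswitch/app/provision/index.php?mac=df-df-df-df-df-df&template=linksys HTTP/1.1" 404 210 "-" "-"
10.20.3.15 - - [01/Jan/2024:10:01:05 +0000] "GET /app/provision/index.php?mac=000e08aabb01 HTTP/1.1" 200 5120 "-" "-"
198.51.100.7 - - [01/Jan/2024:10:01:09 +0000] "GET /app/provision/index.php?mac=DF:DF:DF:DF:DF:DF&template=linksys HTTP/1.1" 200 5120 "-" "-"
203.0.113.44 - - [01/Jan/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 900 "-" "-"
"""

def provisioning_probes(log_text, trusted=PHONE_NETS):
    """Group provisioning requests from outside the phone networks by source IP."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith(PROVISION_PATH):
            continue
        if any(ipaddress.ip_address(src) in net for net in trusted):
            continue
        # Normalise the MAC so df-df-.. and DF:DF:.. count as one value.
        mac = re.sub(r"[^0-9a-f]", "", parse_qs(url.query).get("mac", [""])[0].lower())
        entry = findings.setdefault(src, {"requests": 0, "macs": set(), "served": False})
        entry["requests"] += 1
        entry["macs"].add(mac)
        entry["served"] |= status == "200"   # the server answered an outside address
    return findings
```

A source with `served` set to true received a provisioning response from outside the phone network and should be reviewed first.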
39. #4 Caller ID Spoofing
• 1 - Send 1 million calls and cancel
• 2 - Fake the callerID to a PRN
• 3 - Wait for the call back.
40. Open Source is a Target!
• We are seeing scans for:
• Vicidial
• ASTPP
• phpMyAdmin (hot)
• Tomcat
• JBoss
• FreeSWITCH
41. First way to protect
1. Make sure your system is protected by a firewall
   1. Vulnerability scan
   2. Apply firewall rules to prevent unauthorized access to the server
   3. Use .htaccess and implement dual authentication
Hello everybody. First of all, I would like to thank the Astricon staff for this wonderful event in Las Vegas and for the opportunity to talk with you. It is a pleasure and an honor for me to be here today. Our presentation today will cover the fraud issue. It is not new, but unfortunately it is still here and growing. It is time to say enough is enough. There is no technical justification for being defrauded these days. There are lots of tools available, and we can work together to make sure your server is protected against these criminals.
Let me briefly introduce myself. I’m CEO of SipPulse, a softswitch developer located in Brazil. We provide turnkey solutions for ITSPs and also anti-fraud solutions for PBXs.
#1 You don’t want to bankrupt your customers. An IP-PBX is one of the few technologies that can bankrupt your customer in less than 30 days. Working with an IP-PBX and TDM trunks is actually very dangerous, because there are no limits on phone bills.
#2 You don’t want to defend yourself in court. In many cases, mainly when you are doing Software as a Service, you can be liable for the security of the solution.
#3 You don’t want to stigmatize the Asterisk PBX market and slow sales. If some customers realize the potential dangers of implementing an IP-PBX, many would give up without even starting. Fraud is bad for business.
#4 You don’t want the investments in IP telephony going to phone bills. Fraud can consume the customer’s yearly budget.