[outages] Call Centric Sip outage

Mitch mitpatterson at gmail.com
Fri Oct 5 17:09:34 EDT 2012


Ok, well new update while I was gone, not sure when they posted it:

*Investigation into current problems:*
Hello,

For the past two days we have been experiencing a sophisticated type of
attack. As soon as we noticed the first attempt we commenced an immediate
physical upgrade to all of our servers increasing capacity and CPU power by
a factor of four in addition to other precautions. Unfortunately even
though this is similar to a "typical" DDoS attack it is targeted
specifically at the SIP protocol and causes server load to increase to 100%
within 1 minute of initiation. As such, standard and extraordinary
prevention measures were unable to prevent it. We do not know the specific
methodology of the attack but are aware that it is *similar* in effect to a
DNS TRASH flood attack. We are performing forensic analysis on the data we
have and are capturing traffic to find an exact reason and solution.

We would like to clarify that there was no intrusion into our network and
all of our servers, switches and internet connections have been functioning
*normally* throughout the entirety of this concern. None of our equipment
or interlinks were disconnected or went down. Additionally please note that
all of your information is encrypted, safe and secure; and that NO customer
data was stolen NOR destroyed.

We have been working as aggressively as possible throughout the day/night
and we have found a short term work-around which will provide immediate
relief and allow calls to function normally. This will require updating
your configuration slightly. Please re-configure your software/hardware
with the following information:

*UPDATED*

Your registrar and Domain should remain as is:

callcentric.com

Outbound proxy:

sip.callcentric.com - For clients *ONLY* able to use A records
srv.callcentric.com - For clients able to use DNS SRV
bypass.callcentric.com - For clients able to use DNS SRV

*UPDATED*

Asterisk users need the following:

host = sip.callcentric.com OR srv.callcentric.com
outboundproxy = sip.callcentric.com OR srv.callcentric.com
register => 1777MYCCID:SUPERSECRET@sip.callcentric.com OR
1777MYCCID:SUPERSECRET@srv.callcentric.com

*UPDATED*

3CX users need the following:

Outbound proxy hostname or IP: sip.callcentric.com
Outbound proxy port (default is 5060): 5060

*UPDATED*

PAP2/Linksys/Cisco users should be logged into their device in
admin/advanced mode and use the following settings:

Proxy - Enter callcentric.com in this field
Outbound Proxy - Enter srv.callcentric.com in this field
Use Outbound Proxy - yes
Use DNS SRV - yes
DNS SRV Auto Prefix - yes

*UPDATED*

Obihai users please make sure the following is configured:

Service Providers > ITSP Profile > SIP

ProxyServer: callcentric.com
RegistrarServer: srv.callcentric.com
UserAgentDomain: callcentric.com
OutboundProxy: srv.callcentric.com
X_ProxyServerRedundancy: Checked

Please update this information as soon as possible to restore your calling
ability and make sure to *REBOOT* or *RESTART* your device or software.

We have experienced attempted *unsuccessful* attacks in the past and have
made changes in real-time to stop them as well as to prevent future similar
attacks. Many of our security documentation guidelines and features have
been geared towards these changes. Unfortunately this is an entirely new
type of attack, the mechanics of which are still coming to light.

We sincerely apologize for the inconvenience this has caused. We are
committed to further protecting our network and for this reason we will
continue working with our engineers to implement a proper solution to
provide a comprehensive resolution.

If you have any questions/concerns regarding this message or if you need
assistance in updating your configuration our Support Staff are available
to answer your questions in as timely a manner as possible.

Upon achieving a resolution, we will be providing as detailed an
explanation as possible regarding this issue as well as the resolution.

Again, we sincerely apologize for any inconvenience that you have
experienced as a result of this matter and we appreciate your understanding
during this process.

On Fri, Oct 5, 2012 at 4:42 PM, Mitch <mitpatterson at gmail.com> wrote:

> Closest thing to instructions is what I pasted
> On Oct 5, 2012 4:30 PM, "Micah Brandon" <brandon at netsville.com> wrote:
>
>> On 10/05/2012 02:38 PM, Mitch wrote:
>> > Call centric is reporting they are experiencing a DDOS style attack
>> using the SIP protocol. My registrations are just timing out.
>> >
>> > Their Twitter is being updated: https://twitter.com/Callcentric They
>> are also posting updates to customers when they log in. According to the
>> first post regarding this issue on their twitter this is going on hour 17
>> or so. My logs for asterisk are just filling with registration time outs.
>>
>> They say in a later tweet that they posted "instructions" to customers
>> regarding changes to make.  Have you seen anything like this on your
>> dashboard?
>>
>
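Added example, not part of the original thread or of Callcentric's notice: a small monitor for the symptom reported above, Asterisk logs filling with registration timeouts. It assumes Asterisk's default log timestamp and chan_sip's "Registration for ... timed out" NOTICE line; the function name, thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# chan_sip NOTICE line written when a REGISTER gets no reply (assumed format).
TIMEOUT_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\].*"
    r"Registration for '(?P<user>[^@']+)@(?P<host>[^']+)' timed out"
)

# Constructed sample lines, not taken from a real system.
SAMPLE_LOG = """\
[Oct  5 14:36:10] NOTICE[2211] chan_sip.c:    -- Registration for '1777MYCCID@callcentric.com' timed out, trying again (Attempt #41)
[Oct  5 14:36:30] NOTICE[2211] chan_sip.c:    -- Registration for '1777MYCCID@callcentric.com' timed out, trying again (Attempt #42)
[Oct  5 14:36:41] VERBOSE[2211] chan_sip.c: Reloading SIP
[Oct  5 14:36:50] NOTICE[2211] chan_sip.c:    -- Registration for '1777MYCCID@callcentric.com' timed out, trying again (Attempt #43)
[Oct  5 14:50:00] NOTICE[2211] chan_sip.c:    -- Registration for 'demo@other.example' timed out, trying again (Attempt #1)
""".splitlines()


def timeout_bursts(lines, year, window=timedelta(minutes=5), threshold=3):
    """Map each registrar host to the first time `threshold` timeouts
    fell inside `window`. Asterisk logs carry no year, so pass it in."""
    recent = defaultdict(list)   # host -> timestamps still inside the window
    alerts = {}
    for line in lines:
        m = TIMEOUT_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits = recent[m["host"]]
        hits.append(ts)
        while ts - hits[0] > window:   # evict entries older than the window
            hits.pop(0)
        if len(hits) >= threshold and m["host"] not in alerts:
            alerts[m["host"]] = ts
    return alerts


if __name__ == "__main__":
    for host, when in timeout_bursts(SAMPLE_LOG, 2012).items():
        print(f"{when:%b %d %H:%M:%S} registration timeouts piling up for {host}")
```

A single timeout is routine; grouping by registrar host separates one provider becoming unreachable from a local network fault, where every registrar would time out together.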