[VoiceOps] VoIP Abuse Project Followups

Hiers, David David_Hiers at adp.com
Mon Sep 27 15:21:56 EDT 2010


I applaud the idea of protecting against attacks, and I feel the draw for this kind of function.  However, I do have a couple of thoughts to circulate to the group.

1. CPNI.  There are all sorts of regulations, laws, and policies that tightly constrain what telephone-related information I can disclose to anyone about anything.  

2. Criticality.  If a 911 call fails because someone intentionally took an action, bad things can happen.


Like every business from banks to hotdog carts, we are all expected act to ensure that our actual losses do not exceed budgeted losses, and that the cost of the controls do not exceed the cost of the loss.  My main point is that whatever controls we erect must comport to the (ever-changing) regulatory and societal landscape for phone calls, which can be very different than that of email or other services.

In summary, I see this as a very worthwhile effort, even if the rules and expectations that surround it make it different than similar efforts in other fields.



Thanks,



David Hiers

CCIE (R/S, V), CISSP
ADP Dealer Services
2525 SW 1st Ave.
Suite 300W
Portland, OR 97201
o: 503-205-4467
f: 503-402-3277


-----Original Message-----
From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of J. Oquendo
Sent: Sunday, September 26, 2010 11:58 AM
To: voiceops at voiceops.org
Subject: [VoiceOps] VoIP Abuse Project Followups


Hey all, thanks to everyone whose mailed me both on and off-list in regards to the VoIP Abuse Project.

Before things spiral out of control, I decided to make things a bit more detailed and easier to access as well as adding all addresses of attackers, not only ARIN addressing.

There are seven sections in which I will try to keep as current as possible:

Addresses:		These are the IP addresses of bruteforcing hosts
Netblocks:		These are the netblocks of attacking hosts
Numbers Called:		These are the numbers called by attackers from my honeypots
E-mails Sent:		These are the e-mails sent to abuse desks
Responses Received:	These are the responses (if any) received in response to my e-mails
Attack logs:		These are the logs of attacks	
Defensive suggestions:	IPF/IPTables/PF based script for Asterisk PBX's
Submissions Removals: 	Information on submissions and removals


Any recommendations and or feedback is greatly appreciated. I believe the "Numbers called" section would interest investigators in determining the potential identification of an attacker. This is based upon one and a half years of monitoring, correlating and studying attack patterns. The page is self explanatory on my theories.

For admins and engineers under attack, the defensive suggestions may assist in minimizing attacks. And finally, "A Simple Asterisk Based Toll Fraud Prevention Script" (http://www.infiltrated.net/asterisk-ips.html) This document led to the framework of a honeypot I created and maintain across numerous managed, public-facing, Asterisk PBX servers. For admins, owners and engineers on the list, see removals: 

Lest I forget to give thanks to those in the industry who've given me ideas and inspiration to pursue this hobby/project: Mark Collier, David Endler (they wrote the book on Hacking VoIP which is a definite must read not only for pentesters, but for admins and engineers), Sandro Gauci for always taking the time to respond to some of my ramblings. David Hiers and the rest of the Voice-Ops list for tolerating me. Shawn Merdinger, Dan York and the rest of the VoIPSA list for tolerating my ramblings.

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E

_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops


This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail and delete the message and any attachments from your system.



More information about the VoiceOps mailing list