[VoiceOps] VoIP Abuse Project Followups

J. Oquendo sil at infiltrated.net
Mon Sep 27 16:26:17 EDT 2010


Hiers, David wrote:
> I applaud the idea of protecting against attacks, and I feel the draw for this kind of function.  However, I do have a couple of thoughts to circulate to the group.
>
> 1. CPNI.  There are all sorts of regulations, laws, and policies that tightly constrain what telephone-related information I can disclose to anyone about anything.  
>
> 2. Criticality.  If a 911 call fails because someone intentionally took an action, bad things can happen.
>
>
> Like every business from banks to hotdog carts, we are all expected act to ensure that our actual losses do not exceed budgeted losses, and that the cost of the controls do not exceed the cost of the loss.  My main point is that whatever controls we erect must comport to the (ever-changing) regulatory and societal landscape for phone calls, which can be very different than that of email or other services.
>
> In summary, I see this as a very worthwhile effort, even if the rules and expectations that surround it make it different than similar efforts in other fields.
>
>   

I will try to find a definitive legal answer to these question and post
when I find one. In the interim, I'd like to explain my posture on why
CPNI is not relevant.

1) Logfiles that are posted contain solely the information of an
attacking IP address. Any visible IP addressing, naming conventions,
etc., are sanitized from the logs. This is done for two reasons, one to
protect the identity of my PBX servers and secondly to avoid having
attackers "fire away" at the addresses. There is no visible information
for my infrastructure nor clients being posted at any time.

2) Criticality - the only instance I can see this being an issue is if
the following occurs:

Being an ITSP provider, I manage PBX's and maintain hundreds of trunks
for clients who manage their own PBX's. If a client's PBX was
compromised, their IP Space would be listed in "the blacklist" which
could leave them in a bind if they weren't able to place emergency calls.

Emergency calls are a tricky subject as is when it comes to VoIP in the
following scenario: As a provider you have a client who does not pay
their bill and gets a temporary disconnect. Do you as a VoIP provider
STILL place emergency calls for them? There is no visible law relevant
to this, I know as I've scoured high and low for something to this tune,
maybe if someone at Dash is here, they can correct me on this. As it
stands, we as a VoIP carrier have to do nothing when someone doesn't pay
their bill.

a) AUP's, TOS', SLA's dictate what can or can't happen during the course
of a client's use. Therefore if my AUP directs me to disconnect "dirty
hosts" the onus is on the client to clean up their act. In today's day
and age, just about everyone except me has a cellular. So a 911 argument
isn't as strong as it would be say 10 years ago.

b) Abuse desks for companies attacking PBX's when located in North
America are ALWAYS notified. I give them the opportunity to "right their
wrongs" and have been doing so aimlessly for some time. A situation like
this would be a true test for a "dirty network" not me as a provider.
The legalities fall on them:

Offense: "You blocked an emergency call!"
Defense: "No we blocked your network from disrupting other networks
which has the potential to disrupts hundreds of other networks and PBX's"
Defense: "You were warned prior to being blacklisted. Your systems
autogenerated a response, months later we were attacked again. Obviously
you didn't take the situation serious"
Offense: "I object, security costs time and money. Money we don't have..."

True it is a touchy subject however, I don't believe there could be
legal recourse towards me for posting it, or anyone submitting data -
provided that whomever submits data - removes identifiable information.

With that said, my approach is to weed out erroneous reports, continue
to send a courtesy email to offending netblocks. If they don't respond
within a 72 hour period, they will be listed. 3 days is enough to take a
look at what is leaving a network and nipping it at the bud. Should
companies not see fit to clean up their act, obviously they not only
don't care about what leaves their network, they care less about their
clients as well.



-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E



More information about the VoiceOps mailing list