[VoiceOps] Broadsoft SIP Trunks and ILD Fraud

J. Oquendo joquendo at e-fensive.net
Fri Dec 30 15:04:43 EST 2011


On 12/30/2011 8:36 AM, Zak Rupas wrote:
>
> Good Morning Voice OPS
>
> Is anyone else experiencing anything like this? If so, please share 
> what you have done, or will do, to make it stop.
>
> We have a series of smaller SIP trunk customers using Broadsoft trunk 
> groups. By design the trunk groups have a concurrent call limitation 
> based off the customer's order. These smaller SIP trunk groups, when 
> compromised, are able to run up HUGE fraud bills even though they only 
> have 5 or 6 SIP trunks. We need to know if anyone else who has Broadsoft 
> is seeing this and what you have done to protect yourselves.
>
>

It all depends on the set-up on the client's end. Most PBXs have the 
capability to drop certain calling patterns (dialplans), but you can 
also implement PIN-based international calling dialplans, block known 
bad blocks, or outright block everyone and allow ONLY trusted sources 
(usually your best bet) to register and/or place calls through the 
trunked PBX.

I have implemented a wide array of counters to this, ranging from 
blocking country codes based on pricing, PIN-based international 
calling and "creative firewalling" to full-blown reactive honeypot-based 
systems to detect and counter this type of fraud as it occurs. The 
metrics behind the honeypots are based on a variety of pre-defined 
variables (who is making the call (what IP), when the call is being made 
(time of day), the destination party, country code rates), which is the 
reason for the initial statement: "all depends on the set-up."

I noticed that under the managed SIP trunking umbrella, clients had no 
problem using PINs once they understood "why" and "how much" it would 
cost them otherwise. You have to spell it out, though: "We will implement 
an as-you-go-based opt-*out* international calling mechanism to deter 
against toll fraud. To counter fraud we are implementing X change." Once 
clients become aware of the need for something like a PIN or time-based 
calling, they're likely to go ahead with the changes, as they understand 
they will be held liable for NOT abiding by the TOS you put forth. Most 
of the time, this whole issue is sketchy. E.g., you get a new customer, 
they get "owned" and they owe you, say, $1000, where you owe YOUR upstream, 
say, $800; if they leave, you're still hit with the bill. Creating 
something that states "YOU WILL ABIDE BY" gives you better legal footing, 
IMHO. But IANAL, so double check that ;)

Summary: Configure the trunked PBXs properly. If you KNOW international 
calling is a necessity, then create, say, a PIN- and time-based dial plan. 
You can also restrict the number of calls placed BY any registering 
device, as well as allowing only N account registrations. You could also 
firewall down the PBX. There are plenty of options; hope my rambling 
helps.

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
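The controls the reply lists (trusted sources only, a concurrent-call cap matching the trunk order, a per-device call-rate cap, blocking destinations by country-code rate, and a PIN plus time-of-day gate for international calls) can be expressed as one policy check run against each outbound call attempt. The following is an added illustration, not code from the poster or from Broadsoft; the rate table, trusted network, PIN, thresholds and call records are all constructed for the example, and hangups (which would release a concurrent-call slot) are not modelled.

```python
"""Toll-fraud policy check for a small SIP trunk group (added illustration).

Each outbound call attempt is tested, in order, against: source-IP
allowlisting, the trunk group's concurrent-call limit, a per-device
calls-per-minute cap, a per-minute rate cap on the destination country
code, and (for international destinations) allowed hours plus a PIN.
All IPs, numbers, rates and timestamps below are constructed.
"""
import ipaddress
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime

# Constructed per-minute rates keyed by country code; not real carrier pricing.
RATE_BY_CC = {"1": 0.01, "44": 0.02, "49": 0.02, "53": 1.25, "252": 0.95, "371": 0.60}
HOME_CC = "1"  # assumed home country code; calls here are never "international"


@dataclass
class Policy:
    trusted_nets: list          # networks allowed to place calls through the trunk
    max_concurrent: int         # concurrent-call limit from the customer's order
    max_calls_per_min: int      # per-device rate cap (catches dialer bursts)
    max_rate: float             # block destinations priced above this per minute
    intl_pin: str               # PIN required on every international call
    intl_hours: tuple           # (start_hour, end_hour) when international is allowed


@dataclass
class State:
    active: int = 0                             # calls currently up on the trunk group
    recent: dict = field(default_factory=dict)  # device -> deque of recent call times


def country_code(e164: str) -> str:
    """Longest-prefix match of an E.164 number against the rate table."""
    digits = e164.lstrip("+")
    for n in (3, 2, 1):
        if digits[:n] in RATE_BY_CC:
            return digits[:n]
    return "?"


def evaluate(call: dict, policy: Policy, state: State) -> tuple[bool, str]:
    """Return (allowed, reason) for one call attempt; state is updated on allow."""
    src = ipaddress.ip_address(call["src_ip"])
    if not any(src in net for net in policy.trusted_nets):
        return False, "untrusted source IP"
    if state.active >= policy.max_concurrent:
        return False, "concurrent-call limit reached"
    # Sliding one-minute window of accepted calls for this device.
    window = state.recent.setdefault(call["device"], deque())
    now = call["time"]
    while window and (now - window[0]).total_seconds() > 60:
        window.popleft()
    if len(window) >= policy.max_calls_per_min:
        return False, "device call rate exceeded"
    cc = country_code(call["to"])
    rate = RATE_BY_CC.get(cc)
    if rate is None:
        return False, "unknown destination"
    if cc != HOME_CC:
        if rate > policy.max_rate:
            return False, f"destination +{cc} priced above cap"
        start, end = policy.intl_hours
        if not (start <= now.hour < end):
            return False, "international calling outside allowed hours"
        if call.get("pin") != policy.intl_pin:
            return False, "missing or wrong international PIN"
    window.append(now)
    state.active += 1
    return True, f"allowed (+{cc} at {rate:.2f}/min)"


def run_sample() -> list:
    """Run a constructed sequence of call attempts through the policy."""
    policy = Policy(
        trusted_nets=[ipaddress.ip_network("203.0.113.0/24")],
        max_concurrent=5, max_calls_per_min=3, max_rate=0.50,
        intl_pin="4821", intl_hours=(8, 18),
    )
    state = State()
    t = lambda h, m: datetime(2011, 12, 30, h, m)  # constructed timestamps
    a, b = "203.0.113.10", "198.51.100.7"           # trusted PBX, outside host
    calls = [
        {"src_ip": a, "device": "phoneA", "to": "+442071234567", "time": t(3, 0), "pin": "4821"},
        {"src_ip": a, "device": "phoneA", "to": "+12125551234", "time": t(9, 0)},
        {"src_ip": b, "device": "phoneA", "to": "+12125551234", "time": t(9, 1)},
        {"src_ip": a, "device": "phoneA", "to": "+442071234567", "time": t(9, 2), "pin": "4821"},
        {"src_ip": a, "device": "phoneA", "to": "+442071234567", "time": t(9, 3)},
        {"src_ip": a, "device": "phoneB", "to": "+5378901234", "time": t(9, 3), "pin": "4821"},
        {"src_ip": a, "device": "phoneA", "to": "+12125550000", "time": t(9, 3)},
        {"src_ip": a, "device": "phoneA", "to": "+12125550001", "time": t(9, 3)},
        {"src_ip": a, "device": "phoneA", "to": "+12125550002", "time": t(9, 3)},
        {"src_ip": a, "device": "phoneB", "to": "+12125550003", "time": t(9, 4)},
        {"src_ip": a, "device": "phoneB", "to": "+12125550004", "time": t(9, 4)},
    ]
    return [evaluate(c, policy, state) for c in calls]


if __name__ == "__main__":
    for ok, why in run_sample():
        print("ALLOW" if ok else "DENY ", why)
```

The order of the checks matters: the cheap source-IP and concurrency tests run before anything destination-specific, so a compromised credential used from an untrusted host is refused without consulting the rate table, while a burst from a trusted but compromised device trips the per-device cap before it can fill the trunk group. In production the rate table and the concurrent-call count would come from the carrier rate deck and the PBX's live channel state rather than constants.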
