[VoiceOps] Growing attack pains

Matthew S. Crocker matthew at corp.crocker.com
Mon Jan 10 18:54:49 EST 2011 


Have your router handle the dropping of bad packets.  If you configured 'ip verify unicast reverse-path' on your inbound interface you can then auto-drop packets from a hacker by injecting a null route for the offending /32.

You would set up a Snort box on a span port to monitor your VoIP traffic.  When it sees something it doesn't like it injects a /32 route into BGP via quagga.  Your router is configured to route all BGP announcements from quagga to Null0.   uRPF will then drop the packet on the inbound interface of your border router.

If you have an Acme Packet you could have it watch for 'bad stuff' and throw a trap to your Snort/Quagga box to inject the route.

You need to be very careful that the hacker doesn't figure out what you are doing and send you forged SIP packets from fun IPs like a.root-servers.net, blackholing DNS wouldn't be good.

Snort: http://www.snort.org/
Quagga: http://www.quagga.net/
Cisco: http://www.cisco.com/en/US/docs/ios/11_1/feature/guide/uni_rpf.html#wp1022865



----- Original Message -----
> From: "Stefan Sayer" <stefan.sayer at googlemail.com>
> To: "J. Oquendo" <sil at infiltrated.net>
> Cc: VoiceOps at voiceops.org
> Sent: Monday, January 10, 2011 4:55:28 PM
> Subject: Re: [VoiceOps] Growing attack pains
> o J. Oquendo on 01/10/2011 05:53 PM:
> > I'm in the market for something to place in front of an SBC (modules
> > would be nice, e.g., Asterisk module, Avaya module, etc.) The device
> > will need to do the following:
> >
> > Block on N ... Block N amount bad attempts indefinitely and alert
> > Block on Prefix ... If PREFIX is anywhere in SIPURI/ANI/CID, block
> > (country specific would be nice)
> >
> > We are having a hard time keeping up with the attack vectors here.
> > We
> > recently saw a compromise from Egypt where the password was 15
> > characters mixed numbers, letters and symbols. So obviously longer
> > passwords aren't even an issue anymore.
> >
> 
> Palladion from IPTEGO can detect attacks and SPIT on a variety of
> configurable triggers (even scriptable) and also control firewalls and
> IPS like e.g. radware defensepro.
> 
> if you want to build your own, you may find some hints at
> http://asipto.com/u/i
> 
> Stefan
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops

-- 
Matthew S. Crocker
President
Crocker Communications, Inc.
PO BOX 710
Greenfield, MA 01302-0710
http://www.crocker.com
P: 413-746-2760

More information about the VoiceOps mailing list