[VoiceOps] Fraud fun

anorexicpoodle anorexicpoodle at gmail.com
Wed May 18 16:42:13 EDT 2011


> The biggest gripe I have with Asterisk and other open source based PBXs
> is the symmetry in logs. It's not fluid. One of the reasons I never built
> an "all out" honeypot. I have to modify so much across different
> versions. However, this is also the beauty of Asterisk and similar open
> source type PBXs: there is so much you can do, but it almost always needs
> to be custom. I also have an insane expect to .bashrc script back to
> expect + ssh key script which runs on an SBC, parses some of the SBC
> logs, pushes the output to a Linux machine, gets re-parsed on the Linux
> box, triggers an alert (right now to my SIP Blackberry client & Snom) based
> on predefined params (volume of calls, destination of calls) and has the
> capability of doing trigger based blocking (expect). Right now though,
> it's only running on our nCite SBCs, and once I become more comfortable
> with our Acme's logging capabilities, I may do the same type of
> scripting: from a syslog based machine, parse elsewhere, sort out, pick
> out a trigger, create a rule, send it via expect to some defense
> mechanism. Depends on how REALLY bored I get and whether or not I
> actually even start looking at our Acmes. (Personally, I'd rather leave
> this to my colleague ;))


Interesting you should bring this up, as it is something I have been
fiddling with now for a little while. I have all our Acmes feeding a
syslog server in SQL, and parsing those logs to generate lists of
particularly bad offenders, then using that process to seed a blacklist
BGP feed that all my edge routers draw from, and then null route those
offenders at the edge of my network, or for particularly bad attacks
using BGP communities to signal our bandwidth provider to null them.

This has the benefit of providing a measure of intelligent protection
network wide, even when the attack is focused on a single element, and
can guard against both SIP based attacks and more traditional DDoS
attacks as well.
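
The pipeline described in the reply above (SBC syslog in, list of bad offenders out, offenders fed to a BGP blackhole feed with a stronger community for the worst cases), as an added example that is not the poster's code and not anything from Acme Packet or a real SBC. The log line layout, the thresholds, the five-minute window, the allowlist of prefixes that must never be null-routed, the discard next-hop, the provider community `64496:666` and the ExaBGP-style rendering are all assumptions chosen for this example; the only non-placeholder value is `65535:666`, the BLACKHOLE well-known community from RFC 7999.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed log lines imitating a generic SBC syslog feed. This is NOT the
# Acme Packet (or any vendor's) format; adjust LOG_RE to your own SBC.
SAMPLE_LOG = """\
May 18 16:10:00 sbc1 sipd: INVITE from 198.51.100.5:5060 to 011447700900010 status=403
May 18 16:10:01 sbc1 sipd: INVITE from 198.51.100.5:5060 to 011447700900011 status=403
May 18 16:10:02 sbc1 sipd: INVITE from 198.51.100.5:5060 to 011447700900012 status=403
May 18 16:40:01 sbc1 sipd: INVITE from 203.0.113.7:5060 to 011447700900001 status=403
May 18 16:40:02 sbc1 sipd: INVITE from 203.0.113.7:5060 to 011447700900002 status=403
May 18 16:40:02 sbc1 sipd: INVITE from 203.0.113.7:5060 to 011447700900003 status=403
May 18 16:40:03 sbc1 sipd: REGISTER from 203.0.113.99:5060 to 1001 status=401
May 18 16:40:03 sbc1 sipd: INVITE from 10.20.30.40:5060 to 18005551212 status=200
May 18 16:40:04 sbc1 sipd: REGISTER from 203.0.113.99:5060 to 1002 status=401
May 18 16:40:05 sbc1 sipd: REGISTER from 203.0.113.99:5060 to 1003 status=401
May 18 16:40:05 sbc1 sipd: REGISTER from 203.0.113.99:5060 to 1004 status=401
May 18 16:40:06 sbc1 sipd: REGISTER from 203.0.113.99:5060 to 1005 status=401
May 18 16:40:07 sbc1 sipd: INVITE from 192.0.2.200:5060 to 15555550100 status=403
May 18 16:40:08 sbc1 sipd: INVITE from 192.0.2.200:5060 to 15555550101 status=403
May 18 16:40:09 sbc1 sipd: INVITE from 192.0.2.200:5060 to 15555550102 status=403
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s\S+\s\S+:\s"
    r"(?P<method>INVITE|REGISTER)\sfrom\s(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+"
    r"\sto\s(?P<dst>\S+)\sstatus=(?P<status>\d{3})$"
)

BLACKHOLE_COMMUNITY = "65535:666"  # RFC 7999 BLACKHOLE well-known community
UPSTREAM_COMMUNITY = "64496:666"   # placeholder: your provider's RTBH community
DISCARD_NEXT_HOP = "198.51.100.1"  # placeholder: next-hop your routers discard to

# Prefixes that are never null-routed: RFC 1918 space plus (constructed)
# 192.0.2.0/24 standing in for your own customers and trunk partners.
ALLOWLIST = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.2.0/24"]


def parse_line(line, year=2011):
    """Parse one syslog line into an event dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; the caller supplies it (assumed 2011).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "method": m["method"], "dst": m["dst"],
            "src": ipaddress.ip_address(m["src"]), "status": int(m["status"])}


def count_rejects(events, window=timedelta(minutes=5)):
    """Rejected (4xx/5xx) requests per source inside the trailing window."""
    if not events:
        return Counter()
    cutoff = max(e["ts"] for e in events) - window
    return Counter(e["src"] for e in events
                   if e["ts"] >= cutoff and e["status"] >= 400)


def build_blackhole_routes(rejects, allowlist, local_threshold=3, upstream_threshold=5):
    """Turn per-source reject counts into /32 blackhole routes.

    Sources below local_threshold are ignored; those at or above
    upstream_threshold also carry the provider community so the upstream
    drops them too. Allowlisted sources are never blackholed, whatever the count.
    """
    nets = [ipaddress.ip_network(n) for n in allowlist]
    routes = []
    for src, n in sorted(rejects.items(), key=lambda kv: kv[0]):
        if n < local_threshold or any(src in net for net in nets):
            continue
        communities = [BLACKHOLE_COMMUNITY]
        if n >= upstream_threshold:
            communities.append(UPSTREAM_COMMUNITY)
        routes.append({"prefix": f"{src}/32", "rejects": n, "communities": communities})
    return routes


def render_exabgp(route):
    """Render a route in the shape of ExaBGP's text API (assumed; verify locally)."""
    comm = " ".join(route["communities"])
    return f"announce route {route['prefix']} next-hop {DISCARD_NEXT_HOP} community [{comm}]"


def routes_from_log(text, allowlist=ALLOWLIST):
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return build_blackhole_routes(count_rejects(events), allowlist)


if __name__ == "__main__":
    for route in routes_from_log(SAMPLE_LOG):
        print(render_exabgp(route))
```

Run against the constructed lines it announces two host routes: `203.0.113.7/32` with the BLACKHOLE community only, and `203.0.113.99/32` with both communities because it crossed the upstream threshold. `198.51.100.5` is dropped by the time window, `10.20.30.40` never failed a request, and `192.0.2.200` fails the threshold but sits in the allowlist, which is the check that keeps a misbehaving customer or trunk partner from being null-routed by your own feed. Withdrawing routes when a source goes quiet is left out here; in production the same counts drive `withdraw` messages once a source falls back under the threshold.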

