[VoiceOps] Fraud fun

J. Oquendo sil at infiltrated.net
Wed May 18 16:52:33 EDT 2011


On 5/18/2011 4:42 PM, anorexicpoodle wrote:
>> The biggest gripe I have with Asterisk and other open source based PBXs,
>> is the symmetry in logs. It's not fluid. One of the reasons I never built
>> an "all out" honeypot. I have to modify so much across different
>> versions. However, this is also the beauty of Asterisk and similar open
>> source type PBXs, there is so much you can do but it almost always needs
>> to be custom. I also have an insane expect to .bashrc script back to
>> expect + ssh key script which runs on an SBC, parses some of the SBC
>> logs, pushes the output to a Linux machine, gets re-parsed on the Linux
>> box, triggers alert (right now to my SIP Blackberry client & Snom) based
>> on predefined params (volume of calls, destination of calls) and has the
>> capability of doing trigger based blocking (expect). Right now though,
>> it's only running on our nCite SBCs and once I become more comfortable
>> with our Acme's logging capabilities, I may do the same type of
>> scripting: From syslog based machine, parse elsewhere, sort out, pick
>> out a trigger, create a rule, send it via expect to some defense
>> mechanism. Depends on how REALLY bored I get and whether or not I
>> actually even start looking at our Acmes. (Personally, I'd rather leave
>> this to my colleague ;))
>
> Interesting you should bring this up as it is something I have been
> fiddling with now for a little while. I have all our Acmes feeding a
> syslog server in SQL, and parsing those logs to generate lists of
> particularly bad offenders, then using that process to seed a
> blacklist BGP feed that all my edge routers draw from and then null
> route those offenders at the edge of my network, or for particularly
> bad attacks using BGP communities to signal our bandwidth provider to
> null them.
>
> This has the benefit of providing a measure of intelligent protection
> network wide, even when the attack is focused on a single element and
> can guard against both SIP based attacks and more traditional DDoS
> attacks as well.
>
>

Un-cc'd you guys to stop the dupes ;)

The logic you have sounds cool; however, I would have to be cautious
blacklisting entire ASNs as we do have some clients abroad with
interconnected trunks to their offices here. I like running phorensix
since it gives me an indication of "which country is hot" for fraud
right now. I called "Romania" back in Sept of 2010 and lo and behold
arrests hit that country for fraud. In Oct I called "Egypt" which is a
hotspot (ASN 8452). Soon I'll tinker around with Acme via syslog and
maybe I'll revise something for phorensix soon and make it public.

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
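The "parse SBC syslog, pick out offenders, feed a blackhole list" flow discussed in this thread, written out as an added example. This is not code from the original post, from phorensix, or from any Acme Packet or nCite tooling; the log lines are constructed in a generic key=value shape that stands in for real SBC output, and the partner allowlist (`198.51.100.0/24`) is a hypothetical value. The point it adds to the thread is the one J. Oquendo raises: offenders are emitted as host (/32) routes rather than whole ASNs, and any source inside a known-partner prefix is routed to a human review list instead of being auto-blocked.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a generic syslog-like "key=value" shape. They are a
# stand-in for SBC logs, not the real Acme Packet or nCite log format.
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOGS = """\
May 18 16:40:01 sbc1 sip: method=INVITE src=203.0.113.7 dst=+40212345678 code=403
May 18 16:40:02 sbc1 sip: method=INVITE src=203.0.113.7 dst=+40212345679 code=403
May 18 16:40:03 sbc1 sip: method=INVITE src=203.0.113.7 dst=+40212345680 code=403
May 18 16:40:04 sbc1 sip: method=INVITE src=203.0.113.7 dst=+40212345681 code=403
May 18 16:40:05 sbc1 sip: method=REGISTER src=192.0.2.50 dst=1001 code=401
May 18 16:40:06 sbc1 sip: method=REGISTER src=192.0.2.50 dst=1002 code=401
May 18 16:40:07 sbc1 sip: method=INVITE src=198.51.100.9 dst=+12125550100 code=200
May 18 16:40:08 sbc1 sip: method=INVITE src=198.51.100.9 dst=+12125550101 code=403
May 18 16:40:09 sbc1 sip: method=INVITE src=198.51.100.9 dst=+12125550102 code=403
May 18 16:40:10 sbc1 sip: method=INVITE src=198.51.100.9 dst=+12125550103 code=403
May 18 16:40:11 sbc1 sip: method=INVITE src=192.0.2.20 dst=+12125550200 code=200
"""

# Hypothetical partner trunk prefix: sources here get reviewed, never auto-blocked.
PARTNER_ALLOWLIST = ["198.51.100.0/24"]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sip: (?P<kv>.*)$"
)


def parse_line(line):
    """Split one log line into a dict of timestamp, host and key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host")}
    for token in m.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value
    return rec


def summarize(lines):
    """Per-source counters: total requests, 4xx failures, distinct destinations."""
    stats = defaultdict(lambda: {"total": 0, "failures": 0, "dsts": set()})
    for line in lines.splitlines():
        rec = parse_line(line)
        if rec is None or "src" not in rec:
            continue
        entry = stats[rec["src"]]
        entry["total"] += 1
        entry["dsts"].add(rec.get("dst", ""))
        if rec.get("code", "").startswith("4"):
            entry["failures"] += 1
    return stats


def triage(lines, allowlist, min_failures=3):
    """Return (block, review): sources over the failure threshold, split by
    whether they fall inside a known-partner prefix."""
    allow_nets = [ipaddress.ip_network(n) for n in allowlist]
    block, review = [], []
    for src, entry in summarize(lines).items():
        if entry["failures"] < min_failures:
            continue
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in allow_nets):
            review.append(src)  # partner trunk: alert a human instead of blocking
        else:
            block.append(src)
    return sorted(block), sorted(review)


def blackhole_prefixes(block):
    """Host routes for a blackhole feed: one /32 per offender, never a whole ASN."""
    return [f"{ip}/32" for ip in block]


if __name__ == "__main__":
    block, review = triage(SAMPLE_LOGS, PARTNER_ALLOWLIST)
    print("blackhole:", blackhole_prefixes(block))
    print("review:", review)
```

The threshold and the 4xx-only failure counting are deliberately simple; in practice the volume and destination-country signals the thread mentions would be added to `summarize` alongside the failure count, and the /32 list would be what the BGP feed advertises.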


