[VoiceOps] Fraud fun

anorexicpoodle anorexicpoodle at gmail.com
Wed May 18 17:01:39 EDT 2011


On Wed, 2011-05-18 at 16:52 -0400, J. Oquendo wrote:

> On 5/18/2011 4:42 PM, anorexicpoodle wrote:
> >> The biggest gripe I have with Asterisk and other open source based PBXs
> >> is the symmetry in logs. It's not fluid. One of the reasons I never built
> >> an "all out" honeypot. I have to modify so much across different
> >> versions. However, this is also the beauty of Asterisk and similar open
> >> source type PBXs: there is so much you can do, but it almost always needs
> >> to be custom. I also have an insane expect to .bashrc script back to
> >> expect + ssh key script which runs on an SBC, parses some of the SBC
> >> logs, pushes the output to a Linux machine, gets re-parsed on the Linux
> >> box, triggers an alert (right now to my SIP Blackberry client & Snom) based
> >> on predefined params (volume of calls, destination of calls) and has the
> >> capability of doing trigger based blocking (expect). Right now though,
> >> it's only running on our nCite SBCs, and once I become more comfortable
> >> with our Acme's logging capabilities, I may do the same type of
> >> scripting: from a syslog based machine, parse elsewhere, sort out, pick
> >> out a trigger, create a rule, send it via expect to some defense
> >> mechanism. Depends on how REALLY bored I get and whether or not I
> >> actually even start looking at our Acmes. (Personally, I'd rather leave
> >> this to my colleague ;))
> >
> > Interesting you should bring this up, as it is something I have been
> > fiddling with now for a little while. I have all our Acmes feeding a
> > syslog server in SQL, and I parse those logs to generate lists of
> > particularly bad offenders, then use that process to seed a
> > blacklist BGP feed that all my edge routers draw from and then null
> > route those offenders at the edge of my network, or for particularly
> > bad attacks use BGP communities to signal our bandwidth provider to
> > null them.
> >
> > This has the benefit of providing a measure of intelligent protection
> > network wide, even when the attack is focused on a single element, and
> > can guard against both SIP based attacks and more traditional DDoS
> > attacks as well.
> >
> >
> 
> Un cc'd you guys to stop the dupes ;)
> 
> The logic you have sounds cool; however, I would have to be cautious
> about blacklisting entire ASNs, as we do have some clients abroad with
> interconnected trunks to their offices here. I like running phorensix
> since it gives me an indication of "which country is hot" for fraud
> right now. I called "Romania" back in Sept of 2010 and lo and behold
> arrests hit that country for fraud. In Oct I called "Egypt", which is a
> hotspot (ASN 8452). Soon I'll tinker around with Acme via syslog and
> maybe I'll revise something for phorensix soon and make it public.
> 


Not blacklisting entire ASNs, just feeding specific /32s into a BGP feed
(usually hosted on Vyatta or Quagga in a VM), though it does kinda bring up
some interesting ideas about correlating the blacklisted /32s to
specific ASNs and countries for alert grouping and reporting. I'll have
to have a play with that.

here is where I got the original idea:
http://www.team-cymru.org/Services/Bogons/bgp.html

And I just extended it to feed from other sources via scripted input and
hosted the feed myself.
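The pipeline described in this thread (SBC syslog, parse for bad offenders, seed a self-hosted BGP feed of /32 null routes, and tag the worst ones with a community for the upstream) as an added example. This is illustrative code written for this archive page, not any poster's script and not anything from the Team Cymru feed. Everything in it is an assumption: the syslog field layout is constructed and is not Acme/Net-Net's real log format, the source addresses come from the RFC 5737 documentation ranges, the allowlist prefix, thresholds, ASN 65000, the community 65000:666 and the Quagga-style zebra/bgpd output are all placeholders to be replaced with your own values and checked against your Quagga version and your provider's documented blackhole community. It also does the one thing the thread warns about: it exempts allowlisted customer-trunk prefixes so a noisy partner does not get null-routed.

```python
"""Turn SBC-style syslog into /32 blackhole routes for a self-hosted BGP feed.

Added example, not code from the thread. The log format, thresholds, ASN,
community and the Quagga-like output syntax are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed syslog-style records standing in for SBC output. The field
# layout is an assumption for this example, NOT a real Acme/Net-Net format.
AUTH_FAIL = "May 18 16:4{m}:{s:02d} sbc1 sip: REGISTER auth-failure src={ip} user={u}"
INVITE = "May 18 16:4{m}:{s:02d} sbc1 sip: INVITE src={ip} dst={dst}"


def constructed_log():
    """Sample input, built inline so the example runs offline."""
    lines = []
    # 203.0.113.9: password guessing, no calls placed -> local null route only
    lines += [AUTH_FAIL.format(m=0, s=i, ip="203.0.113.9", u=1000 + i) for i in range(8)]
    # 198.51.100.77: heavy guessing plus international INVITEs -> signal upstream too
    lines += [AUTH_FAIL.format(m=1, s=i, ip="198.51.100.77", u=2000 + i) for i in range(25)]
    lines += [INVITE.format(m=2, s=i, ip="198.51.100.77", dst=f"0113717{i:04d}") for i in range(6)]
    # 192.0.2.10: noisy, but it sits in an allowlisted customer trunk prefix -> exempt
    lines += [AUTH_FAIL.format(m=3, s=i, ip="192.0.2.10", u=3000 + i) for i in range(7)]
    # 203.0.113.200: a couple of fat-fingered passwords -> below threshold, ignored
    lines += [AUTH_FAIL.format(m=4, s=i, ip="203.0.113.200", u=4000) for i in range(2)]
    return lines


LINE_RE = re.compile(
    r"sip: (?P<method>REGISTER|INVITE) (?:auth-failure )?src=(?P<src>[\d.]+)(?: dst=(?P<dst>\d+))?"
)

# Customer trunks that must never be null-routed (assumption: one /24 here).
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]


def parse_line(line):
    """Return the fields of one record, or None for lines we do not understand."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["auth_failure"] = "auth-failure" in line
    return rec


def score_sources(lines):
    """Count registration failures and international call attempts per source IP.
    '00' / '011' as the international prefix is an assumption for the sample data."""
    scores = defaultdict(lambda: {"auth_fail": 0, "intl_invite": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = scores[rec["src"]]
        if rec["auth_failure"]:
            s["auth_fail"] += 1
        elif rec["method"] == "INVITE" and rec["dst"] and rec["dst"].startswith(("00", "011")):
            s["intl_invite"] += 1
    return dict(scores)


def classify(scores, allowlist=ALLOWLIST, fail_threshold=5, upstream_fail_threshold=20):
    """Split offenders into 'null-route locally' and 'also signal the upstream'.
    Addresses inside an allowlisted prefix are skipped entirely."""
    local, upstream = set(), set()
    for ip, s in scores.items():
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in allowlist):
            continue
        if s["auth_fail"] >= fail_threshold:
            local.add(ip)
            if s["auth_fail"] >= upstream_fail_threshold or s["intl_invite"] > 0:
                upstream.add(ip)
    return local, upstream


def render_quagga(local, upstream, local_asn=65000, upstream_community="65000:666"):
    """Render Quagga-style zebra/bgpd config: a static null route per offender, and a
    route-map that tags the worst ones with the provider's blackhole community when
    the statics are redistributed into BGP. Syntax is an approximation (assumption)."""
    out = ["! --- zebra: null-route every offender at the edge ---"]
    for ip in sorted(local, key=ipaddress.ip_address):
        out.append(f"ip route {ip}/32 Null0")
    out.append("! --- bgpd: export the null routes, tag the worst for the upstream ---")
    if upstream:
        for seq, ip in enumerate(sorted(upstream, key=ipaddress.ip_address), start=1):
            out.append(f"ip prefix-list RTBH-UPSTREAM seq {seq * 10} permit {ip}/32")
        out += ["route-map RTBH permit 10",
                " match ip address prefix-list RTBH-UPSTREAM",
                f" set community {upstream_community}"]
    out += ["route-map RTBH permit 20",
            f"router bgp {local_asn}",
            " redistribute static route-map RTBH"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_quagga(*classify(score_sources(constructed_log()))))
```

Run as-is it prints the generated config for the constructed sample: 203.0.113.9 and 198.51.100.77 get null routes, only 198.51.100.77 is tagged with the upstream community, and 192.0.2.10 is left alone because it falls inside the allowlisted trunk prefix. In a real deployment the same decision logic would read from the SQL-backed syslog store instead of `constructed_log()`, and the rendered config would be pushed to the feed router rather than printed.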
