[VoiceOps] Fraud fun

Matthew S. Crocker matthew at corp.crocker.com
Wed May 18 17:28:56 EDT 2011



----- Original Message -----
> From: "anorexicpoodle" <anorexicpoodle at gmail.com>
> To: "J. Oquendo" <sil at infiltrated.net>
> Cc: VoiceOps at voiceops.org
> Sent: Wednesday, May 18, 2011 5:01:39 PM
> Subject: Re: [VoiceOps] Fraud fun
> On Wed, 2011-05-18 at 16:52 -0400, J. Oquendo wrote:
> 
> Not blacklisting entire ASN's, feeding specific /32's into a BGP feed
> (usually hosted on Vyatta or Quagga in VM), though it does kinda bring up
> some interesting ideas about correlating the black-listed /32's to
> specific ASN's and countries for alert grouping and reporting. I'll
> have to have a play with that.
> 
> Here is where I got the original idea:
> http://www.team-cymru.org/Services/Bogons/bgp.html
> 
> And I just extended it to feed from other sources via scripted input
> and hosted the feed myself.
> 

BGP communities & null route black holes sure are fun for that sort of thing. Make sure you whitelist core services. Things can go sideways when your attacker realizes they can send bogus SIP from your upstream SIP peer IPs and have you auto-block your providers. Auto-blocking root DNS servers is a joy too!

There are a couple of scripts that eat up snort logs to generate quagga BGP announcements; it shouldn't be too hard to mess with the SIP rules in snort and have it running on a span port.

-Matt

-- 
Matthew S. Crocker
President
Crocker Communications, Inc.
PO BOX 710
Greenfield, MA 01302-0710
http://www.crocker.com
P: 413-746-2760
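One way to implement the whitelisting Matt recommends, as an added example that is not from the original thread: a small Python script that reads snort-style alert lines, drops any source that falls inside a protected list (own ranges, the upstream SIP peer, root DNS) and emits Quagga null-route and BGP statements for the rest. The sample alerts, the peer and service addresses, the AS number and the 65000:666 community are constructed placeholders.

```python
"""Turn snort-style SIP alerts into Quagga null-route config, never black-holing
protected infrastructure (own ranges, upstream SIP peer, root DNS)."""
import ipaddress
import re

# Constructed sample alerts in snort fast-alert format; not real traffic.
SAMPLE_ALERTS = """\
05/18-17:01:02.123456 [**] [1:1000001:1] SIP INVITE flood [**] {UDP} 203.0.113.9:5060 -> 198.51.100.10:5060
05/18-17:01:03.234567 [**] [1:1000002:1] SIP REGISTER brute force [**] {UDP} 192.0.2.77:5060 -> 198.51.100.10:5060
05/18-17:01:04.345678 [**] [1:1000001:1] SIP INVITE flood [**] {UDP} 203.0.113.9:5062 -> 198.51.100.10:5060
05/18-17:01:05.456789 [**] [1:1000001:1] SIP INVITE flood [**] {UDP} 198.18.0.5:5060 -> 198.51.100.10:5060
"""

# Networks that must never be null-routed, however many alerts they trigger.
# The first two are constructed placeholders; 198.41.0.4 is a.root-servers.net.
WHITELIST = [ipaddress.ip_network(n) for n in (
    "198.51.100.0/24",  # our own service range (placeholder)
    "203.0.113.9/32",   # upstream SIP peer (placeholder)
    "198.41.0.4/32",    # root DNS server
)]

# Source IP of a snort fast-alert line: "{UDP} 203.0.113.9:5060 -> ..."
ALERT_RE = re.compile(r"\{(?:UDP|TCP)\} (\d{1,3}(?:\.\d{1,3}){3}):\d+ -> ")

def offending_sources(log_text):
    """Unique alert source addresses, in first-seen order."""
    seen = []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            ip = ipaddress.ip_address(m.group(1))
            if ip not in seen:
                seen.append(ip)
    return seen

def is_protected(ip):
    """True if ip lies inside any whitelisted network."""
    return any(ip in net for net in WHITELIST)

def blackhole_config(log_text, asn=65000, community="65000:666"):
    """Return (config_lines, skipped): Quagga statements for each offender
    that is not protected, and the protected sources that were skipped."""
    static, bgp, skipped = [], [], []
    for ip in offending_sources(log_text):
        if is_protected(ip):
            skipped.append(str(ip))  # would have blocked a peer or root server
            continue
        static.append(f"ip route {ip}/32 Null0")          # zebra null route
        bgp.append(f" network {ip}/32 route-map BLACKHOLE")  # announce to peers
    route_map = ["route-map BLACKHOLE permit 10", f" set community {community}"]
    return static + route_map + [f"router bgp {asn}"] + bgp, skipped

if __name__ == "__main__":
    lines, skipped = blackhole_config(SAMPLE_ALERTS)
    print("\n".join(lines))
    print("# skipped (whitelisted):", ", ".join(skipped))
```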


