[VoiceOps] Fraud fun

Ujjval Karihaloo ujjval at simplesignal.com
Fri May 20 12:21:30 EDT 2011


Along those lines: since most of these SIPVicious REGISTER scans originate
from compromised servers out there, it makes sense to look at REGISTER scans
and then actual traffic (INVITEs), and then correlate the data to make ACL deny
decisions.



I have been told Palladion has something like this and it's flexible enough
to change detection parameters. However, implementing the automated blocking
piece is what needs to be figured out in conjunction with the product.



*From:* voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org]
*On Behalf Of *anorexicpoodle
*Sent:* Thursday, May 19, 2011 2:34 PM
*To:* Peter Eisengrein
*Cc:* voiceops at voiceops.org
*Subject:* Re: [VoiceOps] Fraud fun



Was probably me you're referring to.

I do this primarily off of syslog data, since my process is based off of the
Acme trust demotion messages. Every time the SD demotes an endpoint to the
deny trust level it produces a syslog message, which I write into SQL. I
then have a process that parses these messages, extracts the IP addresses
and generates counts of the number of times an address has been blacklisted
in given timeframes. So while at this level the SD is actually protecting
the network from the "bad" traffic, it still needs to see X messages before
the demotion policy takes effect, and the demotion is relatively short term.
This short-term blacklist is where my process picks up: it looks for larger
trends, scoring bad behavior across wider time ranges and across different
SDs, and uses that data to determine if a given address needs a heavier-
handed response at the router, so we can preserve SD CPU cycles.

-anorexicpoodle






On Thu, 2011-05-19 at 15:59 -0400, Peter Eisengrein wrote:



Someone (sorry, don't have the email handy) previously mentioned that
they monitor the output from their Acme and then blacklist IPs. Very
interesting idea -- how are you determining who the "bad guys" are?
From the "friendly-scanner" agent field? In what field is this? Are
you doing this from the RADIUS CDRs?



Thanks,

Pete



_______________________________________________

VoiceOps mailing list

VoiceOps at voiceops.org

https://puck.nether.net/mailman/listinfo/voiceops
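The pipeline anorexicpoodle describes above (SD trust-demotion syslog messages in, per-address counts over wider time windows and across several SDs, router block decision out), written out as an added Python example. This is not the poster's code or an Acme Packet interface: the syslog message text, the SD hostnames, the addresses, the evaluation time, the thresholds and the ACL output syntax are all constructed or assumed for illustration, and the regular expression has to be re-fitted to the demotion messages your own SDs actually emit.

```python
"""Escalate an SBC's short-term trust demotions into a router-level blocklist.

Added example, not the list poster's code. Every log line below is
constructed; the message format is hypothetical and is NOT the real
Acme Packet SD syslog text, which you must match from your own capture.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines: <timestamp> <SD hostname> <message>.
# Unrelated messages are mixed in because a real syslog feed carries them too.
SAMPLE_SYSLOG = """\
2011-05-19T13:01:05 sd-east trust level demoted to deny for 203.0.113.7
2011-05-19T13:09:41 sd-east trust level demoted to deny for 203.0.113.7
2011-05-19T14:20:00 sd-west trust level demoted to deny for 203.0.113.7
2011-05-18T02:11:58 sd-west trust level demoted to deny for 203.0.113.7
2011-05-19T15:02:13 sd-east trust level demoted to deny for 198.51.100.20
2011-05-19T15:05:00 sd-east trust level demoted to deny for 198.51.100.20
2011-05-19T15:30:00 sd-east trust level demoted to deny for 192.0.2.99
2011-05-14T09:00:00 sd-west trust level demoted to deny for 192.0.2.99
2011-05-19T15:31:00 sd-east some unrelated message
"""

# Hypothetical demotion message pattern; adapt to the real SD text.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sd>\S+) trust level demoted to deny for "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Assumed evaluation time for the constructed sample ("now" when the job runs).
NOW = datetime(2011, 5, 19, 16, 0, 0)

# Scoring windows: the SD's own demotion is short-lived, so the job looks
# at a day and a week of history per address.
WINDOWS = {"24h": timedelta(hours=24), "7d": timedelta(days=7)}


def parse_demotions(text):
    """Return (timestamp, sd_name, ip) for every line that is a demotion message."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # anything that is not a demotion message is ignored
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
            events.append((ts, m.group("sd"), m.group("ip")))
    return events


def score_addresses(events, now):
    """Count demotions per IP inside each window and note which SDs saw it (7d)."""
    stats = defaultdict(lambda: {"sds": set(), **{w: 0 for w in WINDOWS}})
    for ts, sd, ip in events:
        age = now - ts
        if age < timedelta(0):  # clock skew / future timestamp: do not score
            continue
        for label, width in WINDOWS.items():
            if age <= width:
                stats[ip][label] += 1
        if age <= WINDOWS["7d"]:
            stats[ip]["sds"].add(sd)
    return dict(stats)


def needs_router_block(entry, min_24h=3, min_sds=2, min_7d=2):
    """Heavier-handed response when an address is demoted repeatedly within a
    day, or is demoted on several SDs over the week. Thresholds are illustrative."""
    return entry["24h"] >= min_24h or (
        len(entry["sds"]) >= min_sds and entry["7d"] >= min_7d
    )


def router_blocklist(text, now):
    """Sorted list of addresses that should be denied at the router edge."""
    stats = score_addresses(parse_demotions(text), now)
    return sorted(ip for ip, e in stats.items() if needs_router_block(e))


def acl_lines(ips, acl_name="SIP-SCANNERS"):
    """Render IOS-style extended ACL entries (syntax assumed; adapt to your router)."""
    return [f"ip access-list extended {acl_name}"] + [
        f" deny ip host {ip} any" for ip in ips
    ]


# Scored view of the constructed sample, computed at import so it can be inspected.
SAMPLE_STATS = score_addresses(parse_demotions(SAMPLE_SYSLOG), NOW)

if __name__ == "__main__":
    for ip, e in sorted(SAMPLE_STATS.items()):
        print(ip, e["24h"], e["7d"], sorted(e["sds"]), needs_router_block(e))
    print("\n".join(acl_lines(router_blocklist(SAMPLE_SYSLOG, NOW))))
```

In the sample, 203.0.113.7 is escalated because it was demoted three times in a day on two SDs, and 192.0.2.99 is escalated only because the weekly view shows it on both SDs; 198.51.100.20, demoted twice on one SD, stays on the SD's own short-term blacklist. A real deployment would also age entries out of the router ACL, since the point of the exercise is to shed scanner traffic from the SD, not to accumulate a permanent deny list of other people's compromised hosts.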