[VoiceOps] Broadsoft SIP Trunks and ILD Fraud

Dag Peak dpeak at broadsoft.com
Tue Jan 10 12:35:32 EST 2012


What actually is happening in the case outlined below by Zak Rupas is probably something that everyone should be aware of. It is not about somehow finding a way to exceed the capacity configured for the given BroadWorks trunk group, it's ultimately about originating a call via a BW trunk group and then immediately transferring that call such that it is no longer on the BW trunk group.

Scenario goes like this, with four parties involved; Customer PBX with BW trunk, Bad Guy, Expensive International number, and US number. In this scenario, the Bad Guy wants to allow the US Number and Expensive International number to talk on PBX owner's dime.


1.                   Service Provider provides an authenticated BW SIP trunk to their customer's PBX, with let's say 5 sim calls.

2.                   Customer's PBX gets compromised somehow, and the Bad Guy now has control of some number of phones/endpoints behind that PBX.

3.                   ILD originations are allowed by the Service Provider from the PBX, so Bad Guy places a call to Expensive International number.

4.                   Bad Guy then immediately blind transfers the call to the US number, such that the call is no longer associated with the trunk group and the trunk group's sim call limitations.

5.                   US number and ILD destination are connected, they talk, with billing going to the PBX owner (as that's who the CDR will show as placing the original call and making the transfer).

6.                   Bad Guy repeats this many times, getting many calls going simultaneously, fundamentally unrestricted by the capacity of the trunk group.

With existing functionality, there are ways to mitigate this situation.


1.                   Ensure that PBX doesn't get compromised in the first place, but this is hard, and is bound to happen, so this is not sufficient to prevent fraud.

2.                   In BroadWorks, turn of ILD for all users altogether, and if some users actually do need ILD, only enable it for them explicitly using Comm Barring.

3.                   In BroadWorks, enforce an Authorization Code when dialing ILD destinations. This can be all ILD, or can be a subset of ILD destinations, using the Comm Barring feature with Auth Code as the action.

4.                   In BroadWorks, use Call Processing Policies to limit the number of redirected calls allowed by a given trunking user to some small number like 1 or 2. This does not solve the problem entirely, but will reduce the total number of calls that the Bad Guy can get pinned up to one or two time the number of compromised DIDs on the trunk. BroadSoft recommends that all users have such Call Processing Policies enabled and configured.

5.                   Use some fraud detection system (like Equinox IS Protector or whatever) that alerts you when a strange calling patterns occurs. If this is in place, then even if the system is compromised, you'll be alerted to it soon after it starts and then you can turn off that trunk.

For those of you with access to Xchange, there is a document that outlines all the layers of security that should be enabled to harden your networks against fraud. URL below:

http://xchange.broadsoft.com/php/xchange/support/broadworks/tac/technical-summits/events2007/tech-summit-Sydney

Dag Peak
Senior Systems Engineer
dpeak at broadsoft.com<mailto:dpeak at broadsoft.com>
Twitter @dagpeak

From: Danijel [mailto:theghost101 at gmail.com]
Sent: Tuesday, January 10, 2012 8:31 AM
To: voiceops at voiceops.org
Subject: Re: [VoiceOps] Broadsoft SIP Trunks and ILD Fraud

That's unblocked only only per customer basis if the customer complains that he can't reach those numbers ;-)

--
*blap*

On Mon, Jan 2, 2012 at 15:49, Alex Balashov <abalashov at evaristesys.com<mailto:abalashov at evaristesys.com>> wrote:
Or Globalstar or Inmarsat. :-)
--
This message was painstakingly thumbed out on my mobile, so apologies for brevity, errors, and general sloppiness.

Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670<tel:%2B1-678-954-0670>
Fax: +1-404-961-1892<tel:%2B1-404-961-1892>
Web: http://www.evaristesys.com/

On Jan 2, 2012, at 5:17 AM, Danijel <theghost101 at gmail.com<mailto:theghost101 at gmail.com>> wrote:
5 simultaneous calls to Cuba or some African country is still a lots of money.

--
*blap*

On Fri, Dec 30, 2011 at 17:36, Zak Rupas <zak at simplesignal.com<mailto:zak at simplesignal.com>> wrote:
Good Morning Voice OPS

Is anyone else experiencing anything like this? If so please share what you have done / or will to make it stop

We have a series of smaller SIP trunk customers using Broadsoft trunk groups. By design the trunk groups have a concurrent call limitation based off the customer's order. These smaller SIP trunks groups when compromised are able to run up HUGE fraud bills even tho they only have 5 or 6 SIP trunks. Needing to know if anyone else is seeing this that has Broadsoft and what was done to protect yourselves?

Otherwise Happy NYE :)

Zak Rupas
VoIP Engineer

SimpleSignal
3600 S Yosemite Suite 150
Denver, CO 80237
One Number Rings All My Phones: 303-242-8606<tel:303-242-8606>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/voiceops/attachments/20120110/c7506d4f/attachment.html>


More information about the VoiceOps mailing list