[VoiceOps] Large VoIP Attacks?

J. Oquendo sil at infiltrated.net
Tue Nov 26 13:40:29 EST 2013


On Tue, 26 Nov 2013, Sandro Gauci wrote:

> Hey J,
> 
> can you describe what you're seeing please? E.g. Is it a system compromise,
> toll fraud or DoS  (or none of these?:) )
> 
> Feel free to post the response to the lists or privately to me.
> 
> cheers,
> 
> 

Yo what's going on Sandro... Will post to list so that
others may be able to chime in if they've seen similar.

Unsure what was happening since we had to get systems up and
running "right now" since they were live systems with a mess
of users on them (give or take 1000,1500 users). This is
all I can say...

Yesterday morning, client who uses a PBXNSIP based system
calls: "Can't make calls, receive calls." Not a big deal,
reload software, sometimes it acts up. Ten minutes later,
another client using PBXNSIP calls with the same issue,
followed by 2-5 systems within a half an hour of one
another.

lsof | grep -i snom showed there were a lot of connections
via http and SIP to various addresses in Europe (.it, .de
and a few others). No one was connected out there. I could
not do packet captures because clients were complaining
so my ultimate reflex was an antitoll script I wrote which
blocks ALL but ARIN based (North American) networks.

This solved the problem on PBXNSIP. Minutes later, some of
my LifeSize videoconferencing units started making phantom
calls to extensions. The username was Test() via the
LifeSize, but I could not perform a packet capture on that
either.

We didn't see any bursts of traffic, e.g., N_amount of
excess bandwidth coming in, so DDoS was out of the question
and I am always abusing (vulnscanning, webscanning, hitting
up) my PBXs, but I have yet to ever make one unresponsive.
So I am lost as to what occurred. Had I to guess what
happened to PBXNSIP... Maybe some bad packetjuju forced it
to crash (because it was down for the count). Mind you, this
ONLY affected PBXs running PBXNSIP.

Wish I knew anything more than "that was some bad packetry"
but I'm stumped. 

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF

