[VoiceOps] Large VoIP Attacks?

Sandro Gauci sandro at enablesecurity.com
Wed Nov 27 04:16:50 EST 2013


Thanks for the reply! Any logs from PBXNSIP/LifeSize?

Also, have you ever done INVITE floods (and other INVITE tricks) etc. on
that PBX? I haven't, so I'm wondering if this is simply the case of someone
running svwar.py with the INVITE method or a similar tool. I've seen a rise in
that sort of thing lately.

Sandro Gauci
Penetration tester and security researcher
Email: sandro at enablesecurity.com
Web: http://enablesecurity.com/
PGP: 8028 D017 2207 1786 6403  CD45 2B02 CBFE 9549 3C0C


On Tue, Nov 26, 2013 at 7:40 PM, J. Oquendo <sil at infiltrated.net> wrote:

> On Tue, 26 Nov 2013, Sandro Gauci wrote:
>
> > Hey J,
> >
> > can you describe what you're seeing please? E.g. Is it a system
> compromise,
> > toll fraud or DoS  (or none of these?:) )
> >
> > Feel free to post the response to the lists or privately to me.
> >
> > cheers,
> >
> >
>
> Yo what's going on Sandro... Will post to list so that
> others may be able to chime in if they've seen similar.
>
> Unsure what was happening since we had to get systems up and
> running "right now" since they were live systems with a mess
> of users on them (give or take 1,000-1,500 users). This is
> all I can say...
>
> Yesterday morning, client who uses a PBXNSIP based system
> calls: "Can't make calls, receive calls." Not a big deal,
> reload software, sometimes it acts up. Ten minutes later,
> another client using PBXNSIP calls with the same issue,
> followed by 2-5 systems within half an hour of one
> another.
>
> lsof | grep -i snom showed there were a lot of connections
> via HTTP and SIP to various addresses in Europe (.it, .de
> and a few others). No one was connected out there. I could
> not do packet captures because clients were complaining,
> so my ultimate reflex was an anti-toll script I wrote which
> blocks ALL but ARIN-based (North American) networks.
>
> This solved the problem on PBXNSIP. Minutes later, some of
> my LifeSize videoconferencing units started making phantom
> calls to extensions. The username was Test() via the
> LifeSize, but I could not perform a packet capture on that
> either.
>
> We didn't see any bursts of traffic, e.g., N_amount of
> excess bandwidth coming in, so DDoS was out of the question
> and I am always abusing (vulnscanning, webscanning, hitting
> up) my PBXs, but I have yet to ever make one unresponsive.
> So I am lost as to what occurred. Had I to guess what
> happened to PBXNSIP... Maybe some bad packetjuju forced it
> to crash (because it was down for the count). Mind you, this
> ONLY affected PBXs running PBXNSIP.
>
> Wish I knew anything more than "that was some bad packetry"
> but I'm stumped.
>
> --
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
>
> "Where ignorance is our master, there is no possibility of
> real peace" - Dalai Lama
>
> 42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
>
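Sandro's guess above is that the outages were an svwar.py-style extension enumeration using the INVITE method rather than a DDoS. The following is an added example, not code from this thread, from SIPVicious, or from any of the PBX vendors mentioned: it takes captured SIP requests tagged with a timestamp and source address and flags sources that either carry the default SIPVicious fingerprint (the `friendly-scanner` User-Agent and the `sipvicious` From display name, which an attacker can change) or send INVITEs to many different Request-URI users in a short window, which is what an enumeration looks like regardless of headers. The sample traffic, the addresses, the `Generic-UA/2.0` and `Example-Phone/1.0` strings and the thresholds are all constructed for the example.

```python
"""Added example (not from the VoiceOps thread, SIPVicious, or any PBX
named in it): flag INVITE-based extension enumeration in captured SIP
requests.  Sample traffic, addresses, User-Agent strings and thresholds
are constructed for the example; 'friendly-scanner' and 'sipvicious' are
the default User-Agent and From display name sent by unmodified
SIPVicious tools."""
import re
from collections import defaultdict

# Substrings that identify unmodified SIPVicious traffic.  Attackers can
# change these, so the rate rule below does not depend on them.
SCANNER_MARKERS = ("friendly-scanner", "sipvicious")


def parse_request(raw):
    """Return (method, request_uri_user, headers) for one SIP request,
    or None if the start-line is not a SIP request line."""
    lines = raw.split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return None
    method, uri = parts[0], parts[1]
    m = re.match(r"sips?:(?:([^@;]+)@)?", uri)
    user = (m.group(1) or "") if m else ""
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, user, headers


def find_invite_scanners(requests, window=10.0, distinct_users=10):
    """requests: iterable of (timestamp_seconds, source_ip, raw_sip).
    Returns {source_ip: [reasons]} for sources that carry a SIPVicious
    fingerprint or send INVITEs to at least `distinct_users` different
    Request-URI users within any `window`-second span."""
    invites = defaultdict(list)      # src -> [(ts, target user)]
    fingerprints = defaultdict(set)  # src -> matched marker strings
    for ts, src, raw in requests:
        parsed = parse_request(raw)
        if parsed is None:
            continue
        method, user, headers = parsed
        haystack = (headers.get("user-agent", "") + " "
                    + headers.get("from", "")).lower()
        for marker in SCANNER_MARKERS:
            if marker in haystack:
                fingerprints[src].add(marker)
        if method == "INVITE":
            invites[src].append((ts, user))

    findings = defaultdict(list)
    for src, markers in fingerprints.items():
        findings[src].append("scanner fingerprint: " + ", ".join(sorted(markers)))
    for src, events in invites.items():
        events.sort()
        best, j = 0, 0
        for i in range(len(events)):          # sliding time window
            while events[i][0] - events[j][0] > window:
                j += 1
            best = max(best, len({u for _, u in events[j:i + 1]}))
        if best >= distinct_users:
            findings[src].append(f"{best} distinct INVITE targets within {window:g}s")
    return dict(findings)


def _invite(user, src, user_agent, from_hdr=None):
    """Build a minimal constructed INVITE from `src` to extension `user`."""
    from_hdr = from_hdr or f"<sip:caller@{src}>;tag=1"
    return ("INVITE sip:{u}@pbx.example.net SIP/2.0\r\n"
            "Via: SIP/2.0/UDP {s}:5060;branch=z9hG4bK-1\r\n"
            "From: {f}\r\nTo: <sip:{u}@pbx.example.net>\r\n"
            "Call-ID: 1@{s}\r\nCSeq: 1 INVITE\r\n"
            "User-Agent: {ua}\r\nContent-Length: 0\r\n\r\n"
            ).format(u=user, s=src, f=from_hdr, ua=user_agent)


SAMPLE_REQUESTS = (
    # Unmodified svwar.py-style run: 25 extensions probed in 2.4 seconds.
    [(i * 0.1, "198.51.100.7",
      _invite(str(100 + i), "198.51.100.7", "friendly-scanner",
              '"sipvicious"<sip:100@1.1.1.1>;tag=1')) for i in range(25)]
    # A scanner that changed its headers: only the rate rule catches it.
    + [(30.0 + i * 0.3, "203.0.113.5",
        _invite(str(300 + i), "203.0.113.5", "Generic-UA/2.0")) for i in range(15)]
    # An ordinary phone: one REGISTER and two calls a minute apart.
    + [(5.0, "192.0.2.10",
        "REGISTER sip:pbx.example.net SIP/2.0\r\nUser-Agent: Example-Phone/1.0\r\n\r\n"),
       (6.0, "192.0.2.10", _invite("201", "192.0.2.10", "Example-Phone/1.0")),
       (66.0, "192.0.2.10", _invite("202", "192.0.2.10", "Example-Phone/1.0"))]
)

if __name__ == "__main__":
    for src, reasons in find_invite_scanners(SAMPLE_REQUESTS).items():
        print(src, "->", "; ".join(reasons))
```

The rate rule is the one worth keeping in production: it fires on the second source even though it carries no SIPVicious strings, while the legitimate phone with two calls a minute apart stays clear. In a live deployment the tuple stream would come from a capture tool or the PBX's own SIP trace rather than the constructed list, and the thresholds should be set from what normal call setup rates look like on that PBX.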