[VoiceOps] Large VoIP Attacks?
sandro at enablesecurity.com
Wed Nov 27 04:16:50 EST 2013
Thanks for the reply! Any logs from PBXNSIP/LifeSize?
Also, have you ever done INVITE floods (and other INVITE tricks) etc on
that PBX? I haven't so I'm wondering if this is simply the case of someone
running svwar.py with INVITE method or a similar tool. I've seen a rise in
that sort of thing lately.
Penetration tester and security researcher
Email: sandro at enablesecurity.com
PGP: 8028 D017 2207 1786 6403 CD45 2B02 CBFE 9549 3C0C
On Tue, Nov 26, 2013 at 7:40 PM, J. Oquendo <sil at infiltrated.net> wrote:
> On Tue, 26 Nov 2013, Sandro Gauci wrote:
> > Hey J,
> > can you describe what you're seeing please? E.g. Is it a system
> > toll fraud or DoS (or none of these?:) )
> > Feel free to post the response to the lists or privately to me.
> > cheers,
> Yo what's going on Sandro... Will post to list so that
> others may be able to chime in if they've seen similar.
> Unsure what was happening since we had to get systems up and
> running "right now" since they were live systems with a mess
> of users on them (give or take 1000,1500 users). This is
> all I can say...
> Yesterday morning, client who uses a PBXNSIP based system
> calls: "Can't make calls, receive calls." Not a big deal,
> reload software, sometimes it acts up. Ten minutes later,
> another client using PBXNSIP calls with the same issue,
> followed by 2-5 systems within a half an hour of one
> lsof | grep -i snom showed there were a lot of connections
> via http and SIP to various addresses in Europe (.it, .de
> and a few others). No one was connected out there. I could
> not do packet captures because clients were complaining
> so my ultimate reflex was an antitoll script I wrote which
> blocks ALL but ARIN based (North American) networks.
> This solved the problem on PBXNSIP. Minutes later, some of
> my LifeSize videoconferencing units started making phantom
> calls to extensions. The username was Test() via the
> LifeSize, but I could not perform a packet capture on that
> We didn't see any bursts of traffic, e.g., N_amount of
> excess bandwidth coming in, so DDoS was out of the question
> and I am always abusing (vulnscanning, webscanning, hitting
> up) my PBXs, but I have yet to ever make one unresponsive.
> So I am lost as to what occurred. Had I to guess what
> happened to PBXNSIP... Maybe some bad packetjuju forced it
> to crash (because it was down for the count). Mind you, this
> ONLY affected PBXs running PBXNSIP.
> Wish I knew anything more than "that was some bad packetry"
> but I'm stumped.
> J. Oquendo
> SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
> "Where ignorance is our master, there is no possibility of
> real peace" - Dalai Lama
> 42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
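Sandro's guess above is an INVITE-based extension sweep (svwar.py run with the INVITE method) rather than a bandwidth DDoS. As an added illustration that is not from this thread or any poster, the script below flags that pattern in a simple SIP signalling log: one source sending many INVITEs to many distinct extensions inside a short window. The one-line log format, the thresholds and the sample lines are all assumptions constructed for the example.

```python
"""Flag INVITE-flood / extension-enumeration behaviour in a SIP signalling log.
Added example for this thread; log format, thresholds and sample data are assumed."""
import re
from collections import defaultdict

# Assumed one-request-per-line format: "<epoch> <src_ip> <METHOD> sip:<user>@<host>"
LINE_RE = re.compile(r"^(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\w+)\s+sip:([^@\s]+)@")

# Constructed sample: one host sweeps extensions 1000-1039 with INVITE at one per
# second; a normal phone registers and places two calls in the same period.
SAMPLE_LOG = "\n".join(
    [f"{1385500000 + i} 198.51.100.7 INVITE sip:{1000 + i}@pbx.example" for i in range(40)]
    + ["1385500005 192.0.2.10 REGISTER sip:201@pbx.example",
       "1385500010 192.0.2.10 INVITE sip:202@pbx.example",
       "1385500030 192.0.2.10 INVITE sip:203@pbx.example"]
)

def find_invite_sweeps(log_text, window=60, max_invites=20, max_targets=10):
    """Return {src_ip: (invites, distinct_targets)} for the busiest `window`-second
    span of each source that exceeds either threshold. Only INVITEs are counted."""
    events = defaultdict(list)  # src_ip -> [(timestamp, target_user)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts, src, method, user = m.groups()
        if method == "INVITE":
            events[src].append((int(ts), user))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        best, start = (0, 0), 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most `window` seconds
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            best = max(best, (len(span), len({u for _, u in span})))
        if best[0] > max_invites or best[1] > max_targets:
            flagged[src] = best
    return flagged
```

Run against a PBX's own SIP trace, a hit here is the kind of source worth blocking at the edge while you capture traffic for a closer look.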