<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.hoenzb
        {mso-style-name:hoenzb;}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:482940079;
        mso-list-type:hybrid;
        mso-list-template-ids:-1373363990 -317411326 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:.75in;
        text-indent:-.5in;}
@list l1
        {mso-list-id:812601572;
        mso-list-type:hybrid;
        mso-list-template-ids:158897734 -317411326 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l1:level1
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:.75in;
        text-indent:-.5in;}
@list l2
        {mso-list-id:1602448156;
        mso-list-type:hybrid;
        mso-list-template-ids:-1654512808 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l2:level1
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>What actually is happening in the case outlined below by Zak Rupas is probably something that everyone should be aware of. It is not about somehow finding a way to exceed the capacity configured for the given BroadWorks trunk group, it's ultimately about originating a call via a BW trunk group and then immediately transferring that call such that it is no longer on the BW trunk group.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Scenario goes like this, with four parties involved; Customer PBX with BW trunk, Bad Guy, Expensive International number, and US number. In this scenario, the Bad Guy wants to allow the US Number and Expensive International number to talk on PBX owner's dime.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoListParagraph style='margin-left:.75in;text-indent:-.5in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'>                   </span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Service Provider provides an authenticated BW SIP trunk to their customer’s PBX, with let’s say 5 sim calls.<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:.75in;text-indent:-.5in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><span style='mso-list:Ignore'>2.<span 
style='font:7.0pt "Times New Roman"'>                   </span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Customer’s PBX gets compromised somehow, and the Bad Guy now has control of some number of phones/endpoints behind that PBX.<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:.75in;text-indent:-.5in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><span style='mso-list:Ignore'>3.<span style='font:7.0pt "Times New Roman"'>                   </span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>ILD originations are allowed by the Service Provider from the PBX, so Bad Guy places a call to Expensive International number. <o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:.75in;text-indent:-.5in;mso-list:l0 level1 lfo2'><![if !supportLists]><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><span style='mso-list:Ignore'>4.<span style='font:7.0pt "Times New Roman"'>                   </span></span></span></b><![endif]><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Bad Guy then immediately blind transfers the call to the US number, <u>such that the call is no longer associated with the trunk group </u>and the trunk group's sim call limitations.<o:p></o:p></span></b></p><p class=MsoListParagraph style='margin-left:.75in;text-indent:-.5in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><span style='mso-list:Ignore'>5.<span style='font:7.0pt "Times New Roman"'>                   </span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>US number and ILD destination are connected, they talk, with billing going to the PBX owner (as that's who the CDR will 
show as placing the original call and making the transfer).<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:.75in;text-indent:-.5in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><span style='mso-list:Ignore'>6.<span style='font:7.0pt "Times New Roman"'>                   </span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Bad Guy repeats this many times, getting many calls going simultaneously, fundamentally unrestricted by the capacity of the trunk group.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>With existing functionality, there are ways to mitigate this situation.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoListParagraph style='margin-left:.75in;text-indent:-.5in;mso-list:l1 level1 lfo3'><![if !supportLists]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'>                   </span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Ensure that PBX doesn't get compromised in the first place, but this is hard, and is bound to happen, so this is not sufficient to prevent fraud.<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:.75in;text-indent:-.5in;mso-list:l1 level1 lfo3'><![if !supportLists]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'>                   </span></span></span><![endif]><span 
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>In BroadWorks, turn off ILD for all users altogether, and if some users actually do need ILD, only enable it for them explicitly using Comm Barring.<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:.75in;text-indent:-.5in;mso-list:l1 level1 lfo3'><![if !supportLists]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><span style='mso-list:Ignore'>3.<span style='font:7.0pt "Times New Roman"'>                   </span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>In BroadWorks, enforce an Authorization Code when dialing ILD destinations. This can be all ILD, or can be a subset of ILD destinations, using the Comm Barring feature with Auth Code as the action. <o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:.75in;text-indent:-.5in;mso-list:l1 level1 lfo3'><![if !supportLists]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><span style='mso-list:Ignore'>4.<span style='font:7.0pt "Times New Roman"'>                   </span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>In BroadWorks, use Call Processing Policies to limit the number of redirected calls allowed by a given trunking user to some small number like 1 or 2. This does not solve the problem entirely, but will reduce the total number of calls that the Bad Guy can get pinned up to one or two times the number of compromised DIDs on the trunk. 
BroadSoft recommends that all users have such Call Processing Policies enabled and configured.<o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:.75in;text-indent:-.5in;mso-list:l1 level1 lfo3'><![if !supportLists]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><span style='mso-list:Ignore'>5.<span style='font:7.0pt "Times New Roman"'>                   </span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Use some fraud detection system (like Equinox IS Protector or whatever) that alerts you when a strange calling pattern occurs. If this is in place, then even if the system is compromised, you'll be alerted to it soon after it starts and then you can turn off that trunk.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>For those of you with access to Xchange, there is a document that outlines all the layers of security that should be enabled to harden your networks against fraud. 
URL below:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>http://xchange.broadsoft.com/php/xchange/support/broadworks/tac/technical-summits/events2007/tech-summit-Sydney<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial","sans-serif";color:gray'>Dag Peak<br>Senior Systems Engineer<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial","sans-serif";color:gray'><a href="mailto:dpeak@broadsoft.com">dpeak@broadsoft.com</a><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial","sans-serif";color:gray'>Twitter @dagpeak<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Danijel [mailto:theghost101@gmail.com] <br><b>Sent:</b> Tuesday, January 10, 2012 8:31 AM<br><b>To:</b> voiceops@voiceops.org<br><b>Subject:</b> Re: [VoiceOps] Broadsoft SIP Trunks and ILD Fraud<o:p></o:p></span></p></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:12.0pt'>That's unblocked only on a per-customer basis if the customer complains that he can't reach those numbers ;-)<br><br clear=all>-- <br>*blap*<br><br><o:p></o:p></p><div><p class=MsoNormal>On Mon, Jan 2, 2012 at 15:49, Alex Balashov <<a href="mailto:abalashov@evaristesys.com">abalashov@evaristesys.com</a>> wrote:<o:p></o:p></p><div><div><p class=MsoNormal 
style='margin-bottom:12.0pt'>Or Globalstar or Inmarsat. :-)<span class=hoenzb><span style='color:#888888'><o:p></o:p></span></span></p><div><p class=MsoNormal><span style='color:#888888'>--</span><o:p></o:p></p></div><div><p class=MsoNormal><span style='color:#888888'>This message was painstakingly thumbed out on my mobile, so apologies for brevity, errors, and general sloppiness.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='color:#888888'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='color:#888888'>Alex Balashov - Principal<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='color:#888888'>Evariste Systems LLC<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='color:#888888'>260 Peachtree Street NW<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='color:#888888'>Suite 2200<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='color:#888888'>Atlanta, GA 30303<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='color:#888888'>Tel: <a href="tel:%2B1-678-954-0670" target="_blank">+1-678-954-0670</a><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='color:#888888'>Fax: <a href="tel:%2B1-404-961-1892" target="_blank">+1-404-961-1892</a><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='color:#888888'>Web: <a href="http://www.evaristesys.com/" target="_blank">http://www.evaristesys.com/</a><o:p></o:p></span></p></div></div><div><div><div><p class=MsoNormal style='margin-bottom:12.0pt'><br>On Jan 2, 2012, at 5:17 AM, Danijel <<a href="mailto:theghost101@gmail.com" target="_blank">theghost101@gmail.com</a>> wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='margin-bottom:12.0pt'>5 simultaneous calls to Cuba or some African country is still a lot of money.<br><br clear=all>-- <br>*blap*<br><br><o:p></o:p></p><div><p class=MsoNormal>On Fri, Dec 30, 2011 at 17:36, Zak Rupas <<a 
href="mailto:zak@simplesignal.com" target="_blank">zak@simplesignal.com</a>> wrote:<o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Good Morning Voice OPS<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Is anyone else experiencing anything like this? If so please share what you have done / or will to make it stop<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>We have a series of smaller SIP trunk customers using Broadsoft trunk groups. By design the trunk groups have a concurrent call limitation based off the customer’s order. These smaller SIP trunks groups when compromised are able to run up HUGE fraud bills even tho they only have 5 or 6 SIP trunks. Needing to know if anyone else is seeing this that has Broadsoft and what was done to protect yourselves?<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Otherwise Happy NYE <span style='font-family:Wingdings'>J</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:17.5pt;font-family:"Arial","sans-serif"'>Zak Rupas</span><br><span style='font-size:9.0pt;font-family:"Arial","sans-serif"'>VoIP Engineer<br><br><b>SimpleSignal</b><br>3600 S Yosemite Suite 150</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;margin-right:.5in;mso-margin-bottom-alt:auto;margin-left:.5in'><span style='font-size:9.0pt;font-family:"Arial","sans-serif"'>Denver, CO 80237<br>One Number Rings All My 
Phones: <a href="tel:303-242-8606" target="_blank">303-242-8606</a></span><span style='color:#1F497D'><o:p></o:p></span></p></div></div></div></div></blockquote></div></div></div></div></div></body></html>
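Added example, not part of the thread and not BroadSoft code: a CDR check for the redirect scenario Dag Peak describes, flagging a trunk group whose billed ILD calls overlap more than its configured simultaneous-call limit, then modelling the per-user redirected-call limit from his mitigation 4. The record layout, trunk names, DIDs and timings are constructed for illustration and are not the BroadWorks CDR schema.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Cdr:                 # constructed layout, not the BroadWorks CDR schema
    trunk_group: str
    user: str              # DID behind the PBX that the call is billed to
    start: int             # seconds since start of the observation window
    end: int
    international: bool
    redirected: bool       # call was transferred off the trunk group

def peak_concurrency(cdrs):
    """Largest number of calls up at the same time (sweep over start/end events)."""
    events = sorted([(c.start, 1) for c in cdrs] + [(c.end, -1) for c in cdrs])
    peak = current = 0
    for _, delta in events:    # at equal times an end (-1) sorts before a start (+1)
        current += delta
        peak = max(peak, current)
    return peak

def flag_trunks(cdrs, capacity):
    """Trunk groups whose billed ILD concurrency exceeds the configured sim-call limit."""
    by_trunk = defaultdict(list)
    for c in cdrs:
        if c.international:
            by_trunk[c.trunk_group].append(c)
    peaks = {tg: peak_concurrency(calls) for tg, calls in by_trunk.items()}
    return {tg: peak for tg, peak in peaks.items() if peak > capacity[tg]}

def apply_redirect_limit(cdrs, limit):
    """Model a per-user cap on concurrent redirected calls; excess redirects are refused."""
    active = defaultdict(list)     # user -> end times of admitted redirected calls
    admitted = []
    for c in sorted(cdrs, key=lambda c: c.start):
        if c.redirected:
            active[c.user] = [end for end in active[c.user] if end > c.start]
            if len(active[c.user]) >= limit:
                continue
            active[c.user].append(c.end)
        admitted.append(c)
    return admitted

# Constructed sample: two compromised DIDs on a 5-call trunk each place ten
# 30-minute ILD calls, 30 seconds apart, and blind transfer every one of them.
SAMPLE = [Cdr("tg-acme", f"did-{n % 2}", 30 * n, 30 * n + 1800, True, True)
          for n in range(20)]
# A healthy trunk: three ILD calls that never overlap and are not redirected.
SAMPLE += [Cdr("tg-ok", "did-9", 600 * n, 600 * n + 300, True, False)
           for n in range(3)]
CAPACITY = {"tg-acme": 5, "tg-ok": 5}

if __name__ == "__main__":
    print("over capacity:", flag_trunks(SAMPLE, CAPACITY))
    limited = apply_redirect_limit(SAMPLE, limit=2)
    print("after redirect limit of 2:", flag_trunks(limited, CAPACITY))
```

With a limit of 2 and two compromised DIDs the model leaves four concurrent calls, which matches the "one or two times the number of compromised DIDs" bound in the message; with more compromised DIDs the cap alone would not keep the total under the trunk limit.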