<div dir="ltr">Hi Alex,<div><br></div><div>good approach.</div><div><br></div><div>one comment though: low-grade fraud traffic to audio text destinations will go undetected, and over time, it can accumulate more fraud loses than those who try to burst, get caught, and shut down immediately.</div>
<div><br></div><div>thanks,</div><div>dd.</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Feb 24, 2014 at 4:41 PM, Alex Balashov <span dir="ltr"><<a href="mailto:abalashov@evaristesys.com" target="_blank">abalashov@evaristesys.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I've said it before and I'll say it again:<br>
<br>
We stopped 95-98% of the losses on this sort of thing for a large customer who was losing thousands of dollars per day on it, by implementing the following approach:<br>
<br>
Every trunk group gets a 'high-cost channel limit', which is the X number of simultaneous calls that they are allowed to make to destinations that cost over $Y/min. The limit was typically something like $0.10, so as to exclude domestic US traffic, but certainly catch Somalia and Globalstar. Both X and Y are configurable on a per-trunk group basis, so customers who have a legitimate need for 50 concurrent calls to Dakar can do that. For most typical domestic users, the limit was set to something like $0.10 and 2 channels.<br>
<br>
When this limit was tripped, typically due to a compromised PBX with some extension password of 1234, the following things happen:<br>
<br>
(1) All existing calls are terminated;<br>
<br>
(2) An alert e-mail is sent out to the customer and to the NOC;<br>
<br>
(3) Customer is downgraded to a termination rate plan that only allows for domestic calling. That way, they're not totally cut off from calling and, in all but the most unusual scenarios, not exceptionally angry. There is no reason to cut them off entirely. That's a false dichotomy. Downgrade them to a restricted calling plan.<br>
<br>
The thinking was that (a) there's only so much exposure that two simultaneous calls to rural Chad can create; (2) almost any typical attack pattern relies on lighting up as many calls as possible in the shortest period of time, since they know they'll get cut off soon. So, almost any exploit is going to trip the wire, and do so quickly.<br>
<br>
These assumptions proved correct, and the losses virtually disappeared.<br>
<br>
Today, this fraud protection feature is integrated into the trunking platform that we sell. In our experience, it works very well.<span class="HOEnZb"><font color="#888888"><br>
<br>
-- <br>
Alex Balashov - Principal<br>
Evariste Systems LLC<br>
235 E Ponce de Leon Ave<br>
Suite 106<br>
Decatur, GA 30030<br>
United States<br>
Tel: <a href="tel:%2B1-678-954-0670" value="+16789540670" target="_blank">+1-678-954-0670</a><br>
Web: <a href="http://www.evaristesys.com/" target="_blank">http://www.evaristesys.com/</a>, <a href="http://www.alexbalashov.com/" target="_blank">http://www.alexbalashov.com/</a></font></span><div class="HOEnZb"><div class="h5">
<br>
______________________________<u></u>_________________<br>
VoiceOps mailing list<br>
<a href="mailto:VoiceOps@voiceops.org" target="_blank">VoiceOps@voiceops.org</a><br>
<a href="https://puck.nether.net/mailman/listinfo/voiceops" target="_blank">https://puck.nether.net/<u></u>mailman/listinfo/voiceops</a><br>
</div></div></blockquote></div><br></div>