Vishing attack

Discussion in 'General' started by gbonebrake, Mar 18, 2009.

  1. gbonebrake

    Joined:
    Aug 25, 2008
    Messages:
    18
    Likes Received:
    0
    One of my customers was hit by a vishing attack through their Elastix box. The attack was coming from a machine owned by a company in Austin Texas that was in a Colo, they were unaware of any issues until I called them. In a period of about 36 hours about 8,500 calls were made.

    I'm still trying to understand exactly how the attack functioned. This system was still being tested, and admittedly had weak SIP secrets. However, I have not seen anything in the Asterisk logs indicating a dictionary attack. Is there somewhere else I should be looking? Never a failed registration, just all of a sudden outgoing calls started. Did they really guess an extension and a SIP secret the first time out?

    I may open a paid support ticket to discuss this but if anyone else has any thoughts I'd appreciate it. I have a need for remote extensions on some of my systems and to this point have been doing it without VPN. With this attack I question if it is wise to have port 5060 open to the world.

    Anyone else having problems like this?
     
  2. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    There is a security forum in which this issue is discussed.

    Typically:

    here is a couple of recent examples from /var/log/asterisk/full

    [2009-03-16 22:21:27] NOTICE[4835] chan_sip.c: Registration from '"682430411"<sip:682430411@x.x.x.x>' failed for '91.90.250.140' - No matching peer found
    [2009-03-16 22:21:28] NOTICE[4835] chan_sip.c: Registration from '"100"<sip:100@x.x.x.x>' failed for '91.90.250.140' - No matching peer found
    [2009-03-16 22:21:28] NOTICE[4835] chan_sip.c: Registration from '"101"<sip:101@x.x.x.x>' failed for '91.90.250.140' - No matching peer found
    [2009-03-16 22:21:28] NOTICE[4835] chan_sip.c: Registration from '"102"<sip:102@x.x.x.x>' failed for '91.90.250.140' - No matching peer found
    .
    .
    [2009-03-13 20:17:58] NOTICE[8449] chan_sip.c: Registration from '"3903987048"<sip:3903987048@x.x.x.x>' failed for '82.245.236.94' - No matching peer found
    [2009-03-13 20:17:59] NOTICE[8449] chan_sip.c: Registration from '"100"<sip:100@x.x.x.x>' failed for '82.245.236.94' - No matching peer found
    [2009-03-13 20:17:59] NOTICE[8449] chan_sip.c: Registration from '"101"<sip:101@x.x.x.x>' failed for '82.245.236.94' - No matching peer found

    etc.

    (IP addresses NOT removed to expose the guilty)

    The first call is an "anonymous" sip call, to probe for 5060 being open. You reject the call as you have no route to it, it's just a "misdial"
    The second is to extension 100 with password 100. Then hundreds of attempts a second on sequential extension numbers.
    If that is your scenario, you have ext. 100 with password 100, then you blew it.

    Strong passwords are IMPERATIVE, fail2ban will effectively make the attacker move on by denying them after 2 seconds (or 5 failures).
    Only allow anonymous sip calls if absolutely necessary.

    If a different script was used without the random first probe, then I guess you wouldn't see log entries.

    The log rotates daily so

    cat /var/log/asterisk/full* |grep "No matching peer"
    will quickly return all attempts in the last x days (depending on how your log rotate is set up)
     
  3. ramoncio

    Joined:
    May 12, 2010
    Messages:
    1,663
    Likes Received:
    0
    I've moved this thread here, as it is security related.

    For remote extensions I use OpenVPN or a VPN router, depending on the case.
    For OpenVPN you need a computer able to launch the OpenVPN client, or a phone that has an OpenVPN client integrated in its firmware (I've heard some Snom phones have it, but I've never tried them).
    If you just have a phone or a gateway without possibility to launch the OpenVPN client, then get VPN routers.
     
  4. gbonebrake

    Joined:
    Aug 25, 2008
    Messages:
    18
    Likes Received:
    0
    Running cat /var/log/asterisk/full* | grep "No matching peer" on the attacked box yields no results.

    I'm fairly new to Elastix/Asterisk in general, perhaps I missed something, but in order to receive incoming calls from my SIP trunk provider, I must enable anonymous SIP calls.

    Is the only way to provide secured remote extensions, while needing anonymous SIP enabled, to run the remote phones over VPN? I'm currently using Polycom phones, so I don't believe there is any option to have them provide the VPN. I'm currently running a hardware firewall that supports dynamic objects based on DNS. I suppose I could setup dynamic DNS entries for my remote phones and then setup rules on the firewall to allow SIP from those devices only.

    Thoughts?
     
  5. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Someone must have registered to make those calls

    all "Registrations" can be filtered with

    cat full* |grep "Registered SIP"

    you can further pipe that through grep -v <first three octets of local network> (eg, 192.168.0)

    to show rogue registrations (if the penetration happened within the retention period of your logs) (time and date), then a more exploratory investigation of the logs to do the forensics. DENY/ALLOW IP networks for each of your extensions is also good practice.


    VPN is not the only way but it is a very safe way; a very strong password will be almost as effective.
    But as in any server deployment exposed to the outside, intrusion detection and prevention is paramount.

    As you have setup your inbound/outbound trunks with your voip provider they would not normally be anonymous. But the remote phones would need it without a VPN.

    (I write this as one who is "once bitten, twice shy" )
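The two log searches suggested in this thread (grep for "No matching peer" to see the dictionary attack, and grep for "Registered SIP" minus your local network to see rogue registrations) can be done in one pass. The script below is an added example written for this thread, not code from Elastix, Asterisk or any poster. The log lines embedded in it are constructed for the example and use RFC 5737 documentation addresses; the NOTICE format follows the lines quoted above, while the "Registered SIP" verbose line format is an assumption about the Asterisk 1.x logger and may need adjusting for your version.

```python
import re
import sys
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample of /var/log/asterisk/full lines for this example (not taken from
# the thread). 203.0.113.7 runs a sequential-extension dictionary attack; 198.51.100.9
# later registers as extension 104 from outside the local network.
SAMPLE_LOG = """\
[2009-03-16 22:21:27] NOTICE[4835] chan_sip.c: Registration from '"682430411"<sip:682430411@x.x.x.x>' failed for '203.0.113.7' - No matching peer found
[2009-03-16 22:21:28] NOTICE[4835] chan_sip.c: Registration from '"100"<sip:100@x.x.x.x>' failed for '203.0.113.7' - No matching peer found
[2009-03-16 22:21:28] NOTICE[4835] chan_sip.c: Registration from '"101"<sip:101@x.x.x.x>' failed for '203.0.113.7' - No matching peer found
[2009-03-16 22:21:28] NOTICE[4835] chan_sip.c: Registration from '"102"<sip:102@x.x.x.x>' failed for '203.0.113.7' - No matching peer found
[2009-03-16 22:21:29] NOTICE[4835] chan_sip.c: Registration from '"103"<sip:103@x.x.x.x>' failed for '203.0.113.7' - No matching peer found
[2009-03-16 22:21:29] NOTICE[4835] chan_sip.c: Registration from '"104"<sip:104@x.x.x.x>' failed for '203.0.113.7' - No matching peer found
[2009-03-16 22:30:02] VERBOSE[4835] logger.c:     -- Registered SIP '201' at 192.168.0.25 port 5060
[2009-03-16 23:05:41] NOTICE[4835] chan_sip.c: Registration from '"555"<sip:555@x.x.x.x>' failed for '198.51.100.9' - No matching peer found
[2009-03-17 01:12:13] VERBOSE[4835] logger.c:     -- Registered SIP '104' at 198.51.100.9 port 5062
"""

# Failed REGISTER as chan_sip logs it; newer versions append ':port' inside the quotes.
FAILED_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'(?P<from>[^']*)' failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.*)$"
)
# Successful registration (assumed verbose-line format).
REG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\].*Registered SIP '(?P<peer>[^']+)' at (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def parse_failed_registrations(lines):
    """Yield (timestamp, claimed user, source ip, reason) for each failed REGISTER."""
    out = []
    for line in lines:
        m = FAILED_RE.match(line.rstrip("\n"))
        if m:
            out.append((_parse_ts(m["ts"]), m["from"], m["ip"], m["reason"]))
    return out


def failed_by_source(lines):
    """Total failed REGISTERs per source IP (the 'grep No matching peer' view)."""
    return Counter(ip for _, _, ip, _ in parse_failed_registrations(lines))


def peak_failures_per_window(lines, window_seconds=2):
    """Largest number of failures from each IP inside any window_seconds span.
    A high peak is the 'hundreds a second' signature of a scripted dictionary attack."""
    by_ip = defaultdict(list)
    for ts, _, ip, _ in parse_failed_registrations(lines):
        by_ip[ip].append(ts)
    peaks = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        best = 0
        for i, start in enumerate(stamps):
            n = sum(1 for t in stamps[i:] if (t - start).total_seconds() < window_seconds)
            best = max(best, n)
        peaks[ip] = best
    return peaks


def brute_force_sources(lines, max_failures=5):
    """Source IPs at or over the failure count a fail2ban-style rule would ban on."""
    return sorted(ip for ip, n in failed_by_source(lines).items() if n >= max_failures)


def rogue_registrations(lines, local_networks=("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")):
    """Successful registrations from outside the listed local networks, as
    (timestamp string, peer name, ip): the 'grep Registered SIP | grep -v local' view."""
    nets = [ip_network(n) for n in local_networks]
    rogue = []
    for line in lines:
        m = REG_RE.match(line.rstrip("\n"))
        if m and not any(ip_address(m["ip"]) in n for n in nets):
            rogue.append((m["ts"], m["peer"], m["ip"]))
    return rogue


if __name__ == "__main__":
    # Usage: python sip_log_triage.py [/var/log/asterisk/full ...]; defaults to the sample.
    if len(sys.argv) > 1:
        lines = [l for path in sys.argv[1:] for l in open(path, errors="replace")]
    else:
        lines = SAMPLE_LOG.splitlines()
    print("failed REGISTERs by source:", dict(failed_by_source(lines)))
    print("peak failures in 2s window:", peak_failures_per_window(lines))
    print("brute-force sources (>=5):", brute_force_sources(lines))
    print("registrations from outside local nets:", rogue_registrations(lines))
```

Point it at all rotated copies (full, full.1, ...) just as the cat full* suggestion above does. In the constructed sample, the failed-registration count alone would not have flagged 198.51.100.9, but the rogue-registration check does, which is why dicko's second grep matters even when the first one comes back empty.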
     
  6. Chilling_Silence

    Joined:
    Sep 23, 2008
    Messages:
    488
    Likes Received:
    0
    I've just been doing this recently, it's actually incredibly easy with DD-WRT's -vpn firmware, or a mod to the Tomato firmware which includes OpenVPN. Highly worthwhile to have the endpoints secured!
     