Enjoy!

Scannings on port 5060 has exploded the lastest days. Previously it was a couple hits in the week, now it’s up to a 100 a day. This means that if your VoIP setup is not 100% secure, others will find it and abuse it!And you will get the telephony bill!

Get to it, secure your VoIP communication platform right now!

Check the following:

• All users has strong passwords
• Access Lists are updated and preferably both ways (both incoming and outgoing traffic on the server)
• No unused services are enabled
• Latest patches are on the server OS
• Latest patches are on the application
• Latest SECURE firmware on the hardware endpoints (phones etc.)
• Other services on the plattform like Web servers, TFTP, FTP, SSH are locked down or VERY strong passwords
• Encrypt the traffic from the user and into the server (to make eavesdropping harder)
• Make the PCs accessing your platform secure. Any keycatchers or sniffers installed here?
• Forgotten someting? Please comment

Whose fault is it?

And the guilty one? Several are to blame.

First; the Piradius (again…) network doing SIP and H.323 scans on open phones and gateways.
Second; the phone producer not making a secure enough phone.
Third; the people putting such a solution onto the Internet with no security.

What the attacker did

The Piradius network was scanning the network sequential and sending H.323 Call Connect to each IP address. The phones were open to invites from any IP address. The phones then rang, and when answered by some people there were nobody in the other end.

Information about the packet

In the h.323 packet the claim to use Cisco equipment, but I’ve never heard about a “balhophone”. If you do know, please comment! The version does sound too suspicious (1.666666). I’m guessing on an Asterisk….

vendor
           t35CountryCode: United States (181)
            t35Extension: 0
           manufacturerCode: 18
                             H.221 Manufacturer: Cisco (0xb5000012)
                            productId: balhophone
                            versionId: v 1.666666

The contact information within the H.323 packet for audio so totally different from where the TCP traffic is originated from. It is an unallocated space.

AS  | IP             | BGP Prefix   | CC | Registry | Allocated  | AS Name
NA | 36.27.177.136   | NA           |    |          |            | NA

The attacker has just used this IP address as a /dev/null for the audio of those that actually answered the phone. This RTP traffic back from mass calling can be a DoS attack in itself. If every packet you send on 1500 bytes generates a continues stream of 0,1Mbit (G711), it could take down the attacker itself….

The called number

Called party number: ‘40#5926693444′

I’ve seen that they do include the # in several attacks previously, but this is not used in any part of Scandinavia to make an outbound call. If you know why an attacker is using the #, please let me know.

Do we need another firewall for all new services? There are several Media specialized firewalls, often called Session Border Controller that does this, but is this the way to do it? Probably not. IMHO it is to have a good security audit and overview of your own infrastructure, take control! Don’t buy yourself out of the current biggest threats, there will be new! Take control with IDS and even IPS, and have backup plans in case serious bugs and flaws makes your services vulnerable!

And good there is several other people talking about security, like Mark Collier and the folks behind the bluebox security podcast! Good job!

IT hacking costs money, and when implementing mis configured VoIP it shows up on the telephony bill as well. Previously it was costs that were not that obvious, down-time for the firm, stolen documents used against them in business competitions or just abuse of their Internet bandwidth to hurt others. How would the world been if all the security faults a firm had would show up on their monthly Internet bill? “Your computers have been participating in a DDoS attacking costing a firm 5 million, this is your cost”

The companies need to take security more serious. It is a war going on on the Internet where the strongest one will survive. And the war has begun for a long time ago…