Jeff Brower
2010-Sep-17 17:10 UTC
[asterisk-users] do carriers detect unusual / unauthorized VoIP calling patterns?
All- Recently an Asterisk server we host was hacked and used to route some unauthorized calls. We have since improved our security measures, including installation of fail2ban. The interesting thing is the way in which this was discovered. The unauthorized calls were occurring intermittently last Thurs evening thru Sat morning. On Sat morning, some of our employees were attempting to log-in remotely to a company e-mail server and one found that his provider, Verizon, had blocked the server static IP. My question: do carriers build some type of "internal blacklist" if they detect unusual VoIP calling patterns? And possibly trade that between themselves, for example one carrier detects it, and after some time other carriers are aware? The carrier was used for the unauthorized calls is Tata... I'm curious as to why Verizon (evidently) knew before Tata. -Jeff PS. Interesting footnote: upon learning of the Verizon block, one of our employees drove to the lab and disconnected the VoIP subnet (with the Asterisk box), reset some routers, etc in an attempt to get the company remote e-mail working again. He didn't know it at the time, but in so doing, he cut off the hackers "in mid call" (hehe) and saved a bunch of $$.
C F
2010-Sep-17 17:45 UTC
[asterisk-users] do carriers detect unusual / unauthorized VoIP calling patterns?
I have had where the Phone provider (this was a PRI) cut long distance service to a box that was compromised till we called them to assure them that the security holes where fixed. On Fri, Sep 17, 2010 at 1:10 PM, Jeff Brower <jbrower at signalogic.com> wrote:> All- > > Recently an Asterisk server we host was hacked and used to route some unauthorized calls. ?We have since improved our > security measures, including installation of fail2ban. > > The interesting thing is the way in which this was discovered. ?The unauthorized calls were occurring intermittently > last Thurs evening thru Sat morning. ?On Sat morning, some of our employees were attempting to log-in remotely to a > company e-mail server and one found that his provider, Verizon, had blocked the server static IP. > > My question: ?do carriers build some type of "internal blacklist" if they detect unusual VoIP calling patterns? ?And > possibly trade that between themselves, for example one carrier detects it, and after some time other carriers are > aware? ?The carrier was used for the unauthorized calls is Tata... I'm curious as to why Verizon (evidently) knew > before Tata. > > -Jeff > > PS. ?Interesting footnote: ?upon learning of the Verizon block, one of our employees drove to the lab and disconnected > the VoIP subnet (with the Asterisk box), reset some routers, etc in an attempt to get the company remote e-mail > working again. ?He didn't know it at the time, but in so doing, he cut off the hackers "in mid call" (hehe) and saved > a bunch of $$. > > > -- > _____________________________________________________________________ > -- Bandwidth and Colocation Provided by api-digital.com -- > New to Asterisk? Join us for a live introductory webinar every Thurs: > ? ? ? ? ? ? ? asterisk.org/hello > > asterisk-users mailing list > To UNSUBSCRIBE or update options visit: > ? lists.digium.com/mailman/listinfo/asterisk-users >
I am getting several hundred registration attempts on my aserterisk per minute. I have fail2ban installed but it's not stopping the attempts. Any suggestions. Whatever they are using is changing the userid on each attempt. Latest IP: 209.172.57.219 Thanks, Dave
It means that fail2ban is not configured correctly on your machine. For me it works fine, and in fact lately these registration/hack attempts have gone up significantly, thanks to cloud computing I guess. Zeeshan A Zakaria -- ilovetovoip.com On 2010-09-17 5:28 PM, "dave george" <dgeorge at teletoneinc.com> wrote: I am getting several hundred registration attempts on my aserterisk per minute. I have fail2ban installed but it's not stopping the attempts. Any suggestions. Whatever they are using is changing the userid on each attempt. Latest IP: 209.172.57.219 Thanks, Dave -- _____________________________________________________________________ -- Bandwidth and Colocation Provided by api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: lists.digium.com/mailman/listinfo/asterisk-users -------------- next part -------------- An HTML attachment was scrubbed... URL: lists.digium.com/pipermail/asterisk-users/attachments/20100917/515b3036/attachment.htm