Jeff Brower
2010-Sep-17 17:10 UTC
[asterisk-users] do carriers detect unusual / unauthorized VoIP calling patterns?
All-

Recently an Asterisk server we host was hacked and used to route some unauthorized calls. We have since improved our security measures, including installation of fail2ban.

The interesting thing is the way in which this was discovered. The unauthorized calls were occurring intermittently last Thurs evening thru Sat morning. On Sat morning, some of our employees were attempting to log in remotely to a company e-mail server and one found that his provider, Verizon, had blocked the server static IP.

My question: do carriers build some type of "internal blacklist" if they detect unusual VoIP calling patterns? And possibly trade that between themselves, for example one carrier detects it, and after some time other carriers are aware? The carrier that was used for the unauthorized calls is Tata... I'm curious as to why Verizon (evidently) knew before Tata.

-Jeff

PS. Interesting footnote: upon learning of the Verizon block, one of our employees drove to the lab and disconnected the VoIP subnet (with the Asterisk box), reset some routers, etc. in an attempt to get the company remote e-mail working again. He didn't know it at the time, but in so doing, he cut off the hackers "in mid call" (hehe) and saved a bunch of $$.
C F
2010-Sep-17 17:45 UTC
[asterisk-users] do carriers detect unusual / unauthorized VoIP calling patterns?
I have had a case where the phone provider (this was a PRI) cut long distance service to a box that was compromised till we called them to assure them that the security holes were fixed.

On Fri, Sep 17, 2010 at 1:10 PM, Jeff Brower <jbrower at signalogic.com> wrote:
> All-
>
> Recently an Asterisk server we host was hacked and used to route some unauthorized calls. We have since improved our security measures, including installation of fail2ban.
>
> The interesting thing is the way in which this was discovered. The unauthorized calls were occurring intermittently last Thurs evening thru Sat morning. On Sat morning, some of our employees were attempting to log in remotely to a company e-mail server and one found that his provider, Verizon, had blocked the server static IP.
>
> My question: do carriers build some type of "internal blacklist" if they detect unusual VoIP calling patterns? And possibly trade that between themselves, for example one carrier detects it, and after some time other carriers are aware? The carrier that was used for the unauthorized calls is Tata... I'm curious as to why Verizon (evidently) knew before Tata.
>
> -Jeff
>
> PS. Interesting footnote: upon learning of the Verizon block, one of our employees drove to the lab and disconnected the VoIP subnet (with the Asterisk box), reset some routers, etc. in an attempt to get the company remote e-mail working again. He didn't know it at the time, but in so doing, he cut off the hackers "in mid call" (hehe) and saved a bunch of $$.
I am getting several hundred registration attempts on my Asterisk per minute. I have fail2ban installed but it's not stopping the attempts. Any suggestions? Whatever they are using is changing the userid on each attempt.

Latest IP: 209.172.57.219

Thanks,
Dave
It means that fail2ban is not configured correctly on your machine. For me it works fine, and in fact lately these registration/hack attempts have gone up significantly, thanks to cloud computing I guess.

Zeeshan A Zakaria
--
www.ilovetovoip.com

On 2010-09-17 5:28 PM, "dave george" <dgeorge at teletoneinc.com> wrote:
> I am getting several hundred registration attempts on my Asterisk per minute. I have fail2ban installed but it's not stopping the attempts. Any suggestions? Whatever they are using is changing the userid on each attempt.
>
> Latest IP: 209.172.57.219
>
> Thanks,
> Dave
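The registration flood described in this thread changes the user ID on every attempt, so any rate check has to key on the source address alone. The following is an added example, not code from any poster or from fail2ban: it counts failed REGISTER log lines per IP in a sliding window. The log-line shape, the function names, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed chan_sip NOTICE shape; some Asterisk versions append ":port" to the address.
FAILED_REG = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\].*?"
    r"Registration from '(?P<user>[^']*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?'"
)

def find_offenders(lines, max_failures=5, window=timedelta(seconds=60)):
    """Return {ip: set of user fields tried} for each source address with at
    least max_failures failed registrations inside one sliding window.
    Lines are expected in chronological order, as in a log file."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    users = defaultdict(set)      # ip -> every user field seen from that ip
    offenders = {}
    for line in lines:
        m = FAILED_REG.match(line)
        if not m:
            continue              # not a failed registration
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip = m["ip"]
        users[ip].add(m["user"])
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window: # drop attempts older than the window
            q.popleft()
        if len(q) >= max_failures:
            offenders[ip] = users[ip]
    return offenders

def _line(sec, user, ip, reason="No matching peer found"):
    # Builds one constructed log line; 203.0.113.10 stands in for the server.
    return (f"[2010-09-17 17:28:{sec:02d}] NOTICE[2841] chan_sip.c: Registration "
            f"from '\"{user}\" <sip:{user}@203.0.113.10>' failed for '{ip}' - {reason}")

# Constructed sample input (documentation address ranges, not real traffic).
SAMPLE_LOG = (
    [_line(s, str(100 + s), "192.0.2.50") for s in range(8)]  # new user ID each try
    + [_line(30, "201", "198.51.100.7", "Wrong password")]    # one mistyped password
    + ["[2010-09-17 17:28:31] NOTICE[2841] chan_sip.c: Peer '201' is now Reachable"]
)

if __name__ == "__main__":
    for ip, tried in find_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {len(tried)} distinct user IDs tried")
```

A pattern that only counts repeated failures for the same user ID would miss this traffic, which is one thing to check when a ban rule appears not to fire.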