[VOIPSEC] IPS to protect against VOIP Attacks?

samuel samu60 at gmail.com
Thu Jan 7 04:45:56 CST 2010


You can try to customize fail2ban, which can look for patterns in log files
and block IPs; that might block scans and brute-force password attacks but
won't do much about the (D)DoS attacks...

2010/1/6 J. Oquendo <sil at infiltrated.net>

> Juan B wrote:
> > Hi All!!
> >
> > I was wondering which is the best (or at least good) IPS
> > against VoIP attacks coming from the internet to the client network. He
> > has an Asterisk in the DMZ and Cisco Call Manager in the LAN. I want to
> > protect the VoIP components with an IPS against known attacks and
> > DoS/DDoS attacks as well.
> >
> > thanks a lot !
> >
> > juan
> >
> >
> >
> >
> > _______________________________________________
> > Voipsec mailing list
> > Voipsec at voipsa.org
> > http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> >
>
> The one you build on your own. Seriously. To date I have yet to see any
> vendor guard successfully against say toll fraud attacks and I will
> explain why...
>
> In an IP based PBX, there is almost ALWAYS going to be remote (not local
> on the same network) connectivity. Because of this, ports must remain
> opened. While you can fool yourself into thinking that you will
> configure a nice set of firewall rules or alert rules, what will you do
> if say the CEO takes a trip to China, didn't configure his softphone and
> is now generating "unauthorized *something*" messages. Block him out? If
> you firewalled the PBX entirely, you'll have one irate CEO ready to
> kick that PBX to kingdom come (trust me I've seen it).
>
> So what do you do? Tell the CEO: "When you get to China, go to
> whatismyip.com, get your address so we can allow you in!" Won't work. In
> an IPS, it gets even murkier. So you configure your IPS to do what...
> Alert you right, but alert you to what? Bad registrations? INVITES gone
> wild. OPTIONS gone bonkers? I'm assuming you're not familiar with SIP
> messages (not that SIP is the only game in town). SIP messages can give
> a host of informative yet at times incoherent messages. Same goes for
> most message logs on PBXs: e.g. Asterisk: Jan 06 09:14:51 DEBUG[4944]
> chan_zap.c: Monitor doohicky got event Event 160 on channel 3
>
> So how do you propose an IPS to be intelligent? Your best bet is to
> literally understand your messaging, your threats and go from there. I
> rambled on about this before (as I always do - ramble) and created a
> crude framework anyone can follow under any PBX (your mileage may vary):
> http://www.infiltrated.net/asterisk-ips.html
>
> It's not as difficult as one might think:
>
> VoIP Call Statistics
> --------------------
> Total Active Calls . . . . . . . . . . . . . . . . . 1374
>
> ... edited boring stuff
>
> Calls Processed. . . . . . . . . . . . . . . . . 4754903
> Completed Calls                                  4157345
>
> ... done editing boring stuff (nCite for those wondering: show stats
> voip to be more concise)
>
> I parse out logs to one server, do some fuzzy insane perl|ruby|awk (awk
> is your friend) voodoo, get offenders, create rules and push those rules
> back out to my managed PBXs. All within seconds. It's not that hard, you
> have to know what you're looking for though. Take note... Working at a
> VoIP carrier, even we have issues with marketing and choose to stay away
> from hype and "CRAP Cross Reverse Anomaly Processing" devices and
> applications.
>
> When it comes to DDoS, the answer (drum roll) is: "In Soviet Russian
> DDoS..." kidding ;) There is little to get into on protection from DDoS,
> ultimately, your upstreams can help you here. However, if you want to
> continue with this conversation, I can custom write you an all inclusive
> IPS, IDS, TollFraud Mitigation System using "Intelligent Heuristic Cross
> Compatible Anomalous Processing Processing" for a fee. Otherwise, you're
> just wasting money. Strong passwords, vigilant monitoring, is all you
> should need. Maybe (just maybe) a finely tuned SIEM (OSSIM) with some
> nifty scripts will save you some serious ching.
>
> By the way Happy New Year all.
>
> --
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> SGFA, SGFE, C|EH, CNDA, CHFI, OSCP
>
> "It takes 20 years to build a reputation and five minutes to
> ruin it. If you think about that, you'll do things
> differently." - Warren Buffett
>
> 227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
>
>
>

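Both replies above describe the same loop: read the PBX log, match the lines that indicate failed registrations, count them per source address, and turn repeat offenders into firewall rules. The script below is an added example (not code from either post, from fail2ban, or from the framework linked above) that implements that loop in Python over a few constructed Asterisk 1.x `chan_sip.c` NOTICE lines. The threshold, time window, allowlist and the iptables rule template are assumptions chosen for illustration; the allowlist is there for exactly the travelling-CEO case J. Oquendo raises, so a known address is never auto-blocked.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Classic Asterisk 1.x registration-failure NOTICE as written to
# /var/log/asterisk/messages, e.g.
# [Jan  7 04:40:01] NOTICE[4944] chan_sip.c: Registration from '"100"<sip:100@pbx>' failed for '203.0.113.5' - Wrong password
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\] "
    r"NOTICE\[\d+\] chan_sip\.c: Registration from '(?P<from>[^']*)' "
    r"failed for '(?P<ip>[\d.]+)' - (?P<reason>.+)$"
)

# Constructed sample log (documentation address ranges; 192.0.2.10 plays the PBX).
# 203.0.113.5 fires five failures in three seconds (a scan/brute-force pattern),
# 198.51.100.7 is a single typo from a travelling user, and 203.0.113.9 fails
# five times but spread over an hour, so it never crosses the window threshold.
SAMPLE_LOG = """\
[Jan  7 04:40:01] NOTICE[4944] chan_sip.c: Registration from '"100"<sip:100@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[Jan  7 04:40:02] NOTICE[4944] chan_sip.c: Registration from '"101"<sip:101@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[Jan  7 04:40:02] NOTICE[4944] chan_sip.c: Registration from '"102"<sip:102@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[Jan  7 04:40:03] NOTICE[4944] chan_sip.c: Registration from '"103"<sip:103@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[Jan  7 04:40:03] NOTICE[4944] chan_sip.c: Registration from '"104"<sip:104@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[Jan  7 04:41:10] NOTICE[4944] chan_sip.c: Registration from '"ceo"<sip:ceo@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Jan  7 04:45:56] DEBUG[4944] chan_zap.c: Monitor doohicky got event Event 160 on channel 3
[Jan  7 05:00:00] NOTICE[4944] chan_sip.c: Registration from '"100"<sip:100@192.0.2.10>' failed for '203.0.113.9' - Wrong password
[Jan  7 05:15:00] NOTICE[4944] chan_sip.c: Registration from '"100"<sip:100@192.0.2.10>' failed for '203.0.113.9' - Wrong password
[Jan  7 05:30:00] NOTICE[4944] chan_sip.c: Registration from '"100"<sip:100@192.0.2.10>' failed for '203.0.113.9' - Wrong password
[Jan  7 05:45:00] NOTICE[4944] chan_sip.c: Registration from '"100"<sip:100@192.0.2.10>' failed for '203.0.113.9' - Wrong password
[Jan  7 06:00:00] NOTICE[4944] chan_sip.c: Registration from '"100"<sip:100@192.0.2.10>' failed for '203.0.113.9' - Wrong password
"""


def parse_line(line, year=2010):
    """Return a dict for a registration-failure line, or None for anything else.
    Asterisk omits the year from the timestamp, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m.group("ts").split())  # collapse the padded day ("Jan  7")
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ip": m.group("ip"), "from": m.group("from"),
            "reason": m.group("reason")}


def find_offenders(lines, threshold=5, window_seconds=600, allow=frozenset()):
    """Sliding-window counter: an IP is an offender once it produces
    `threshold` failures inside any `window_seconds` span. Lines are assumed
    to be in log order. Returns {ip: timestamp_of_decision}."""
    recent = defaultdict(deque)
    offenders = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["ip"] in allow or ev["ip"] in offenders:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        # drop failures that have aged out of the window
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            offenders[ev["ip"]] = ev["ts"]
    return offenders


def build_block_rules(offenders, port=5060):
    """Render one iptables DROP rule per offender for the SIP signalling port
    (assumed template; adapt to the firewall actually in front of the PBX)."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP"
            for ip in sorted(offenders)]


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG.splitlines(), allow={"198.51.100.7"})
    for ip, when in hits.items():
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}")
    for rule in build_block_rules(hits):
        print(rule)
```

Run against the sample, only 203.0.113.5 is blocked: the slow attempts from 203.0.113.9 never accumulate five failures within ten minutes, and the single CEO typo from 198.51.100.7 is both below threshold and allowlisted. Tune `threshold` and `window_seconds` against your own log volume before pushing rules anywhere, and note that, as the thread says, this does nothing for volumetric DDoS; it only catches the scanning and password-guessing pattern visible in the PBX log.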