[VOIPSEC] IPS to protect against VOIP Attacks?

Olivier Festor olivier.festor at loria.fr
Wed Jan 13 04:55:02 CST 2010


Hello

you can also use SECSIP (http://secsip.gforge.inria.fr), an Open Source (GPL) extensible SIP Networks Protection System.

Best Regards

Olivier Festor
Research Director at INRIA
Scientific leader of the EMANICS European Network of Excellence

On Jan 7, 2010, at 11:45 AM, samuel wrote:

> you can try to customize fail2ban, which can look for patterns in log files
> and block IPs, which might block scans and brute-force password attacks but
> won't do much against the (D)DoS attacks...
> 
> 2010/1/6 J. Oquendo <sil at infiltrated.net>
> 
>> Juan B wrote:
>>> Hi All !!
>>> 
>>> I was wondering which is the best (or at least good) IPS
>>> against VoIP attacks coming from the internet to the client network. He
>>> has an Asterisk in the DMZ and Cisco Call Manager in the LAN. I want to
>>> protect the VoIP components with an IPS against known attacks and
>>> DoS/DDoS attacks as well.
>>> 
>>> thanks a lot !
>>> 
>>> juan
>>> 
>>> 
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> Voipsec mailing list
>>> Voipsec at voipsa.org
>>> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>>> 
>> 
>> The one you build on your own. Seriously. To date I have yet to see any
>> vendor guard successfully against say toll fraud attacks and I will
>> explain why...
>> 
>> In an IP based PBX, there is almost ALWAYS going to be remote (not local
>> on the same network) connectivity. Because of this, ports must remain
>> opened. While you can fool yourself into thinking that you will
>> configure a nice set of firewall rules or alert rules, what will you do
>> if say the CEO takes a trip to China, didn't configure his softphone and
>> is now generating "unauthorized *something*" messages. Block him out? If
>> you firewalled the PBX entirely, you'll have one irate CEO ready to
>> kick that PBX to kingdom come (trust me I've seen it).
>> 
>> So what do you do? Tell the CEO: "When you get to China, go to
>> whatismyip.com, get your address so we can allow you in!" Won't work. In
>> an IPS, it gets even murkier. So you configure your IPS to do what...
>> Alert you, right? But alert you to what? Bad registrations? INVITEs gone
>> wild? OPTIONS gone bonkers? I'm assuming you're not familiar with SIP
>> messages (not that SIP is the only game in town). SIP messages can give
>> a host of informative yet at times incoherent messages. Same goes for
>> most message logs on PBXs: e.g. Asterisk: Jan 06 09:14:51 DEBUG[4944]
>> chan_zap.c: Monitor doohicky got event Event 160 on channel 3
>> 
>> So how do you propose an IPS to be intelligent? Your best bet is to
>> literally understand your messaging, your threats and go from there. I
>> rambled on about this before (as I always do - ramble) and created a
>> crude framework anyone can follow under any PBX (your mileage may vary):
>> http://www.infiltrated.net/asterisk-ips.html
>> 
>> It's not as difficult as one might think:
>> 
>> VoIP Call Statistics
>> --------------------
>> Total Active Calls . . . . . . . . . . . . . . . . . 1374
>> 
>> ... edited boring stuff
>> 
>> Calls Processed. . . . . . . . . . . . . . . . . 4754903
>> Completed Calls                                  4157345
>> 
>> ... done editing boring stuff (nCite for those wondering: show stats
>> voip to be more concise)
>> 
>> I parse out logs to one server, do some fuzzy insane perl|ruby|awk (awk
>> is your friend) voodoo, get offenders, create rules and push those rules
>> back out to my managed PBXs. All within seconds. It's not that hard, you
>> have to know what you're looking for though. Take note... Working at a
>> VoIP carrier, even we have issues with marketing and choose to stay away
>> from hype and "CRAP Cross Reverse Anomaly Processing" devices and
>> applications.
>> 
>> When it comes to DDoS, the answer (drum roll) is: "In Soviet Russian
>> DDoS..." kidding ;) There is little to get into on protection from DDoS,
>> ultimately, your upstreams can help you here. However, if you want to
>> continue with this conversation, I can custom write you an all inclusive
>> IPS, IDS, TollFraud Mitigation System using "Intelligent Heuristic Cross
>> Compatible Anomalous Processing Processing" for a fee. Otherwise, you're
>> just wasting money. Strong passwords and vigilant monitoring are all you
>> should need. Maybe (just maybe) a finely tuned SIEM (OSSIM) with some
>> nifty scripts will save you some serious ching.
>> 
>> By the way Happy New Year all.
>> 
>> --
>> 
>> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>> J. Oquendo
>> SGFA, SGFE, C|EH, CNDA, CHFI, OSCP
>> 
>> "It takes 20 years to build a reputation and five minutes to
>> ruin it. If you think about that, you'll do things
>> differently." - Warren Buffett
>> 
>> 227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
>> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
>> 
>> 
>> 
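An added example, not code from any message in this thread and not part of SECSIP, fail2ban or Asterisk: the loop J. Oquendo sketches (parse the PBX log, pick the offenders, emit firewall rules to push back out) combined with the log-pattern matching samuel's fail2ban suggestion relies on, written in Python rather than awk. Everything specific here is an assumption: the chan_sip "Registration from ... failed for ..." wording (it differs between Asterisk versions; take the pattern from your own log), the threshold of 5 failures within a 10-minute window, the iptables rule form, and the sample log lines, which are constructed for the example. Besides the raw failure count it records how many distinct usernames each source tried, because that is what separates a scanner walking extensions from the one mis-configured softphone the thread warns about blocking.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the chan_sip NOTICE that Asterisk 1.4/1.6 writes on a bad REGISTER.
# ASSUMPTION: exact wording varies between Asterisk versions; adjust to your log.
FAILED_REG_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<why>.*)$"
)
USER_RE = re.compile(r"sip:([^@>]+)@")  # claimed username inside the From URI


def parse_failures(lines):
    """Return (timestamp, source_ip, username, reason) for every failed REGISTER line.
    Anything else (DEBUG noise, other channel drivers) is ignored."""
    events = []
    for line in lines:
        m = FAILED_REG_RE.match(line)
        if not m:
            continue
        # Asterisk logs no year; strptime fills in 1900, fine for relative arithmetic.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        u = USER_RE.search(m.group("from"))
        events.append((ts, m.group("ip"), u.group(1) if u else "?", m.group("why")))
    return events


def find_offenders(events, threshold=5, window_seconds=600):
    """Count failures per source IP inside a window ending at the newest event
    (fail2ban's maxretry/findtime idea). Also count distinct usernames per IP:
    a scanner walks many extensions, a user with a broken softphone fails on one,
    so the operator can tell them apart before dropping anybody."""
    if not events:
        return {}
    cutoff = max(ts for ts, *_ in events) - timedelta(seconds=window_seconds)
    per_ip = defaultdict(lambda: {"failures": 0, "users": set()})
    for ts, ip, user, _reason in events:
        if ts < cutoff:
            continue  # stale failure, outside the window
        per_ip[ip]["failures"] += 1
        per_ip[ip]["users"].add(user)
    return {
        ip: {
            "failures": d["failures"],
            "distinct_users": len(d["users"]),
            "pattern": "extension-scan" if len(d["users"]) >= 3 else "single-user",
        }
        for ip, d in per_ip.items()
        if d["failures"] >= threshold
    }


def iptables_rules(offenders, port=5060):
    """One DROP rule per offender for SIP over UDP, returned as strings: the push
    script or the operator decides whether to apply them, nothing runs here."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP" for ip in sorted(offenders)]


# Constructed sample log (made up for this example, not real traffic):
# 203.0.113.7 walks extensions 100-105 in six seconds; 198.51.100.23 is one user
# failing twice with one username; 192.0.2.9 failed six times but 13 hours earlier.
SAMPLE_LOG = [
    f"[Jan  6 09:14:5{i}] NOTICE[4944] chan_sip.c: Registration from '\"10{i}\" <sip:10{i}@10.0.0.5>'"
    f" failed for '203.0.113.7' - {'Wrong password' if i % 2 else 'No matching peer found'}"
    for i in range(6)
] + [
    "[Jan  6 09:14:51] DEBUG[4944] chan_zap.c: Monitor doohicky got event Event 160 on channel 3",
    "[Jan  6 09:15:10] NOTICE[4944] chan_sip.c: Registration from '\"ceo\" <sip:ceo@10.0.0.5>'"
    " failed for '198.51.100.23:5060' - Wrong password",
    "[Jan  6 09:15:40] NOTICE[4944] chan_sip.c: Registration from '\"ceo\" <sip:ceo@10.0.0.5>'"
    " failed for '198.51.100.23:5060' - Wrong password",
] + [
    f"[Jan  5 20:00:0{i}] NOTICE[4944] chan_sip.c: Registration from '<sip:9{i}@10.0.0.5>'"
    f" failed for '192.0.2.9' - Wrong password"
    for i in range(6)
]


def demo(lines=SAMPLE_LOG):
    """Run the loop end to end and return (offenders, rules)."""
    offenders = find_offenders(parse_failures(lines))
    return offenders, iptables_rules(offenders)


if __name__ == "__main__":
    found, rules = demo()
    for ip, info in found.items():
        print(f"{ip}: {info}")
    print("\n".join(rules))
```

On the sample, only 203.0.113.7 crosses the threshold and it is flagged as an extension scan; the two "ceo" failures stay below it and the old burst from 192.0.2.9 falls outside the window. Widen the window and 192.0.2.9 is reported too, which is the knob to tune against your own traffic before any rule is pushed to a PBX.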




