VoIP Tech Chat

The VoIP Users Conference provides an open-to-all weekly conference call where anyone can engage in discussions related to, well, VoIP. Sometimes the conversations discuss new technologies / products. Sometimes discussions center around implementation. And lately, conversations may focus on security.

Last week, Ward Mundy, Tim Panton, Karl Fife, Leif Madsen, Yours Truly, and many other regulars discussed a SIP Caller ID Injection Hack. As in all conversations, opinions differ. My position about where to best filter this injection differed than Ward Mundy’s thoughts… and, courtesy of the VoIP Users Conference, you can listen to the conversation and form your own opinions.

Although, next time… maybe you’d enjoy actively participating in our conversations rather than listening to the replay.

→ SIP Hacks: who should filter what, where? (VoIP Users Conference)

(The VoIP Users Conference provides weekly live discussion about VoIP, SIP, Asterisk and all kinds of telephony-related topics every Friday at 12pm EST. For more information, please visit http://vuc.me.)

Attacks from the cloud.

Just over a month ago, we reported that SIP attacks from the Amazon EC2 cloud were on the rise. While the attacks we received last month were limited to “extension only” registration attempts, one of the attacks we received this morning included what we assume was a standard dictionary attack.

The first attack came from 204.236.245.101. In less than 60 seconds, this IP attempted more than 11,500 registrations against our server. Most of these were 4 digit extensions (download the log (zipped) here). The second attack came from 184.73.4.183. In less than 90 seconds, this IP attempted more than 21,000 registrations against our server; including what we think is a standard dictionary attack complete with root, postmaster, pixadmin, etc. (download the log (zipped) here).

Read the rest of this entry »

Attacks from the cloud.

Update #1: 12 APR 2010. Amazon NOC’s response.
Update #2: 12 APR 2010. Amazon Statement.
Update #3: 13 APR 2010. Amazon Response.

Complaints of rampant SIP Brute Force Attacks coming from servers with Amazon EC2 IP Addresses cause many admins to simply drop all Amazon EC2 traffic. Generally, SIP brute force attacks attempt to register various peer names to a system and/or attempt to guess passwords of known/guesses peers or endpoints.

The complaints mentioned this weekend show an excessive amount of traffic; with some providers claiming 6GB of traffic dedicated to such attacks. Since we ourselves received an attack from an Amazon hosted server, we also reported and complained to the Amazon NOC/Abuse depts. As of this posting, no response or acknowledgement has been received from Amazon. The response from Amazon is below. Read the rest of this entry »

Cisco recently announced a Denial of Service vulnerability within the SIP implementation of the Cisco IOS Software. Cisco devices running affected Cisco IOS Software versions that are configured to process SIP messages are affected. The vulnerability allows a remote attacker to reload a device and/or execute remote code.

Cisco recommends removing SIP support unless needed. “If the affected Cisco IOS device requires SIP for VoIP services, SIP cannot be disabled, and no workarounds are available. Users are advised to apply mitigation techniques to help limit exposure to the vulnerabilities. Mitigation consists of allowing only legitimate devices to connect to affected devices. To increase effectiveness, the mitigation must be coupled with anti-spoofing measures on the network edge. This action is required because SIP can use UDP as the transport protocol.”

The full advisory is reprinted below: Read the rest of this entry »

Verizon recently issued a press release where they introduced two new “packages” aimed to help small to medium sized businesses through “rough economic times.” Although the packages are detailed and named in the press release (reprinted below), the release and website are a little lacking for information regarding costs and fees. If Verizon will be making it easier (and cost effective) to get SIP Trunks to end users, this may open a great window for PBX systems such as Asterisk, SwitchVox, FreeSWITCH, and more.

The press release follows:

Small and Medium-Sized Business Options Are Focus of Verizon Global Wholesale Offers

Voice Over IP and Powerful Internet Access Packages Bolster Business Success In Rough Economic Times

March 15, 2010

NEW YORK – At a time when small and medium-sized businesses look for every technological advantage to help them continue as the fundamental economic growth engine in the U.S., Verizon is providing support with three new voice-over-IP and Internet packages available through the Verizon Global Wholesale division. Read the rest of this entry »

VoicePulse announced today in an email that Business and Wholesale accounts will be required to meet a minimum usage of $10/month. They also advised that their Terms of Service had been updated to reflect the change. The company targeting users utilizing the service as a backup provider encouraged account holders to contact a representative to discuss becoming the “Primary” provider.

The email follows: Read the rest of this entry »

The Asterisk team of Digium announced new versions of Asterisk in reference to a potential security issue. The release highlights best practices and hopes to raise awareness of some potential security issues and injection statments. The announcement follows:

The Asterisk Development Team has announced security releases for the following
versions of Asterisk: Read the rest of this entry »

Hi, VoIP Tech Chat here introducing a BRAND NEW download from Digium, the company bringing you Asterisk. Are your Skype calls limiting you to sitting in front of your computer? Do you ever forget to plug in your microphone and lose audio? Well, Digium has the perfect product for you!

Skype for Asterisk Beta is a download that lets you integrate your Asterisk system with the Skype network.

With Skype for Asterisk, you can: Read the rest of this entry »

Cory Andrews posted a great “tech tip” on the VoIP Insider blog detailing how to convert a Cisco SCCP phone to SIP.

Whether you’re a Cisco fan that finally realizes Asterisk can provide better PBX services (at a lower cost) or just someone who happens to have a bunch of Cisco Skinny VoIP telephones laying around, converting the firmware to SIP can make the Cisco phone compatible with many VoIP systems.

But, don’t take my word for it… go to the VoIP Insider and read Cory’s tech tip. Give it a shot and tell us what you think.

John Todd (with Digium) sent a great email on SIP Security. Although written towards the Asterisk audience, this email provides a very good guideline towards increasing your VoIP SIP Security. It’s a must read and reprinted here for your easy viewing.

In case any of you were wondering why there has been a fairly notable upswing in the attacks happening on SIP endpoints, the answer is “script kiddies.”  In the last few months, a number of new tools have made it easy for knuckle-draggers to attack and defraud SIP endpoints, Asterisk-based systems included.  There are easily-available tools that scan networks looking for SIP hosts, and then scan hosts looking for valid extensions, and then scan valid extensions looking for passwords.  You can take steps, NOW, to eliminate many of these problems.  I think the community is interested in coming up with an integrated Asterisk-based solution that is much wider in scope for dynamic protection (community-shared blacklists is the current thinking) but that doesn’t mean you should wait for some new tool to defend your systems.  You can IMMEDIATELY take fairly common-sense measures to protect your Asterisk server from the bulk of the scans and attacks that are on the increase. The methods and tools for protection already exists – just apply them, and you’ll be able to sleep more soundly at night.

Seven Easy Steps to Better SIP Security on Asterisk: Read the rest of this entry »