Rehan,

Asterisk is likely looking at the SIP headers for IP authentication and not the actual IP headers. SIP headers can be spoofed, but I don't believe they can spoof the IP packets and still have it routed properly to this customer unless they are on the same network. If the customer does a packet capture (tcpdump, tethereal, etc.), they should see that the IP and SIP headers do not match on those calls. They could use iptables or some other ACL to block the hackers.
Andy Day
Velocity Networks / IP Telesis
801-783-5105
www.vel.net

Date: Fri, 4 Sep 2009 22:59:48 +0800
From: Rehan Ahmed Allahwala <[email protected]>
Subject: [asterisk-biz] A hacker attack on asterisk
To: Commercial and Business-Oriented Asterisk Discussion <[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset="iso-8859-1"

We have a customer who is facing this problem. Their gateway Asterisk to the termination side is being attacked by the hacker. The gateway Asterisk is using IP-based authentication, and also IAX user name and password. The hacker is somehow able to send the call out via the gateway Asterisk, faking the IP address. The FULL log does not show any trace of the call or the number which is being called in the NODE Asterisk whose IP is being used; however, the log of the GATEWAY Asterisk shows that the call was made from the IP of the NODE Asterisk.

Any suggestions on what they can use to do a further authentication for this particular customer?

Rehan
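
The comparison suggested in the reply above (IP-layer source address versus the addresses carried in the SIP headers), as an added example that is not part of the original thread. It assumes the capture has already been reduced to (IP source, SIP payload) pairs; the function names are hypothetical and the sample messages are constructed with documentation addresses.

```python
import re

COMPACT = {"v": "via", "m": "contact"}   # SIP compact header names (RFC 3261)
URI_HOST = re.compile(r"sips?:(?:[^@>;\s]+@)?([^:;>\s]+)")

def parse_headers(payload):
    """Return {lowercased header name: [values]} for a raw SIP message."""
    head = payload.replace("\r\n", "\n").split("\n\n", 1)[0]
    head = re.sub(r"\n[ \t]+", " ", head)        # unfold continuation lines
    headers = {}
    for line in head.split("\n")[1:]:            # skip the request/status line
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()
            headers.setdefault(COMPACT.get(key, key), []).append(value.strip())
    return headers

def claimed_hosts(headers):
    """Hosts the sender claims: topmost Via sent-by and Contact URI (IPv4 only)."""
    hosts = {}
    # "SIP/2.0/UDP host[:port];branch=..." -> ["SIP/2.0/UDP", "host[:port]"]
    parts = headers.get("via", [""])[0].split(",")[0].split(";")[0].split()
    if parts:
        hosts["via"] = parts[-1].split(":")[0]
    m = URI_HOST.search(headers.get("contact", [""])[0])
    if m:
        hosts["contact"] = m.group(1)
    return hosts

def mismatches(src_ip, payload):
    """Header fields whose host differs from the packet's IP source address."""
    claimed = claimed_hosts(parse_headers(payload))
    return {field: host for field, host in claimed.items() if host != src_ip}

def audit(packets):
    """packets: iterable of (ip_source, sip_payload) pulled from a capture."""
    flagged = [(src, mismatches(src, raw)) for src, raw in packets]
    return [(src, diff) for src, diff in flagged if diff]

def invite(claimed):   # constructed sample message, documentation addresses only
    return ("INVITE sip:15550100@198.51.100.5 SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {claimed}:5060;branch=z9hG4bKexample\r\n"
            f"Contact: <sip:node@{claimed}:5060>\r\n"
            "Content-Length: 0\r\n\r\n")

SAMPLE = [("192.0.2.10", invite("192.0.2.10")),      # source matches headers
          ("203.0.113.77", invite("192.0.2.10"))]    # source differs from headers

if __name__ == "__main__":
    for src, diff in audit(SAMPLE):
        print(f"packet from {src} claims {diff}")
```

A sender behind NAT also produces a mismatch, so flagged packets are candidates to check against the known node address rather than proof of spoofing.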
