Re: How common are wide open SIP gateways?

2010-02-06 Thread John Todd


On Feb 5, 2010, at 1:27 PM, Scott Howard wrote:

On Fri, Feb 5, 2010 at 9:45 AM, David Birnbaum dav...@pins.net  
wrote:
We have noticed a lot of issues with Asterisk 1.2 and some 1.4  
rollouts.

FreePBX had some truck-sized holes in it.


Most/all of the big issues that existed in previous version of
Asterisk/FreePBX have been resolved in later releases.

The majority of the stolen SIP cases I've heard of have come down to
brute forcing of often very insecure passwords - quite often stupid
insecure passwords like the same as the username.  And of course the
username itself is normally the extension, which makes is relatively
easy to guess (if 100 doesn't exist, then 200 or 1000 probably
does, etc).

Then there's the issue of unencrypted/unsecured phone provisioning
files, complete with SIP usernames/passwords,  hosted on internet
webservers - often with the only security being your ability to guess
the MAC address...

On our relatively small client base, we are seing SIP probing on  
more or
less a non-stop basis, and some of our customers have been hacked  
over the


Presuming you're running Asterisk, fail2ban can help.  The only real
issue I've had with it is that many softphones will repeated try to
register if you get the password wrong, so a user entering their
username/password even only once will get them blocked for X minutes.

 Scott



I'll second Scott's comments, and add a few.

SIP servers aren't much good unless they're wide open, if you're  
serving to a large number of diverse users whose networks you do not  
control with a VPN or a customized client.  This invites probing to  
determine identity choice weakness.  It seems that new SIP servers are  
discovered within about 5 days of being put up without filtering, at  
least looking at my logs.


The most commonly-available toolset for such attacks seems to have  
moved SIP attacks into script-kiddie land about a year and a half  
ago.  The tool has three functions: scan for SIP servers (UDP 5060),  
identify SIP identities via login failure or other error message  
information leakage, and lastly guess passwords in brute-force manners  
on those identified SIP extensions.


The attacks seem to be geographically diverse - I've seen originations  
both in North America as well as non-NA origins, though the ultimate  
origin is often a mystery due to compromised servers being used for  
probe sweeps.  The attacks also seem to have a variety of purposes.   
The four that I've most commonly seen are:


 1) Experimenting, joy riders.
 2) Attacking to obtain free international long distance
 3) Attacking to obtain access into the PBX network with fraudulent  
identity to perform fraudulent internal activity (This is Bob from  
accounting...)
 4) Attacking to create large numbers of domestic calls for phishing  
scams (This is your bank.  Please enter your credit card number now.)


Of these, #4 seems to be the only one that gets significant attention  
of LEA resources.


I wrote some notes for security basics on this a while back as it  
pertains to Asterisk in particular, but the problem remains with some  
very old installations that accept inbound calls into the default  
Asterisk context (which is not a bug, but really a configuration  
error) or it crops up anew with administrators who do not adequately  
create sufficiently random SIP identities and passwords.  Asterisk is  
fairly robust against such attacks, but often the flexibility of a  
complex system allows administrators to inadvertently expose  
themselves in ways they wouldn't ordinarily think about.  More here:


  http://blogs.digium.com/2009/03/28/sip-security/

As far as network impacts: some of these probes are fairly significant  
in bandwidth consumption (3-5 mbps, from what I've seen) and may cause  
problems with whatever your SIP authentication method is due to the  
volume of requests.   A distributed attack at higher volumes has less  
chance of success because most SIP platforms do not have the ability  
to respond to high volumes of requests anyway.  Fail2Ban can be  
implemented on most SIP platforms at the application level, and works  
quite well against most probe methods.


I can't even comment on the issue of unencrypted/unauthenticated  
provisioning servers.  If you're provisioning in an unauthenticated  
way across the big internet, then... well, you takes yer chances.



Lastly: SIP is very flexible in handling alternate ports for  
communications in URIs or other pointers, though I have never seen a  
SIP server using anything other than 5060/5061.  Perhaps related, I've  
never seen a suspicious system probing on 5060 looking at any other  
ports.  Maybe changing ports would siipmly solve problems pretty  
quickly for people seeing attacks who have some ability to influence/ 
configure their end devices or trunking peers.  (At least, for a  
little while.  Remember: when chased by a bear, you just need to be  
faster than the guy behind you.)


JT

Re: How common are wide open SIP gateways?

2010-02-05 Thread Seth Mattinen
On 2/5/10 9:33 AM, Drew Weaver wrote:
 Heya,
 
   Has anyone done any research or have any anecdotal numbers related to 
 how common it is to have a SIP gateway sitting out on the Internet with no 
 ACL or authentication? Recently we have noticed a couple of instances where 
 we get abuse complaints from companies who claim that one of our hosting 
 clients 'stole SIP service' from them. This reminds me somewhat of the 'SMTP 
 open relay' days. We obviously take action and shut the offending user down 
 but I can't help but wonder how common this practice is. Usually I just ask 
 the company why their system allows anyone to use their SIP gateway and they 
 usually say something like We can't predict what IP our users will come in 
 from... etc
 
 I am just wondering if anyone else has noticed this trend.
 


While it's true you can't predict the source IP when you have remote
users with dynamic IP (think SIP at home or softphone on the road),
that's no reason to omot basic MD5 digest auth.

~Seth



Re: How common are wide open SIP gateways?

2010-02-05 Thread David Birnbaum
If you are using Asterisk (and many derived PBXs), and your installation is old 
enough, and your default context will complete a call...then you may find you 
are giving free calling out.  This was fixed at some point in the Asterisk 
default configuration files.


We have noticed a lot of issues with Asterisk 1.2 and some 1.4 rollouts. 
FreePBX had some truck-sized holes in it.


On our relatively small client base, we are seing SIP probing on more or less a 
non-stop basis, and some of our customers have been hacked over the years. 
It's definitely increasing - the modern equivilent of the open-DISA access many 
old PBX/VMs offer.


On the plus side, they ususal start calling North Korea or Somalia or something 
which triggers the alarms, so they get shut down right away; we offer a default 
Axis of Evil block to stop international calling to the high-fraud countries 
that are out there and only allow calling there upon customer request.  I 
wouldn't be at all surprised to find much cleverer people that have hacked PBXs 
and are making calls at a moderate pace to domestic or other inexpensive areas 
as to avoid detection.


Cheers,

David.

-

On Fri, 5 Feb 2010, Drew Weaver wrote:


Heya,

Has anyone done any research or have any anecdotal numbers related to how common 
it is to have a SIP gateway sitting out on the Internet with no ACL or authentication? 
Recently we have noticed a couple of instances where we get abuse complaints from 
companies who claim that one of our hosting clients 'stole SIP service' from them. This 
reminds me somewhat of the 'SMTP open relay' days. We obviously take action and shut the 
offending user down but I can't help but wonder how common this practice is. Usually I 
just ask the company why their system allows anyone to use their SIP gateway and they 
usually say something like We can't predict what IP our users will come in from... 
etc

I am just wondering if anyone else has noticed this trend.

-Drew







Re: How common are wide open SIP gateways?

2010-02-05 Thread Jon Lewis

On Fri, 5 Feb 2010, Drew Weaver wrote:

	Has anyone done any research or have any anecdotal numbers related 
to how common it is to have a SIP gateway sitting out on the Internet 
with no ACL or authentication? Recently we have noticed a couple of 
instances where we get abuse complaints from companies who claim that 
one of our hosting clients 'stole SIP service' from them. This reminds 
me somewhat of the 'SMTP open relay' days. We obviously take action and 
shut the offending user down but I can't help but wonder how common this 
practice is. Usually I just ask the company why their system allows 
anyone to use their SIP gateway and they usually say something like We 
can't predict what IP our users will come in from... etc


Just because one of your users stole SIP service from a site doesn't mean 
their gateway doesn't do authenticate.  We operate a number of SIP 
gateways, some of which do need to be relatively wide open ACL-wise. 
Like any other service, good usernames and passwords are a must.  I've 
seen people trying to brute force SIP access on our servers just as they 
do with SSH (if you leave that open) or POP3.


Stealing phone service is nothing new.  SIP's just the latest vector for 
it.


--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: How common are wide open SIP gateways?

2010-02-05 Thread Chris Hills

On 05/02/2010 17:33, Drew Weaver wrote:

Has anyone done any research or have any anecdotal numbers related to how common 
it is to have a SIP gateway sitting out on the Internet with no ACL or authentication? 
Recently we have noticed a couple of instances where we get abuse complaints from 
companies who claim that one of our hosting clients 'stole SIP service' from them. This 
reminds me somewhat of the 'SMTP open relay' days. We obviously take action and shut the 
offending user down but I can't help but wonder how common this practice is. Usually I 
just ask the company why their system allows anyone to use their SIP gateway and they 
usually say something like We can't predict what IP our users will come in from... 
etc

I am just wondering if anyone else has noticed this trend.


If you register your phone numbers in e164.arpa it is pretty useless 
adding records for a sip server that requires authentication because 
hardly anybody is going to be able to reach you!


(e164.arpa provides phone number to service mapping, like ip6.arpa 
provides ipv6 address to hostname mapping)





Re: How common are wide open SIP gateways?

2010-02-05 Thread Jonathan Thurman
On 05/02/2010 17:33, Drew Weaver wrote:

        Has anyone done any research or have any anecdotal numbers related
 to how common it is to have a SIP gateway sitting out on the Internet with
 no ACL or authentication? Recently we have noticed a couple of instances
 where we get abuse complaints from companies who claim that one of our
 hosting clients 'stole SIP service' from them. This reminds me somewhat of
 the 'SMTP open relay' days. We obviously take action and shut the offending
 user down but I can't help but wonder how common this practice is. Usually I
 just ask the company why their system allows anyone to use their SIP gateway
 and they usually say something like We can't predict what IP our users will
 come in from... etc

 I am just wondering if anyone else has noticed this trend.

The VoiceOps mailing list (http://www.voiceops.org/) would probably
have more info for you on this.  Although many people are on NANOG too
and may chime in.



On Fri, Feb 5, 2010 at 9:50 AM, Chris Hills c...@chaz6.com wrote:
 If you register your phone numbers in e164.arpa it is pretty useless adding
 records for a sip server that requires authentication because hardly anybody
 is going to be able to reach you!

If the call is to Me, then I don't care about authentication.  If the
call is to someone else, then I require authentication.  That is
fairly easy to configure on every SIP platform that I have used.

-Jonathan



Re: How common are wide open SIP gateways?

2010-02-05 Thread Brandon Ewing
On Fri, Feb 05, 2010 at 12:45:13PM -0500, David Birnbaum wrote:
 We have noticed a lot of issues with Asterisk 1.2 and some 1.4 rollouts. 
 FreePBX had some truck-sized holes in it.


FreePBX 2.6.0 defaults to refusing anonymous SIP calls.  If you enable
inbound anonymous calls, it includes only the from-trunk context, making
it behave like a standard incoming over over a configured trunk.  If you've
configured FreePBX to allow outgoing calls from the trunk context, you have
larger problems in general.

-- 
Brandon Ewing(nicot...@warningg.com)


pgp5bOWiI8hbn.pgp
Description: PGP signature


Re: How common are wide open SIP gateways?

2010-02-05 Thread David Birnbaum
I should have prefaced that with older installations as well.  As far as we 
can see, most of the newer packages have fixed the known truck-sized holes in 
their default configurations, but given the lack of any formal framework for 
testing this stuff, even the big switches have been found to have security 
issues from time to time.


I have to admit I was surprised at the number of people I've run into over the 
years who unpacked Asterisk, played with a few phones, and stuck themselves on 
the Internet without any clear understanding of how exposed they are.


Cheers,

David.

-

On Fri, 5 Feb 2010, Brandon Ewing wrote:


On Fri, Feb 05, 2010 at 12:45:13PM -0500, David Birnbaum wrote:

We have noticed a lot of issues with Asterisk 1.2 and some 1.4 rollouts.
FreePBX had some truck-sized holes in it.



FreePBX 2.6.0 defaults to refusing anonymous SIP calls.  If you enable
inbound anonymous calls, it includes only the from-trunk context, making
it behave like a standard incoming over over a configured trunk.  If you've
configured FreePBX to allow outgoing calls from the trunk context, you have
larger problems in general.

--
Brandon Ewing(nicot...@warningg.com)





RE: How common are wide open SIP gateways?

2010-02-05 Thread Drew Weaver
Eventually I'll have to get around to setting up netflow so I can detect the 
scanners before it becomes a problem =)

Just not a great deal of 'cohesiveness' with the current open source netflow 
implementations, and then all of the different Cisco gear has different caveats 
related to NF, so it's hard to use that as a good way to detect this sort of 
thing, although I'm guessing it can't be too hard to figure out which hosts are 
making a bunch of outbound connections to random IPs on 5060 =)

-Drew

-Original Message-
From: David Birnbaum [mailto:dav...@pins.net] 
Sent: Friday, February 05, 2010 1:22 PM
To: Brandon Ewing
Cc: nanog@nanog.org
Subject: Re: How common are wide open SIP gateways?

I should have prefaced that with older installations as well.  As far as we 
can see, most of the newer packages have fixed the known truck-sized holes in 
their default configurations, but given the lack of any formal framework for 
testing this stuff, even the big switches have been found to have security 
issues from time to time.

I have to admit I was surprised at the number of people I've run into over the 
years who unpacked Asterisk, played with a few phones, and stuck themselves on 
the Internet without any clear understanding of how exposed they are.

Cheers,

David.

-

On Fri, 5 Feb 2010, Brandon Ewing wrote:

 On Fri, Feb 05, 2010 at 12:45:13PM -0500, David Birnbaum wrote:
 We have noticed a lot of issues with Asterisk 1.2 and some 1.4 rollouts.
 FreePBX had some truck-sized holes in it.


 FreePBX 2.6.0 defaults to refusing anonymous SIP calls.  If you enable
 inbound anonymous calls, it includes only the from-trunk context, making
 it behave like a standard incoming over over a configured trunk.  If you've
 configured FreePBX to allow outgoing calls from the trunk context, you have
 larger problems in general.

 -- 
 Brandon Ewing(nicot...@warningg.com)





Re: How common are wide open SIP gateways?

2010-02-05 Thread Scott Howard
On Fri, Feb 5, 2010 at 9:45 AM, David Birnbaum dav...@pins.net wrote:
 We have noticed a lot of issues with Asterisk 1.2 and some 1.4 rollouts.
 FreePBX had some truck-sized holes in it.


Most/all of the big issues that existed in previous version of
Asterisk/FreePBX have been resolved in later releases.

The majority of the stolen SIP cases I've heard of have come down to
brute forcing of often very insecure passwords - quite often stupid
insecure passwords like the same as the username.  And of course the
username itself is normally the extension, which makes is relatively
easy to guess (if 100 doesn't exist, then 200 or 1000 probably
does, etc).

Then there's the issue of unencrypted/unsecured phone provisioning
files, complete with SIP usernames/passwords,  hosted on internet
webservers - often with the only security being your ability to guess
the MAC address...

 On our relatively small client base, we are seing SIP probing on more or
 less a non-stop basis, and some of our customers have been hacked over the

Presuming you're running Asterisk, fail2ban can help.  The only real
issue I've had with it is that many softphones will repeated try to
register if you get the password wrong, so a user entering their
username/password even only once will get them blocked for X minutes.

  Scott