Today we received a call from a federal employee investigating a “hack” on a client’s system. In short, the client’s Elastix system had suffered a SIP brute-force attack. Beyond the shock of a call from the feds (why did they ignore those Amazon attacks?), we faced the small challenge of explaining a SIP attack to someone not familiar with SIP, telephony, networking, or servers.
So, how do we start?
First step: We will no longer use the words SIP, Brute, Force, and Attack. =)
What we’re talking about is a scheme to make expensive calls (typically international or premium-rate numbers) through your phone system. That isn’t the motive in every case, but the vast majority of these attackers simply want to make expensive calls on your dime.
How does it work?
The bad guys trick your phone system into thinking they are a valid user.
How can they do that?
When a phone registers with your phone system, the system replies with a status message, and the reply for a phone name that doesn’t exist can differ from the reply for one that does. By sending registration attempts for many guessed names and comparing the replies, the bad guys can work out which phone names are real. Think of your phone system as the receptionist. An attempt might go like this…
Bad Guy: “Hi, is Alice there?”
Receptionist: “No, there is no Alice here. You have the wrong number.”
Bad Guy: “Hi, is Bob there?”
Receptionist: “Yes, who may I say is calling?”
In short, the response differs depending on whether that person exists in the company. It is the same with the phones. Once the bad guys have a list of valid phone names, they use their computers to guess each phone’s password, trying candidate after candidate until the system accepts one.
Once a password is found, they register their own phone (or a calling program) to your system as that extension and begin making calls.
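The receptionist exchange above, as an added example that is not code from the original post or from Elastix/Asterisk: a toy SIP registrar that answers REGISTER requests two ways, the leaky way (a different answer when the extension does not exist) and the hardened way (the same challenge whatever was sent), plus the name-guessing loop an attacker runs against each. The extensions, passwords, realm, nonce and status codes are constructed for the example; the digest is the MD5 form SIP borrows from RFC 2617.

```python
"""Toy SIP registrar showing the user-enumeration leak and its fix.

Added example, not from the original post.  Extensions, passwords, realm,
nonce and status codes are constructed; only the headers the demo needs are
parsed, so this is not a SIP implementation."""
import hashlib
import hmac
import re
from typing import Callable, Dict, List, Optional, Tuple

REALM = "pbx.example"                   # assumed realm for the example
NONCE = "4a7e2d9f"                      # fixed nonce so results are repeatable
ACCOUNTS: Dict[str, str] = {            # constructed extension -> password table
    "1000": "correct-horse",
    "1001": "Xk9#mP2q",
}
DUMMY_PASSWORD = "not-a-real-account"   # unknown users take the same code path


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user: str, password: str, nonce: str,
                    method: str = "REGISTER", uri: str = f"sip:{REALM}") -> str:
    """RFC 2617 digest without qop: MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = md5hex(f"{user}:{REALM}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def build_register(user: str, password: Optional[str] = None) -> str:
    """Minimal REGISTER text; with a password it carries a digest Authorization."""
    lines = [
        f"REGISTER sip:{REALM} SIP/2.0",
        f"To: <sip:{user}@{REALM}>",
        f"From: <sip:{user}@{REALM}>;tag=1",
    ]
    if password is not None:
        resp = digest_response(user, password, NONCE)
        lines.append(f'Authorization: Digest username="{user}", realm="{REALM}", '
                     f'nonce="{NONCE}", uri="sip:{REALM}", response="{resp}"')
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_register(msg: str) -> Tuple[str, Optional[str]]:
    """Return (user, digest response or None).  Not a full SIP parser."""
    user = re.search(r"^To:\s*<sip:([^@>]+)@", msg, re.M).group(1)
    auth = re.search(r'^Authorization:.*response="([0-9a-f]{32})"', msg, re.M)
    return user, (auth.group(1) if auth else None)


def registrar_leaky(msg: str) -> str:
    """The receptionist who says 'there is no Alice here'."""
    user, resp = parse_register(msg)
    if user not in ACCOUNTS:
        return "404 Not Found"          # different answer: the name does not exist
    if resp == digest_response(user, ACCOUNTS[user], NONCE):
        return "200 OK"
    return "401 Unauthorized"           # name exists, credentials wrong or missing


def registrar_hardened(msg: str) -> str:
    """Same answer for everyone (the idea behind Asterisk's alwaysauthreject=yes).

    Unknown users still get a digest computed against a dummy password, so the
    reply and its timing do not reveal whether the name exists."""
    user, resp = parse_register(msg)
    expected = digest_response(user, ACCOUNTS.get(user, DUMMY_PASSWORD), NONCE)
    ok = resp is not None and hmac.compare_digest(resp, expected)
    if ok and user in ACCOUNTS:         # guard: a dummy-password match must never log in
        return "200 OK"
    return "401 Unauthorized"


def enumerate_extensions(registrar: Callable[[str], str], guesses: List[str]) -> List[str]:
    """The attacker's loop: REGISTER with no credentials for each guess and keep
    every name whose reply differs from the reply for an obviously bogus name."""
    baseline = registrar(build_register("no-such-user-xyz"))
    return [g for g in guesses if registrar(build_register(g)) != baseline]


if __name__ == "__main__":
    guesses = ["1000", "1001", "1002", "alice", "bob"]
    print("leaky registrar reveals:   ", enumerate_extensions(registrar_leaky, guesses))
    print("hardened registrar reveals:", enumerate_extensions(registrar_hardened, guesses))
```

Against the leaky registrar the loop recovers every real extension without knowing a single password; against the hardened one every guess looks identical, so the attacker is back to guessing both name and password blind.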
What can I do to stop this?
If the person in charge of your phone system doesn’t understand what this attack is, you need to hire a consultant to help you and/or train your administrator. If you or your administrator do understand it, then you need to make sure you are following the best practices for SIP security (here’s a good link for Asterisk best practices). At a minimum that means a strong, unique password for every extension (never the extension number itself), allowing registrations only from the networks your phones actually use, and, on Asterisk, closing the “is Alice there?” leak by setting alwaysauthreject=yes in sip.conf so that a wrong name and a wrong password get the same reply.
If you’re running Asterisk, you might also wish to install a script such as fail2ban that watches the Asterisk log for repeated failed registrations and blocks the offending address at the firewall.
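The check such a blocking script makes, as an added example (not the original post’s code and not fail2ban’s): it scans log lines in the wording Asterisk’s chan_sip uses for failed registrations, counts failures per source address inside a sliding window, skips addresses on your own networks so a misconfigured desk phone never locks itself out, and returns the addresses that crossed the threshold. The log excerpt (RFC 5737 test addresses), trusted network, threshold and window are all constructed for the example; the firewall commands are returned as strings and nothing here executes them.

```python
"""Sliding-window detector for SIP registration brute force in Asterisk logs.

Added example, not from the original post.  The log excerpt, addresses,
trusted network, threshold and window are constructed for the demo."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# chan_sip's "Registration from '...' failed for 'ip:port' - reason" notice.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'(?P<from>[^']*)' failed for '(?P<ip>[\d.]+):\d+' - (?P<reason>.+)$"
)

# Networks whose phones must never be auto-blocked (assumed LAN range).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed excerpt: 203.0.113.7 scans names then guesses a password,
# 192.0.2.44 is a remote user who mistyped twice a minute apart, and 10.0.0.9
# is a LAN phone with a stale password retrying every second.
SAMPLE_LOG = """\
[2013-05-08 10:15:01] NOTICE[2215] chan_sip.c: Registration from '"100" <sip:100@10.0.0.5>' failed for '203.0.113.7:5060' - No matching peer found
[2013-05-08 10:15:01] NOTICE[2215] chan_sip.c: Registration from '"101" <sip:101@10.0.0.5>' failed for '203.0.113.7:5060' - No matching peer found
[2013-05-08 10:15:02] NOTICE[2215] chan_sip.c: Registration from '"102" <sip:102@10.0.0.5>' failed for '203.0.113.7:5060' - No matching peer found
[2013-05-08 10:15:02] NOTICE[2215] chan_sip.c: Registration from '"1000" <sip:1000@10.0.0.5>' failed for '203.0.113.7:5060' - Wrong password
[2013-05-08 10:15:03] NOTICE[2215] chan_sip.c: Registration from '"1000" <sip:1000@10.0.0.5>' failed for '203.0.113.7:5060' - Wrong password
[2013-05-08 10:15:40] NOTICE[2215] chan_sip.c: Registration from '"2000" <sip:2000@10.0.0.5>' failed for '192.0.2.44:5060' - Wrong password
[2013-05-08 10:16:50] NOTICE[2215] chan_sip.c: Registration from '"2000" <sip:2000@10.0.0.5>' failed for '192.0.2.44:5060' - Wrong password
[2013-05-08 10:17:00] NOTICE[2215] chan_sip.c: Registration from '"2001" <sip:2001@10.0.0.5>' failed for '10.0.0.9:5060' - Wrong password
[2013-05-08 10:17:01] NOTICE[2215] chan_sip.c: Registration from '"2001" <sip:2001@10.0.0.5>' failed for '10.0.0.9:5060' - Wrong password
[2013-05-08 10:17:02] NOTICE[2215] chan_sip.c: Registration from '"2001" <sip:2001@10.0.0.5>' failed for '10.0.0.9:5060' - Wrong password
[2013-05-08 10:17:03] NOTICE[2215] chan_sip.c: Registration from '"2001" <sip:2001@10.0.0.5>' failed for '10.0.0.9:5060' - Wrong password
[2013-05-08 10:17:04] NOTICE[2215] chan_sip.c: Registration from '"2001" <sip:2001@10.0.0.5>' failed for '10.0.0.9:5060' - Wrong password
[2013-05-08 10:17:30] NOTICE[2215] chan_sip.c: Registration from '"1000" <sip:1000@10.0.0.5>' failed for '203.0.113.7:5060' - Wrong password
"""


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_attackers(log_text: str, threshold: int = 5,
                   window: timedelta = timedelta(seconds=60)) -> Dict[str, int]:
    """Return {source ip: failures in window} for every untrusted address that
    reached `threshold` failed registrations inside `window`."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, int] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or is_trusted(m["ip"]):
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:       # forget failures older than the window
            q.popleft()
        if len(q) >= threshold and m["ip"] not in flagged:
            flagged[m["ip"]] = len(q)
    return flagged


def block_commands(attackers: Dict[str, int]) -> List[str]:
    """The iptables rules a blocking script would run (returned, not executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(attackers)]


if __name__ == "__main__":
    hits = find_attackers(SAMPLE_LOG)
    for ip, n in hits.items():
        print(f"{ip}: {n} failed registrations inside 60 s")
    for cmd in block_commands(hits):
        print(cmd)
```

Only the scanner crosses the threshold: the remote user’s two typos fall outside the window and the LAN phone is skipped before it is even counted. Tune the threshold and window to your own traffic, and keep your SIP trunk provider and office networks on the trusted list, or the first password change someone forgets to push to a phone will cut that office off.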
Even better… consider Kamailio.
Kamailio (pronounced KAMA-ILLY-OH) is an open-source SIP proxy, registrar and application server that is extremely robust and powerful. Placed in front of your phone system, it can rate-limit and block sources that flood it with requests (its pike module does exactly this), which goes a long way toward minimizing these annoying attacks before they ever reach the phone system itself.
Remember, the Internet is like a big city. Sure, there are great museums and entertainment, but there are also bad, bad places filled with bad, bad people. If you’re going to leave your BMW unlocked in Hell’s Kitchen, don’t be surprised when it’s been taken around the block a few times.