Hello Robert:

With regards to, "I'm curious why would you ever put an asterisk
machine with known ports/function directly on the internet?"  ---
Please read the entire chain carefully.   We **do** put a firewall in
place.   Without the firewall the Asterisk service itself would have
been taking a beating and the system would have easily been
compromised.   You can use a set of open source tools out there and
crash an Asterisk server within minutes if you don't have a firewall
type of solution in place before the packets reach Asterisk.

And you can't have a VPN on a production server that serves hundreds or
thousands of clients and force each of your clients to use your VPN.
It doesn't work that way, unfortunately.

In the termination and origination business, you have no option
but to put the servers out in the open, protected with firewalls and
log monitoring tools to watch for abnormal log activity.   When the
firewall logs grow from a couple of megabytes to 10-20 gigabytes in an hour
or two...  you know the firewall is doing its job.

You might be a telecom administrator taking care of one organization,
but we are a carrier, one level below the CLEC, with hundreds of end
points registering to our server for carrier and phone services, and we
see all types of attacks and attempts every day.  We start worrying if
the attacks cost us heavy bandwidth use.

As per your quote, "There should be a good firewall or firewall/VPN
solution in front of all machines put on the internet. The firewall
should also monitor all unusual traffic and block attacks."  ---- Not
sure what you are trying to say here, because I did mention in my first
post the importance of a firewall (iptables and Fail2Ban to start
with), but VPN is not an option.

And even if you have a VPN and firewall option -- your firewall will
hold... but if you are paying 50 cents per gigabyte beyond your
allocated traffic (let's say 500 GB)...  well...  your firewall may
hold, but your pocket will not hold if your firewall is handling and
fighting off approximately 10 gigabytes of DDoS data per hour.   Let's
say you are indeed running a full blown VPN...  then obviously the VPN
is connected to the Internet...  and there is a port of entry from the
internet to your VPN.  You have a firewall in place - but that still
does not prevent the attacks from happening, and you are still paying
for bandwidth beyond your quota as your firewall is fighting off the
unwanted data.  Installing a firewall does not mean the brute force
attacks no longer arrive at your demarcation point.

Our servers have a full 100 Mbps connection to the internet backbone -
and if attacks are originating from multiple sources through a
systematic, well coordinated attack on your server - then you need to
take other, unorthodox approaches.  When your attacks are in the range of
10 gigabytes per hour you need to pick up the phone and call the
overseas company hosting the servers in question, or you have to call
your banker.

Most brute force DDoS type attacks (daily occurrences) stop within
minutes after they see their IP is blocked.  But recently
I'm witnessing DDoS brute force type attacks in the gigabytes
of data.   This is not targeted at my platforms alone. These are
targeted country-wide.

What I am observing at my end is that the more speed you have (jumping from 1 Mbps
to 10 Mbps to 100 Mbps), the strength of the attacks just increases
several-fold (systematically) from multiple locations.

I hope this gives you and others an added perspective on the nature of
systematic brute force DDoS type attacks.  It only takes a few minutes
to implement good firewall policies to protect a server.

Kind regards,
Reza.


On Tue, Aug 31, 2010 at 11:11 AM, Robert Brock <[email protected]> wrote:
> I'm curious why would you ever put an asterisk machine with known
> ports/function directly on the internet?
>
> There should be a good firewall or firewall/VPN solution in front of all 
> machines put on the internet. The firewall should also monitor all unusual 
> traffic and block attacks.
>
> Putting any machine on both the internal and external network at any location
> is a serious no-no.
>
> Robert Brock
> Telecom Administrator, MKS Inc., www.mks.com
> Waterloo, ON, Canada
> Tel: 519-883-3243 or 800-265-2797 x3243
> Fax: 519-884-8861
>
>
> -----Original Message-----
> From: Reza - Asterisk Consultant [mailto:[email protected]]
> Sent: Tuesday, August 31, 2010 1:36 AM
> To: John Lange
> Cc: Asterisk Users Group
> Subject: Re: [on-asterisk] Asterisk Hacks on the rise.
>
> Hello John:
>
> For your clarification - 4 test servers running on 4 IP addresses:
> Rogers Cable home, Rogers Cable Business, TekSavvy DSL, and Bell DSL.
> These were test servers.   So they are not located in the same
> facility or a real data centre.   Also, machines experiencing SIP brute
> force DDoS attacks without even registering to any provider tells me
> the scanners are scanning/sniffing open ports.
>
> There are three other high-end production servers located at data
> centres with different subnets.   I would normally agree with you with
> regards to an inside job, but when all 4-7 coins are flipped and land
> on the same side - I don't think that's coincidence.
>
> The scanners are targeting anyone and everyone with GOOD interconnects and
> high speeds of minimum 10 Mbps to the internet backbone, if you ask my
> opinion.   Bandwidth and speed are relatively cheap in North America
> compared to the rest of the globe, so I believe North American servers
> are primary targets.  For attacks originating from both UK- and France-
> based servers, their service providers have been amazing in shutting
> down the servers originating the attacks.
>
> My 3rd Party SIP Providers and PRI providers are **ALL** CLECs.
> Unless an employee within the CLEC doesn't like me - I doubt they
> would want to waste their valuable resources on a smaller provider for
> sabotage.  Highly unlikely.
>
> The reality is that SIP based DDoS is on the rise for one and only
> one reason...  and that is to gain access to the PSTN and make
> fraudulent calls.   As early as this month I have been informed of
> several thousand dollars of fraudulent calls made to other parts of
> the globe from a business whose office PBX was compromised because the
> guru forgot to change the default password on their system.
>
> If you have not been looking at or observing your logs, have a look at
> your logs under /var/log and check the auth.log and related log files,
> along with the Asterisk notice logs.  You will be surprised how common
> this is.   We've been in business for 5+ years and we see attacks all
> the time.  We brush it off and ban the IPs because the attacks are not
> severe and very manageable (at the technical level).
>
> When you are being hit by gigabytes and gigabytes of attacks from
> one source - I am still not worried about entry.  Our firewall does
> its job and does it damn well, barely using a fraction of a
> percent of CPU...  *** B U T *** what does hurt is if you have
> 50 gigabytes of attacks on a given day from ONE source and it
> persists -- well, then it hurts your pocket.
>
> I have confirmed that at least 3 other clients who have servers at data
> centres (both US and Canada) have complained about the same SIP DDoS
> attacks over the past couple of weeks.  I just think it's getting more
> aggressive and more common than most people are aware of.
>
> Hope this helps with some insight.
>
> Cheers!
> Reza.
>
>
> On Mon, Aug 30, 2010 at 11:08 AM, John Lange <[email protected]> wrote:
>> Reza, are the four new servers in the same subnet at a facility that has
>> other SIP services?
>>
>> We have a number of servers deployed across different providers and
>> don't see many hack attempts so I'm wondering if the scanners are
>> targeting areas where they know there is a higher number of asterisk
>> servers?
>>
>> Alternatively, I think I'd be suspicious of whoever your 3rd party SIP
>> providers are. Somehow the IP addresses of your servers are quickly
>> becoming known to attackers so there is definitely a weakness someplace.
>>
>> On the plus side, it seems unlikely that they are able to sniff your
>> traffic because if they could they wouldn't have any need to brute force
>> your passwords.
>>
>> --
>> John Lange
>> http://www.johnlange.ca
>>
>>
>> On Sat, 2010-08-28 at 02:17 -0400, Reza - Asterisk Consultant wrote:
>>> I've been following some of the hacking posts.   To advise - these sorts
>>> of Asterisk hack attempts and brute force attacks (both SSH, but
>>> especially SIP 5060) are on the rise.  We deployed 4 test servers with
>>> unique IP addresses over the past 7 days, with 2 production servers
>>> (fortunately with iptables rules and Fail2Ban implemented).   Within
>>> literally a couple of hours from the machines going up - we immediately
>>> encountered brute force friendly-scanner type SIP attacks.
>>>
>>> There was one particular IP address, originating from a French dedicated
>>> server hosting company (www.ovh.fr), which was causing me about 10 MB
>>> of traffic per minute of pure SIP brute force.   Most attacks stop
>>> after they observe their IP has been banned, but this one was being
>>> particularly stubborn.    In about 24hrs and after about 10 gigabytes
>>> of iptables packet drops from this IP, I picked up the phone, called
>>> the hosting company in France and they put a cork on it immediately.
>>> I was quite impressed at these guys in France suspending the culprit
>>> server after submitting the logs.
>>>
>>> In a nutshell - this is what I have:
>>>
>>> a)  ZERO access to anonymous SIP calls.
>>> b)  Complex alpha-numeric passwords for all SIP end points.
>>> c)  Complex SSH password with iptables configured to reject SSH
>>> logins from an IP address after the 2nd attempt (for sys admins only)
>>> d)  Only SIP and SSH services running on my platform
>>> e)  Fail2Ban / iptables blocking IP addresses for 15 minutes
>>> f)  Brute force attackers being banned permanently within my iptables
>>> g)  China, South America, India and Israel IP address blocks completely
>>> banned.
>>>
>>> My brute force attacks used to rank highest from Israel and then from
>>> China.   Lately I'm beginning to see more attacks, usually giving up
>>> within a few minutes, from Western Europe.  This one attack from France was
>>> the most notorious of all.
>>>
>>> If you are running one of the GUI variants of Asterisk such as TrixBox,
>>> Elastix, ThirdLane and other similar type front-ends, be warned that
>>> all default and dictionary word type passwords are hacked within
>>> minutes and your server compromised in record time.    Before you have
>>> your services up and running, ensure that you change your default
>>> passwords immediately (otherwise you are asking for it and inviting
>>> problems).
>>>
>>> Having all 4 test servers and 2 production servers experiencing brute
>>> force SIP attacks within hours of deployment, I refuse to believe it's
>>> coincidence.  My conclusion from what I have observed over the past
>>> several months is that there are sniffers out there that sniff
>>> SIP ports 24/7.   Once they find SIP ports open, they brute force attack.
>>> If you have firewall / iptables rules implemented, most give up
>>> within minutes.
>>>
>>> As a rule of thumb, what I am doing at my end is to ensure all my
>>> servers have iptables, Fail2Ban and related protection tools deployed
>>> before any voice services are deployed.
>>>
>>> I would like to hear how you protect your servers.
>>>
>>> Thank you,
>>> Reza.
>>>
>>>
>>
>>
>
>
>
> --
> Toronto based VoIP / Asterisk Trainer,
> I.T. Consultant and Hosted PBX Solutions Provider.
> +1-647-476-2067.
> http://www.linkedin.com/in/seminar
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
>



-- 
Toronto based VoIP / Asterisk Trainer,
I.T. Consultant and Hosted PBX Solutions Provider.
+1-647-476-2067.
http://www.linkedin.com/in/seminar
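The thread's defensive recipe (log monitoring, Fail2Ban-style counting of failed SIP registrations, a 15-minute ban, permanent bans for repeat offenders) as an added example that is not part of any message in this thread or of Fail2Ban itself. It assumes the chan_sip "Registration from ... failed for ..." NOTICE wording of Asterisk 1.6/1.8, pins the year-less log timestamp to 2010, and only returns the iptables rule text rather than executing it; the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# chan_sip NOTICE line as written to /var/log/asterisk/messages (Asterisk 1.6/1.8 wording).
# Assumption: the timestamp carries no year, so it is pinned to 2010 when parsed.
LOG_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '[^']*' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - .+$")

class SipBanTracker:
    """Per-IP sliding-window failure counter; repeat offenders escalate to a permanent ban."""
    def __init__(self, maxretry=5, findtime=600, bantime=900, permanent_after=3):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.permanent_after = permanent_after
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.ban_count = defaultdict(int)    # ip -> how many bans issued so far

    def feed(self, line):
        """Return the iptables rule this log line triggers, or None."""
        m = LOG_RE.match(line)
        if not m:
            return None                      # not a registration failure, ignore
        ts, ip = datetime.strptime("2010 " + m["ts"], "%Y %b %d %H:%M:%S"), m["ip"]
        window = self.failures[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > self.findtime:
            window.popleft()                 # forget failures older than findtime
        if len(window) < self.maxretry:
            return None
        window.clear()                       # while banned, packets never reach Asterisk
        self.ban_count[ip] += 1
        if self.ban_count[ip] >= self.permanent_after:
            return f"iptables -I INPUT -s {ip} -j DROP  # permanent"
        return f"iptables -I INPUT -s {ip} -j DROP  # remove after {self.bantime}s"

def fail_line(ts, ip, why="Wrong password"):   # builds a constructed chan_sip failure line
    return (f"[{ts}] NOTICE[2345] chan_sip.c: Registration from '\"100\"<sip:100@192.0.2.5>' "
            f"failed for '{ip}' - {why}")

SAMPLE_LOG = (   # constructed: three bursts from one scanner, plus one stray miss
    [fail_line(f"Aug 28 02:17:0{s}", "198.51.100.23") for s in range(1, 6)]
    + [fail_line("Aug 28 02:17:06", "203.0.113.9", "No matching peer found")]
    + [fail_line(f"Aug 28 02:40:1{s}", "198.51.100.23") for s in range(5)]
    + [fail_line(f"Aug 28 03:10:2{s}", "198.51.100.23") for s in range(5)])

def run_demo(lines=SAMPLE_LOG):
    tracker = SipBanTracker()
    return [rule for rule in map(tracker.feed, lines) if rule]
```

The third burst from 198.51.100.23 trips the permanent rule, while the single miss from 203.0.113.9 never reaches the threshold.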
