Brief History
Throughout the course of three years I have been studying the Voice Over IP attack canvas. As a security engineer, I have had the privilege of seeing an enormous amount of attacks while working at a Managed Services Provider. Because I have multiple roles in the company I am working at, I get the best of multiple worlds. Sometimes I’m a VoIP engineer, sometimes a pentester, sometimes systems engineer, other times it depends highly on my mood. Overall I’m a Senior Coffee Tasting Engineer working at a company that gives me great flexibility to do what I want. This allowed me to create my own Voice Over IP Honeypot I called Arkeos for data analysis.
My original security application began as a “blacklisting” slash “VoIP Intrusion Prevention System” program using Asterisk. The goal was simple, keep an eye on live servers and when an attacker made a move, initiate a mechanism to automatically block the attacker, send the engineers a report, place the offender in a list to be distributed to all other PBX’s in my company so they too can block them. Initially my VoIP IPS worked just as programmed however, because I have clients all over the world, it became difficult to outright block entire CIDR ranges. I quickly whitelisted many addresses, re-hashed the IPS which worked fine for years.
The Arkeos idea came to mind after browsing around to see that there really wasn’t anyone to correspond with in this matter. People looking for and sharing similar data were few as opposed to normal networking slash abuse. I decided to build my honeypot based on what I was seeing from monitoring logs. Anyone who has known me for years can tell you that I kept tons of terminals opened with good old faithful tail -f running alongside whatever logging applications I have in house (Splunk, etc). As months passed by, I began archiving data from attacks spread across 20-30 Internet facing PBX’s. My current company sells VoIP trunks, managed VoIP services, T1-OCx connections, managed security services, video conferencing, digital signage, etc.; if it’s out there, then we likely do it. This gives me a high degree of visibility for not only VoIP attacks, but other attacks as well.
Arkeos is a program primarily used on Unix based servers running the Asterisk Open Source PBX. The application mimics a valid extension in which an attacker, after bruteforcing an account, attempts to place calls. What the attacker doesn’t know is that their calls go nowhere. The sole purpose of allowing them to perceive they have an account is to track them. Where they come from, what accounts they use, what VoIP account scanners they use, what numbers they try to dial. Because of the flexibility of Asterisk and Unix as a whole, the application does a lot more than stated however, I will not disclose too much otherwise any attackers reading this might catch on. Then I won’t have anyone to play with.
As time progressed customers who purchased SIP trunks from us were getting “owned” from time to time and to date, I have been called to handle incident response and forensics on over 75 VoIP servers ranging from Asterisk, Avaya, pbxnsip, CME and a mixture of everything in between. Usually the outcome has been the same: weak accounts and weak passwords.
2007 – 2008’s Attackers trends
For the better part of 2007 and 2008, attackers had a common modus operandi: scan a host for an open account, register a device (soft phone, another SIP trunk) and fire away thousands of calls. I have personally seen a company spend over a quarter of a million US dollars because of these attacks. Before I dive more into stats a bit, I will explain a bit about the financial loss for those who don’t think that it’s a big deal. I currently have a client who purchases a heavy amount of SIP trunks from my company, they in turn have a “Vonage” like business. Their customers buy an ATA, number, connect and place calls from Latin America. My client one day sends me an e-mail asking me if I would be willing to take a look at his network as his upstream was sending them abuse messages. Game on.
My client has approximately 20 servers in the continental US and 20 in Latin America. They were using a mixture of Asterisk and other equipment. What was happening to their servers was two-fold, attackers were leveraging VoIP accounts and placing thousands of calls. During the times when attacks took place, their bandwidth was so saturated that normal clients’ calls experienced horrible quality and drops. This led to loss of clients, enormous phone bills to places like Sierra Leone, Romania and the list goes on. To make a long story short, it took me approximately six weeks to clean up their shop as I could NOT take any of their servers offline. I essentially had to analyze what occurred, cut the bleeding, implement a fix and implement post remediation. Ultimately I programmed a distributed “cleaning” application to clean up accounts, create appropriate firewall rules, clean up backdoored binaries, implement an SIEM. This was another cost the client had to contend with. When I say over a quarter of a million dollars I am being very conservative. That was only the first instance of what occurred in their network, the second was, a few of their servers had become bots – but that is another story. Moving back into the statistics and trends of attackers I’ve seen, attackers are becoming smarter and the attacks seem more focused and targeted.
2009 – 2010’s Attackers trends
On a daily basis I see approximately six or seven attacks on each one of my Internet facing PBX’s, this estimate is based on solid numbers. The total amount of attacks divided by the amount of servers I have. While it may not seem like a big deal but the fact of the matter is, if one attack cost a company a quarter of a million in damages, the last thing I need to see is an attack on my company. Management’s first response would be “why didn’t you stop it.” The reality is, my company too was the victim of tollfraud via legacy VoIP accounts. We experienced 96 billable hours from our carrier to calls made to numbers in Sierra Leone. I know firsthand that these attackers are not “script kiddies” but focused fraudsters. Altogether during a highly volatile week, I can see approximately 150 – 200 attacks per day.
Previously (between 2007 – 2008) when I monitored the attacks, the attack phase was: “get an account, fire and forget,” whereas now, there seems to be less automation and more intervention. This is evident in the way attackers are placing calls. Here is an entry from today in my Arkeos database of an attacker coming from an address in Germany. Take note that I have sanitized data to keep the identity of my honeypot at bay:
# more peer-verbose-Mon-21-Sep-2009-11\:59\:34-AM-EDT.txt
-- General --
Name: SIP/300-b6b241c0
Type: SIP
UniqueID: 1253548774.7688
Caller ID: 1xxxxxxxxxx
Caller ID Name: xxxxxxxxxx
DNID Digits: 16085541772
State: Ring (4)
Rings: 0
NativeFormats: 0x2 (gsm)
WriteFormat: 0x40 (slin)
ReadFormat: 0x40 (slin)
WriteTranscode: Yes
ReadTranscode: Yes
1st File Descriptor: 39
Frames in: 0
Frames out: 0
Time to Hangup: 0
Elapsed Time: 0h0m0s
Direct Bridge:
Indirect Bridge:
-- PBX --
Context: xxxxxxxx
Extension: xxxxxxxx
Priority: 2
Call Group: 0
Pickup Group: 0
Application: Dial
Data: SIP/1xxxxxxxxxx
Blocking in: ast_waitfor_nandfds
Variables:
SYSTEMSTATUS=SUCCESS
SIPCALLID=146ef044580a3a795de94b541db21249@xxx.xxx.xxx.xxx
SIPUSERAGENT=Asterisk PBX
SIPDOMAIN=xxx.xxx.xxx.xxx
SIPURI=sip:300@85.214.85.180
CDR Variables:
level 1: clid=xxxxxxxx
level 1: src=xxxxxxxx
level 1: dst=xxxxxxxx
level 1: dcontext=xxxxxxxx
level 1: channel=SIP/300-b6b241c0
level 1: dstchannel=SIP/xxxxxxxx
level 1: lastapp=Dial
level 1: lastdata=SIP/xxxxxxxx
level 1: start=2009-09-21 11:59:34
level 1: answer=2009-09-21 11:59:34
level 1: end=2009-09-21 11:59:34
level 1: duration=0
level 1: billsec=0
level 1: disposition=NO ANSWER
level 1: amaflags=DOCUMENTATION
level 1: uniqueid=1253548774.7688
So what occurred here? The who, what, where and how? The four most important variables are easy to parse:
How: Name: SIP/300-b6b241c0
Where: DNID Digits: 002314599711
What: SIPUSERAGENT=Asterisk PBX
Who: SIPURI=sip:300@85.214.85.180
How? An attacker leveraged a SIP account on the honeypot (username=300) Where? They tried dialing 16085541772 What? They likely tried trunking the SIP account to their Asterisk box Who? 85.214.85.180 So who owns the server? A company reselling hosting:
inetnum: 85.214.16.0 - 85.214.139.255
netname: STRATO-RZG-DED2
descr: Strato Rechenzentrum, Berlin
country: DE
admin-c: SRDS-RIPE
tech-c: SRDS-RIPE
remarks: ************************************************************
remarks: * Please send abuse complaints to abuse-server@strato.de *
remarks: * or fax +49-30-88615-755 ONLY. *
remarks: * Abuse reports to other e-mail addresses will be ignored. *
remarks: ************************************************************
status: ASSIGNED PA
mnt-by: STRATO-RZG-MNT
source: RIPE # Filtered
Wondering if this is spoofed (since some seem to think it is):
# nmap -sU -p 5060 85.214.85.180
Interesting ports on server1.stacheshof.de (85.214.85.180):
PORT STATE SERVICE
5060/udp open|filtered sip
Nmap finished: 1 IP address (1 host up) scanned in 1.755 seconds
Likely not spoofed however, this does not stop someone from compromising a host and using it to do other things. The likelihood of this server being compromised AND running a PBX on it is low and here is my reasoning for this comment, I’ve seen this address quite a few times connecting to different addresses during different months. I would think a server’s administrator would notice a PBX server running on their system. What makes things even more interesting is the following, the attacker tries to make one call, then starts changing his (or her) dialing patterns:
002314599711 - 20100921-11:41:33
92314599711 - 20100921-11:47:42
9002314599711 - 20100921-11:54:31
90112314599711 - 20100921-12:00:29
The calls were placed at odd times to make me think they were automated. The first call was at 11:41 followed by six minute gap, followed by a 7 minute gap, followed by another 6 minute gap. In previous times, automation was instant. Even odder is, how is this person aware that a call didn’t go through and that they should be changing the dial plan? My response is, they have some form of visibility into that destination number. Calls from my honeypot sound just as any other call with the exception they all end up in one place. Voicemail to a non-existent account. This further allows me to hear the audio if any is left.
After accumulating all of this data, I figured it would be best to share it with others in the industry via the “VoIP Abuse Project.” The purpose of the project is to create a blacklist of sorts for any engineer or admin to be able to use to block out the bad guys. Alongside blocking out the bad guys, it always offers a place to showcase the realities of “abuse desks” of companies whose networks are being used in attacks. That goal too is simple, systems are attacked and reported, companies responding and correcting issues should be applauded, companies ignoring the issue should know that it will only be a matter of time before their clients cost them more in lost revenue. It’s their networks, they should be more responsible about what leaves their network. Anyhow, this has become rather long so I will leave this as a part one. Stay tuned for more.
Pingback: Arkeos and the VoIP Abuse Product | VoIP Users Conference
Thank you for sharing your extensive work Jay, looking forward for more details about your Arkeos Project…
Pingback: Links from October 1st, 2010 | VoIP Users Conference
Hi Jay,
While reading your excellent report, one question came to mind:
What is the added value of having a honeypot listening/responding to SIP traffic in the first place?
I would think that if I would deploy a honeypot this would live on an IP that no legitimate user needs to be at. So any host addressing this honeypot is hostile by default.
Have this honeypot script the offending address in the edge router’s ACL through which he entered my network, and I’m done, no?
In other words, I’m not at all interested in what the bad-guy is trying to accomplish, (i.e. which port he is calling, SIP, SSH, ping, whatever) once he hits the honeypot I slam the door on him.
Makes sense?
Kind regards,
Leo
The honeypot script itself that I made can be used to perform incident response on the fly. For example, let’s assume you are using Asterisk and an extension get compromised. You can modify the dialplan for the compromised extension to point at the honeypot and gather information on who compromised you.
Also, the theory always was, if they found ONE thing that was interesting, they would leave other things on your network alone, which gave you time to sort out who was attacking.
Right now any and all versions of Asterisk I run have the honeypot running for the sake of determining what attackers are doing. It performs three functions, study the attackers, then blocks them, then reports to a master. The master now Tweets those attackers in near real time to: http://www.twitter.com/voipabuse/
Are you still involved in this project i see the attacker tweets stopped in 2011?
Sharif,
I’m guessing that the project is on hold because, as you note, the tweets stopped in 2011. I will see if I can contact j. Oquendo to have him provide an update.
Thanks for noticing,
Dan
Hello,
Will you be kind enough to share your Arkeos script so I can add it on my Asterisk server for added security?
Herald,
Given that this blog post is 6 years old now, I’ll have to try to reach out to J. Oquendo and see if he is still using this setup and can help you. I will contact you directly if I am able to reach him.
Dan
Arkeos evolved into Phorensix which has not been updated in some time so it will likely need some work to get it going in your environment. Unfortunately I have been out of the VoIP loop for some time and have been focused on Threat Intelligence and Pentesting moreso than VoIP. (Greets Dan. My contact info should be up to date on LinkedIn, if not send me an email and I will get it over to you)
Quick question.. would you consider doing a review or test of our cloud phone service? We’re located in Florida and trying to get the word out there.
I tried reaching out to you but your email server returned an error:
: host fax.xxxxxx.com[199.85.xxx.xx] said: 550 5.7.1
Unable to relay for connolly@xxxxxx.com (in reply to RCPT TO command)