[VOIPSEC] A Simple Asterisk Based Toll Fraud Prevention Script
J. Oquendo
sil at infiltrated.net
Sat Feb 7 11:02:26 CST 2009
On Sat, 07 Feb 2009, Hendrik Scholz wrote:
> Hi!
>
> What would happen if I just send REGISTERs with broken/wrong
> Authorization: headers?
> Looking at check_auth() in chan_sip.c there is no difference
> if the nonce was offered by the Asterisk machine itself or it
> was just a random one I came up with.
> That way an attacker could spoof a source IP, send a single
> REGISTER with random Authorization:.
> Your script would trigger and block a possibly legitimate source
> (i.e. your outbound SIP trunk ;)).
>
> Just my $.02,
> Hendrik
>
> --
> Hendrik Scholz <hs at 123.org>
>
You assume two things... First, it was a basic primer; secondly,
you'd have to guess where someone would be coming from to make
it effective. For example, let's look at the following:
PBX 10.1.1.0/24(internal)|2.3.4.5/32(external)
Internal users would be registering internally. If you're not
doing at least RFC 1918 filtering on your network, you shouldn't
even be talking on this or any professional security list.
So now we take your theory:
Remote_SIP_User --> Register --> Asterisk_PBX
To disaffect the Remote_SIP_User, you'd 1) have to know his
or her address and which server they're registering to, not
to mention HOPE they'd be running that script without modifying
it.
Source IP would always be the root of evil, but in this
IPS/IDS/INSERT_YOUR_NAME_HERE write-up, you're weighing
options. The potential of someone ranDumbly scanning
VoIP-based PBXs for the sake of causing denials of
service is low in comparison to those scanning in hopes
of making money (toll fraud).
Remember, the goal here wasn't to protect against DoS;
it's to prevent brute-force attacks, which are almost
never a denial of service but an entry point for
something else. In the case of the PBX, outrageous
calls.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP
"Enough research will tend to support your
conclusions." - Arthur Bloch
"A conclusion is the place where you got
tired of thinking" - Arthur Bloch
227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
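The trade-off argued in this thread, as an added example that is not the
script under discussion and not code from either poster: a small Python
log-driven blocker in the style of the primer. It counts chan_sip
"Registration ... failed for" NOTICE lines per source IP, then decides
which hosts to drop. Called with a threshold of one and no safeguards it
behaves the way Hendrik's objection describes (a single spoofed REGISTER
with a bogus Authorization gets the trunk's address blocked); called with
the RFC 1918 exclusion and a trusted-trunk allowlist it behaves the way
the reply assumes a deployed copy would. The log lines are constructed in
the shape Asterisk 1.4/1.6 chan_sip wrote them, the function names, the
threshold of 5 and the trunk address 203.0.113.9 are assumptions for the
illustration, and the emitted iptables command is one plausible action, not
the original script's.

```python
import ipaddress
import re
from collections import Counter

# chan_sip NOTICE line for a failed REGISTER, as Asterisk 1.4/1.6 logged it.
# Some builds append ":port" to the source address; the regex tolerates both.
FAILED_REG = re.compile(
    r"Registration from '(?P<from>[^']*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.*)$"
)

# RFC 1918 space: internal phones register from here, and the reply's
# position is that these ranges are filtered at the edge, so failures from
# them are never a reason to add an external block rule.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log (not captured from a real PBX): a scanner walking
# extensions from 198.51.100.7, one bad-auth REGISTER "from" the trunk
# address 203.0.113.9 (what a spoofed packet would look like), one internal
# typo from 10.1.1.50, and a successful registration that must be ignored.
SAMPLE_LOG = """\
[Feb  7 10:58:01] NOTICE[2048] chan_sip.c: Registration from '"100" <sip:100@2.3.4.5>' failed for '198.51.100.7' - Wrong password
[Feb  7 10:58:01] NOTICE[2048] chan_sip.c: Registration from '"101" <sip:101@2.3.4.5>' failed for '198.51.100.7' - No matching peer found
[Feb  7 10:58:02] NOTICE[2048] chan_sip.c: Registration from '"102" <sip:102@2.3.4.5>' failed for '198.51.100.7:5060' - No matching peer found
[Feb  7 10:58:02] NOTICE[2048] chan_sip.c: Registration from '"103" <sip:103@2.3.4.5>' failed for '198.51.100.7' - No matching peer found
[Feb  7 10:58:02] NOTICE[2048] chan_sip.c: Registration from '"104" <sip:104@2.3.4.5>' failed for '198.51.100.7' - No matching peer found
[Feb  7 10:59:10] NOTICE[2048] chan_sip.c: Registration from '"trunk" <sip:trunk@2.3.4.5>' failed for '203.0.113.9' - Wrong password
[Feb  7 10:59:30] NOTICE[2048] chan_sip.c: Registration from '"200" <sip:200@10.1.1.1>' failed for '10.1.1.50' - Wrong password
[Feb  7 10:59:40] VERBOSE[2048] chan_sip.c:     -- Registered SIP '100' at 10.1.1.20:5060
"""


def failed_registrations(log_text):
    """Return a Counter of failed REGISTER attempts keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_REG.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def hosts_to_block(counts, threshold=5, trusted=(), ignore_rfc1918=True):
    """Pick the source IPs that earn a block rule.

    threshold      -- failures needed before a host is blocked; 1 reproduces
                      the single-packet trigger the objection is about.
    trusted        -- CIDR strings that are never blocked (outbound trunks).
    ignore_rfc1918 -- skip private sources; they are internal phones.
    """
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    block = []
    for ip, n in counts.items():
        addr = ipaddress.ip_address(ip)
        if ignore_rfc1918 and any(addr in net for net in RFC1918):
            continue
        if any(addr in net for net in trusted_nets):
            continue
        if n >= threshold:
            block.append(ip)
    return sorted(block)


def iptables_rules(ips):
    """Render one DROP rule per offending host for SIP over UDP/5060."""
    return ["iptables -I INPUT -s %s -p udp --dport 5060 -j DROP" % ip
            for ip in ips]


if __name__ == "__main__":
    counts = failed_registrations(SAMPLE_LOG)
    print("naive (threshold 1, no exclusions):",
          hosts_to_block(counts, threshold=1, ignore_rfc1918=False))
    print("with RFC 1918 filter and trusted trunk:",
          hosts_to_block(counts, threshold=5, trusted=("203.0.113.9/32",)))
    for rule in iptables_rules(
            hosts_to_block(counts, threshold=5, trusted=("203.0.113.9/32",))):
        print(rule)
```

The naive call blocks all three sources, the trunk and the internal phone
included, after one failure each; the guarded call blocks only the scanner.
Note that neither call can tell a spoofed packet from a real one, which is
the point of the objection; the allowlist and the threshold only raise the
cost of abusing the blocker, they do not remove the source-IP dependency.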