
Thread: How to protect Quadro from SIP attacks (basic guidance)

  1. #1
    Quadro Architect

    How to protect Quadro from SIP attacks (basic guidance)

    Hi folks,

    taking into account the increased number of complaints because of SIP attacks, I decided to write up some guidance on how to secure your Quadro, to avoid unnecessary problems. This text is copied from one of my posts in another thread, and corrected/improved a bit. This (or similar) article will be posted in the Knowledgebase too.

    Here it is:

    Protecting Quadro from SIP Attacks

    With IP telephony becoming increasingly popular, it attracts the attention of those who would like to make free calls at other people's expense. SIP devices are often attacked, with the intent of finding the username/password of accounts on that device.

    Such attacks can be potentially dangerous. If somebody is constantly trying to guess your passwords, there is some probability that he will succeed some day. If the hacker is successful, one fine day the IP PBX owner could find his telephone bill containing a tremendous number of calls to pretty expensive international destinations... Not a pleasant surprise at all.

    Besides that, those attacks are adding unnecessary load to the PBX, and that load can be really big. In case of a very strong attack (especially a distributed one), the device can slow down or even lock up. This can even make the owner of the IP PBX believe that the hardware has failed and so cause support issues for the integrator.

    Everything mentioned above refers to any SIP device. I would now focus on what can be done specifically in Quadro, to avoid such undesirable incidents.

    There are some steps which could be taken at the time of installation of Quadro. As Quadro is supposed to use the WAN port to connect to the Internet, where the supposed attackers are residing, I will focus on protecting the WAN in the first place.

    There are actually three possible cases when it comes to WAN usage:

    ************************************************************************

    Case 1: The WAN interface is not used for SIP calls, but only for remote management or other non-call related activity.

    Solution: In this case, the best solution is to set the Quadro Firewall level to High and disable the "SIP Access" in the firewall filtering rules.

    ************************************************************************

    Case 2: The WAN interface is used for SIP calls but only to/from specific SIP destinations. Those specific SIP destinations can be an ITSP server, other Quadros in another location or remote IP phones, given that all of them have fixed static IP addresses.

    Solution: In this case, you can again set the Firewall level to High and edit the "SIP Access" rule to allow access for only a specific IP group. You can add that group in the "IP Pool Configuration" page ("Manage IP Pool Groups" link in "Filtering Rules") and add the list of static IP addresses. Then you need to edit the "SIP Access" rule to choose that group instead of "Any IP". Don't forget to enable the rule after editing.

    ************************************************************************

    Case 3: This is the most complex case - if you need to make/receive SIP calls from/to devices having dynamic IP addresses. This could be other Quadros at remote locations (if for some reason you cannot give them static IP addresses) or remote phones used by traveling people to connect to remote extensions.

    Solution: As I said, it could be tricky to 100% secure the system in such cases, but it is possible to do. You have to use VPN to secure the Quadro, and have the remote users connect to the Quadro using a VPN router (in the case of remote SIP devices) or using a VPN connection on their laptops (in the case of traveling people connecting as remote extensions). If you are using a laptop with Windows, installing the PPTP VPN could be the most convenient option.

    Here are three options for setup at the Quadro side (all these options assume you are using High or Medium level of security on the Quadro firewall and that you just open SIP access to the devices which have known static IP addresses):

    Option A (simple, cheap, but limited). Use the Quadro's own VPN to connect to remote clients (Quadro as a VPN server). This will work, but will strongly limit the number of IP phones which can connect from the remote side. Quadro is not a dedicated VPN device, so loading it with high VPN traffic (such as many simultaneous calls) is very undesirable, as it may affect other user functionality.

    Option B. Set the Quadro behind a powerful VPN router/NAT device. The Quadro will have its firewall open for some selected IP addresses in the internet, and a selected IP range in the local network of that VPN router/NAT device. Remote devices should connect through VPN and upon connecting should get the IP from that allowed local range.

    Option C. Connect a VPN router connected in parallel to the Quadro. The WAN of the router will be connected to the same network as the Quadro's WAN (or you can have both the Quadro and the VPN router assigned real IP addresses). The LAN of the VPN router is connected to the same network as the LAN of the Quadro. Remote agents with their laptops can connect to the VPN router, and that way they can propagate to the Quadro's LAN network. The Quadro will then recognize them just as a regular device in its LAN.

    The last two options offered above are doable and pretty good solutions, they just need some additional expenses from the customer (I assume that is to be expected if customer has high security requirements, along with portability needs) and some network knowledge from the integrator.

    ************************************************************************

    Those are the general ideas/instructions on how to solve the problem. Detailed instructions and diagrams would be nice of course, but they are out of the scope of this document.

    And, last but not least - if for some reason you cannot use any of the methods above, you still can use the "SIP IDS" feature of the Quadro. Epygi does not guarantee that SIP IDS will block any kind of attack (blocking all attacks is a pretty difficult separate task, similar to writing antivirus products) but it really helps in many cases. It can be enabled in the hidden "generalconfig.cgi" (for older 5.2 versions), or from the "System"->"System Security Management" page in the newer versions.

    Best regards,
    David
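    The following is an added illustration, not Epygi's code and not part of the original post, of the two mechanisms David describes: the Case 2 policy (a "SIP Access" rule that admits only an IP pool group of static addresses) and a SIP IDS-style counter over failed REGISTER attempts. The pool addresses, the log line format and the threshold are constructed assumptions; Quadro's real log format and IDS thresholds are not documented on this page.

```python
"""Added illustration (not Epygi's code): a Case 2 'SIP Access' allowlist
and a simple SIP IDS-style failed-REGISTER counter, run over constructed
sample data. IP ranges, log format and threshold are assumptions."""
import ipaddress
import re
from collections import defaultdict

SIP_PORT = 5060  # standard SIP signalling port, the one that gets probed

# Constructed stand-in for the Quadro "IP Pool Group" of trusted static
# addresses (Case 2): a hypothetical ITSP proxy and a remote office range.
VOIP_POOL = [
    ipaddress.ip_network("203.0.113.10/32"),  # hypothetical ITSP server
    ipaddress.ip_network("198.51.100.0/29"),  # hypothetical remote Quadro
]


def sip_access_allowed(src_ip, dst_port, pool=VOIP_POOL, rule_enabled=True):
    """Decide whether a packet passes a 'SIP Access' rule limited to `pool`.

    Non-SIP traffic is not this rule's business and passes through to the
    other rules. With the rule disabled (Case 1) no SIP reaches the device.
    """
    if dst_port != SIP_PORT:
        return True
    if not rule_enabled:
        return False
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in pool)


# Constructed syslog-like lines, NOT real Quadro output: one legitimate ITSP
# registration, a burst of guesses from one address, and a remote-office
# phone that mistypes its password once before registering successfully.
SAMPLE_LOG = """\
2011-03-01 08:00:01 sip: REGISTER from 203.0.113.10 user=100 result=OK
2011-03-01 08:00:05 sip: REGISTER from 192.0.2.44 user=100 result=FAIL
2011-03-01 08:00:05 sip: REGISTER from 192.0.2.44 user=101 result=FAIL
2011-03-01 08:00:06 sip: REGISTER from 192.0.2.44 user=102 result=FAIL
2011-03-01 08:00:06 sip: REGISTER from 192.0.2.44 user=103 result=FAIL
2011-03-01 08:00:07 sip: REGISTER from 192.0.2.44 user=104 result=FAIL
2011-03-01 08:00:09 sip: REGISTER from 198.51.100.3 user=200 result=FAIL
2011-03-01 08:00:10 sip: REGISTER from 198.51.100.3 user=200 result=OK
"""

LINE_RE = re.compile(r"sip: REGISTER from (\S+) user=(\S+) result=(OK|FAIL)")


def failed_register_counts(log_text):
    """Count failed REGISTER attempts per source address."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(3) == "FAIL":
            counts[m.group(1)] += 1
    return dict(counts)


def suspected_attackers(log_text, threshold=5):
    """Sources whose failed REGISTER count reaches `threshold` (assumed value).

    A single typo from a trusted phone stays well under it; a password
    guessing run across several extensions does not.
    """
    counts = failed_register_counts(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def lines_passing_firewall(log_text, pool=VOIP_POOL):
    """Keep only the lines the Case 2 rule would admit, i.e. what the SIP
    stack actually sees behind a correctly configured firewall."""
    kept = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and sip_access_allowed(m.group(1), SIP_PORT, pool):
            kept.append(line)
    return "\n".join(kept)


if __name__ == "__main__":
    print("IDS on unfiltered log :", suspected_attackers(SAMPLE_LOG))
    print("IDS behind Case 2 rule:",
          suspected_attackers(lines_passing_firewall(SAMPLE_LOG)))
```

    Running it shows the point made later in the thread: with the allowlist in place the guessing source never reaches the SIP stack, so the IDS has nothing to flag, while the remote-office phone's single failed attempt is admitted and ignored. The SIP IDS is the fallback for traffic the firewall has to let through.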

  2. #2

    Hi David,
    Thanks for the options provided, I use my system like option 2, and I have created an IP Pool group, with the two ITSP IP addresses in it, configured SIP Access to only allow my VoIP pool, enabled it. I was hoping to test it but just this morning I got attacked by someone as usual, it happens about 6 times a month. And the system got very slow and I received about 100 or so emails notifying me about the SIP attack.
    I am not sure what I have done wrong.
    Please help.

  3. #3
    Quadro Architect

    If you did everything right, the firewall would block every IP except the ones you have configured, and the hacker has no chance to break in. So if you still have attacks, there are three options: either those attacks came from your ITSP addresses, or the attacker is coming from the LAN side, or you misconfigured something in the Firewall.
    You could check the following:
    1. make sure you enabled the firewall and set it to Medium or High security.
    2. make sure you don't have alien IP addresses in the "Allowed IP List".
    This config is actually very simple and there is not much that could go wrong with it. It should work, as it is very simple. If you checked everything, and still the hacker somehow manages to penetrate into your Quadro, please contact Epygi tech support (tell them that David asked you to do so). I am sure this problem could be resolved very quickly, as soon as we could look at the configuration of that device.

  4. #4

    Is working great now, Thanks

    Hi David,
    I did what you said and removed a rule I found that previously blocked outbound Internet access; this time around I don't have the block access issue. I have tried to register a SIP client using my iPhone and it does not even show on the events list, only trouble is I can't use my IQall, I can live with that.
    Thanks for not giving up on me. Much appreciated

  5. #5

    What are our options for older hardware systems 4x and 2x that can't be upgraded to 5.2 software? I would like to enable IDS for SIP attacks but think I have to upgrade to 5.2, but the upgrade fails.

  6. #6

    Quote Originally Posted by abpinter
    What are our options for older hardware systems 4x and 2x that can't be upgraded to 5.2 software? I would like to enable IDS for SIP attacks but think I have to upgrade to 5.2, but the upgrade fails.

    See if your hardware versions are 32 or 64; if 64, you can follow the upgrade path to the latest firmware version.

    32 meg NAND systems cannot be firmware upgraded to version 5.2 or above.

    5.1.39 is the best they can get to.


    K

  7. #7
    Quadro Architect

    Quote Originally Posted by abpinter
    What are our options for older hardware systems 4x and 2x that can't be upgraded to 5.2 software? I would like to enable IDS for SIP attacks but think I have to upgrade to 5.2, but the upgrade fails.
    The SIP IDS is not the only, and actually is not the preferred way to get rid of SIP attacks. In the article above, you can see your options for older hardware systems. Eventually the whole article is dedicated to those options. Just try to read that please.

  8. #8

    Hi David,

    Thanks for the guidance, explained simply what we need to do in this critical area.

    We have tested a few Quadro systems during implementations and noticed that when we used a non-standard port, i.e. non-5060, the SIP attacks were absent. The Quadros with port 5060 continued to have daily barrages of such attacks. We have also tried our best to send abuse reports of the offending IPs and this at times is acted on. This is not a foolproof case but does help in some way to strengthen the defences in this crazy environment.

  9. #9

    Great post. Thanks for sharing this.

  10. #10

    Hi David, Protecting Quadro from SIP Attacks, I learned it, thank you
