
Fraudulent REGISTER on SBCE Remoteworker flow 1

Status
Not open for further replies.

AvayaUC2021

Technical User
Jan 27, 2021
Hi team,

I have an Avaya SBCE (release 8.0.1) installed with an Avaya IPO (release 11.0.4).

I have a remote worker service running on SBCE.

Since yesterday, I have received many fraudulent REGISTERs and I don't know how to block them correctly.

I have already activated the DDoS options but that doesn't block the attacks.

Thank you for help

Regards
 
They use the Avaya User Agent as default, I get these attacks on systems where you can't access the settings file.

It used to be the User Agent for the old Nortel phone but they've changed it again.

"Trying is the first step to failure..." - Homer
 
Although they could get this from the User Agent you send out.
It would probably make sense to make the SBC remove or alter it.

"Trying is the first step to failure..." - Homer
 
Hi team,

So I made some configuration that looks fine to block the attacks!

- I created one URI-Group (BLOCK) that blocks all domains.

- I created another URI-Group (ALLOW) that allows only my domain.

- I assigned the ALLOW URI-Group to my subscriber/server flows.

Now the attacks are directly blocked by the SBCE with a 403 message!

I'm working on users' password complexity, to force users to change their passwords with a password complexity chosen by the administrator of the IPO.
Also, I'm working on an MDM solution to push my certificate on the user's phones.

I think with all that I'll be safe :)

Thank you
 
Yes, I want to add mutual authentication to enforce security.
 
Hi team,

Does someone use the DDoS Call Walking feature on SBCE?
How does that work?

Thanks
 
Hi team,

Is it possible that the SBCE doesn't respond to hackers with a 403 Forbidden message?
Thank you
 
I tried that but it doesn't work, I'm still sending 403 Forbidden to the hackers...
 
I think, because the SBCE generates the message, we can’t modify it. I tried a sigma script but same result.

Freelance Certified Avaya Aura Engineer

 
I like working on improvements to Avaya solutions.
I'll request a GIRP for that functionality.

I requested a GIRP for SBCE license usage in real time with IPO and my request was released on SBCE 8.1.2 (license compliance) :)

have a nice day !
 
Can't you just change the security settings so if they fail too many times they get ignored?

The default setting is set pretty high before it triggers anything.

"Trying is the first step to failure..." - Homer
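The two defensive ideas raised in this thread, the ALLOW/BLOCK URI-Group filter on the registration domain and a per-source failure threshold, can be checked offline against captured REGISTER traffic. The script below is an added example, not anything from the thread or from Avaya; the SIP domain, the source addresses, the User-Agent string and the threshold are all constructed placeholders. It deliberately does not use the User-Agent header for the decision, since the thread notes that attackers copy the default Avaya value.

```python
import re
from collections import Counter

# Assumed enterprise SIP domain (placeholder, not from the thread).
ALLOWED_DOMAINS = {"pbx.example.corp"}
# Rejected REGISTERs from one source before it is flagged for blacklisting.
FAIL_THRESHOLD = 3

# Constructed sample traffic: (source IP seen by the transport, SIP request).
# One legitimate remote worker, and a scanner that copies the phone's
# User-Agent but registers against an IP literal instead of the SIP domain.
def _reg(request_uri, aor, ua="Constructed-Avaya-UA"):
    return (f"REGISTER {request_uri} SIP/2.0\r\nFrom: <{aor}>;tag=x\r\n"
            f"To: <{aor}>\r\nUser-Agent: {ua}\r\n\r\n")

SAMPLE_REGISTERS = [
    ("203.0.113.10", _reg("sip:pbx.example.corp", "sip:1001@pbx.example.corp")),
    ("198.51.100.7", _reg("sip:198.51.100.200", "sip:100@198.51.100.200")),
    ("198.51.100.7", _reg("sip:198.51.100.200", "sip:101@198.51.100.200")),
    ("198.51.100.7", _reg("sip:198.51.100.200", "sip:102@198.51.100.200")),
    ("198.51.100.8", _reg("sip:198.51.100.200", "sip:200@198.51.100.200")),
]

# Host part of a SIP URI, with optional user@ and without any port.
URI_RE = re.compile(r"sip:(?:[^@>;\s]+@)?([^>;:\s]+)")

def parse_register(message):
    """Return the method, Request-URI domain and From domain of a request."""
    lines = message.split("\r\n")
    method, request_uri, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    req_m = URI_RE.search(request_uri)
    from_m = URI_RE.search(headers.get("from", ""))
    return {"method": method,
            "request_domain": req_m.group(1) if req_m else "",
            "from_domain": from_m.group(1) if from_m else ""}

def classify(message, allowed_domains=ALLOWED_DOMAINS):
    """URI-Group style decision: allow only the enterprise domain, else reject."""
    req = parse_register(message)
    if req["method"] != "REGISTER":
        return "ignore"
    if req["request_domain"] in allowed_domains and req["from_domain"] in allowed_domains:
        return "allow"
    return "reject"

def sources_to_block(registers, threshold=FAIL_THRESHOLD):
    """Sources with >= threshold rejected REGISTERs: candidates for blacklisting
    at the SBCE instead of answering each request with a 403."""
    rejects = Counter(src for src, msg in registers if classify(msg) == "reject")
    return {src for src, n in rejects.items() if n >= threshold}
```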
 