
SIP Attacks and Bad Service Providers


jimbojimbo

Vendor
Jul 2, 2002
1,081
US
Anyone know where there is a reasonable list of bad service providers known to harbor malicious actors? I've been building up my firewall rules on the SBC and have eliminated most attacks; however, I'm still getting a few every couple of days.

I had one major issue and eventually had to open a case with the FBI since the hosted solution provider basically refused to do anything other than change their form for abuse reporting (I assume so they could filter mine out). Provider also refused to disclose the name of the individual or company attacking me.

Blocking foreign address space is relatively easy. Unfortunately foreign entities are allowed to purchase hosted space using US IP address space.
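The approach the post describes, rules built up on the SBC from the attacks actually seen and tightened to the hosted providers that keep showing up, as an added Python example that is not code from the original post or from any SBC vendor. The log format, the provider prefix table (documentation ranges only), the allowlist, the thresholds and the ipset set name are all constructed assumptions; in practice the prefix table is built from WHOIS/ASN data for the provider in question.

```python
"""Turn failed SIP REGISTER/INVITE attempts into per-host and per-provider block rules.

Added illustration, not code from the thread. The log format, the provider
prefix table, the allowlist, the thresholds and the ipset set name are all
constructed assumptions; in practice the prefix table comes from WHOIS/ASN data.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample of SBC / SIP proxy log lines (not captured traffic).
SAMPLE_LOG = """\
2024-05-01T02:10:11Z sip REGISTER 198.51.100.23 user=1001 result=401
2024-05-01T02:10:12Z sip REGISTER 198.51.100.23 user=1002 result=401
2024-05-01T02:10:13Z sip REGISTER 198.51.100.23 user=1003 result=401
2024-05-01T02:10:14Z sip REGISTER 198.51.100.23 user=1004 result=401
2024-05-01T02:10:15Z sip REGISTER 198.51.100.23 user=1005 result=401
2024-05-01T02:11:01Z sip INVITE 198.51.100.77 user=9011 result=403
2024-05-01T02:11:02Z sip INVITE 198.51.100.77 user=9012 result=403
2024-05-01T02:11:03Z sip INVITE 198.51.100.77 user=9013 result=403
2024-05-01T02:12:00Z sip INVITE 203.0.113.9 user=1001 result=404
2024-05-01T02:12:01Z sip INVITE 203.0.113.9 user=1001 result=404
2024-05-01T02:30:00Z sip REGISTER 192.0.2.10 user=1001 result=200
2024-05-01T02:31:00Z sip REGISTER 192.0.2.10 user=1001 result=200
"""

LINE_RE = re.compile(
    r"^\S+ sip (?P<method>REGISTER|INVITE) (?P<ip>[\d.]+) user=\S+ result=(?P<code>\d{3})$"
)

# Constructed hosted-provider allocations (documentation ranges, not real providers).
PROVIDER_PREFIXES = {
    "ExampleHosting-A": [ipaddress.ip_network("198.51.100.0/24")],
    "ExampleHosting-B": [ipaddress.ip_network("203.0.113.0/24")],
}
# Never block your own remote workers or the carrier's SBC, whatever the log says.
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]

PER_IP_THRESHOLD = 3        # failures from a single address before a /32 block
PER_PROVIDER_THRESHOLD = 6  # failures summed over a provider's prefixes before a prefix block
FAILURE_CODES = {401, 403, 404, 407}  # typical scanner / credential-guessing responses


def provider_for(ip):
    """Name of the provider whose prefix contains ip, or None."""
    for name, nets in PROVIDER_PREFIXES.items():
        if any(ip in net for net in nets):
            return name
    return None


def parse_failures(log_text):
    """Count authentication/authorization failures per source IP (keys are strings)."""
    failures = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and int(m["code"]) in FAILURE_CODES:
            failures[m["ip"]] += 1
    return failures


def decide_blocks(failures):
    """Map CIDR -> reason. Single offenders get a /32; when a provider's
    aggregate crosses the threshold the whole prefix is blocked and the
    /32s inside it are dropped as redundant."""
    blocks = {}
    per_provider = Counter()
    for ip_str, n in failures.items():
        ip = ipaddress.ip_address(ip_str)
        if any(ip in net for net in ALLOWLIST):
            continue
        prov = provider_for(ip)
        if prov:
            per_provider[prov] += n
        if n >= PER_IP_THRESHOLD:
            blocks[f"{ip}/32"] = f"{n} failures" + (f" ({prov})" if prov else "")
    for prov, total in per_provider.items():
        if total >= PER_PROVIDER_THRESHOLD:
            for net in PROVIDER_PREFIXES[prov]:
                blocks[str(net)] = f"{prov}: {total} failures across netblock"
    prefixes = [ipaddress.ip_network(c) for c in blocks if not c.endswith("/32")]
    for cidr in list(blocks):
        if cidr.endswith("/32") and any(ipaddress.ip_network(cidr).subnet_of(p) for p in prefixes):
            del blocks[cidr]
    return blocks


def render_rules(blocks, set_name="sip_block"):
    """One ipset command per block; pair the set with a DROP rule on the SBC/firewall."""
    return [f"ipset add {set_name} {cidr}  # {reason}" for cidr, reason in sorted(blocks.items())]


if __name__ == "__main__":
    for rule in render_rules(decide_blocks(parse_failures(SAMPLE_LOG))):
        print(rule)
```

On the constructed sample the two hosts in 198.51.100.0/24 together cross the provider threshold, so the whole prefix is blocked and the individual /32s are dropped; the 203.0.113.9 scanner stays below both thresholds and only the allowlisted 192.0.2.10 registrations succeed. The same counts are what goes into an abuse report to the provider, so keep the per-IP tallies even when the rule you emit is the prefix.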
 
I asked Avaya to add it to the SBC. Like firewalls feed up the naughty stuff to the firewall vendor's mothership, and they learn what new bad stuff there is, and your software subscription gets you updates.

Are you worried about bad IPs trying to register as remote workers, or bad calls coming from these providers through your provider and onto your SIP trunk?

If it's the latter, that ain't going to be easy. You're basically waiting for STIR/SHAKEN so your carrier can pass you a level of attestation and then you decide what to do with that if they're not attested.

Until that's a carrier provided thing, there's not much your provider knows about the originating end.
 
Even after STIR/SHAKEN implementation it might be tough. Attestation can only come if the whole path of the call is IP based. Throw any TDM legs into the mix and you won't see certs passed. The carrier simply won't know if it's a valid call or not.

Offshore/foreign entities will have an easier time of keeping TDM in play, at least for the meantime.
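The receiving side of what the two replies above describe, as an added Python example that is not code from the thread or from any carrier or SBC vendor: decode the PASSporT carried in the SIP Identity header, read the attest claim, and treat a missing header as merely "unattested" rather than bad, which is exactly what a TDM leg in the path leaves you with. Only the claims are decoded; the ES256 signature is not verified here, since that needs the certificate fetched from the x5u URL and checked against the STI-PA trust list, which is the SBC's or carrier's job. The telephone numbers, the x5u URL, the origid value and the policy labels ("accept", "accept-tagged", "score", "reject", "unattested") are constructed for the example.

```python
"""Decode a SIP Identity header (STIR/SHAKEN PASSporT) and map it to a call policy.

Added illustration, not code from the thread or from any carrier/SBC vendor.
Only the claims are decoded; the ES256 signature is NOT verified here (that
requires fetching the certificate at x5u and checking it against the STI-PA
trust list). The sample numbers, x5u URL, origid and policy names are constructed.
"""
import base64
import json
import time


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def build_identity_header(claims, x5u, signature=b"\x00" * 64):
    """Constructed helper to produce a sample header; the signature bytes are a dummy."""
    def dump(obj):
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    hdr = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u}
    token = ".".join([dump(hdr), dump(claims), _b64url_encode(signature)])
    return f"{token};info=<{x5u}>;alg=ES256;ppt=shaken"


def parse_identity(header_value):
    """Extract attest level, originating/destination TNs and iat.
    Raises ValueError on anything that is not a well-formed SHAKEN PASSporT."""
    token, _, _params = header_value.partition(";")
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("Identity header is not a compact PASSporT")
    try:
        hdr = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, TypeError) as exc:
        raise ValueError(f"undecodable PASSporT: {exc}")
    if hdr.get("alg") != "ES256" or hdr.get("ppt", "shaken") != "shaken":
        raise ValueError("unsupported PASSporT header")
    attest = claims.get("attest")
    if attest not in ("A", "B", "C"):
        raise ValueError("missing or invalid attest claim")
    try:
        return {
            "attest": attest,
            "orig_tn": claims["orig"]["tn"],
            "dest_tns": list(claims["dest"]["tn"]),
            "iat": int(claims["iat"]),
            "x5u": hdr.get("x5u"),
        }
    except (KeyError, TypeError) as exc:
        raise ValueError(f"incomplete claims: {exc}")


def call_policy(identity_header, now=None, max_age=60):
    """Decide what to do with an inbound call from its Identity header.
    None models the case discussed in the thread: a TDM leg (or a pre-STIR
    carrier) strips the header, so the call is unattested, not proven bad."""
    if identity_header is None:
        return "unattested"
    try:
        info = parse_identity(identity_header)
    except ValueError:
        return "reject"   # a present-but-broken header is more suspicious than none
    now = time.time() if now is None else now
    if abs(now - info["iat"]) > max_age:
        return "reject"   # stale or replayed PASSporT (RFC 8224 freshness check)
    return {"A": "accept", "B": "accept-tagged", "C": "score"}[info["attest"]]


def sample_header(attest="A", iat=1700000000):
    """Constructed SHAKEN PASSporT for the demo (documentation-style numbers, dummy signature)."""
    claims = {
        "attest": attest,
        "dest": {"tn": ["12025550123"]},
        "iat": iat,
        "orig": {"tn": "12025550199"},
        "origid": "4e2a0d4e-6e2d-4f0f-9b1c-000000000000",
    }
    return build_identity_header(claims, "https://cert.example.net/sp.pem")


if __name__ == "__main__":
    for label, hdr in [("full attestation", sample_header("A")),
                       ("gateway attestation", sample_header("C")),
                       ("no Identity header (TDM leg)", None)]:
        print(f"{label}: {call_policy(hdr, now=1700000005)}")
```

Note the asymmetry the policy encodes: a header that fails to decode is rejected, but no header at all is only "unattested", because the second case is indistinguishable from a perfectly legitimate call that crossed a TDM leg. Once the signature check is added, a call with a valid header and attest=C still tells you only that some gateway vouched for it, not who originated it.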
 
Not worried about STIR/SHAKEN. Getting a variety of attacks. I've been able to eliminate most, since there seem to be specific hosted providers which are being leveraged more than others. Even so, I still get the occasional hacker trying to get in. I make sure to report the attacks to the hosted solution provider so they can take action. I also post on abuseipdb.com. Unfortunately, there is no requirement for them to provide any information on a customer. Without significant financial loss, FBI Cyber won't touch it.
 
Is your SBC directly connected to the internet, versus a private connection directly to your carrier?
 