Discussion:
[VOIPSEC] Large VoIP Attacks?
J. Oquendo
2013-11-25 18:48:52 UTC
Been a very fun/interesting morning. Since so much has gone
on, I figured I'd share. We have seen a larger than normal,
if not one of the largest, attacks against some of our VoIP
and video conferencing systems today. Initially, we fielded
a report of a "system gone bad," followed by another, then
another, and another. This has now carried on into some of
our videoconference units (LifeSize).

Because our goal is to get telephony up and running, there
was not much we could do via incident response, so I have
little to add on attack vectors; however, I will state that
PBXNSIP has been the primary target, with about a dozen of
these being hit pretty hard, to the point that I've had to
block all, stop the software and restart it.

My dealings with vulnerability disclosures have been that
vendors don't care, so if there is something specific with
PBXNSIP, no one knows, and due to their political bickering
in house, no one is going to fix it. So for anyone using
this software, the long weekend dictates: "lock your ****
down." Same goes for LifeSize.
--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
J. Oquendo
2013-11-26 18:40:29 UTC
> Hey J,
> can you describe what you're seeing please? E.g. Is it a system compromise,
> toll fraud or DoS (or none of these?:) )
> Feel free to post the response to the lists or privately to me.
> cheers,
Yo what's going on Sandro... Will post to list so that
others may be able to chime in if they've seen similar.

Unsure what was happening, since we had to get systems up and
running "right now" as they were live systems with a mess
of users on them (give or take 1,000-1,500 users). This is
all I can say...

Yesterday morning, client who uses a PBXNSIP based system
calls: "Can't make calls, receive calls." Not a big deal,
reload software, sometimes it acts up. Ten minutes later,
another client using PBXNSIP calls with the same issue,
followed by 2-5 systems within a half an hour of one
another.

lsof | grep -i snom showed there were a lot of connections
via HTTP and SIP to various addresses in Europe (.it, .de
and a few others). No one was connected out there. I could
not do packet captures because clients were complaining,
so my ultimate reflex was an anti-toll script I wrote which
blocks ALL but ARIN-based (North American) networks.

This solved the problem on PBXNSIP. Minutes later, some of
my LifeSize videoconferencing units started making phantom
calls to extensions. The username was Test() via the
LifeSize, but I could not perform a packet capture on that
either.

We didn't see any bursts of traffic, e.g., N_amount of
excess bandwidth coming in, so DDoS was out of the question,
and I am always abusing (vulnscanning, webscanning, hitting
up) my PBXs, but I have yet to ever make one unresponsive.
So I am lost as to what occurred. Had I to guess what
happened to PBXNSIP... maybe some bad packet juju forced it
to crash (because it was down for the count). Mind you, this
ONLY affected PBXs running PBXNSIP.

Wish I knew anything more than "that was some bad packetry"
but I'm stumped.
--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
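The triage J. describes above (lsof showing the PBX talking SIP and HTTP to unexpected foreign peers, then a blanket block of everything outside an allowlist) as an added example, not code from the thread or from the poster's anti-toll script. The lsof lines are constructed, the process name "pbx" stands in for whatever his grep for "snom" matched, and ALLOWED_NETS uses documentation prefixes rather than real ARIN allocations:

```python
"""Triage of a PBX's live network peers from `lsof -i -n -P` output.

Added example, not code from the thread. The lsof lines are constructed,
the process name "pbx" stands in for whatever the poster's grep matched,
and ALLOWED_NETS uses documentation prefixes rather than real ARIN ranges.
"""
import ipaddress
import re

# Ports on which the PBX should only be talking to known peers: SIP and HTTP(S).
WATCHED_PORTS = {5060, 5061, 80, 443}

# Constructed stand-in for an "ARIN-only" allowlist. A real one would be built
# from the RIR delegated statistics files, not hand-typed.
ALLOWED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),       # internal phones and units
    ipaddress.ip_network("198.51.100.0/24"),  # placeholder: SIP trunk provider
]

# Constructed `lsof -i -n -P` output (header plus a few sockets).
SAMPLE_LSOF = """\
COMMAND  PID USER FD  TYPE DEVICE SIZE/OFF NODE NAME
pbx     1234 root 12u IPv4  56789      0t0  UDP *:5060
pbx     1234 root 15u IPv4  56790      0t0  TCP 10.0.0.5:5060->203.0.113.9:43211 (ESTABLISHED)
pbx     1234 root 16u IPv4  56791      0t0  TCP 10.0.0.5:80->203.0.113.77:51002 (ESTABLISHED)
pbx     1234 root 17u IPv4  56792      0t0  TCP 10.0.0.5:5060->198.51.100.20:5060 (ESTABLISHED)
pbx     1234 root 18u IPv4  56793      0t0  TCP 10.0.0.5:5060->10.0.0.41:5060 (ESTABLISHED)
sshd     900 root  3u IPv4  40001      0t0  TCP 10.0.0.5:22->203.0.113.9:60000 (ESTABLISHED)
"""

# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME; only lines with a peer ("->") match.
CONN_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<local>\S+)->(?P<remote>\S+)"
)


def split_addr(addr):
    """'203.0.113.9:43211' or '[2001:db8::1]:5060' -> (ip_address, port)."""
    host, _, port = addr.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def parse_connections(text, command):
    """Peered sockets of `command` as (proto, local_port, remote_ip, remote_port)."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m or m.group("cmd") != command:
            continue
        _, lport = split_addr(m.group("local"))
        rip, rport = split_addr(m.group("remote"))
        conns.append((m.group("proto"), lport, rip, rport))
    return conns


def is_allowed(ip):
    return any(ip in net for net in ALLOWED_NETS)


def suspicious_peers(text, command="pbx"):
    """Remote IPs outside the allowlist that reach the PBX on a watched port.

    Returns {remote_ip: {local ports they touched}}.
    """
    peers = {}
    for _, lport, rip, rport in parse_connections(text, command):
        if lport not in WATCHED_PORTS and rport not in WATCHED_PORTS:
            continue
        if is_allowed(rip):
            continue
        peers.setdefault(str(rip), set()).add(lport)
    return peers


def block_rules(peers, chain="INPUT"):
    """One iptables DROP per peer, inserted at the top so it wins over allow rules."""
    return [f"iptables -I {chain} -s {ip} -j DROP"
            for ip in sorted(peers, key=ipaddress.ip_address)]


if __name__ == "__main__":
    bad = suspicious_peers(SAMPLE_LSOF)
    for ip, ports in sorted(bad.items()):
        print(f"{ip} reached local ports {sorted(ports)}")
    print("\n".join(block_rules(bad)))
```

Two caveats a responder should keep in mind. Most SIP runs over UDP on an unconnected socket, which lsof shows as `*:5060` with no peer, so what this view catches is TCP SIP and HTTP only; even a short `tcpdump -w` capture during the outage would have shown far more, including who was hitting the UDP port. And per-source DROP rules are a stop-gap for the peers seen right now; the poster's default-deny by region, which the allowlist above models, is what actually stopped the traffic.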
Sandro Gauci
2013-11-27 09:16:50 UTC
Thanks for the reply! Any logs from PBXNSIP/LifeSize?

Also, have you ever done INVITE floods (and other INVITE tricks) etc on
that PBX? I haven't so I'm wondering if this is simply the case of someone
running svwar.py with INVITE method or a similar tool. I've seen a rise in
that sort of thing lately.

Sandro Gauci
Penetration tester and security researcher
Email: ***@enablesecurity.com
Web: http://enablesecurity.com/
PGP: 8028 D017 2207 1786 6403 CD45 2B02 CBFE 9549 3C0C
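Sandro's guess above (someone running svwar.py with the INVITE method against the PBX) turned into a detection check, as an added example that is neither the thread's code nor SIPVicious itself. It needs the SIP requests the PBX received, which is exactly what J. could not capture; the messages, source addresses, extension range and thresholds below are constructed:

```python
"""Spotting svwar-style extension enumeration in SIP request traffic.

Added example, not code from the thread and not SIPVicious itself. The SIP
messages, source addresses and thresholds are constructed; in practice the
events would come from the PBX's SIP trace or a pcap decoded to text.
"""
import re
from collections import defaultdict

# Request-URI user is optional: REGISTER targets the domain, not an extension.
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+sip:(?:(?P<user>[^@;>\s]+)@)?")
TO_HEADER = re.compile(r'^(?:To|t):\s*(?:"[^"]*"\s*)?<?sip:(?P<user>[^@;>\s]*)@',
                       re.IGNORECASE | re.MULTILINE)


def sip_request(method, ext, src="203.0.113.9", domain="pbx.example.net"):
    """Constructed minimal SIP request; REGISTER targets the domain, others the extension."""
    uri = f"sip:{domain}" if method == "REGISTER" else f"sip:{ext}@{domain}"
    return (
        f"{method} {uri} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {src}:5060;branch=z9hG4bK{ext}\r\n"
        f"From: <sip:{ext}@{domain}>;tag={ext}\r\n"
        f"To: <sip:{ext}@{domain}>\r\n"
        f"Call-ID: {ext}@{src}\r\n"
        f"CSeq: 1 {method}\r\n"
        "Content-Length: 0\r\n\r\n"
    )


def parse_request(raw):
    """(method, targeted user) from a SIP request, falling back to the To header."""
    m = REQUEST_LINE.match(raw)
    if not m:
        return None
    user = m.group("user")
    if user is None:
        t = TO_HEADER.search(raw)
        user = t.group("user") if t else ""
    return m.group("method"), user


def build_events():
    """Constructed (timestamp, source_ip, raw_request) events: one scanner, one phone."""
    events = []
    # 40 INVITEs to consecutive extensions 100..139 in four seconds: svwar's footprint.
    for i in range(40):
        events.append((100.0 + i * 0.1, "203.0.113.9", sip_request("INVITE", str(100 + i))))
    # A real phone: one registration and two calls over a minute.
    events.append((100.0, "10.0.0.41", sip_request("REGISTER", "201", src="10.0.0.41")))
    events.append((110.0, "10.0.0.41", sip_request("INVITE", "202", src="10.0.0.41")))
    events.append((150.0, "10.0.0.41", sip_request("INVITE", "203", src="10.0.0.41")))
    return events


def detect_enumeration(events, window=10.0, min_targets=20):
    """Sources that address at least `min_targets` distinct users inside `window` seconds.

    Also reports the share of +1 steps between consecutive numeric targets,
    since a default svwar run walks extensions in order; a randomised scan
    still trips the distinct-target count.
    """
    by_src = defaultdict(list)
    for ts, src, raw in sorted(events, key=lambda e: e[0]):
        parsed = parse_request(raw)
        if parsed:
            by_src[src].append((ts, *parsed))

    findings = {}
    for src, reqs in by_src.items():
        left = 0
        for right in range(len(reqs)):          # sliding window over time-ordered requests
            while reqs[right][0] - reqs[left][0] > window:
                left += 1
            span = reqs[left:right + 1]
            targets = [u for _, _, u in span]
            distinct = len(set(targets))
            if distinct < min_targets:
                continue
            nums = [int(u) for u in targets if u.isdigit()]
            steps = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
            prev = findings.get(src)
            if prev is None or distinct > prev["distinct_targets"]:
                findings[src] = {
                    "distinct_targets": distinct,
                    "sequential_fraction": round(steps / max(len(nums) - 1, 1), 2),
                    "methods": sorted({m for _, m, _ in span}),
                    "window_start": span[0][0],
                }
    return findings


if __name__ == "__main__":
    for src, info in detect_enumeration(build_events()).items():
        print(src, info)
```

The thresholds (20 distinct targets in 10 seconds) are assumptions to tune against the busiest legitimate peer, normally the trunk provider, which sends many INVITEs but to a small, repeating set of users. The point of keying on distinct targets rather than request count is that an INVITE scan looks nothing like a burst of bandwidth, which matches J.'s observation that no DDoS-style traffic spike was visible.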