“Egyptian” Story

A cat-and-mouse story from a SIP provider, in response to a question about the nature of a security incident reported in 2007:

Well, it’s more complex, really, than just a matter of technical tricks unfortunately. What we’re seeing is a mixture of social engineering, PRS fraud, classic credit card fraud, and hacking.

For instance, it started out simple — before we had premium service offerings — almost two years ago. We offered free US toll-free calls, free SIP-SIP calling, etc. We started seeing a lot of signups with many different names. At first, I assumed these were just new signups… but then I noticed that most of them were being used to call toll-free numbers over and over again. I checked some of the numbers being called, and they were all calling-card numbers and Premium Rate Services. I then noticed that the signup IPs for all the accounts were based in Link.net in Egypt. I started deleting the accounts, and blocking the IPs from whence they came, but they were all dynamically-assigned DSL IPs, so whoever was coming in just found more. Eventually, we were forced to shut down access to all of link.net. Then, he started coming in through TG Net in Egypt. And Morocco, and Jordan.

I blocked IPs right and left… and eventually, he went away. Once in a while, he’d sign up again, but nothing much came of it. Then, not too long ago, we launched premium services for our users — dialin, dialout from and to the PSTN… and he returned. He started signing up for accounts and using stolen credit cards to sign up for dialout credits. I noticed he used credit cards with the same names he’d used for accounts I’d deleted almost two years prior. He’d then immediately start dialing PRS numbers in Somalia, Nigeria, Palestine, and Australia. He would always sign up and then dial a number in Egypt — likely his own — as a test. Then he’d start calling PRS numbers. A classic case of PRS fraud.

SO… I was forced to disallow PSTN calls to Egypt, Nigeria, and a few other locations. But that didn’t stop him signing up. He just got more clever. He started signing up from IP addresses in Germany — compromised machines that he used as back doors. LOTS of them. Every day, a new machine on the server4you.de network. Then other networks in Germany as well. All his signups had the same pattern — all using free yahoo.com email addresses, and all with numeric passwords, so he was easy enough to spot. Soon, he discovered that he was being too easy to spot, so he started to change his patterns. He’d use stolen credit cards from the UK and dial UK numbers and buy UK dialins. Often, however, he’d have to charge several cards to find one that worked, and that helped us spot him. At this point, I created an AVP table of blocked numbers so, when we found a number he was calling, we could block it. This has worked reasonably well for blocking calling-card hackers who try and hack calling-card PINs from our toll-free services. But the Egyptian, as we’ve come to call him, has never given up. He still comes in… now changing his methods from one day to the next to try and throw us off. Sometimes using different email addresses — free AOL or free Hotmail addresses. Often signing up from a hacked machine in the same country or city where the owner of the stolen credit card he plans to use lives. That was the case today, for instance. He signed up from a machine in Mountain View, California in the US. The card he charged for dialout services belonged to someone who lives in Valencia, CA. Being infinitely paranoid at this point, however, I looked up the card holder online, called him, and asked him about it. He said he’d never made the purchase, so I refunded his money and locked out the account.

He’s used some technical tricks here and there, though. For instance, to give you an idea of our setup, we use SER and Asterisk mixed together. Calls going to toll free numbers go straight from SER to the remote SIP switches that handle them — as do calls to our peers or calls to other users or ENUM services. Calls to the PSTN, however, go through Asterisk. We have several home-written B2BUA programs on the Asterisk box which handle authentication, calculation of timeouts for dialout calls based on the amount of money in the user’s account and the price of the dialed location, etc, etc. When we send calls to the PSTN, they have to be authorised in several ways. First, when a user signs up for dialout services, we add them to a dialout group. If they’re in the dialout group, and they dial a number that doesn’t fit one of the free services, we tack on a dialing prefix to that number and send it to the Asterisk box. That dialing prefix lets the Asterisk box know that this is a number bound for one of the PSTN B2BUA programs, and spawns the AGI code accordingly. He has, in the past, assumed that the prefix we add was some sort of authorisation code to allow dialing out to the PSTN, and he’s spoofed the IP of our SER server, created SIP packets with that prefix, and tried to send them directly to our Asterisk server.

Of course, the Asterisk server does authentication, and if the user doesn’t have money in his account and doesn’t send the appropriate password credentials, it won’t forward the call on to the PSTN servers (which are all blocked with firewalls) anyway… but he didn’t know that… and he tried many times unsuccessfully to hack his way through in such a fashion. But still he tries. Over and over and over and over. It’s a constant battle, and we’ve enlisted the US FBI, the British Security Services, and several other law enforcement agencies to help, but they’ve been able to do little other than subpoena the companies such as Yahoo and AOL to give them information about the IP of the person who signed up for email. We’re not the only company he hits, though. Many other VoIP companies are reporting the same patterns — even AT&T in the US has a report open on him.

But he doesn’t give up. It’s likely a career for him, so it will continue until he’s caught. Unfortunately, SIP security is only the beginning of the overall picture, as there’s so much MORE involved than just the SIP packets themselves. It’s the hazard of doing business on the Internet. We either leave our service open and relatively easy to use, sign up for, and work with — which gets us more users, but more fraud. Or we close it down tightly and securely… which leaves us with less fraud, but few users. There’s a happy medium somewhere, but we’ve yet to figure out what it is.
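As an added example (not the provider's code), a signup and call-detail triage routine built from the signals the provider lists above: free webmail addresses, numeric passwords, several declined cards before one is accepted, a short test call to Egypt followed by premium-rate destinations, and a blocked-number table covering both whole countries and individual numbers. Field names, thresholds and the sample records are constructed.

```python
from dataclasses import dataclass, field
FREE_WEBMAIL = {"yahoo.com", "aol.com", "hotmail.com"}
# Country codes named in the story (digits only): Egypt, Nigeria, Somalia, Palestine, Australia.
CC_EGYPT, CC_NIGERIA, CC_SOMALIA, CC_PALESTINE, CC_AUSTRALIA = "20", "234", "252", "970", "61"
PRS_DESTINATIONS = {CC_SOMALIA, CC_NIGERIA, CC_PALESTINE, CC_AUSTRALIA}
# Blocked-number table: whole countries disallowed for PSTN dialout, plus numbers added as found (constructed value).
BLOCKED_PREFIXES = {CC_EGYPT, CC_NIGERIA}
BLOCKED_NUMBERS = {"61900000001"}

@dataclass
class Account:
    email: str
    password: str
    card_declines: int   # cards declined before one was accepted for dialout credit
    calls: list = field(default_factory=list)  # (dialed digits, duration in seconds), in order

def is_blocked(number: str) -> bool:
    """True if the dialed number is in the table or belongs to a blocked country."""
    return number in BLOCKED_NUMBERS or any(number.startswith(p) for p in BLOCKED_PREFIXES)

def risk_signals(acct: Account) -> list:
    """Return the fraud signals an account matches; an empty list means nothing suspicious."""
    signals = []
    if acct.email.rsplit("@", 1)[-1].lower() in FREE_WEBMAIL:
        signals.append("free_webmail")
    if acct.password.isdigit():
        signals.append("numeric_password")
    if acct.card_declines >= 2:
        signals.append("multiple_card_declines")
    if acct.calls:
        first_dest, first_len = acct.calls[0]
        # Short test call to Egypt, then premium-rate destinations (the 60 s threshold is constructed).
        if first_dest.startswith(CC_EGYPT) and first_len < 60 and any(
                d.startswith(p) for d, _ in acct.calls[1:] for p in PRS_DESTINATIONS):
            signals.append("test_call_then_prs")
    if any(is_blocked(d) for d, _ in acct.calls):
        signals.append("blocked_destination")
    return signals

def triage(acct: Account) -> str:
    """Decide block / review / allow from the signals (thresholds are constructed)."""
    s = risk_signals(acct)
    if "blocked_destination" in s or "test_call_then_prs" in s or len(s) >= 3:
        return "block"
    return "review" if s else "allow"

# Constructed samples: the described pattern, a weak-signal account, and an ordinary user.
SUSPECT = Account("user4471@yahoo.com", "19821982", card_declines=3,
                  calls=[("201000000001", 12), ("252600000001", 900), ("61900000001", 600)])
WEAK = Account("user88@hotmail.com", "123456", card_declines=0, calls=[("442070000000", 120)])
ORDINARY = Account("jane@example.org", "c0rrect-H0rse", card_declines=0, calls=[("442070000000", 300)])
```

The weak-signal account shows why a single pattern match is a review queue item rather than a block: the provider notes he changed email providers and card origins once a pattern became obvious.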