VoIP DOS Attack

portcullis

I'm experiencing a denial of service attack on my VoIP server.

The VoIP server is located behind a firewall. I'm not on the receiving end of the "traditional" DOS attack; instead, I've got these two numbers, "+26467303890" and "+6467303890", calling non-stop.

As soon as we answer, we hear "beep beep" as per a fax machine or a modem trying to sync.

I've set up some simple rules to blacklist calls from the numbers, but the system is slowing down because of it and - most importantly - all my expensive G.729 licences are being used up by these idiots as Asterisk still answers the call before it drops it, meaning that people who actually want to talk to us can't get through because all the SIP circuits are being blocked by this b/s.

Switch Telecom provide the SIP circuits. They say there's nothing that they can do. The numbers are obviously being spoofed.

What do I do?

Do I go to the Police? If so, with what evidence? The VoIP server logs?

Also, what's the point of this? Is this simply somebody trying to disrupt our business? Is this some sort of hack attempt where they're looking for a modem to log into?

Lastly, why don't these people move on? There's nothing to see here...
 
I would say put a firewall in front of the VoIP server to filter the traffic, but then you will need the source IP where the traffic is coming from. [make sense?]

Trying to explain the technology to the Police is your first obstacle there :)

I know Atlantic sells SIP accounts, depending on your needs. [What are they by the way?]
 
I would say put a firewall in front of the VoIP server to filter the traffic, but then you will need the source IP where the traffic is coming from. [make sense?]

The "source" would be the SwitchTel data centre, but that would block all calls coming in.

Trying to explain the technology to the Police is your first obstacle there :)

I'm thinking maybe the commercial crimes guys in Bellville?

I know Atlantic sells SIP accounts, depending on your needs. [What are they by the way?]

1 DID number
A couple of SIP circuits connected to that number.

We've got clients with Telfree, SwitchTel and Atlantic accounts on our network.
SwitchTel has the best call quality of the lot.
 
For clarity, Switch Telecom's recommendation was that you set up a rule on your PBX to reject calls from that caller ID. Asterisk-based PBXs can reject the call without answering it. They simply send back a 486 Busy response and Switch Telecom will in turn convey the message to the originating network. This can happen within under 100ms (i.e. less than one tenth of a second), so it should not hold up your channels, particularly given that the call intervals are minutes (sometimes hours), not seconds. It is not necessary to answer the call and hang it up; one can simply reject it with a busy response.

If you want Switch Telecom to perform the functions that your switchboard should be performing, then you need to contract for the Hosted Switchboard service. Switch Telecom will then route the calls from its switching platform through to a Hosted PBX solution which can do all sorts of intelligent call control (including filtering by source) and then on to you. But the associated service fee (R250 per month) will apply.

I am now offering you another free and very simple solution: Log into the Switch Telecom client zone, divert your number unconditionally to a fax line, wait for the call to come through, allow the fax to be received, read the fax and you'll know who it's from. It is also likely that the originating fax server will stop retransmitting once it has successfully transmitted the fax.
 
Sending a 486 busy signal may well happen in less than a tenth of a second, but unfortunately, the logs on the SwitchTel site show that each of these silly calls actually uses the SwitchTel servers for about six seconds. Such a waste of resources.

I tried the "free and simple solution" and forwarded all calls to the number to a fax. All I got for my efforts was a call forwarding charge from SwitchTel. Whatever's doing the calling doesn't want to send a fax.

Since it's not a fax machine, it's got to be a computer. What do I do now?
 
Can't SwitchTel blacklist/block these numbers at the 'carrier' level so that it doesn't continue to affect the client?
 
Opens a can of worms if carriers can go ahead blocking numbers, I would think at least there should be a court order or at least a statement and case number to back it up.

The best would be to reject the call coming in at the client side, or, as Greg suggested, redirect the call to a fax number and see what it is.
 
XConnect offers solutions to telcos and we include tools to deal with DOS attacks, and what are called SPIT (spam over IT) attacks etc.

I am not saying we could deal with this particular issue (Switchtel is a competent provider) as I would have to know the details.

Simply that we do offer specific solutions based on experience in other countries and they are policy-based (ie to prevent SPIT attacks, one can specify thresholds on multiple calls from the same A-number within specified time periods). Our customers (telcos) would ask us to deal with this at the incoming level so they are protected from the direct attack.
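
The per-A-number threshold policy described in the post above, combined with the reject-with-486-before-answering approach mentioned earlier in the thread, as an added example that is not part of the original thread or of any vendor's product. The class name, the threshold values and the second caller ID are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

REJECT = "486 Busy"   # reject before answering, so no media channel or codec licence is used
ACCEPT = "accept"


class CallerRateLimiter:
    """Sliding-window limit on call attempts per A-number (hypothetical helper)."""

    def __init__(self, max_calls, window_seconds, blocklist=()):
        self.max_calls = max_calls
        self.window = window_seconds
        self.blocklist = set(blocklist)
        self.history = defaultdict(deque)   # caller ID -> timestamps of recent attempts

    def decide(self, caller_id, ts):
        """Return REJECT or ACCEPT for a call attempt arriving at time ts (seconds)."""
        if caller_id in self.blocklist:
            return REJECT
        attempts = self.history[caller_id]
        # Drop attempts that have aged out of the window.
        while attempts and ts - attempts[0] >= self.window:
            attempts.popleft()
        attempts.append(ts)
        # Rejected attempts still count, so a looping dialler stays
        # blocked until it has been quiet for a full window.
        return REJECT if len(attempts) > self.max_calls else ACCEPT


# Constructed sample of (seconds since start, caller ID); not real log data.
# "+27215550100" is a made-up number standing in for a genuine customer.
SAMPLE_CALLS = [
    (0, "+26467303890"), (120, "+27215550100"), (180, "+26467303890"),
    (360, "+26467303890"), (540, "+26467303890"), (700, "+27215550100"),
    (720, "+26467303890"), (5000, "+26467303890"),
]


def run_sample():
    # Assumed policy: at most 3 attempts per caller ID in any one-hour window.
    limiter = CallerRateLimiter(max_calls=3, window_seconds=3600)
    return [(ts, cid, limiter.decide(cid, ts)) for ts, cid in SAMPLE_CALLS]


if __name__ == "__main__":
    for ts, cid, verdict in run_sample():
        print(f"t={ts:>5}s  {cid:<14} -> {verdict}")
```
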
 
Switch Telecom is responding to this and I'm not prepared to publicly debate how our systems are implemented. I have made it clear that we do offer a solution that allows for blocking on our side rather than the customer's side but that an upgrade/change of service is required with an associated additional service fee.

In the meantime, we have spoken to our interconnect partners and traced the calls. They are originating from Namibia. We therefore believe that the caller ID is genuine and, based on the number, is a land-line service of sorts in Otjiwarongo, Namibia provided by Telecom Namibia.

It is now up to portcullis to either take the matter up with the authorities, or, to upgrade his service if he would like us to filter on our side, or, both.

Please note that Switch Telecom does NOT consider this to be a DoS. The call volumes are not even 1% of what would qualify as a DoS. We are not responding to this as a DoS, but rather as a routine customer service query. If the volumes were 100 to 10,000 times what they are, our response would be different.
 
Greg, out of all the calls done by portcullis in the last say month, what percentage are from these caller IDs? My point is that this might not be a DOS in the terms of SwitchTel's call numbers but in portcullis's numbers it might very well be.
 
Warwick, we're talking about +/- 1200% more fake calls than actual calls. Although we don't receive that many calls, the percentage was a lot for a small fry like me.

Update: Greg spoke to Telkom. Telkom researched the matter and traced the calls. They were in fact originating in Otjiwarongo, Namibia.

This afternoon I called Telecom Namibia and spoke to them. Wow! I've been sat here for 12 hours trying to find the words to describe my experience with Telecom Namibia and words just can't describe it. We are Pinnacle clients of Telkom SA as we spend a considerable amount of money with them each month for all our data services. As such we get priority service - not unlike the very high end banking packages where you have private banking halls and your own customer relationship manager who knows what type of golf balls you use. Not even Telkom's Pinnacle "Exceptional Customer Service" can compare with the service that I got from one quick phone call to Windhoek. I'm still half in a dwaal just thinking about it.

Once I'd been transferred to the right person, she did a reverse lookup on the number, called the guy, gave him a bollocking and told him to explain himself to me before they deal with him. He called me on my cellphone two minutes later and it turns out that Caltex had installed a new credit card machine in his premises and that they had programmed the wrong number into his machine. He's as grumpy with Caltex as I am with him as he's not received one cent for all his card transactions in his shop since the new machine went in. He's now switched the Verifone off until Caltex sort it out. No more beep beep calls at two in the morning.

This one has been resolved amicably. Thanks to Greg from SwitchTel for getting the ball rolling with the investigation and getting Telkom SA to provide the information we needed. Thanks to Warwick for helping me word the email that got the investigation going and thanks to Telecom Namibia for sorting this out chop chop.

However, please spare a thought for the poor shopkeeper in Otjiwarongo whose machine made a couple of thousand international calls and who's going to get a very interesting phone bill some time soon.
 
Wow, impressed; don't think you would get that service from Telkom here. Nice that they sorted it out.

I feel sorry for the shop owner, he's going to have one huge phone bill with no income.... ouch.
 
Warwick, talking of huge bills and no income...

There is progress with the Helderberg hut rebuild. We've finally got the insurance to agree as to the type of hut. We're planning some interesting stuff including a two door setup with a partition so as to keep the electricity and generator away from the kit. Since it's all new and shiny, I'm also looking at putting in new and shiny network cabinets with cages so that each tenant can have 4U, 8U etc that he - and only he - has access to.

I've reserved some space for you about 15m up so you should see Stellenbosch easily.
 
Since this is a public forum and people use it for advice, it must be noted that a telco should offer its customers a quick-response service which blocks calls from a particular ANI (call party number or CLI) at telco level.

Although this issue has low visibility in South Africa, it does happen globally more than one would have thought, and VoIP in SA is on the rise so will become more prevalent.

We do provide this functionality to all telcos who use our service.
 