I was reading up on some security advice and came across an article from Digium (<a href="http://blogs.digium.com/2009/03/28/sip-security/">http://blogs.digium.com/2009/03/28/sip-security/</a>). A few points that stood out for me were:<br>
<br>"Make your SIP usernames different than your extensions". This sounds like good advice because now an attacker has to guess the user name and password instead of just a password. The biggest benefit to this is that even if someone knows the format of your extension numbers, they are not able to use it for registration credentials. Of course, the issue of DoS using a large number of simultaneous authentication requests still remains. How can we deal with this?<br>
<br>"... reject bad authentication requests on valid usernames with the same rejection information as with invalid usernames ..." How can we do this in FS? I haven't looked at this yet so maybe FS does such a thing anyways; advice from your experience and expertise required.<br>
<br>"Allow only one or two calls at a time per SIP entity, where possible." This is standard practice in prepaid phone card business. They allow only one simultaneous call and if you try to use the PIN to make another call it's not allowed. At the application level we may be able to do this in FS but it reminds me of another scenario. Let's say a user's registration is compromised. Can we prevent registration with same credentials from two different locations in FS? For example, one registration attempt is from New York and the other from Baltimore. This would affect the legitimate user because they might not be able to register. Does anyone restrict this way using FS?<br>
<br>Apart from the article mentioned, there are some other issues, one of which is ANI authentication. A lot of pinless prepaid phone services use your caller ID to authenticate and authorize a call. you give them your phone number and when you call from there you can use the service. With VoIP it's very easy to spoof ANI. I believe the concept of "context" helps a lot here. Say you know the ANI's you assigned to your registered users. They would be in the "default" context, for example. Now if an attacker uses the same ANI but tries not from a registered endpoint but say from one of your carriers. His context would be "public", for example. This way the combination of ANI with context can prevent such attacks.<br>
<br>But what if the authorized ANI (say 4145550000) is not from a registered endpoint but from a cell phone, similar to the pinless services offered today. In this scenario I think there's not much we can do. If we have given a user an access number (say 2125550000) provided to us by a DID provider, say ABC, then whenever someone dials 2125550000 then we get the call only through ABC, whom we have allowed. But we can't be sure that 4145550000 is actually 4145550000 and not someone pretending to be them. Has anyone figured out a way to detect and/or prevent such fraudulent calls? Is it even possible?<br>
<br><br><br><br><div class="gmail_quote">On Tue, Jun 15, 2010 at 4:59 PM, Anthony Minessale <span dir="ltr"><<a href="mailto:anthony.minessale@gmail.com">anthony.minessale@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
We have some parameters to disable some commonly abused features in a carrier env.<div><br></div><div>in the sofia profile</div><div><br></div><div>set manage-presence to false</div><div><br></div><div>If you are not providing registration or client transfers disable them completely</div>
<div>set disable-transfer to true</div><div>set disable-register to true</div><div><br></div><div><br></div><div>And register for ClueCon where someone will probably give a talk on VoIP security!</div><div><br></div><br>
<div>-- <br>Anthony Minessale II<br><br>FreeSWITCH <a href="http://www.freeswitch.org/" target="_blank">http://www.freeswitch.org/</a><br>ClueCon <a href="http://www.cluecon.com/" target="_blank">http://www.cluecon.com/</a><br>
Twitter: <a href="http://twitter.com/FreeSWITCH_wire" target="_blank">http://twitter.com/FreeSWITCH_wire</a><br><br>AIM: anthm<br><a href="mailto:MSN%3Aanthony_minessale@hotmail.com" target="_blank">MSN:anthony_minessale@hotmail.com</a><br>
GTALK/JABBER/<a href="mailto:PAYPAL%3Aanthony.minessale@gmail.com" target="_blank">PAYPAL:anthony.minessale@gmail.com</a><br>
IRC: <a href="http://irc.freenode.net" target="_blank">irc.freenode.net</a> #freeswitch<br><br>FreeSWITCH Developer Conference<br><a href="mailto:sip%3A888@conference.freeswitch.org" target="_blank">sip:888@conference.freeswitch.org</a><br>
<a href="mailto:googletalk%3Aconf%2B888@conference.freeswitch.org" target="_blank">googletalk:conf+888@conference.freeswitch.org</a><br>
pstn:+19193869900<br>
</div>
<br></blockquote></div>