<p dir="ltr">Michael, thanks for your thought. I think that maybe they used fake 'referred by' header to get rid of the limit. So I will recommend everybody who terminate paid traffic to use a separate box of freeswitch that limits lines again after the clients' box or at least use daily limit which, in my case, wasn't implemented.</p>
<div class="gmail_quote">22.10.2014 15:00 пользователь "Michel Brabants" <<a href="mailto:michel.brabants@gmail.com">michel.brabants@gmail.com</a>> написал:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hello,<br><br>my first thought would of course be that they are referring the calls to their phones, but maybe you checked this already. Of course, they need to have a working call-setup before they can do a refer. Of course, they had the password, so they could just register their phones and setup the initial invite and then refer the call to their phone permanently, before customer's phone registers again. Anyway, it's just a thought.<br><br></div>Michel<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Oct 22, 2014 at 5:31 AM, Kamil Nigmatullin <span dir="ltr"><<a href="mailto:kamil.nigmatullin@gmail.com" target="_blank">kamil.nigmatullin@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>The password was lost by client. Not by brouteforce on other site and I defenetly use fail2ban. That;s not the issue. <br></div>I don't have any transfers within meta bind app. I think it was some kind of sip reffer attack.<br></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">2014-10-22 6:46 GMT+06:00 Steven Ayre <span dir="ltr"><<a href="mailto:steveayre@gmail.com" target="_blank">steveayre@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Also do you know how the password was gained? If it was brute-forced look at implementing a secure password policy and using fail2ban to detect and block brute forcing attacks<div><div><br><br>On Wednesday, October 22, 2014, Stanislav Sinyagin <<a href="mailto:ssinyagin@gmail.com" target="_blank">ssinyagin@gmail.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>(now on a normal keyboard)<br></div>Kamil, <br></div><br>when you use the "limit" application and increase the user's counter, it keeps its value only within the context where it was originally called. If you, for example, used pieces of the original (Vanilla) FreeSWITCH configuration, there are bind_meta_app bindings which send the call into another context ("features"). Once it's done, the user's limit counter is lost, and you need to increment it again in the new context.<br><br></div>Also, why don't you implement daily and monthly minute limits and block the user as soon as these limits are reached?<br><br><br><br><div><br> <br><div><br><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 21, 2014 at 9:21 PM, Stanislav Sinyagin <span dir="ltr"><<a>ssinyagin@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><p dir="ltr">Limit resets as soon as the call leaves the context - could that be the reason?</p>
<div class="gmail_quote"><div><div>On Oct 21, 2014 8:44 PM, "Kamil Nigmatullin" <<a>kamil.nigmatullin@gmail.com</a>> wrote:<br type="attribution"></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div><div dir="ltr"><div><div>Dear all, <br><br></div>Today we had an attack. One of our
clients lost password to his SIP account. So with this password
attackers made calls on our client's behalf to very expensive
destinations. <br><br>We have Opensips as a border controller and
Freeswitch as a Softswitch. This phone was confugured for 1 concurrent
line using module limit of FS. Howerver they somehow managed to make
several concurrent calls per one account. On CDR's we found that there
was Attended transfer. Does anybody knows what kind of attack was that
and how I can protect us against this? Is it sip refer attack when attacker set REFERED BY HEADER?<br><br></div><div>When I check if limit works whith a sipphone, I see that it worked 100%. <br></div><div><br></div>Thanks in advance <br clear="all"><br>-- <br><div dir="ltr">Kamil Nigmatullin<br>Tel: 77272323748<br>mob: 7 <a href="tel:%28707%29%202517003" value="+17072517003" target="_blank">(707) 2517003</a><br>Skype: kamil.nigmatullin</div>
</div>
<br></div></div>_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a>consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://confluence.freeswitch.org" target="_blank">http://confluence.freeswitch.org</a><br>
<a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
<a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a>FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br></blockquote></div>
</blockquote></div><br></div></div></div></div></div></div>
</blockquote>
</div></div><br>_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://confluence.freeswitch.org" target="_blank">http://confluence.freeswitch.org</a><br>
<a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
<a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br></blockquote></div><br><br clear="all"><br>-- <br><div dir="ltr">Kamil Nigmatullin<br>Tel: 77272323748<br>mob: 7 <a href="tel:%28707%29%202517003" value="+17072517003" target="_blank">(707) 2517003</a><br>Skype: kamil.nigmatullin</div>
</div>
</div></div><br>_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://confluence.freeswitch.org" target="_blank">http://confluence.freeswitch.org</a><br>
<a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
<a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br></blockquote></div><br></div>
<br>_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://confluence.freeswitch.org" target="_blank">http://confluence.freeswitch.org</a><br>
<a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
<a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br></blockquote></div>