<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.m-3216078669516091508hoenzb
{mso-style-name:m_-3216078669516091508hoenzb;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>You miss my point entirely… its not just CDR reporting, but its network traffic monitoring in general. There are things in FreeSWITCH specifically made to address this sort of attack. Limits can be applied in various ways, certain SIP features can be completely disable or handling in ways that allow for more stringent checks… for instance, why would you blindly follow a refer? That in and of itself is just asking to get owned.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> freeswitch-users-bounces@lists.freeswitch.org [mailto:freeswitch-users-bounces@lists.freeswitch.org] <b>On Behalf Of </b>Kamil Nigmatullin<br><b>Sent:</b> Sunday, December 11, 2016 10:49 PM<br><b>To:</b> FreeSWITCH Users Help <freeswitch-users@lists.freeswitch.org><br><b>Subject:</b> Re: [Freeswitch-users] SBC<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>I understand that. But CDR comes after the call is done. Sometimes one minute costs 10$ and I understand this after 20 minutes. I agree that this things doest't guarantee anything but it is funcionality of so called SBC. And it helps almost in any case except attackers broke sip device and sends traffic from this devices where monitoring and various limitations are really important. And about REFFER attack it is really very dangerous thing that is not fixes yet.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>2016-12-12 10:00 GMT+06:00 Ken Rice <<a href="mailto:krice@freeswitch.org" target="_blank">krice@freeswitch.org</a>>:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal>You do realize all of these things can be chexked in freeswitch. However no amount of checking various things the user is sending will stop such fraud. This is where your cdr's and pattern analysis come into play. Theres a reason large providers have rooms full of fraud prevention people<br><br>Sent from my iPhone<o:p></o:p></p></div><div><div><div><p class=MsoNormal style='margin-bottom:12.0pt'><br>On Dec 11, 2016, at 21:43, Kamil Nigmatullin <<a href="mailto:kamil.nigmatullin@gmail.com" target="_blank">kamil.nigmatullin@gmail.com</a>> wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><p class=MsoNormal>The first was the problem, where attacker somehow got login and password (i think they broke thier ATA) from clinet and used it. But for this client there was a limit of one line. I used limit module with local database. What attacker actially did, is that they used REFER attack, where they put their own number as a referrer, and opened unlimited lines to PSTN. So the, solution was - to replace limit functunality to opensips. <o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>The second - it is not actually the FS issue. It is because Freeswitch is not flexible enouph to work at the low level where Kamailio or opensips operates. E.g, we programmed opensips to lookup for UserAgent database, we add useragent for each client manually. And only using client's IP and user-agent we allow this user to call to PSTN. We watch for blacklists of IP adresses, subnets. If it comes from Gaza, Panama, China we block it. And a lot of other things. Most of them is not out-of-box in opensips, but it is not hard to implement. All this functionality is very important. We lost about $10k last time. This is very serious.<o:p></o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>2016-12-12 8:56 GMT+06:00 Alex Balashov <<a href="mailto:abalashov@evaristesys.com" target="_blank">abalashov@evaristesys.com</a>>:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><p class=MsoNormal>On Mon, Dec 12, 2016 at 08:17:57AM +0600, Kamil Nigmatullin wrote:<br><br>> I love freeswitch, but frankly I would not recomend to set it as SBC. I<br>> personally faced two attacks where FS was not good at. And we lost a lot of<br>> money. It works perfectly as NAT between internal and extenal networks,<br>> actually in everything but it is weak as a firewall. Stanislav knows that,<br>> he helped me to resolve the problem first time when it happend. I cannot go<br>> into details as this is open forum. You need to put either kamailio or<br>> opensips in front of FS.<br><br>Strongly agree.<br><span style='color:#888888'><br><span class=m-3216078669516091508hoenzb>--</span><br><span class=m-3216078669516091508hoenzb>Alex Balashov | Principal | Evariste Systems LLC</span><br><br><span class=m-3216078669516091508hoenzb>Tel: <a href="tel:%2B1-706-510-6800" target="_blank">+1-706-510-6800</a> (direct) / <a href="tel:%2B1-800-250-5920" target="_blank">+1-800-250-5920</a> (toll-free)</span><br><span class=m-3216078669516091508hoenzb>Web: <a href="http://www.evaristesys.com/" target="_blank">http://www.evaristesys.com/</a>, <a href="http://www.csrpswitch.com/" target="_blank">http://www.csrpswitch.com/</a></span></span><o:p></o:p></p><div><div><p class=MsoNormal><br>_________________________________________________________________________<br>Professional FreeSWITCH Consulting Services:<br><a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br><a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br><br>Official FreeSWITCH Sites<br><a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br><a href="http://confluence.freeswitch.org" target="_blank">http://confluence.freeswitch.org</a><br><a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br><br>FreeSWITCH-users mailing list<br><a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br><a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br><a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><o:p></o:p></p></div></div></blockquote></div><p class=MsoNormal><br><br clear=all><o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>-- <o:p></o:p></p><div><div><p class=MsoNormal>Kamil Nigmatullin<br>Tel: 77272323748<br>mob: 7 <a href="tel:(707)%20251-7003" target="_blank">(707) 2517003</a><br>Skype: kamil.nigmatullin<o:p></o:p></p></div></div></div></div></blockquote><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal>_________________________________________________________________________<br>Professional FreeSWITCH Consulting Services: <br><a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br><a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br><br>Official FreeSWITCH Sites<br><a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br><a href="http://confluence.freeswitch.org" target="_blank">http://confluence.freeswitch.org</a><br><a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br><br>FreeSWITCH-users mailing list<br><a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br><a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br><a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><o:p></o:p></p></div></blockquote></div></div></div><p class=MsoNormal><br>_________________________________________________________________________<br>Professional FreeSWITCH Consulting Services:<br><a href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a><br><a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br><br>Official FreeSWITCH Sites<br><a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br><a href="http://confluence.freeswitch.org" target="_blank">http://confluence.freeswitch.org</a><br><a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br><br>FreeSWITCH-users mailing list<br><a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br><a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br><a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><o:p></o:p></p></blockquote></div><p class=MsoNormal><br><br clear=all><o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>-- <o:p></o:p></p><div><div><p class=MsoNormal>Kamil Nigmatullin<br>Tel: 77272323748<br>mob: 7 (707) 2517003<br>Skype: kamil.nigmatullin<o:p></o:p></p></div></div></div></div></body></html>