[Freeswitch-users] thoughts about call fraud and sip security

Sandro sandro1976 at yahoo.it
Fri Mar 21 13:45:23 MSK 2014


Hello all,

Out of curiosity, since I work in the VoIP field, I have been playing with a
FreeSWITCH + FusionPBX setup for a few weeks.
I put it on a Linux machine with a public IP address, no firewall.
The scenario is quite simple: it has a gateway towards a VoIP provider and
one extension that is a softphone behind NAT (in my LAN).
All works smoothly.

Of course I received a lot of scans in these days, and I configured my
fail2ban to react properly. But yesterday I received a call attempt from a
malicious user on the public context (where the gateway to my VoIP
provider resides) and this has been processed.
Of course the call hasn't got through since the called number was not my
own number, and it has been dropped in the public context without being
transferred to the default context.
But, if the attacker guessed my public number, I think I could receive
an unauthorized call inbound to my softphone.
And since these kinds of calls are processed, I think I am suitable to be
DDoS-ed.

There comes a more theoretical question about the SIP protocol (I have
posted it on the sip-implementors ML without any reply):


*Let's have a very common scenario, where a SIP "client" A (my FreeSWITCH)
interacts with a SIP server B (my VoIP provider).
To keep things simple, the interactions are registrations (REGISTER) and
calls (INVITE and ACK).
The administrator configured A with credentials that have been registered
on B, so REGISTERs and INVITEs incoming to B are authenticated.*

*Now in this network a malicious user appears, let's call it C.*

*Of course it will not be able to send any malicious request to B, since B
will ask for credentials (that C does not know) and subsequently drop the
unauthorized requests.
What about A? What if C sends an unsolicited call to A?*

*At this point A has a "registration" up with B, so they are exchanging
some information.
Is A able to recognize that the call C is sending it is "not related" to
its "registration session" with B? (of course without dealing with network
addresses)*

*For example, A and B are exchanging some random tags.
Are they brought (by protocol, and not as a proprietary extension) in the
subsequent dialogs initiated by B towards A, so that A can recognize them?*

*If that is the case, can you point me to the exact point of the RFC that
states it?*

Thank you to anyone that reached here to read :)

Kind regards,
Sandro.