[Freeswitch-users] (no subject)

Michel Brabants michel.brabants at gmail.com
Wed Oct 22 12:59:40 MSD 2014 

Hello,

my first thought would of course be that they are referring the calls to
their phones, but maybe you checked this already. Of course, they need to
have a working call-setup before they can do a refer. Of course, they had
the password, so they could just register their phones and setup the
initial invite and then refer the call to their phone permanently, before
customer's phone registers again. Anyway, it's just a thought.

Michel

On Wed, Oct 22, 2014 at 5:31 AM, Kamil Nigmatullin <
kamil.nigmatullin at gmail.com> wrote:

> The password was lost by client. Not by brouteforce on other site and I
> defenetly use fail2ban.  That;s not the issue.
> I don't have any transfers within  meta bind app.  I think it was some
> kind of sip reffer attack.
>
> 2014-10-22 6:46 GMT+06:00 Steven Ayre <steveayre at gmail.com>:
>
>> Also do you know how the password was gained? If it was brute-forced look
>> at implementing a secure password policy and using fail2ban to detect and
>> block brute forcing attacks
>>
>>
>> On Wednesday, October 22, 2014, Stanislav Sinyagin <ssinyagin at gmail.com>
>> wrote:
>>
>>> (now on a normal keyboard)
>>> Kamil,
>>>
>>> when you use the "limit" application and increase the user's counter, it
>>> keeps its value only within the context where it was originally called. If
>>> you, for example, used pieces of the original (Vanilla) FreeSWITCH
>>> configuration, there are bind_meta_app bindings which send the call into
>>> another context ("features"). Once it's done, the user's limit counter is
>>> lost, and you need to increment it again in the new context.
>>>
>>> Also, why don't you implement daily and monthly minute limits and block
>>> the user as soon as these limits are reached?
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Tue, Oct 21, 2014 at 9:21 PM, Stanislav Sinyagin <ssinyagin at gmail.com
>>> > wrote:
>>>
>>>> Limit resets as soon as the call leaves the context - could that be the
>>>> reason?
>>>> On Oct 21, 2014 8:44 PM, "Kamil Nigmatullin" <
>>>> kamil.nigmatullin at gmail.com> wrote:
>>>>
>>>>> Dear all,
>>>>>
>>>>> Today we had an attack. One of our clients lost password to his SIP
>>>>> account. So with this password attackers made calls on our client's behalf
>>>>> to very expensive destinations.
>>>>>
>>>>> We have Opensips as a border controller and Freeswitch as a
>>>>> Softswitch. This phone was confugured for 1 concurrent line using module
>>>>> limit of FS. Howerver they somehow managed to make several concurrent calls
>>>>> per one account. On CDR's we found that there was Attended transfer. Does
>>>>> anybody knows what kind of attack was that and how I can protect us against
>>>>> this? Is it sip refer attack when attacker set REFERED BY HEADER?
>>>>>
>>>>> When I check if limit works whith a sipphone, I see that it worked
>>>>> 100%.
>>>>>
>>>>> Thanks in advance
>>>>>
>>>>> --
>>>>> Kamil Nigmatullin
>>>>> Tel: 77272323748
>>>>> mob: 7 (707) 2517003
>>>>> Skype: kamil.nigmatullin
>>>>>
>>>>>
>>>>> _________________________________________________________________________
>>>>> Professional FreeSWITCH Consulting Services:
>>>>> consulting at freeswitch.org
>>>>> http://www.freeswitchsolutions.com
>>>>>
>>>>> Official FreeSWITCH Sites
>>>>> http://www.freeswitch.org
>>>>> http://confluence.freeswitch.org
>>>>> http://www.cluecon.com
>>>>>
>>>>> 
>>>>> 
>>>>>
>>>>> FreeSWITCH-users mailing list
>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>> UNSUBSCRIBE:
>>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>> http://www.freeswitch.org
>>>>>
>>>>
>>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://confluence.freeswitch.org
>> http://www.cluecon.com
>>
>> 
>> 
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
>
>
>
> --
> Kamil Nigmatullin
> Tel: 77272323748
> mob: 7 (707) 2517003
> Skype: kamil.nigmatullin
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> 
> 
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20141022/8683a8b8/attachment-0001.html

Join us at ClueCon 2016 Aug 8-12, 2016
More information about the FreeSWITCH-users mailing list