[Freeswitch-users] (no subject)

Kamil Nigmatullin kamil.nigmatullin at gmail.com
Sat Oct 25 09:22:09 MSD 2014


Michael, thanks for your thought. I think that maybe they used fake
'referred by' header to get rid of the limit. So I will recommend everybody
who terminate paid traffic to use a separate box of freeswitch that limits
lines again after the clients' box or at least use daily limit which, in my
case, wasn't implemented.
22.10.2014 15:00 пользователь "Michel Brabants" <michel.brabants at gmail.com>
написал:

> Hello,
>
> my first thought would of course be that they are referring the calls to
> their phones, but maybe you checked this already. Of course, they need to
> have a working call-setup before they can do a refer. Of course, they had
> the password, so they could just register their phones and setup the
> initial invite and then refer the call to their phone permanently, before
> customer's phone registers again. Anyway, it's just a thought.
>
> Michel
>
> On Wed, Oct 22, 2014 at 5:31 AM, Kamil Nigmatullin <
> kamil.nigmatullin at gmail.com> wrote:
>
>> The password was lost by client. Not by brouteforce on other site and I
>> defenetly use fail2ban.  That;s not the issue.
>> I don't have any transfers within  meta bind app.  I think it was some
>> kind of sip reffer attack.
>>
>> 2014-10-22 6:46 GMT+06:00 Steven Ayre <steveayre at gmail.com>:
>>
>>> Also do you know how the password was gained? If it was brute-forced
>>> look at implementing a secure password policy and using fail2ban to detect
>>> and block brute forcing attacks
>>>
>>>
>>> On Wednesday, October 22, 2014, Stanislav Sinyagin <ssinyagin at gmail.com>
>>> wrote:
>>>
>>>> (now on a normal keyboard)
>>>> Kamil,
>>>>
>>>> when you use the "limit" application and increase the user's counter,
>>>> it keeps its value only within the context where it was originally called.
>>>> If you, for example, used pieces of the original (Vanilla) FreeSWITCH
>>>> configuration, there are bind_meta_app bindings which send the call into
>>>> another context ("features"). Once it's done, the user's limit counter is
>>>> lost, and you need to increment it again in the new context.
>>>>
>>>> Also, why don't you implement daily and monthly minute limits and block
>>>> the user as soon as these limits are reached?
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Tue, Oct 21, 2014 at 9:21 PM, Stanislav Sinyagin <
>>>> ssinyagin at gmail.com> wrote:
>>>>
>>>>> Limit resets as soon as the call leaves the context - could that be
>>>>> the reason?
>>>>> On Oct 21, 2014 8:44 PM, "Kamil Nigmatullin" <
>>>>> kamil.nigmatullin at gmail.com> wrote:
>>>>>
>>>>>> Dear all,
>>>>>>
>>>>>> Today we had an attack. One of our clients lost password to his SIP
>>>>>> account. So with this password attackers made calls on our client's behalf
>>>>>> to very expensive destinations.
>>>>>>
>>>>>> We have Opensips as a border controller and Freeswitch as a
>>>>>> Softswitch. This phone was confugured for 1 concurrent line using module
>>>>>> limit of FS. Howerver they somehow managed to make several concurrent calls
>>>>>> per one account. On CDR's we found that there was Attended transfer. Does
>>>>>> anybody knows what kind of attack was that and how I can protect us against
>>>>>> this? Is it sip refer attack when attacker set REFERED BY HEADER?
>>>>>>
>>>>>> When I check if limit works whith a sipphone, I see that it worked
>>>>>> 100%.
>>>>>>
>>>>>> Thanks in advance
>>>>>>
>>>>>> --
>>>>>> Kamil Nigmatullin
>>>>>> Tel: 77272323748
>>>>>> mob: 7 (707) 2517003
>>>>>> Skype: kamil.nigmatullin
>>>>>>
>>>>>>
>>>>>> _________________________________________________________________________
>>>>>> Professional FreeSWITCH Consulting Services:
>>>>>> consulting at freeswitch.org
>>>>>> http://www.freeswitchsolutions.com
>>>>>>
>>>>>> Official FreeSWITCH Sites
>>>>>> http://www.freeswitch.org
>>>>>> http://confluence.freeswitch.org
>>>>>> http://www.cluecon.com
>>>>>>
>>>>>> FreeSWITCH-powered IP PBX: The CudaTel Communication Server
>>>>>> http://www.cudatel.com
>>>>>>
>>>>>> FreeSWITCH-users mailing list
>>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>>> UNSUBSCRIBE:
>>>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>>> http://www.freeswitch.org
>>>>>>
>>>>>
>>>>
>>> _________________________________________________________________________
>>> Professional FreeSWITCH Consulting Services:
>>> consulting at freeswitch.org
>>> http://www.freeswitchsolutions.com
>>>
>>> Official FreeSWITCH Sites
>>> http://www.freeswitch.org
>>> http://confluence.freeswitch.org
>>> http://www.cluecon.com
>>>
>>> FreeSWITCH-powered IP PBX: The CudaTel Communication Server
>>> http://www.cudatel.com
>>>
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> http://www.freeswitch.org
>>>
>>
>>
>>
>> --
>> Kamil Nigmatullin
>> Tel: 77272323748
>> mob: 7 (707) 2517003
>> Skype: kamil.nigmatullin
>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://confluence.freeswitch.org
>> http://www.cluecon.com
>>
>> FreeSWITCH-powered IP PBX: The CudaTel Communication Server
>> http://www.cudatel.com
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-powered IP PBX: The CudaTel Communication Server
> http://www.cudatel.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20141025/b882926a/attachment-0001.html 


Join us at ClueCon 2016 Aug 8-12, 2016
More information about the FreeSWITCH-users mailing list