Hi
A customer who had the same problem, in that they were suffering from caller ID spoofing, contacted us for some paid support, which meant I needed to analyse the problem further.
On inspection, we realised that the call was not coming from the DID provider, but directly through SIP, e.g. 12345@IP-of-A2Billing.
Because of the way that the customer's sip.conf and dialplan were set up, with the default SIP context as follows...
Code:
[default]
; _X. matches any string of digits, so every dialled number is sent straight into A2Billing
exten => _X.,1,Answer()
exten => _X.,n,Wait(1)
exten => _X.,n,AGI(a2billing.php,1)
exten => _X.,n,Hangup()
...this meant that any number matched, making it very easy to do spoofing, as the spoofer did not have to know the access number to attack the platform. They just had to dial <<any-number>>@<<IP-of-A2Billing>> from any IP in the world, and keep testing different caller IDs until a valid one was found.
So the first part of the solution was to modify the dialplan to allow only their actual DID through, hang up anything else, and add some more dialplan to grab the source IP and log spoofing attempts. With a bit of imagination, you could add these to an IPTables block list.
But if they know your access DID, they could simply dial 1234567890@IP-of-customers-server from anywhere, and they could begin attempting spoofing again.
So the next step was to use IP authentication: if the call comes from one of your DID provider's IP addresses, we send it into your calling card context and then check that the right number has been called; if it is from any other address, and is not otherwise authenticated via username / password or IP in A2Billing's VoIP settings, the call gets sent to a context that logs the IP and simply hangs up.
These steps should make it uneconomic for the CLID spoofer, as they have to call the access number directly via the PSTN, which will cost them real money. Furthermore, giving your customers the access numbers via email or printed on the calling card, and not announcing them on your web page, will further reduce your attack surface, especially if you are running your calling card service on a toll-free number.
If you need help to set this up on your own platform then contact us at [email protected]. The exact solution will depend on the existing set-up of your platform.
Joe
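A worked version of the two steps the post describes (restrict the DID provider's context to the real access number, and send calls from unrecognised IPs to a context that logs and hangs up), added here as an example; it is not the original post's configuration or A2Billing project code. The provider IP 203.0.113.10, the DID 1234567890 and the context names are placeholders, and it assumes chan_sip on Asterisk 1.8 or later (for CHANNEL(recvip) and Log()).

```ini
; --- sip.conf (relevant parts only) ---
[general]
; Calls from IPs that match no peer land here instead of in the A2Billing context.
context=unauthenticated
allowguest=yes            ; set to no to reject unknown IPs at the SIP layer (no dialplan logging then)

[didprovider]
type=peer
host=203.0.113.10         ; PLACEHOLDER: signalling IP of your DID provider (one peer per IP)
insecure=port,invite      ; trust this IP, do not challenge its INVITEs
context=from-did-provider
; A2Billing's own SIP customers (username/password or IP auth) keep their existing peer entries
; and context; only calls that match no peer at all fall through to [general] context.

; --- extensions.conf ---
[from-did-provider]
; Only the real access DID reaches A2Billing; any other number from the provider is dropped.
exten => 1234567890,1,Answer()          ; PLACEHOLDER: your actual access DID
exten => 1234567890,n,Wait(1)
exten => 1234567890,n,AGI(a2billing.php,1)
exten => 1234567890,n,Hangup()

exten => _X.,1,Log(WARNING,DID mismatch: ${EXTEN} from ${CHANNEL(recvip)} CLID ${CALLERID(num)})
exten => _X.,n,Hangup()

[unauthenticated]
; Anything here came from an IP that matched no peer: record the source IP, the number dialled
; and the CLID being tried, then hang up. Log() is used rather than System() because
; CALLERID(num) is attacker-controlled and must never be passed to a shell. The resulting
; lines in /var/log/asterisk/messages can feed fail2ban or an iptables block list.
exten => _X.,1,Log(WARNING,Spoofing attempt: ${EXTEN} from ${CHANNEL(recvip)} CLID ${CALLERID(num)})
exten => _X.,n,Hangup()
```

A call to a number that matches no pattern in the selected context (a non-numeric extension, for example) is refused by chan_sip with a 404 before the dialplan runs and is logged as "rejected because extension not found in context", so it is still visible for blocking.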