Support A2Billing :

provided by Star2Billing S.L.



All times are UTC




 Post subject: SECURITY ISSUE.LIMIT MAXIMUM SIMULTANEOUS CALLS
PostPosted: Wed Nov 09, 2011 3:10 pm 

Joined: Sun Nov 07, 2010 10:00 pm
Posts: 253
Hello all,
Again, another security issue and attack, as these people are becoming real professionals, much more than we expect.

We got an attack from Romania that was passing several calls to Bulgaria, the Dem. Rep. of Congo and elsewhere, and it left the account at a negative value of -190$.

We have limited the call transfer in the dialcommand, in sip.conf, and also in the DB, as we're using a realtime server...
As dialcommand_param we use:
Quote:
,60,LIW(%TIMEOUT(absolute)=3600%:60000:30000)


And also we setup the absolute timeout in the dialplan as:
Quote:
[voip]
exten => _X.,1,NoOp(A2Billing Start)
exten => T,1,Set(TIMEOUT(absolute)=3600)
exten => _X.,n,DeadAgi(a2billing.php,2)
exten => _X.,n,Hangup


But this time, they placed intensive simultaneous calls which in the end managed to make calls even when the account balance was negative... I understand that it's impossible to control that and avoid a negative value with simultaneous calls, but how it could go as far as -190$ negative, I really can't understand...

The question is, their calls weren't of such long duration; the average ACD they achieved was 20 minutes per call, so I can't understand how a2billing allowed accepting more calls when the balance was so deep in negative value??

Can anyone advise on this, please?


 Post subject: Re: SECURITY ISSUE.LIMIT MAXIMUM SIMULTANEOUS CALLS
PostPosted: Thu Nov 10, 2011 7:14 pm 

Joined: Sun Nov 07, 2010 10:00 pm
Posts: 253
Hello,
I'd like to update you on the possible solutions I'm applying myself, to go further in limiting these scams...

First, we set the callcounter directive to yes in sip.conf and in the DB; I'm using Asterisk 1.8.X, and it's applicable also to Asterisk 1.6.

Second, in the DB, I reduced the call-limit default value from 3600 simultaneous calls to 5, so when we turn on simultaneous calls, it will be limited to this value in the Asterisk peer, and we can go on upgrading peer by peer accordingly.

Any more suggestions? I'd ensure updating the Asterisk DB in all cases to set the call-limit to 5 instead of 3600 as it currently is... as it's a highly risky and aggressive value!!

Regards,


 Post subject: Re: SECURITY ISSUE.LIMIT MAXIMUM SIMULTANEOUS CALLS
PostPosted: Fri Nov 11, 2011 2:43 am 

Joined: Mon Jan 08, 2007 6:56 pm
Posts: 345
I've seen a similar issue, but the loss was the remaining credit + 3 about $11.

The client had a SIP phone on a public IP that was registered with the server, and crooks sent calls through to the server unrestricted. It did not work well though, because each call put the other on hold. Most of the calls were terminated because "rtptimeout" was set.

It would also seem this can be a problem on a LAN if there is a security issue and phones are not updated.

However, I've created a cron script to watch the active outbound channels and terminate the SIP channels when credit is used up for account. It seems to work. If you are interested in trying it let me know.

The solution is a semi-integration with Asterisk, but only for SIP.


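An added example of the kind of reaper logic vulcan describes above (my own illustration in Python, not the script he posted, which is not reproduced on this page): it groups the active SIP channels by a2billing account, projects what the running calls have already cost, and hangs up every channel of an account whose remaining credit would fall to or below a minimum. The channel listing, tariffs, balances and account numbers below are constructed sample data. In a real cron job the balances would come from the a2billing card table and the channels from `asterisk -rx "core show channels concise"` (its field order differs by Asterisk version, so map it for your release); `channel request hangup` is the Asterisk 1.8 CLI command for dropping a channel.

```python
"""Credit-based SIP channel reaper (added illustration, not the thread's script).

Why it is needed: a2billing checks credit when a call is set up and bills it at
hangup, so N concurrent calls can each pass the check against the same balance.
A periodic job that looks at all running calls of an account together can stop
the bleeding between those two points.
"""
from dataclasses import dataclass


@dataclass
class Channel:
    name: str            # Asterisk channel name, e.g. SIP/82724-00000a1f
    accountcode: str     # a2billing card number carried as the channel accountcode
    rate_per_min: float  # tariff of the dialled destination, per minute
    seconds: int         # time the call has been up


# Constructed sample listing: channel!accountcode!rate!seconds, one call per line.
# The real `core show channels concise` output is also '!'-separated, but the
# field positions are version specific; these four fields are an assumption.
SAMPLE_LISTING = """\
SIP/82724-00000a1f!82724!0.85!1260
SIP/82724-00000a20!82724!0.85!900
SIP/82724-00000a21!82724!0.85!60
SIP/10101-00000b02!10101!0.02!3000
SIP/30303-00000c01!30303!0.50!120
"""

# Constructed balances (would be read from the a2billing card table in practice).
# Account 30303 is deliberately missing to show the fail-closed path.
SAMPLE_CREDIT = {"82724": 12.00, "10101": 5.00}


def parse_listing(text):
    """Turn the '!'-separated listing into Channel objects, skipping short/blank lines."""
    channels = []
    for line in text.splitlines():
        parts = line.strip().split("!")
        if len(parts) < 4:
            continue
        channels.append(Channel(parts[0], parts[1], float(parts[2]), int(parts[3])))
    return channels


def projected_spend(channels):
    """Cost already incurred by running calls that a2billing has not billed yet."""
    return sum(ch.rate_per_min * ch.seconds / 60.0 for ch in channels)


def channels_to_hangup(credit, channels, min_credit=0.0):
    """Names of channels to drop: every call of an account whose credit, minus the
    cost of its concurrent calls so far, is at or below min_credit (the same idea
    as the agi-conf min_credit_to_call threshold). Unknown accounts are treated
    as having zero credit, i.e. they fail closed."""
    by_account = {}
    for ch in channels:
        by_account.setdefault(ch.accountcode, []).append(ch)
    doomed = []
    for account, calls in by_account.items():
        remaining = credit.get(account, 0.0) - projected_spend(calls)
        if remaining <= min_credit:
            doomed.extend(c.name for c in calls)
    return doomed


def hangup_commands(names):
    """CLI commands a cron job would run for each doomed channel (Asterisk 1.8 syntax)."""
    return ['asterisk -rx "channel request hangup %s"' % name for name in names]


if __name__ == "__main__":
    doomed = channels_to_hangup(SAMPLE_CREDIT, parse_listing(SAMPLE_LISTING))
    for cmd in hangup_commands(doomed):
        print(cmd)
```

With the sample data, account 82724 has three calls that together have already cost about 31.45 against 12.00 of credit, so all three are dropped even though each one passed a2billing's per-call check when it started; 10101 stays up, and the unknown 30303 is dropped because its credit is unknown.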
 Post subject: Re: SECURITY ISSUE.LIMIT MAXIMUM SIMULTANEOUS CALLS
PostPosted: Fri Nov 11, 2011 7:10 am 

Joined: Sun Nov 07, 2010 10:00 pm
Posts: 253
Quote:
However, I've created a cron script to watch the active outbound channels and terminate the SIP channels when credit is used up for account. It seems to work. If you are interested in trying it let me know.


Yes, please, can you share it with me, to check the possibilities??

Regards,


 Post subject: Re: SECURITY ISSUE.LIMIT MAXIMUM SIMULTANEOUS CALLS
PostPosted: Fri Nov 11, 2011 2:24 pm 

Joined: Mon Jan 08, 2007 6:56 pm
Posts: 345
I'm improving the script some more and will provide a copy when completed. I was still curious, though, as to why calls could be placed when the credit limit was reached. After digging through the code, I have found a couple of serious bugs that affect POSTPAID accounts and calls from DID to DID.

The hacked account described was a POSTPAID account.

All this is still being verified.


 Post subject: Re: SECURITY ISSUE.LIMIT MAXIMUM SIMULTANEOUS CALLS
PostPosted: Fri Nov 11, 2011 7:13 pm 

Joined: Mon Jan 08, 2007 6:56 pm
Posts: 345
I've posted the script here :
viewtopic.php?f=35&t=9302&p=35751#p35751

As for the other script issues, that will be addressed later.


 Post subject: Re: SECURITY ISSUE.LIMIT MAXIMUM SIMULTANEOUS CALLS
PostPosted: Fri Nov 11, 2011 7:28 pm 

Joined: Sun Nov 07, 2010 10:00 pm
Posts: 253
vulcan wrote:
I've posted the script here :
viewtopic.php?f=35&t=9302&p=35751#p35751

As for the other script issues, that will be addressed later.


Thanks Vulcan; as you said, and to be more specific, whatever relates to your script I'll discuss there...


 Post subject: Re: SECURITY ISSUE.LIMIT MAXIMUM SIMULTANEOUS CALLS
PostPosted: Mon Nov 14, 2011 4:15 pm 

Joined: Sun Nov 07, 2010 10:00 pm
Posts: 253
Hello Guys,
I'd like to update you that the solution I proposed is working perfectly. I ran a test using sipp from a local machine to the server, and after the established maximum of call-limit=5 which I set for the peer, the calls are being dropped as below:

Quote:
== Using SIP RTP CoS mark 5
[Nov 14 19:11:08] NOTICE[1549]: chan_sip.c:5829 update_call_counter: Call from peer '82724' rejected due to usage limit of 5
[Nov 14 19:11:08] NOTICE[1549]: chan_sip.c:22046 handle_request_invite: Failed to place call for device 82724, too many calls


So, I guess this solution is better, as it comes in the box and is managed by Asterisk itself.


Regards,


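An added example (mine, not from the thread or from a2billing) of turning the two NOTICE lines ubunter quotes above into a detection. Once call-limit is enforced, a burst of `rejected due to usage limit` messages for a single peer is what a flood like the one in the first post looks like in the Asterisk log, so counting those lines per peer in a sliding window gives an alert without waiting for CDRs. The log below is constructed around the posted format (same chan_sip NOTICE text, with a few extra lines as noise); the peer numbers, the 60-second window and the threshold of 5 are assumptions to tune for your traffic.

```python
"""Per-peer rate of call-limit rejections in an Asterisk 1.8 log (added illustration)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the update_call_counter NOTICE quoted in the thread. The companion
# handle_request_invite "too many calls" line is deliberately not matched, so
# one rejected INVITE is counted once.
REJECT_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\] NOTICE\[\d+\]: chan_sip\.c:\d+ "
    r"update_call_counter: Call from peer '(?P<peer>[^']+)' rejected due to usage limit of (?P<limit>\d+)"
)

# Constructed sample: peer 82724 hits its limit 8 times, 7 of them inside 30 seconds;
# peer 10101 is rejected once. Other lines are noise the parser must ignore.
SAMPLE_LOG = """\
[Nov 14 19:11:08] NOTICE[1549]: chan_sip.c:5829 update_call_counter: Call from peer '82724' rejected due to usage limit of 5
[Nov 14 19:11:08] NOTICE[1549]: chan_sip.c:22046 handle_request_invite: Failed to place call for device 82724, too many calls
[Nov 14 19:11:09] NOTICE[1549]: chan_sip.c:5829 update_call_counter: Call from peer '82724' rejected due to usage limit of 5
[Nov 14 19:11:11] NOTICE[1549]: chan_sip.c:5829 update_call_counter: Call from peer '82724' rejected due to usage limit of 5
[Nov 14 19:11:15] NOTICE[1549]: chan_sip.c:5829 update_call_counter: Call from peer '82724' rejected due to usage limit of 5
[Nov 14 19:11:20] NOTICE[1549]: chan_sip.c:5829 update_call_counter: Call from peer '82724' rejected due to usage limit of 5
[Nov 14 19:11:28] NOTICE[1549]: chan_sip.c:5829 update_call_counter: Call from peer '82724' rejected due to usage limit of 5
[Nov 14 19:11:35] NOTICE[1549]: chan_sip.c:5829 update_call_counter: Call from peer '82724' rejected due to usage limit of 5
[Nov 14 19:12:40] NOTICE[1549]: chan_sip.c:5829 update_call_counter: Call from peer '82724' rejected due to usage limit of 5
[Nov 14 19:13:01] NOTICE[1549]: chan_sip.c:5829 update_call_counter: Call from peer '10101' rejected due to usage limit of 5
[Nov 14 19:13:01] NOTICE[1549]: chan_sip.c:22046 handle_request_invite: Failed to place call for device 10101, too many calls
"""


def parse_rejections(log_text):
    """Per-peer list of (timestamp, limit) for every rejection line; other lines are ignored.
    The log format carries no year, so timestamps are comparable only within one year."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events[m.group("peer")].append((ts, int(m.group("limit"))))
    return events


def peak_in_window(times, window):
    """Largest number of events inside any span of length `window` (two-pointer sweep)."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def rejection_totals(log_text):
    """Total rejections per peer over the whole log."""
    return {peer: len(evs) for peer, evs in parse_rejections(log_text).items()}


def flag_peers(log_text, threshold=5, window_seconds=60):
    """Peers whose rejection count reached `threshold` inside any window; value is the peak."""
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for peer, evs in parse_rejections(log_text).items():
        peak = peak_in_window([t for t, _ in evs], window)
        if peak >= threshold:
            flagged[peer] = peak
    return flagged


if __name__ == "__main__":
    for peer, peak in flag_peers(SAMPLE_LOG).items():
        print("peer %s: %d rejections within 60s, review or block" % (peer, peak))
```

A peer that trips this repeatedly is either under attack (or its credentials are stolen) or genuinely needs a higher call-limit; either way it is the peer to look at first, which is the whole point of a low default.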
 Post subject: Re: SECURITY ISSUE.LIMIT MAXIMUM SIMULTANEOUS CALLS
PostPosted: Fri Dec 23, 2011 3:42 am 

Joined: Sat Oct 13, 2007 4:07 am
Posts: 189
So if it is a prepaid account, no worries?


 Post subject: Re: SECURITY ISSUE.LIMIT MAXIMUM SIMULTANEOUS CALLS
PostPosted: Fri Mar 23, 2012 8:49 am 

Joined: Fri Nov 13, 2009 8:04 pm
Posts: 24
ubunter wrote:
Hello Guys,
I'd like to update you that the solution I proposed is working perfectly. I ran a test using sipp from a local machine to the server, and after the established maximum of call-limit=5 which I set for the peer, the calls are being dropped as below:

Quote:
== Using SIP RTP CoS mark 5
[Nov 14 19:11:08] NOTICE[1549]: chan_sip.c:5829 update_call_counter: Call from peer '82724' rejected due to usage limit of 5
[Nov 14 19:11:08] NOTICE[1549]: chan_sip.c:22046 handle_request_invite: Failed to place call for device 82724, too many calls


So, I guess this solution is better, as it comes in the box and is managed by Asterisk itself.


Regards,


Dear ubunter,

Did you set call-limit=5 in sip.conf for each peer, or inside the VoIP settings for each peer from the a2billing website?

Thanks!


 Post subject: Re: SECURITY ISSUE.LIMIT MAXIMUM SIMULTANEOUS CALLS
PostPosted: Fri Mar 23, 2012 9:12 am 

Joined: Sun Nov 07, 2010 10:00 pm
Posts: 253
Quote:
Did you set call-limit=5 in sip.conf for each peer, or inside the VoIP settings for each peer from the a2billing website?


Hello,

As I'm running Asterisk with a realtime server, there is no need to set this up in sip.conf; also, if you set it up in sip.conf it would be generic for all...

Anyway, in the cc_sip_buddies table, I added the call-limit entry with 5 as the default... and verified that it's applied to all the users... and then, if you need more channels per user, it can be upgraded one by one specifically.

If you need to do this from the a2billing GUI, you need to edit A2B_entity_friend.php to load this entry from the DB, but in my case, I'm doing this with SQL queries directly.

If you're not running Asterisk with realtime, you need to edit the sip.conf general section and add call-limit=5; it will be applied to all users, and then go on adding an additional call-limit line for each specific user for which you need to upgrade this capacity.

I'd also recommend setting a high minimum credit to call in the agi-conf; for example, in my case I have it as 0.8¢. In this manner, a2billing will start to drop calls when the user arrives at this balance, and the existing calls will start to be dropped as well, as the simultaneity is limited....


Experience.
We're doing wholesale service, and one of our customers got a security attack a week ago, where he had simultaneous calls activated with a 5 simultaneous calls limit. The attack was sending calls to a premium destination in Slovenia; the conclusion is, all calls were dropped, and the negative balance was only 8$, which is acceptable in case of a security attack, as the Asterisk log showed that we had received from the customer about 50 simultaneous calls per second; if so, we could have gone into a negative balance of several hundred or thousands of dollars.

Cheers,


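An added example (mine, run against an in-memory SQLite copy of the table, not a2billing's own code or ubunter's queries) of the database side of what the post above describes. With Asterisk realtime the `cc_sip_buddies` row is the peer definition, so a column named `call-limit` is read by chan_sip exactly like the sip.conf option, and a NULL, empty or 0 value means no limit at all. The script clamps every peer to a default of 5, audits for peers that are still unlimited or above the ceiling, and then raises one trunk peer deliberately, which is the "upgrade one by one" step. The column name, the table contents and the peer names are assumptions (add the column first if your schema lacks it); the callcounter setting ubunter also enables is not shown. The SQL uses MySQL-style backtick quoting, which SQLite accepts too.

```python
"""Audit and clamp the realtime `call-limit` column (added illustration, SQLite stand-in for MySQL)."""
import sqlite3


def connect_sample():
    """Constructed cc_sip_buddies subset: one peer at the old 3600 default, one NULL,
    one empty string, one already reviewed at 2. Only the columns the example needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cc_sip_buddies (id INTEGER PRIMARY KEY, name TEXT NOT NULL, `call-limit` TEXT)"
    )
    conn.executemany(
        "INSERT INTO cc_sip_buddies (name, `call-limit`) VALUES (?, ?)",
        [("82724", "3600"), ("10101", None), ("wholesale1", ""), ("20202", "2")],
    )
    conn.commit()
    return conn


def _is_unlimited_or_above(value, ceiling):
    """chan_sip treats a missing, empty or 0 call-limit as unlimited; anything
    non-numeric is also flagged so a typo never silently means 'no limit'."""
    if value is None:
        return True
    value = value.strip()
    if not value.isdigit():
        return True
    return int(value) <= 0 or int(value) > ceiling


def peers_to_review(conn, ceiling=5):
    """Sorted peer names whose limit is unlimited, malformed or above the ceiling."""
    rows = conn.execute("SELECT name, `call-limit` FROM cc_sip_buddies").fetchall()
    return sorted(name for name, lim in rows if _is_unlimited_or_above(lim, ceiling))


def set_default_limit(conn, limit=5, ceiling=5):
    """Clamp every unlimited or over-ceiling peer to `limit`; peers already at or
    below the ceiling keep their explicit value. Returns the number of rows changed."""
    cur = conn.execute(
        "UPDATE cc_sip_buddies SET `call-limit`=? "
        "WHERE `call-limit` IS NULL OR TRIM(`call-limit`)='' "
        "OR CAST(`call-limit` AS INTEGER) <= 0 OR CAST(`call-limit` AS INTEGER) > ?",
        (str(limit), ceiling),
    )
    conn.commit()
    return cur.rowcount


def raise_limit(conn, name, limit):
    """Deliberate per-peer upgrade (e.g. a wholesale trunk). Returns rows changed (0 or 1)."""
    cur = conn.execute("UPDATE cc_sip_buddies SET `call-limit`=? WHERE name=?", (str(limit), name))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = connect_sample()
    print("before:", peers_to_review(db))
    print("clamped rows:", set_default_limit(db))
    print("after:", peers_to_review(db))
    raise_limit(db, "wholesale1", 30)
    print("after trunk upgrade (expected to show up for review):", peers_to_review(db))
```

Running the audit after every per-peer upgrade, as the last line does, keeps the list of peers with a raised limit explicit, which is the set you want watched most closely for the kind of burst described in this thread. Remember that chan_sip only reloads realtime peers when they are re-read (rtcachefriends and friends), so check `sip show peer <name>` after the update before trusting the new value.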