SIP Attacks and Bad Service Providers

Anyone know where there is a reasonable list of bad service providers known to harbor malicious actors? I've been building up my firewall rules on the SBC and have eliminated most attacks; however, I'm still getting a few every couple of days.

I had one major issue and eventually had to open a case with the FBI since the hosted solution provider basically refused to do anything other than change their form for abuse reporting (I assume so they could filter mine out). Provider also refused to disclose the name of the individual or company attacking me.

Blocking foreign address space is relatively easy. Unfortunately foreign entities are allowed to purchase hosted space using US IP address space.

RE: SIP Attacks and Bad Service Providers

I asked Avaya to add it to the SBC. Like firewalls feed up the naughty stuff to the firewall vendor's mothership and they learn what new bad stuff there is and your software subscription gets you updates.

Are you worried about bad IPs trying to register as remote workers or bad calls coming from these providers thru your provider and onto your SIP trunk?

If it's the latter, that ain't going to be easy. You're basically waiting for STIR/SHAKEN so your carrier can pass you a level of attestation and then you decide what to do with that if they're not attested.

Until that's a carrier provided thing, there's not much your provider knows about the originating end.

RE: SIP Attacks and Bad Service Providers

Even after STIR/SHAKEN implementation it might be tough. Attestation can only come if the whole path of the call is IP based. Throw any TDM legs into the mix and you won't see certs passed. The carrier simply won't know if it's a valid call or not.

Offshore/foreign entities will have an easier time of keeping TDM in play, at least for the meantime.
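
The decision step discussed in the two replies above (act on the attestation level the carrier passes, and expect none when a TDM leg drops it), as an added example that is not part of any poster's message or of Avaya's SBC software. It reads the `attest` claim from a SIP `Identity` header carrying a SHAKEN PASSporT; the policy table, freshness window and sample INVITE are constructed assumptions, and signature verification is assumed to happen upstream.

```python
import base64
import json

# Assumed local policy per SHAKEN attestation level (not from the thread).
POLICY = {"A": "allow", "B": "allow-flag", "C": "challenge", None: "challenge"}
MAX_AGE = 60  # assumed freshness window for the PASSporT "iat" claim, seconds


def b64url_json(part):
    """Decode one base64url JWT segment (padding is stripped on the wire)."""
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))


def attestation(sip_message, now):
    """Return (level, reason); level is 'A', 'B', 'C' or None if unusable.
    Signature is NOT verified here: assumed already done upstream (carrier
    verification service or SBC) against the x5u certificate."""
    for line in sip_message.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() != "identity":
            continue
        token = value.split(";", 1)[0].strip()
        try:
            header, claims = (b64url_json(p) for p in token.split(".")[:2])
            iat = float(claims["iat"])
            if header["ppt"] != "shaken":
                return None, "not a SHAKEN PASSporT"
        except (ValueError, TypeError, KeyError):
            return None, "malformed PASSporT"
        if abs(now - iat) > MAX_AGE:
            return None, "stale iat"
        level = claims.get("attest")
        return (level, "ok") if level in ("A", "B", "C") else (None, "bad attest")
    return None, "no Identity header"  # e.g. a TDM leg dropped it


def decide(sip_message, now):
    """Map a received INVITE to a policy action plus the reason."""
    level, reason = attestation(sip_message, now)
    return POLICY[level], reason


def sample_invite(attest, iat):
    """Constructed INVITE with an unsigned sample PASSporT (placeholder values)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    hdr = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": "https://sti.example.invalid/cert.pem"}
    body = {"attest": attest, "dest": {"tn": ["12025550100"]}, "iat": iat, "orig": {"tn": "12025550199"}, "origid": "00000000-0000-4000-8000-000000000000"}
    return f"INVITE sip:12025550100@sbc.example.invalid SIP/2.0\r\nIdentity: {enc(hdr)}.{enc(body)}.c2ln;info=<https://sti.example.invalid/cert.pem>;alg=ES256;ppt=shaken\r\n\r\n"
```

Calling `decide(sample_invite("A", t), t)` returns the action for a fresh, fully attested call; an INVITE with no `Identity` header falls through to the unattested policy.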

RE: SIP Attacks and Bad Service Providers

Not worried about STIR/SHAKEN. Getting a variety of attacks. I've been able to eliminate most since there seem to be specific hosted providers which are being leveraged more than others. Even so I still get the occasional hacker trying to get in. I make sure to report the attacks to the hosted solution provider so they can take action. I also post on abuseipdb.com. Unfortunately there is no requirement for them to provide any information on a customer. Without significant financial loss FBI Cyber won't touch it.

RE: SIP Attacks and Bad Service Providers

Is your SBC directly connected to the internet versus a private connection directly to your carrier?
